Firewall Wizards mailing list archives
Re: future of IDS
From: Bennett Todd <bet () mordor net>
Date: Mon, 19 Oct 1998 09:38:23 -0400
1998-10-16-22:55:20 Martin W Freiss:
> Bennett Todd:
> > My own prediction is that we're going to see a strong trend towards a new architecture (supposedly available or at least under development for the commercial NFR, at least), where the IDS is partitioned into capture and analysis engines, and the capture engine is designed to be replicated over as many hosts as needed....
>
> ... where the capture engine is in the firmware of the switch (hey, free product idea for the rest of you :-)). Tough for statistical analysis, should be doable for more signature based IDSes.
Well, no, that's not what I was thinking; last place I worked closely with switches, we were consolidating from 7 switches with 72 or more ports each, many with 12 ports of 100baseT, and ISL interconnecting, up to one much bigger switch with dual everythings. Either way, you've got a bandwidth problem: a switch carries more traffic than can be logged or analyzed. Whereas each individual host does not carry so much, so the thing to do is to distribute the first level of analysis out, so that only a condensed stream needs to be brought back to the central management and analysis station.

-Bennett
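The capture-then-condense split argued for in this post, as an added example that is not from the original message: a host-side first pass that turns raw packets into per-flow summaries plus signature-style alerts, so only those travel back to the central analysis station. The packet tuples are constructed sample data and the function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample of what one capture host might see: (src, dst, dport, bytes).
# Eight packets of ordinary web traffic plus one probe each to four ports
# from a second source, which is what the host-level analysis should surface.
HOST_CAPTURE = (
    [("10.0.0.5", "10.0.0.9", 80, 512)] * 8
    + [("10.0.0.7", "10.0.0.9", p, 60) for p in (21, 22, 23, 25)]
)


def condense(packets, scan_threshold=3):
    """First-level analysis run on the capture host.

    Collapses raw packets into per-flow summaries and emits a signature-style
    alert for any source that touched at least scan_threshold distinct ports.
    Only the summaries and alerts are sent to the central analysis station.
    """
    flows = defaultdict(lambda: [0, 0])   # (src, dst, dport) -> [packets, bytes]
    ports_by_src = defaultdict(set)
    for src, dst, dport, nbytes in packets:
        counts = flows[(src, dst, dport)]
        counts[0] += 1
        counts[1] += nbytes
        ports_by_src[src].add(dport)

    summaries = [
        {"src": s, "dst": d, "dport": p, "packets": c[0], "bytes": c[1]}
        for (s, d, p), c in sorted(flows.items())
    ]
    alerts = [
        {"type": "port-scan", "src": src, "ports": sorted(ports)}
        for src, ports in sorted(ports_by_src.items())
        if len(ports) >= scan_threshold
    ]
    return summaries, alerts


def reduction_ratio(packets, summaries):
    """Raw records seen on the host per record shipped back centrally."""
    return len(packets) / len(summaries)


if __name__ == "__main__":
    summaries, alerts = condense(HOST_CAPTURE)
    print(f"{len(HOST_CAPTURE)} packets -> {len(summaries)} flow summaries, "
          f"{len(alerts)} alert(s), reduction {reduction_ratio(HOST_CAPTURE, summaries):.1f}x")
    for alert in alerts:
        print(alert)
```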