Firewall Wizards mailing list archives

Re: future of IDS


From: Doug Hughes <Doug.Hughes () Eng Auburn EDU>
Date: Tue, 20 Oct 1998 09:01:54 -0500


Darren Reed writes:

Something which just occurred to me, switches are `meant' to be able to
switch such that full speed communications are kept between any two nodes
on the switch without taking bandwidth away from other pairs.

If you have a switch with 24 ports for 100BaseT, can you then push 1.2Gb/s
through it ?  Or is that just the `gigabit' hubs ?  The problem is, that
if you have a single 100BaseT monitor port, either the throughput for the
entire switch is 100BaseT (serious reduction in performance) or you lose
packets on the monitor port.

That's what the gigabit uplink ports are for. There may be vendors that
let you funnel all your 100Mbit and dup it out a gig, but I'm not aware
of them. But yes, the switch backplane better be capable of approaching 1.2Gb, and
most of them are these days.

The IDS folks have been aware of this pending problem for a while.
The basic approaches are (1) use an explicit tap on the switch

see above.

(2) build the IDS into the switch (or get the switch to cooperate with
the IDS),

there are some interesting performance problems to be considered here.

and flexibility ones...
The problem is that with these higher speeds, switch vendors are increasingly
going to ASICs to pump out that kind of performance. And they are getting
phenomenal results! However, to do general purpose filtering, they might
stick in a regular RISC processor, which will significantly slow things
down if you start adding a lot of rules.

(3) get the end hosts to chip in and function as IDS sensors.

Similar to the recent COAST project announcement for AAFID ?

In environments where high speed networking is in place (HIPPI, ATM, FDDI)
I think a combination of network based and host based is going to be
necessary.


yes, though our analysis capability is falling behind our capability
to blast packets.

I predict that the IDS of the future on these high speed switched networks
is going to have to rely, to some extent, on sampling. Taking packets from
random ports at random time intervals and seeing what happens. Either that,
or, as has been done in the switching fabric itself, special hardware is going to
have to be designed and dedicated for the analysis task.

--
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
                        doug () eng auburn edu
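Added illustration, not part of Doug's or Darren's messages: a small Python model of the two outcomes discussed above. It assumes a 24-port 100BaseT switch with a single 100BaseT monitor port (all numbers constructed from the figures in the thread; the 1.2Gb/s case is modelled as 12 ports sending at full rate). It shows how much a full mirror must drop once the offered load passes the monitor port's capacity, what per-packet sampling rate would still fit, how likely a flow of a given length is to be seen at that rate, and, for the "random ports at random time intervals" idea, a Monte Carlo estimate of the chance a sensor that watches one random port per interval lands on a flow at least once, checked against the closed form.

```python
"""Toy model of the monitor-port problem discussed in the thread.

Assumptions (constructed for this example, not from the post): a 24-port
100BaseT switch, one 100BaseT monitor port, per-packet sampling that keeps
each packet independently, and a sensor that watches one randomly chosen
port per time interval.
"""
import random

PORT_MBPS = 100      # capacity of each 100BaseT switch port
MONITOR_MBPS = 100   # capacity of the single 100BaseT monitor port


def offered_load_mbps(active_ports, utilization):
    """Aggregate traffic (Mb/s) that mirroring every active port would push at the monitor port."""
    return active_ports * PORT_MBPS * utilization


def mirror_loss_fraction(active_ports, utilization):
    """Fraction of mirrored packets the monitor port must drop.

    0.0 while the offered load fits in MONITOR_MBPS; otherwise the share that
    does not fit. This is the "lose packets on the monitor port" outcome.
    """
    offered = offered_load_mbps(active_ports, utilization)
    if offered <= MONITOR_MBPS:
        return 0.0
    return 1.0 - MONITOR_MBPS / offered


def sample_fraction_that_fits(active_ports, utilization):
    """Largest per-packet sampling probability whose expected output still fits the monitor port."""
    offered = offered_load_mbps(active_ports, utilization)
    return 1.0 if offered <= MONITOR_MBPS else MONITOR_MBPS / offered


def flow_seen_probability(sample_fraction, flow_packets):
    """Probability that per-packet sampling keeps at least one packet of a flow of flow_packets packets."""
    return 1.0 - (1.0 - sample_fraction) ** flow_packets


def random_port_detection_rate(active_ports, flow_intervals, trials=4000, seed=7):
    """Monte Carlo estimate for a sensor that watches one random port per interval.

    A flow is active on one fixed port during flow_intervals consecutive
    intervals; returns the fraction of trials in which the sensor landed on
    that port at least once while the flow was active.
    """
    rng = random.Random(seed)
    flow_port = 0  # which port hosts the flow does not matter by symmetry
    seen = 0
    for _ in range(trials):
        if any(rng.randrange(active_ports) == flow_port for _ in range(flow_intervals)):
            seen += 1
    return seen / trials


def random_port_detection_probability(active_ports, flow_intervals):
    """Closed form for the same sensor: 1 - P(the flow's port is never picked)."""
    return 1.0 - (1.0 - 1.0 / active_ports) ** flow_intervals


if __name__ == "__main__":
    for active in (1, 6, 12, 24):
        print(f"{active:2d} senders at full rate: monitor drops "
              f"{mirror_loss_fraction(active, 1.0):.1%}, "
              f"sampling must keep <= {sample_fraction_that_fits(active, 1.0):.1%}")
    p = sample_fraction_that_fits(12, 1.0)
    for packets in (1, 10, 100):
        print(f"flow of {packets:3d} packets seen with p={flow_seen_probability(p, packets):.3f}")
    print("random-port sensor, 24 ports, flow lasting 24 intervals:",
          f"simulated {random_port_detection_rate(24, 24):.3f}",
          f"vs analytic {random_port_detection_probability(24, 24):.3f}")
```

The point the numbers make is Doug's: sampling does not lose the long-lived flows (a 100-packet flow is almost certain to be seen even at a 1-in-12 rate), but short ones slip through with probability close to 1 - rate, so the sensor's analysis has to be designed around what it will not see rather than assuming a complete capture.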