Firewall Wizards mailing list archives
Re: future of IDS
From: Doug Hughes <Doug.Hughes () Eng Auburn EDU>
Date: Tue, 20 Oct 1998 09:01:54 -0500
Darren Reed writes:
> Something which just occurred to me, switches are `meant' to be able to switch such that full speed communications are kept between any two nodes on the switch without taking bandwidth away from other pairs. If you have a switch with 24 ports for 100BaseT, can you then push 1.2Gb/s through it ? Or is that just the `gigabit' hubs ? The problem is, that if you have a single 100BaseT monitor port, either the throughput for the entire switch is 100BaseT (serious reduction in performance) or you lose packets on the monitor port.

That's what the gigabit uplink ports are for. There may be vendors that let you funnel all your 100Mbit and dup it out a gig, but I'm not aware of them. But yes, the switch backplane better be capable of approaching 1.2Gb, and most of them are these days.

> > The IDS folks have been aware of this pending problem for a while. The basic approaches are (1) use an explicit tap on the switch

see above.

> > (2) build the IDS into the switch (or get the switch to cooperate with the IDS),
>
> there are some interesting performance problems to be considered here.

and flexibility ones.. The problem is that with these higher speeds, switch vendors are increasingly going to ASICs to pump out that kind of performance. And they are getting phenomenal results! However, to do general purpose filtering, they might stick in a regular RISC processor, which will significantly slow things down if you start adding a lot of rules.

> > (3) get the end hosts to chip in and function as IDS sensors.
>
> Similar to the recent COAST project announcement for AAFID ? In environments where high speed networking is in place (HIPPI, ATM, FDDI) I think a combination of network based and host based is going to be necessary.

yes, though our analysis capability is falling behind our capability to blast packets. I predict that the IDS of the future on these high speed switched networks is going to have to rely, to some extent, on sampling. Taking packets from random ports at random time intervals and seeing what happens. Either that, or, as has been done in the switching fabric itself, special hardware is going to have to be designed and dedicated for the analysis task.

-- 
____________________________________________________________________________
Doug Hughes                         Engineering Network Services
System/Net Admin                    Auburn University
                                    doug () eng auburn edu
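A capacity check for the monitor-port bottleneck raised in the exchange above, plus a coverage estimate for the random-port sampling strategy Doug proposes, as an added example that is not part of the original messages; the port count, per-port loads and sampling parameters are constructed for illustration:

```python
"""Capacity check for a switch monitor (SPAN) port feeding an IDS, and a
coverage estimate for sampling random ports when no port can carry it all.
Added example, not from the original messages; all figures are constructed."""
from math import ceil, log


def mirror_offered_load_mbps(port_loads_mbps):
    """Traffic a monitor port must carry when every listed port is mirrored.
    Each entry is (rx, tx) in Mb/s for one mirrored port; both directions are
    copied out of the single monitor link, so both count against it."""
    return sum(rx + tx for rx, tx in port_loads_mbps)


def mirror_drop_fraction(port_loads_mbps, monitor_capacity_mbps):
    """Share of mirrored traffic that cannot fit on the monitor port under
    sustained load (assumes tail drop with no useful buffering).
    0.0 means the IDS sees everything; anything above is a blind spot."""
    offered = mirror_offered_load_mbps(port_loads_mbps)
    if offered <= monitor_capacity_mbps:
        return 0.0
    return 1.0 - monitor_capacity_mbps / offered


def unsampled_port_fraction(n_ports, ports_per_interval, n_intervals):
    """Expected fraction of ports never observed when `ports_per_interval`
    distinct ports are picked uniformly at random in each of `n_intervals`
    independent intervals: (1 - k/N) ** T."""
    if ports_per_interval >= n_ports:
        return 0.0
    return (1.0 - ports_per_interval / n_ports) ** n_intervals


def intervals_for_coverage(n_ports, ports_per_interval, max_unsampled):
    """Smallest number of sampling intervals so that the expected fraction
    of never-observed ports is at most `max_unsampled`."""
    if ports_per_interval >= n_ports:
        return 1
    p_miss_once = 1.0 - ports_per_interval / n_ports
    return ceil(log(max_unsampled) / log(p_miss_once))


if __name__ == "__main__":
    # Constructed scenario: 24 x 100BaseT ports, each 20 Mb/s in and 20 out.
    loads = [(20, 20)] * 24
    print("offered to monitor port:", mirror_offered_load_mbps(loads), "Mb/s")
    for cap in (100, 1000):
        print(f"monitor port {cap} Mb/s -> dropped "
              f"{mirror_drop_fraction(loads, cap):.1%}")
    # Sampling 4 of 24 ports per interval: how blind are we after 12 rounds?
    print("never sampled after 12 rounds:",
          f"{unsampled_port_fraction(24, 4, 12):.1%}")
    print("rounds to get under 5% unsampled:",
          intervals_for_coverage(24, 4, 0.05))
```

The sampling figures describe which ports are ever looked at, not how much attack traffic is seen; an event confined to a single unobserved interval is still missed, which is the limitation Doug's closing sentence alludes to.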