Re: future of IDS

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Doug Hughes, sie wrote:
> > 2) With the reality of GB LAN networking nearing the mainstream, has
> > anybody(switch vendor or other) speculated on having for example a 10/100MB
> > switch that has a GB port that can spit out all traffic on all ports for
> > monitoring?  Would seem like an ideal solution for the security conscious.
>
> I believe that most switch vendors do this already. I know that
> both 3com and cisco support this on some if not all of their 
> switches. You select a port and replicate the traffic on it out
> another port.

I think you misread the question.  He's asking if there is a port
rated at 1GB/s+ which you can connect upto and receive _all_ the
traffic.  All the switches I've seen have standard 10/100BaseT
ports which you can select to be the monitor ports.

*Maybe* if you had something like one of the 3Com stackable switches
and rather than plug another switch in using their custom daisy chain
cable you plugged in your monitor THEN you might get what he's asking
about.  HOWEVER, I don't know of anything that can run at that speed
or do anything useful with data at anything close to that speed.  If
there is, someone please enlighten us.

*If* they are spitting out a copy of _all_ the traffic through a single
port then they *must* slow the switch down so that the entire throughput
is no longer in excess of 100MBit/sec and hence it is no longer a true
gigabit-switch (so why pay all that money ?).

Darren