Firewall Wizards mailing list archives

Re: future of IDS


From: Bennett Todd <bet () mordor net>
Date: Fri, 23 Oct 1998 16:17:57 -0400

Thanks for your note --- you forced me to think about this issue a bit, and
anything that coerces me into thinking must be for the best:-).

1998-09-17-12:13:41 Dominique Brezinski:
It is quite possible to analyze traffic on a switch, as a matter of fact
the switch is already analyzing every frame that comes through. Logging
all the traffic that comes through a switch is an entirely different story
though. That is why the switch would actually become a data *reduction*
point for the IDS. Of course, any analysis and data reduction done by
the switch *may* introduce latency depending on the switch architecture.
It is quite possible to develop a switch that is capable of doing first
level ID analysis and data reduction without introducing latency (think
about something like a dedicated ID processor running in parallel with the
switching processor). The frames take two paths as they enter the switch:
the switching path and the ID path. The switching path gets the frame to its
destination port, while the ID path analyzes the frame and either triggers an
event, sends the frame to some other portion of the IDS, or drops the frame
because it is not significant. [...]

That's all exquisitely clear and irrefutable.

As I thought about it, I realized my conclusions --- which I stand by --- were
founded on some assumptions which I hadn't voiced.

I believe my assumptions stand today, but who can tell what the future may
bring.

The first assumption is that IDS is a rapidly-mutating, continuously evolving
field; this week we will want to analyze things we hadn't thought of last
week. Surely this is the case now; perhaps in the future it will be less
of an issue --- as time passes, perhaps the field of network security
will stabilize. I don't see it happening soon, but then I sure don't see
everything. I still remember pooh-poohing the WWW as recently as summer of 1995,
claiming that the info I wanted wasn't there, that everything useful on the
internet was available from netnews and ftp, and I just didn't see any use for
WWW. O what a soothsayer I am....

But as long as the above-stated assumption holds, IDS will have to be
implemented with flexible logic; it won't be anywhere nearly as precisely
defined as packet switching, and the logic required to support IDS will
require far more flexible run-time configuration. Hence I would argue that if
you garnished a switch with parallel processors for doing IDS without a
performance hit, you'd multiply the cost of the box many-fold.

Which brings us to my hidden assumption number 2: IDS may be cute, it may be
piles of fun, it may be the wave of the future, and it may be fashionable
to natter about in circles where people like slinging buzzwords and playing
with the latest toys, but it doesn't command the kind of respect that will
finance that kind of expenditure. Some sites have gone to fully-switched
networks; they bear the cost, and are quite proud of their extraordinarily
high-performance network. I don't see very many sites paying many times
the money to add IDS capabilities to their switches, at least not as yet.
Maybe tomorrow. And if this isn't widely used, it won't enjoy even the mild
economies of scale that current switch manufacture enjoys. A switch with IDS
built in is a cool concept, particularly since the kind of general-purpose
processors that'd be needed would be usable for other things too ---
stand back, Deep Crack[1]. But I expect it'd be a fairly expensive SIMD
supercomputer.

-Bennett

[1] <URL:http://www.eff.org/>
