Firewall Wizards mailing list archives
Re: future of IDS
From: Bennett Todd <bet () mordor net>
Date: Fri, 23 Oct 1998 16:17:57 -0400
Thanks for your note --- you forced me to think about this issue a bit, and anything that coerces me into thinking must be for the best :-).

1998-09-17-12:13:41 Dominique Brezinski:
It is quite possible to analyze traffic on a switch, as a matter of fact the switch is already analyzing every frame that comes through. Logging all the traffic that comes through a switch is an entirely different story though. That is why the switch would actually become a data *reduction* point for the IDS. Of course, any analysis and data reduction done by the switch *may* introduce latency depending on the switch architecture. It is quite possible to develop a switch that is capable of doing first level ID analysis and data reduction without introducing latency (think about something like a dedicated ID processor running in parallel with the switching processor). The frames take two paths as they enter the switch: the switching path and the ID path. The switching path gets the frame to its destination port, while the ID path analyzes the frame and either triggers an event, sends the frame to some other portion of the IDS, or drops the frame because it is not significant. [...]
That's all exquisitely clear and irrefutable. As I thought about it, I realized my conclusions --- which I stand by --- were founded on some assumptions which I hadn't voiced. I believe my assumptions stand today, but who can tell what the future may bring.

The first assumption is that IDS is a rapidly-mutating, continuously evolving field; this week we will want to analyze things we hadn't thought of last week. Surely this is the case now; perhaps in the future it will be less of an issue --- as time passes, perhaps the field of network security will stabilize. I don't see it happening soon, but then I sure don't see everything. I still remember pooh-poohing the WWW as recently as summer of 1995, claiming that the info I wanted wasn't there, that everything useful on the internet was available from netnews and ftp, and I just didn't see any use for WWW. O what a soothsayer I am....

But as long as the above-stated assumption holds, IDS will have to be implemented with flexible logic; it won't be anywhere nearly as precisely defined as packet switching, and the logic required to support IDS will require far more flexible run-time configuration. Hence I would argue that if you garnished a switch with parallel processors for doing IDS without a performance hit, you'd multiply the cost of the box many-fold.

Which brings us to my hidden assumption number 2: IDS may be cute, it may be piles of fun, it may be the wave of the future, and it may be fashionable to natter about in circles where people like slinging buzzwords and playing with the latest toys, but it doesn't command the kind of respect that will finance that kind of expenditure. Some sites have gone to fully-switched networks; they bear the cost, and are quite proud of their extraordinarily high-performance network. I don't see very many sites paying many times the money to add IDS capabilities to their switches, at least not as yet. Maybe tomorrow.
And if this isn't widely used, it won't enjoy even the mild economies of scale that current switch manufacture enjoys. A switch with IDS built in is a cool concept, particularly since the kind of general-purpose processors that'd be needed would be useable for other things too --- stand back, Deep Crack[1]. But I expect it'd be a fairly expensive SIMD supercomputer.

-Bennett

[1] <URL:http://www.eff.org/>
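The two-path switch Brezinski describes above, modelled as an added Python example (not code from the thread or from either author): a fixed switching path learns and forwards every frame, while the parallel ID path applies run-time-changeable rules and passes on only events or frames of interest, dropping the rest so the IDS sees a reduced stream. The frames, rule predicates and thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_port: int
    syn: bool = False

class Switch:
    def __init__(self, id_rules):
        self.mac_table = {}                 # switching path: learned MAC -> ingress port
        self.id_rules = list(id_rules)      # ID path: (verdict, predicate), changeable at run time
        self.seen_ports = defaultdict(set)  # src_ip -> distinct SYN'd dst ports
        self.stats = Counter()              # frames per ID verdict

    def ingress(self, frame, port):
        # Switching path: learn the source, forward (flood if destination unknown).
        self.mac_table[frame.src_mac] = port
        egress = self.mac_table.get(frame.dst_mac, "flood")
        # ID path: same frame, in parallel; its verdict is all the IDS ever sees.
        verdict = self.analyze(frame)
        self.stats[verdict] += 1
        return egress, verdict

    def analyze(self, frame):
        """First matching rule decides; the rest are dropped from the ID stream, unlogged."""
        if frame.syn:
            self.seen_ports[frame.src_ip].add(frame.dst_port)
        for verdict, predicate in self.id_rules:
            if predicate(frame, self):
                return verdict
        return "drop"

# Constructed run-time rules: event on a probable port scan, hand frames to
# admin ports to a deeper IDS stage, drop everything else.
RULES = [
    ("event:portscan", lambda f, sw: f.syn and len(sw.seen_ports[f.src_ip]) > 30),
    ("to_ids:admin_port", lambda f, sw: f.dst_port in (22, 23, 3389)),
]
def run_demo(n_background=1000):
    """Constructed traffic: HTTPS flows from 50 hosts plus one host probing 40 ports."""
    sw = Switch(RULES)
    for i in range(n_background):
        f = Frame("aa:%02x" % (i % 50), "bb:01", "10.0.0.%d" % (i % 50), 443, syn=(i % 10 == 0))
        sw.ingress(f, port=i % 8)
    for p in range(1, 41):
        sw.ingress(Frame("cc:01", "bb:01", "10.0.9.9", p, syn=True), port=3)
    return sw
```

Of the 1040 frames switched, only 12 reach the IDS (10 scan events and 2 admin-port frames); swapping `RULES` changes the ID path without touching the forwarding logic, which is the flexibility Bennett's reply is concerned about.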