Firewall Wizards mailing list archives
Re: future of IDS
From: David LeBlanc <dleblanc () mindspring com>
Date: Wed, 28 Oct 1998 07:51:39 -0500
At 12:13 PM 9/17/98 -0700, Dominique Brezinski wrote:
> It is quite possible to analyze traffic on a switch, as a matter of fact the switch is already analyzing every frame that comes through. Logging all the traffic that comes through a switch is an entirely different story though. That is why the switch would actually become a data *reduction* point for the IDS. Of course, any analysis and data reduction done by the switch *may* introduce latency depending on the switch architecture. It is quite possible to develop a switch that is capable of doing first level ID analysis and data reduction without introducing latency (think about something like a dedicated ID processor running in parallel with the switching processor). The frames take two paths as they enter the switch: the switching path and the ID path. The switching path gets the frame to its destination port, while the ID path analyzes the frame and either triggers an event, sends the frame to some other portion of the IDS, or drops the frame because it is not significant.
The switch _will_ induce latency - it is inevitable. In the parallel method you mention, you're at least going to have to copy every frame in order to get 2 pipelines. Copying data doesn't come free. Secondly, the switch is typically only looking at the lowest levels of the packet, and so the processing is very fast. In order to have IDS actually running in parallel, your IDS processor would have to have significantly more capability than the routing processor. You might be able to tolerate some latency in the IDS at high traffic levels by having a fairly fat input buffer. Whether or not the latency actually constitutes a problem would depend on the needs of the customer and the design of the system - but it will be there. I would agree with you that this method is far less likely to introduce substantial latencies than a serial system, but serial systems have functional advantages as you point out. TANSTAAFL.

David LeBlanc
dleblanc () mindspring com
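As an added illustration of the copy-cost, buffer-depth and latency trade-off debated above (example code written for this archive page, not part of either poster's message): a toy single-server queue model in which every frame is duplicated into an IDS path that is slower per frame than the switching path. All per-frame costs, the burst pattern and the buffer depths are constructed assumptions in arbitrary time units.

```python
# Added example for this archive page; not code from either poster.
# A toy single-server FIFO model of the "parallel ID path": each frame is
# copied into a bounded IDS input buffer, and the IDS core is slower per
# frame than the switching core. All costs, the burst pattern and the
# buffer depths below are constructed assumptions, in arbitrary time units.
from collections import deque

# Constructed traffic: two bursts of 10 frames, 10 units apart, with an idle gap.
ARRIVALS = list(range(0, 100, 10)) + list(range(400, 500, 10))
SWITCH_COST = 5    # per-frame cost on the switching path
COPY_COST = 1      # extra cost of duplicating the frame into the ID path
IDS_COST = 15      # per-frame cost of first-level ID analysis (slower than arrivals)


def run_path(arrivals, service_cost, buffer_depth=None):
    """Run frames through one single-server FIFO path.

    Returns (latencies, dropped): per-frame delay (completion minus arrival)
    for accepted frames, and the number of frames that found the input buffer
    full. buffer_depth counts queued plus in-service frames; None = unbounded.
    """
    pending = deque()        # completion times of frames not yet finished
    free_at = 0
    latencies, dropped = [], 0
    for t in arrivals:
        while pending and pending[0] <= t:   # frames already done by time t
            pending.popleft()
        if buffer_depth is not None and len(pending) >= buffer_depth:
            dropped += 1                     # buffer full: the IDS never sees it
            continue
        start = max(t, free_at)
        free_at = start + service_cost
        pending.append(free_at)
        latencies.append(free_at - t)
    return latencies, dropped


def compare(buffer_depth):
    """Summarise both paths for one IDS input-buffer depth."""
    sw_lat, _ = run_path(ARRIVALS, SWITCH_COST + COPY_COST)
    ids_lat, ids_drop = run_path(ARRIVALS, IDS_COST, buffer_depth)
    return {
        "switch_max_latency": max(sw_lat),
        "ids_max_latency": max(ids_lat),
        "ids_dropped": ids_drop,
    }


if __name__ == "__main__":
    for depth in (3, 8):    # thin buffer drops frames; fat buffer trades drops for delay
        print(depth, compare(depth))
```

With the thin buffer the ID path silently loses one frame per burst; with the fat buffer nothing is lost but the last frame of each burst is analysed four times later than the switching path delivered it.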