IDS mailing list archives
Re: Fw: Promiscuous vs Inline IDS
From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 05 May 2003 17:20:00 -0500
Without knowing more, it's impossible to say. What's your persistent throughput? What speed processor would you be using? Do you plan to use load balancing? What IDS will you be using? Etc., etc.
Promiscuous mode does not affect throughput because it doesn't intrude on the packet stream. It "sits" beside it sniffing everything that goes by. You *can* experience packet loss, but that again depends on a number of factors.
Inline IDS can definitely create a bottleneck because all traffic has to pass through it (depending on where you put it, but I'm assuming you want it at the ingress/egress point of your network.) You need to plan well and be very aware of the capability of the device you decide to use.
--On Wednesday, April 30, 2003 04:40:37 PM +0400 Mustapha Huneyd <mhbengal () yahoo com> wrote:
I was wondering if there are tests conducted to show traffic (bottleneck) patterns for both INLINE & Promiscuous IDS. Also are there tests that highlight differences or similarities in capture patterns for both kinds of IDS? Basically I want to know if an Inline IDS would create a bottleneck in a Fast ethernet / GE network?. For e.g. SNORT inline vs ISS Realsecure or Cisco IDS Mustapha ------------------------------------------------------------------------- ------ Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attack occurs? No? No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false positives disappear. http://www.securityfocus.com/StillSecure-focus-ids2 ------------------------------------------------------------------------- ------
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu ------------------------------------------------------------------------------- Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attackoccurs? No? No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false
positives disappear. http://www.securityfocus.com/StillSecure-focus-ids2 -------------------------------------------------------------------------------
Current thread:
- Fw: Promiscuous vs Inline IDS Mustapha Huneyd (May 04)
- Re: Fw: Promiscuous vs Inline IDS Paul Schmehl (May 06)
- Re: Fw: Promiscuous vs Inline IDS Dener L. Martins (May 07)