IDS mailing list archives
Re: IPS and Trunking
From: levinson_k () securityadmin info
Date: 8 Feb 2007 18:06:28 -0000
That isn't a feature of the IDS, it's a feature of the switch. The IDS just sniffs whatever passes by its network interface. This has been a common basic feature of most switches for years, usually using the term span port or mirror port. There are some plusses and minuses with this approach as compared with the other popular alternative of using a network tap, e.g. it's cheaper, but you could run the risk of missing packets on busy switches where the total throughput exceeds the throughput of that switch port. I'm not sure you would want to do this with an IPS. IPS functionality requires that traffic pass through it, e.g. that it be installed inline on just one network segment, or else it will be unable to reliably stop traffic e.g. "prevention." IDS/IPS can attempt to stop threats via "active response" where for example a spoofed TCP Reset packet is sent to try to close the connection, but this is not guaranteed to always work, and you want to enable it sparingly to avoid having false positives shutting down legitimate traffic. On the other hand, inline IPS typically means you can monitor and protect fewer connections, which means more devices and more money compared to IDS spanning multiple networks. kind regards, Karl Levinson http://securityadmin.info ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- IPS and Trunking trav_2 (Feb 08)
- RE: IPS and Trunking Andrew Plato (Feb 08)
- Re: IPS and Trunking Eric Hines (Feb 08)
- Re: IPS and Trunking Gary Halleen (Feb 12)
- RE: IPS and Trunking John Coke (Feb 12)
- Re: IPS and Trunking Eric Hines (Feb 08)
- Re: IPS and Trunking Paul daSilva (Feb 08)
- Re: IPS and Trunking Jason (Feb 12)
- <Possible follow-ups>
- Re: IPS and Trunking levinson_k (Feb 08)
- RE: IPS and Trunking Andy Cuff (Feb 08)
- RE: IPS and Trunking Michaelson, Andrew J (Feb 12)
- RE: IPS and Trunking Chris Brown (Feb 12)
- RE: IPS and Trunking Luis Lopez Sanchez (Feb 13)
- Re: RE: IPS and Trunking vijay . upadhyaya (Feb 15)
- RE: IPS and Trunking Andrew Plato (Feb 08)