Re: future of IDS

[David Lang <dlang () diginsite com>]

-----BEGIN PGP SIGNED MESSAGE-----

the problem with monitor port on switches is that if you have a fair size
office the total bandwidth of traffic that goes through the switch can
easily be higher then the speed of the port you are monitoring on (yes I
know gigabit ports are now available, but even these can be overflowed,
and what IDS even claims to be able to handle gigabit speeds). Monitor
ports may work at the lower end but not in larger settings where they are
more likly to be desired.

David Lang


On Fri, 16 Oct 1998, Gigi Sullivan wrote:

> Date: Fri, 16 Oct 1998 19:30:10 +0200 (CEST)
> From: Gigi Sullivan <sullivan () seclab com>
> To: Colin Campbell <sgcccdc () citec qld gov au>
> Cc: firewall-wizards () nfr net
> Subject: Re: future of IDS
>
>
> Hello to all ;)
>
> On Thu, 15 Oct 1998, Colin Campbell wrote:
>
> > Date: Thu, 15 Oct 1998 12:24:24 +1000 (EST)
> > From: Colin Campbell <sgcccdc () citec qld gov au>
> > To: firewall-wizards () nfr net
> > Subject: future of IDS
> >
> > Hi,
> >
> > (may show some ignorance here so be gentle :-)
> >
> > Our firewall sits between two networks. The "external" houses lots of
> > internet-visible web servers, much as one would expect. The internal net
> > houses intranet servers. Up until recently, these nets were just plain old
> > hubs. They also suffered from consistent 10% collision rates. Everyone was
> > hurting.
> >
> > Consequently, we replaced these hubs with switches. Network performance is
> > great. No collisions, the machines that can talk at 100Mb do, all is well
> > with the world. Well, almost. I tried snooping some traffic between two
> > machines and when I saw nothing, the difference between hubs and switches
> > suddenly dawned on me.
> >
> > Now, after all this preamble, I do actually have a question for the great
> > minds to ponder. With the likelihood that more and more hubs are going to
> > disappear and be replaced by switches, where does that leave the humble
>
> Uhm why are you saying so ? HUBs and swithes are not really the same
> things. Sometimes you need HUB, sometime you need switch, imho.
>
> > IDS that can no longer see all the traffic it needs to, to do its job?
>
> I really don't remember the 'technical word', however you can configure a
> switch's port to 'grabb' all the traffic that pass through the other
> ports, hence acting like a 'one port' HUB.
>
> > Colin
>
> Bye bye
>
>
>                       -- gg sullivan
>
>
> --
> Lorenzo Cavallaro
> Intesis SECURITY LAB            Phone: +39-2-671563.1
> Via Settembrini, 35             Fax: +39-2-66981953
> I-20124 Milano  ITALY           Email: sullivan () seclab com

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNifk6j7msCGEppcbAQFPVggApcHIMyxN6NZ4ginlMBatNa1tuB0koWzE
LfLFCkNP1fOVfXEJOaf66J38tV77bYG/uFnoPhlBQWRD/do9ZS+FXu7e629J9Uzh
CCUs/1bzvaBwskRHulbHhjR539QLA/Hg7eiSmVHCaEzpY6ADZramMeYM5JGDG0J8
0Z2mwWQsuqWdu+Qe+FTPaDUwuHNZ/3+H4kZ+DZLZ/mk1UEZ82qax2HYLdHFNBjSL
7q4Hjqi/xqcMt/647qyKSEHDCkdBdwxUCOl4NohBRjYs5k+/RD/cDu8ogqesKcja
sIuudIyv1RfMPlSqaPR5kLTh+TX1mb67e4nqciwjkZ68j9dC7gk+nQ==
=g9uR
-----END PGP SIGNATURE-----