Firewall Wizards mailing list archives

Re: future of IDS


From: cfb <cfb () ocn21 kdd-ok ne jp>
Date: Sat, 17 Oct 1998 14:44:00 +0000

Colin Campbell wrote:

Hi,

[...]
Now, after all this preamble, I do actually have a question for the great
minds to ponder. With the likelihood that more and more hubs are going to
disappear and be replaced by switches, where does that leave the humble
IDS that can no longer see all the traffic it needs to, to do its job?

Most switches have some sort of policy routing mechanism (and the higher
end switches even have bandwidth management features, as well).  I
suppose that it is up to the network implementer to build a network
capable of funneling internal corporate traffic through a choke point
where an IDS system can effectively listen to all that it needs to.  I
thought that's what gigabit ethernet building backbones and VLANs were
all about (and you thought the extra bandwidth was for carrying voice
and video...).  One thing is for sure: all switches are not created
equally and some network architectures are more mature than others. 
Choose your weapons carefully.

Personally, I'm not sure that I would want an IDS system paying
attention to all the traffic generated internal to a single corporate
office.  The interest level starts becoming significant at inter-office
communication level.  Obviously all traffic external to the enterprise
needs to be monitored.  In my opinion, where things start getting
interesting is when workgroups have highly disparate geographic
locations.  You may call me old school, but geographically disparate ==
the need to be monitored.  Building a corporate IDS system, which might
involve multiple, distributed IDS boxes all over the world connected by
slow, uncovered communications is a significant undertaking (which is
why people still earn a decent income doing it...  "hard" is where the
money is; in this business, though, "hard" seems to have a half life of
about 5 years).
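
As an added illustration, not part of cfb's reply or Colin Campbell's question: the usual way to give a sensor the visibility a hub used to provide for free is a mirror (SPAN) port on the switch, i.e. the "choke point" is built on the switch itself rather than in the cabling. The configuration below is hypothetical Cisco IOS-style syntax with made-up VLAN numbers and interface names; it assumes VLAN 10 holds workstations, VLAN 20 holds servers, and the IDS sensor hangs off GigabitEthernet0/24.

```cisco
! Added example, not from the original post. VLAN and port numbers are invented.
! Copy both directions of VLAN 10 and VLAN 20 to the port the IDS sensor listens on.
monitor session 1 source vlan 10 both
monitor session 1 source vlan 20 both
monitor session 1 destination interface GigabitEthernet0/24
!
! The sensor port carries only mirrored copies; it needs no IP address.
interface GigabitEthernet0/24
 description IDS sensor (SPAN destination)
 no ip address
 no shutdown
```

The practitioner's caveat, and the reason "all switches are not created equally": a mirror port is easily oversubscribed. Each full-duplex gigabit source can contribute up to 2 Gbit/s (both directions) toward a single 1 Gbit/s destination, so under load the switch silently drops mirrored frames and the IDS misses exactly the traffic it was deployed to see. Mirror only the VLANs or uplinks that matter, or give the sensor a faster port than any single source it watches.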
