Re: future of IDS

[Doug Hughes <Doug.Hughes () Eng Auburn EDU>]

> In some email I received from Doug Hughes, sie wrote:
> > > 2) With the reality of GB LAN networking nearing the mainstream, has
> > > anybody(switch vendor or other) speculated on having for example a 10/100MB
> > > switch that has a GB port that can spit out all traffic on all ports for
> > > monitoring?  Would seem like an ideal solution for the security conscious.
> >
> > I believe that most switch vendors do this already. I know that
> > both 3com and cisco support this on some if not all of their 
> > switches. You select a port and replicate the traffic on it out
> > another port.
>
> I think you misread the question.  He's asking if there is a port
> rated at 1GB/s+ which you can connect upto and receive _all_ the
> traffic.  All the switches I've seen have standard 10/100BaseT
> ports which you can select to be the monitor ports.
In theory you should be able to do this with a 100Mbit switch with say
a 1G uplink port. In practice, it looks like most switches let you choose
1 and only 1 port to mirror to another port for analysis.

> *Maybe* if you had something like one of the 3Com stackable switches
> and rather than plug another switch in using their custom daisy chain
> cable you plugged in your monitor THEN you might get what he's asking
> about.  HOWEVER, I don't know of anything that can run at that speed
> or do anything useful with data at anything close to that speed.  If
> there is, someone please enlighten us.
Those matrix connections are like 8GB (FD). There is no machine that you
can plug into one of those, even if 3com were willing to divulged how
they do it (which I doubt - it gives them marketing edge in stackable arena)

> *If* they are spitting out a copy of _all_ the traffic through a single
> port then they *must* slow the switch down so that the entire throughput
> is no longer in excess of 100MBit/sec and hence it is no longer a true
> gigabit-switch (so why pay all that money ?).

Well, that's just it. They only allow you to copy 1 port (in the case of
3com and I think cisco too). But, they do have 100Mbit switches with
Gig uplinks (3300 for example). The backplane/matrix should be MORE than capable
of handling it.. you're unlikely to have all ports at 100% capacity.
The 3500, as another example (though more of a small datacenter switch),
has like a 24Gb backplane or something obscene like that..

You'd need some mighty fine hardware to try to analyze that! (talking about
taking a sip out of a firehose)

--
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
                        doug () eng auburn edu