Firewall Wizards mailing list archives

Re: future of IDS


From: "Ryan Russell" <ryanr () sybase com>
Date: Wed, 28 Oct 1998 22:49:22 -0800

Nah.  Plugging my sniffer in between a couple of devices doesn't
add any latency.  Designing a Y-splitter into your switch.. one
direction to the switch engine, one to the IDS engine, wouldn't
add any latency to the switch function.... You'll just need a hell
of an IDS engine.

Copying the data CAN be free... processing it two ways won't be.

Your statement is perfectly valid for switches that exist today,
but there's no reason one couldn't design one with monitoring in
mind...  It would just be too expensive, and no one would buy
it is all.

                    Ryan
The switch _will_ induce latency - it is inevitable.  In the parallel
method you mention, you're at least going to have to copy every frame in
order to get 2 pipelines.  Copying data doesn't come free.  Secondly, the
switch is typically only looking at the lowest levels of the packet, and so
the processing is very fast.  In order to have IDS actually running in
parallel, your IDS processor would have to have significantly more
capability than the routing processor.  You might be able to tolerate some
latency in the IDS at high traffic levels by having a fairly fat input
buffer.  Whether or not the latency actually constitutes a problem would
depend on the needs of the customer and the design of the system - but it
will be there.  I would agree with you that this method is far less likely
to introduce substantial latencies than a serial system, but serial systems
have functional advantages as you point out.
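The two positions above (a Y-split to a separate IDS engine that adds no forwarding latency versus the quoted point that an inline or parallel IDS must either keep up with the switch or buffer and eventually fall behind) can be made concrete with a small queueing model. The following Python script is an added example, not code from the thread or from either poster; the frame timings, per-frame costs, buffer size and the single-switch/single-IDS topology are constructed assumptions chosen only to illustrate the trade-off.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class SimResult:
    max_forward_latency: float  # worst-case delay from arrival to forwarding
    ids_inspected: int          # frames the IDS actually examined
    ids_dropped: int            # copies discarded because the IDS buffer was full


def simulate(arrivals: List[float], switch_cost: float, ids_cost: float,
             buffer_size: int, serial: bool) -> SimResult:
    """Replay frame arrivals through a one-switch, one-IDS model.

    serial=True : inline placement; a frame is forwarded only after the IDS
                  has finished with it (unbounded IDS queue, i.e. backpressure
                  rather than drops).
    serial=False: tap / Y-split placement; the switch forwards immediately and a
                  copy is queued for the IDS. The copy is dropped when the IDS
                  buffer already holds `buffer_size` frames (counting the one
                  currently being inspected). Forwarding is never delayed.
    All costs and times are in abstract, constructed time units.
    """
    switch_free = 0.0           # time at which the switch engine is idle again
    ids_free = 0.0              # time at which the IDS engine is idle again
    pending: List[float] = []   # IDS finish times of frames still in its buffer
    max_latency = 0.0
    inspected = dropped = 0

    for t in arrivals:
        if serial:
            # Frame waits for the IDS, then for the switch engine.
            ids_free = max(t, ids_free) + ids_cost
            inspected += 1
            switch_free = max(ids_free, switch_free) + switch_cost
        else:
            # Switch forwards as soon as it is free; the IDS gets a copy.
            switch_free = max(t, switch_free) + switch_cost
            pending = [f for f in pending if f > t]   # frames already finished leave the buffer
            if len(pending) >= buffer_size:
                dropped += 1                            # IDS loses visibility, traffic still flows
            else:
                ids_free = max(t, ids_free) + ids_cost
                pending.append(ids_free)
                inspected += 1
        max_latency = max(max_latency, switch_free - t)

    return SimResult(max_latency, inspected, dropped)


# Constructed scenario: one frame per time unit, the switch needs 0.5 per
# frame, the IDS needs 2 per frame (slower than line rate), 3-frame IDS buffer.
ARRIVALS = [float(i) for i in range(10)]


def run_serial() -> SimResult:
    return simulate(ARRIVALS, switch_cost=0.5, ids_cost=2.0, buffer_size=3, serial=True)


def run_parallel() -> SimResult:
    return simulate(ARRIVALS, switch_cost=0.5, ids_cost=2.0, buffer_size=3, serial=False)


if __name__ == "__main__":
    print("inline :", run_serial())     # latency grows with every frame, nothing dropped
    print("tap    :", run_parallel())   # latency stays at 0.5, but the IDS misses frames
```

Under these assumptions the inline placement forwards every frame but the worst-case forwarding delay climbs to 11.5 units by the tenth frame, while the tap placement holds forwarding delay at the switch's own 0.5 units and instead silently drops three of the ten copies once the IDS buffer fills. Raising `buffer_size` only postpones the drops when `ids_cost` exceeds the arrival interval; the detection-side lesson is that an out-of-band sensor needs its own drop counters monitored, because the switch will never report them.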