IDS mailing list archives

Re: Fw: Promiscuous vs Inline IDS

From: Paul Schmehl <pauls () utdallas edu>
Date: Mon, 05 May 2003 17:20:00 -0500

Without knowing more, it's impossible to say. What's your persistentthroughput? What speed processor would you be using? Do you plan to useload balancing? What IDS will you be using? Etc., etc.

Promiscuous mode does not affect throughput because it doesn't intrude onthe packet stream. It "sits" beside it sniffing everything that goes by.You *can* experience packet loss, but that again depends on a number offactors.

Inline IDS can definitely create a bottleneck because all traffic has topass through it (depending on where you put it, but I'm assuming you wantit at the ingress/egress point of your network.) You need to plan well andbe very aware of the capability of the device you decide to use.

--On Wednesday, April 30, 2003 04:40:37 PM +0400 Mustapha Huneyd<mhbengal () yahoo com> wrote:


I was wondering if there are tests conducted to show traffic (bottleneck)
patterns for both INLINE & Promiscuous IDS. Also are there tests that
highlight differences or similarities in capture patterns for both kinds
of IDS? Basically I want to know if an Inline IDS would create a
bottleneck in a Fast ethernet / GE network?.

For e.g. SNORT inline vs ISS Realsecure or Cisco IDS

Mustapha


-------------------------------------------------------------------------
------ Can you respond to attacks based on attack type, severity, source
IP, destination IP, number of times attacked, or the time of day an attack
occurs? No?
No wonder why you're swamped with false positives!
Download a free 15-day trial of Border Guard and watch your false
positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------
------




Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

-------------------------------------------------------------------------------
Can you respond to attacks based on attack type, severity, source IP,
destination IP, number of times attacked, or the time of day an attack

occurs? No?No wonder why you're swamped with false positives!Download a free 15-day trial of Border Guard and watch your false

positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2
-------------------------------------------------------------------------------

Current thread:

Fw: Promiscuous vs Inline IDS Mustapha Huneyd (May 04)
- Re: Fw: Promiscuous vs Inline IDS Paul Schmehl (May 06)
- Re: Fw: Promiscuous vs Inline IDS Dener L. Martins (May 07)