IDS mailing list archives

Re: IPS and Trunking


From: levinson_k () securityadmin info
Date: 8 Feb 2007 18:06:28 -0000

That isn't a feature of the IDS, it's a feature of the switch.  The IDS just sniffs whatever passes by its network 
interface.  This has been a common basic feature of most switches for years, usually using the term span port or mirror 
port.  

There are some plusses and minuses with this approach as compared with the other popular alternative of using a network 
tap, e.g. it's cheaper, but you could run the risk of missing packets on busy switches where the total throughput 
exceeds the throughput of that switch port.

I'm not sure you would want to do this with an IPS.  IPS functionality requires that traffic pass through it, e.g. that 
it be installed inline on just one network segment, or else it will be unable to reliably stop traffic e.g. 
"prevention."  IDS/IPS can attempt to stop threats via "active response" where for example a spoofed TCP Reset packet 
is sent to try to close the connection, but this is not guaranteed to always work, and you want to enable it sparingly 
to avoid having false positives shutting down legitimate traffic.  On the other hand, inline IPS typically means you 
can monitor and protect fewer connections, which means more devices and more money compared to IDS spanning multiple 
networks.


kind regards,
Karl Levinson
http://securityadmin.info
