Firewall Wizards mailing list archives

RE: future of IDS


From: "Tupshin Harper" <tupshin () tupshin com>
Date: Fri, 16 Oct 1998 10:31:36 -0700

Not an ignorant question...Definitely a problem in a fair number of cases.
Question: does every machine on your net have its own port on a hub?  If
so...then there is no easy answer.  My general approach has been to have
every port of a switch branch out to a hub (10 or 100MB depending on the
machines on that segment), and have one port on each hub running back to a
dedicated machine with as many NICs as necessary to monitor each segment.  A
possible alternative would depend on your machines running Windows (95, NT,
or 98), and using Microsoft's Network Monitor which can monitor traffic on
a remote machine that has the network monitor agent installed.

Two questions for this crowd:
1) Anybody know of an equivalent remote packet dump/analysis program for
unix?
2) With the reality of GB LAN networking nearing the mainstream, has
anybody (switch vendor or other) speculated on having for example a 10/100MB
switch that has a GB port that can spit out all traffic on all ports for
monitoring?  Would seem like an ideal solution for the security conscious.

-Tupshin Harper
-Programmer/Network Administrator
-Studio Verso

-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of Colin Campbell
Sent: Wednesday, October 14, 1998 7:24 PM
To: firewall-wizards () nfr net
Subject: future of IDS


Hi,

(may show some ignorance here so be gentle :-)

Our firewall sits between two networks. The "external" houses lots of
internet-visible web servers, much as one would expect. The internal net
houses intranet servers. Up until recently, these nets were just plain old
hubs. They also suffered from consistent 10% collision rates. Everyone was
hurting.

Consequently, we replaced these hubs with switches. Network performance is
great. No collisions, the machines that can talk at 100Mb do, all is well
with the world. Well, almost. I tried snooping some traffic between two
machines and when I saw nothing, the difference between hubs and switches
suddenly dawned on me.

Now, after all this preamble, I do actually have a question for the great
minds to ponder. With the likelihood that more and more hubs are going to
disappear and be replaced by switches, where does that leave the humble
IDS that can no longer see all the traffic it needs to, to do its job?

Colin
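The visibility problem the thread describes (a sniffer on a hub sees every frame, a sniffer on a switch port sees only broadcasts and frames addressed to it, and a mirror port that copies all traffic restores the IDS's view) can be made concrete with a toy forwarding model. This is an added illustration, not code from either poster; the MAC addresses, port numbers and frame sequence below are constructed sample values, and the `LearningSwitch` is a deliberately minimal transparent bridge rather than any vendor's implementation.

```python
"""Toy model of hub vs. learning switch vs. switch with a mirror port,
showing how many frames a passive sniffer on one port actually sees.
Added example; all MACs, ports and frames are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str  # source MAC (constructed)
    dst: str  # destination MAC; BROADCAST means flood to all


class Hub:
    """A repeater: every frame arriving on one port is copied to all others."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return {p for p in self.ports if p != in_port}


class LearningSwitch:
    """A transparent bridge: learns source MAC -> port, sends known unicast
    only to the learned port, floods broadcast and unknown unicast.  If
    `mirror_to` is set, that port also gets a copy of every frame, which is
    the "one port that spits out all traffic" idea from the thread."""

    def __init__(self, ports, mirror_to=None):
        self.ports = list(ports)
        self.mirror_to = mirror_to
        self.mac_table = {}  # MAC -> port, filled in as frames are seen

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port  # learn where the sender lives
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            out = {p for p in self.ports if p != in_port}  # flood
        else:
            out = {self.mac_table[frame.dst]}
            out.discard(in_port)
        if self.mirror_to is not None and self.mirror_to != in_port:
            out.add(self.mirror_to)  # mirror port sees everything
        return out


def frames_seen_by(device, monitor_port, traffic):
    """Count frames of `traffic` (list of (in_port, Frame)) delivered to
    `monitor_port`, where the sniffer/IDS NIC is attached."""
    return sum(1 for in_port, f in traffic
               if monitor_port in device.forward(in_port, f))


def sample_traffic():
    """Constructed sample: host A on port 1, host B on port 2, sniffer on 3."""
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    return [
        (1, Frame(a, BROADCAST)),  # A's ARP request: who has B?
        (2, Frame(b, a)),          # B answers; switch now knows both hosts
        (1, Frame(a, b)),          # unicast conversation the sniffer misses
        (2, Frame(b, a)),
        (1, Frame(a, b)),
    ]


def compare(monitor_port=3):
    """Frames the sniffer sees out of the 5 in sample_traffic() per device."""
    ports = [1, 2, 3]
    traffic = sample_traffic()
    return {
        "hub": frames_seen_by(Hub(ports), monitor_port, traffic),
        "switch": frames_seen_by(LearningSwitch(ports), monitor_port, traffic),
        "switch_with_mirror": frames_seen_by(
            LearningSwitch(ports, mirror_to=monitor_port), monitor_port, traffic),
    }


if __name__ == "__main__":
    print(compare())
```

Running `compare()` shows the sniffer on the plain switch only sees the initial broadcast (1 of 5 frames), while the hub and the mirrored switch port deliver all 5. The same model also makes the operational caveat visible: a mirror port carrying the sum of all other ports' traffic needs more bandwidth than any single source port, which is exactly why the thread asks for a gigabit monitor port on a 10/100 switch.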