Re: future of IDS

[Gigi Sullivan <sullivan () seclab com>]

Hello to all ;)

On Thu, 15 Oct 1998, Colin Campbell wrote:

> Date: Thu, 15 Oct 1998 12:24:24 +1000 (EST)
> From: Colin Campbell <sgcccdc () citec qld gov au>
> To: firewall-wizards () nfr net
> Subject: future of IDS
>
> Hi,
>
> (may show some ignorance here so be gentle :-)
>
> Our firewall sits between two networks. The "external" houses lots of
> internet-visible web servers, much as one would expect. The internal net
> houses intranet servers. Up until recently, these nets were just plain old
> hubs. They also suffered from consistent 10% collision rates. Everyone was
> hurting.
>
> Consequently, we replaced these hubs with switches. Network performance is
> great. No collisions, the machines that can talk at 100Mb do, all is well
> with the world. Well, almost. I tried snooping some traffic between two
> machines and when I saw nothing, the difference between hubs and switches
> suddenly dawned on me.
>
> Now, after all this preamble, I do actually have a question for the great
> minds to ponder. With the likelihood that more and more hubs are going to
> disappear and be replaced by switches, where does that leave the humble

Uhm why are you saying so ? HUBs and swithes are not really the same
things. Sometimes you need HUB, sometime you need switch, imho.

> IDS that can no longer see all the traffic it needs to, to do its job?

I really don't remember the 'technical word', however you can configure a
switch's port to 'grabb' all the traffic that pass through the other
ports, hence acting like a 'one port' HUB.

> Colin

Bye bye


                        -- gg sullivan


--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com