Firewall Wizards mailing list archives

Re: future of IDS


From: Dominique Brezinski <dom_brezinski () securecomputing com>
Date: Thu, 10 Sep 1998 12:38:07 -0700

At 12:24 PM 10/15/98 +1000, Colin Campbell wrote:
Now, after all this preamble, I do actually have a question for the great
minds to ponder. With the likelihood that more and more hubs are going to
disappear and be replaced by switches, where does that leave the humble
IDS that can no longer see all the traffic it needs to, to do its job?

Many switches support the concept of a management or monitoring port. A
management port receives data destined to or sent from any port on the
switch, therefore a sniffer or IDS can be plugged into it and still be
effective. Some switches allow any port to be configured this way, while
most have a specific port that can be allocated to this task.

Another alternative is to put the IDS data collection component on the
switch, which has already been done and is available commercially. Many
switches are just specialized general purpose computing devices, and they
tend to have reasonable amounts of memory and fast processors.

The point you bring up is one of the objections to network-based ID that
many host-based IDS proponents bring up. Obviously host-based IDS does not
suffer in highly segmented networks. A highly segmented network can still
fully support network ID *if* it is architected to do so and the equipment
deployed has the right feature sets. I am not taking sides yet, because
both network and host based ID have limitations in the current commercial
marketplace.

Dominique Brezinski CISSP                   (612)628-5378
Secure Computing        http://www.securecomputing.com
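As an added illustration of the monitoring-port approach described in the reply above (this is not part of the original post and not vendor text), the following is a Cisco IOS local SPAN configuration that mirrors a range of access ports to the port where an IDS sensor is attached. The session number and interface names are assumptions chosen for the example; adjust them to the switch in question.

```text
! Added example: Cisco IOS local SPAN session feeding an IDS sensor.
! Session number and interface names are assumptions for illustration.
!
! Source: the access ports whose traffic the IDS must see, in both
! directions (rx and tx). A VLAN can be used as the source instead of
! an interface range, e.g. "source vlan 10", if the platform supports it.
monitor session 1 source interface FastEthernet0/1 - 23 both
!
! Destination: the port the IDS sensor is plugged into. By default a SPAN
! destination only transmits mirrored frames to the sensor; it does not
! forward anything the sensor sends back into the switch.
monitor session 1 destination interface FastEthernet0/24
!
! Verify that the session is active and the ports are as intended:
! show monitor session 1
```

Two caveats a practitioner should check before relying on this as the IDS feed. First, oversubscription: the destination port has the same bandwidth as one source port, so mirroring 23 ports in both directions into a single port can exceed its capacity, and the switch silently drops the excess; the IDS then has blind spots it cannot report. Mirroring only the direction that matters, or only an uplink or a single VLAN, keeps the mirrored volume within the destination's capacity. Second, the number of SPAN sessions per switch is limited, so the monitoring port is a resource to be allocated deliberately in the network design, which is the point the reply makes about a segmented network needing to be architected for network ID.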


