Firewall Wizards mailing list archives

RE: future of IDS


From: Doug Hughes <doug () Eng Auburn EDU>
Date: Sun, 18 Oct 1998 22:04:55 -0500 (CDT)


> Not an ignorant question... Definitely a problem in a fair number of cases.
> Question: does every machine on your net have its own port on a hub? If
> so... then there is no easy answer. My general approach has been to have
> every port of a switch branch out to a hub (10 or 100MB depending on the
> machines on that segment), and have one port on each hub running back to a
> dedicated machine with as many NICs as necessary to monitor each segment. A
> possible alternative would depend on your machines running Windows (95, NT,
> or 98), and using Microsoft's Network Monitor, which can monitor traffic on
> a remote machine that has the network monitor agent installed.

> Two questions for this crowd:
> 1) Anybody know of an equivalent remote packet dump/analysis program for
> unix?
What difference would there be between this and remotely logging into
the machine and running tcpdump or snoop or whatever? That would seem
to be more efficient than redirecting the entire packet stream back
along the channel you are using.

> 2) With the reality of GB LAN networking nearing the mainstream, has
> anybody (switch vendor or other) speculated on having, for example, a 10/100MB
> switch that has a GB port that can spit out all traffic on all ports for
> monitoring? Would seem like an ideal solution for the security conscious.


I believe that most switch vendors do this already. I know that
both 3Com and Cisco support this on some if not all of their
switches. You select a port and replicate the traffic on it out
another port.
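The remote-login-and-run-tcpdump approach suggested above has one practical snag worth showing: if the monitoring host's capture interface also carries the ssh session that is shipping the capture back, the capture picks up its own transfer and grows without bound. The script below is an added example, not code from the original thread or from any poster; it assumes ssh access to a monitoring host with tcpdump installed, and the hostnames and addresses in it are placeholders. It builds a header-only capture command that excludes the analyst's own address, then streams the raw pcap over ssh into a local tcpdump for decoding.

```shell
#!/bin/sh
# Added example (not from the original thread): stream a packet capture from a
# remote monitoring host back to the analyst box over ssh, keeping the ssh
# session's own packets out of the capture so the transfer does not capture
# itself. Assumes: ssh access to the monitor host and tcpdump installed there.
# Hostnames and IP addresses are placeholders.

# Build the tcpdump invocation that runs on the monitor host.
#   $1 capture interface on the monitor host (e.g. eth1)
#   $2 analyst IP address whose traffic must be excluded from the capture
#   $3 snaplen in bytes (default 96): header-only captures keep the stream small
remote_capture_cmd() {
    iface=$1
    analyst=$2
    snaplen=${3:-96}
    # -w - writes raw pcap to stdout; the 'not host' filter keeps the ssh
    # channel carrying this very capture from being re-captured in a loop.
    printf "tcpdump -n -i %s -s %s -w - 'not host %s'" "$iface" "$snaplen" "$analyst"
}

# Run the capture over ssh and feed it to a local tcpdump for live decoding.
#   $1 monitor host, $2 capture interface, $3 analyst IP, $4 optional snaplen
run_remote_capture() {
    monitor=$1
    cmd=$(remote_capture_cmd "$2" "$3" "$4")
    # -C compresses the channel, which helps when the segment being watched
    # is busier than the uplink back to the analyst.
    ssh -C "$monitor" "$cmd" | tcpdump -n -r -
}

# Usage (commented out so the script can be sourced without side effects):
# run_remote_capture monitor.example.net eth1 10.0.0.5
```

On a switched network the capture interface named here would be the NIC hanging off the port that the switch mirrors traffic to, as described above; the filter and snaplen choices are what keep the monitoring host from becoming a bigger source of traffic than the segment it is watching.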


