Firewall Wizards mailing list archives
Re: future of IDS
From: John Ladwig <jladwig () nts umn edu>
Date: Mon, 19 Oct 1998 22:53:20 -0500 (CDT)
On Fri, Oct 16, 1998 at 10:31:36AM -0700, Tupshin Harper wrote:
| 2) With the reality of GB LAN networking nearing the mainstream, | has anybody(switch vendor or other) speculated on having for | example a 10/100MB switch that has a GB port that can spit out all | traffic on all ports for monitoring? Would seem like an ideal | solution for the security conscious. I don't think sniffing traffic is part of my ideal network configuration. A single point of failure of compartmentalization is not something I want to install.
Point. However, given the proliferation of network protocols which have their meat above Layer 3 (NetBIOS/tcp to name one), I really *want* packet-decode sometimes for IDS purposes. However, in a public-academic environment, some legal-types get *real* nervous about sniffing/logging contents of communications. Not my counsel, so far, but others' of comparable nature.
Since others have mentioned hardware trends, let me throw in another monkey wrench, which is crypto. When I can route everything over ssh or IPsec, your network sniffer becomes a traffic analysis tool, and then keeping up with gigabyte streams is a lot easier.
FWIW, for that we already using the daylights out of the Netflow logs which spill off the sides of our late-model Cisco gear. Can be really useful, and the traffic logs come at little cost to the infrastructure. Disk space, however, for a network our size, is substantial if you want to keep records long enough to reasonably answer "what went bang." Even if you only do border-traffic logging. Cross-core traffic logging at the packet level looks like a substantial (~200~300GB for 2 weeks uncompressed) data volume. External logs can be very useful as a reality check on possibly- compromised hosts' logfiles. They work very nicely in concert with host-based tools such as the Linux ktcpd mods get inside the packets a little better and report very nicely on what options packets had set, and all that. Which is, I think, where this thread is heading. -jml *works in progress*
Current thread:
- Re: future of IDS, (continued)
- Re: future of IDS Martin W Freiss (Oct 19)
- Re: future of IDS Owen O'Connor (Oct 23)
- Message not available
- Re: future of IDS Bennett Todd (Oct 23)
- Re: future of IDS Dominique Brezinski (Oct 27)
- Re: future of IDS Bennett Todd (Oct 28)
- Re: future of IDS David LeBlanc (Oct 28)
- Re: future of IDS Martin W Freiss (Oct 19)
- Re: future of IDS David Lang (Oct 19)
- Re: future of IDS Adam Shostack (Oct 19)
- Re: future of IDS John Ladwig (Oct 23)
- RE: future of IDS Jonathan Rozes (Oct 19)
- Re: future of IDS Stephen P. Gibbons (Oct 19)
- Re: future of IDS Crispin Cowan (Oct 23)
- Re: future of IDS Stephen P. Gibbons (Oct 23)
- Re: future of IDS Doug Hughes (Oct 23)