Firewall Wizards mailing list archives

Re: future of IDS

From: John Ladwig <jladwig () nts umn edu>
Date: Mon, 19 Oct 1998 22:53:20 -0500 (CDT)


On Fri, Oct 16, 1998 at 10:31:36AM -0700, Tupshin Harper wrote:

| 2) With the reality of GB LAN networking nearing the mainstream,
| has anybody(switch vendor or other) speculated on having for
| example a 10/100MB switch that has a GB port that can spit out all
| traffic on all ports for monitoring?  Would seem like an ideal
| solution for the security conscious.

      I don't think sniffing traffic is part of my ideal network
configuration.  A single point of failure of compartmentalization is
not something I want to install.


Point.  However, given the proliferation of network protocols which
have their meat above Layer 3 (NetBIOS/tcp to name one), I really
*want* packet-decode sometimes for IDS purposes.

However, in a public-academic environment, some legal-types get *real*
nervous about sniffing/logging contents of communications.  Not my
counsel, so far, but others' of comparable nature.

      Since others have mentioned hardware trends, let me throw in
another monkey wrench, which is crypto.  When I can route everything
over ssh or IPsec, your network sniffer becomes a traffic analysis
tool, and then keeping up with gigabyte streams is a lot easier.


FWIW, for that we already using the daylights out of the Netflow logs
which spill off the sides of our late-model Cisco gear.

Can be really useful, and the traffic logs come at little cost to the
infrastructure.  Disk space, however, for a network our size, is
substantial if you want to keep records long enough to reasonably
answer "what went bang."  Even if you only do border-traffic logging.
Cross-core traffic logging at the packet level looks like a
substantial (~200~300GB for 2 weeks uncompressed) data volume.

External logs can be very useful as a reality check on possibly-
compromised hosts' logfiles.  They work very nicely in concert with
host-based tools such as the Linux ktcpd mods get inside the packets a
little better and report very nicely on what options packets had set,
and all that.

Which is, I think, where this thread is heading.

    -jml    *works in progress*

Current thread:

Re: future of IDS, (continued)
- - Re: future of IDS Martin W Freiss (Oct 19)
    - Re: future of IDS Owen O'Connor (Oct 23)
  - Message not available
    - Re: future of IDS Bennett Todd (Oct 23)
    - Re: future of IDS Dominique Brezinski (Oct 27)
    - Re: future of IDS Bennett Todd (Oct 28)
    - Re: future of IDS David LeBlanc (Oct 28)
- Re: future of IDS Gigi Sullivan (Oct 16)
  - Re: future of IDS David Lang (Oct 19)
- RE: future of IDS Tupshin Harper (Oct 16)
  - Re: future of IDS Adam Shostack (Oct 19)
    - Re: future of IDS John Ladwig (Oct 23)
  - RE: future of IDS Jonathan Rozes (Oct 19)
- Re: future of IDS Joseph S. D. Yao (Oct 19)
- Re: future of IDS NetSurfer (Oct 19)
- Re: future of IDS cfb (Oct 19)
- Re: future of IDS Vern Paxson (Oct 16)
  - Re: future of IDS Stephen P. Gibbons (Oct 19)
    - Re: future of IDS Crispin Cowan (Oct 23)
    - Re: future of IDS Stephen P. Gibbons (Oct 23)
  - Re: future of IDS Darren Reed (Oct 19)
    - Re: future of IDS Doug Hughes (Oct 23)

(Thread continues...)