nanog mailing list archives

[no subject]



Asymmetric routes cause problems for IDSs that just watch a span
port or use a tap, as sessions get lost and alerts can't be
correlated as easily.

The idea being that a sensor sees a trigger, it alerts, and
either the source gets statically routed to a tunnel interface,
or, depending on capacity and where the sensor is located,
it just routes the traffic's source network through the
monitoring network.

It's like diverting part of a stream. From what we have been seeing
in the papers, it isn't the data collection that is the difficult
part anyway, it's the administrative overhead and knowledge 
management that needs all the resources. When people criticize
these plans, they tend to attack the challenges of data collection. 

I think the technical challenges that data collection poses are 
overblown and serve as kind of a red herring that diverts attention
from the larger ethical (non-operational) problems of data aggregation
and response. 

-- 
batz
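An added illustration of the two points above (the asymmetric-route visibility problem, and trigger-driven diversion of the alerting source's network through the monitoring path). This is example code written for this archive page, not anything from batz's post or from NANOG; the packet list, the `Router`/`sensor_view`/`correlate`/`divert_source` names, the path labels and the /24 diversion prefix length are all constructed assumptions.

```python
import ipaddress

# Constructed sample traffic: (src_ip, dst_ip, tcp_flag). Two clients in the
# customer space 10.0.0.0/8 open sessions to a server at 192.0.2.10.
PACKETS = [
    ("10.1.2.3", "192.0.2.10", "SYN"),
    ("192.0.2.10", "10.1.2.3", "SYN-ACK"),
    ("10.1.2.3", "192.0.2.10", "ACK"),
    ("10.9.9.9", "192.0.2.10", "SYN"),
    ("192.0.2.10", "10.9.9.9", "SYN-ACK"),
]
CLIENT_SPACE = ipaddress.ip_network("10.0.0.0/8")  # assumed customer prefix
MONITOR_PATH = "monitor"   # the link/tunnel the sensor taps (assumed label)
MAX_DIVERTED = 8           # assumed capacity limit on diverted prefixes


class Router:
    """Minimal longest-prefix-match table; every route names an outgoing path."""

    def __init__(self, default_path):
        self.routes = []  # list of (ip_network, path)
        self.default = default_path

    def add_static(self, prefix, path):
        self.routes.append((ipaddress.ip_network(prefix), path))

    def path_for(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        matches = [(n.prefixlen, p) for n, p in self.routes if ip in n]
        return max(matches)[1] if matches else self.default


def sensor_view(packets, router, tapped_path=MONITOR_PATH):
    """Packets the sensor actually observes.

    The ingress direction (client -> server) always crosses the tapped link.
    The return direction follows the core routing table, so with the default
    route it takes an untapped path and the sensor never sees it (asymmetry).
    """
    seen = []
    for src, dst, flag in packets:
        if ipaddress.ip_address(src) in CLIENT_SPACE:
            seen.append((src, dst, flag))
        elif router.path_for(dst) == tapped_path:
            seen.append((src, dst, flag))
    return seen


def correlate(seen):
    """Count sessions where both the SYN and the matching SYN-ACK were observed."""
    syn = {(s, d) for s, d, f in seen if f == "SYN"}
    synack = {(d, s) for s, d, f in seen if f == "SYN-ACK"}  # normalised to (client, server)
    return {"complete": len(syn & synack), "half": len(syn ^ synack)}


def divert_source(router, alert_src, prefixlen=24, tapped_path=MONITOR_PATH):
    """On a trigger, statically route the alerting source's network back through
    the monitoring path so the return direction becomes visible as well.
    Refuses (returns None) once the assumed diversion capacity is used up."""
    diverted = [n for n, p in router.routes if p == tapped_path]
    if len(diverted) >= MAX_DIVERTED:
        return None
    net = ipaddress.ip_network(f"{alert_src}/{prefixlen}", strict=False)
    router.add_static(str(net), tapped_path)
    return str(net)


def demo():
    """Correlation results before and after diverting 10.1.2.0/24."""
    router = Router(default_path="core")          # return traffic defaults to an untapped path
    before = correlate(sensor_view(PACKETS, router))
    divert_source(router, "10.1.2.3")             # sensor alerted on this source
    after = correlate(sensor_view(PACKETS, router))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Before diversion the sensor sees two SYNs and no SYN-ACKs, so neither session correlates; after the /24 of the alerting source is pinned to the monitoring path, that client's return traffic also crosses the tap and its handshake correlates, while the non-diverted client still shows only a half session. The capacity guard is the "depending on capacity" caveat from the post made explicit: each diverted prefix pulls more return traffic onto the monitoring network.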

