Great Circle Associates Firewalls
(December 1997)


Subject: Re: Intrusion Detection - Switched Network
From: blast <blast @ broder . com>
Date: Tue, 30 Dec 1997 11:36:03 -0800 (PST)
To: "Paul D. Robertson" <proberts @ clark . net>
Cc: Paul Alukal <pva @ bluerose . tju . edu>, firewalls @ GreatCircle . COM
In-reply-to: <Pine . LNX . 3 . 91 . 971230114055 . 1111B-100000 @ gargoyle>

On Tue, 30 Dec 1997, Paul D. Robertson wrote:

> On Tue, 30 Dec 1997, Paul Alukal wrote:
> > Is there any commercial (or other) system which is capable of doing a
> > true intrusion detection in these kind of situations?
> Most good switches will allow you to set particular ports to get all 
> traffic as if it were a hub.  This is where you configure the IDS.

Paul Alukal has a valid question and I have yet to find any 
'administrative' port on any switch that facilitates an IDS
on each segment concurrently.

Paul Robertson is right in saying that most "good switches"
have a port (single) to monitor a particular "domain" (collision/VLAN).
Problem is that these ports were not designed with an IDS in mind and 
may only offer your IDS a view of one world (collision-domain) at a time.
This constraint may or may not facilitate your IDS.

Let me first state that the category we are speaking of when we say
intrusion detection systems (IDS) here is one that passively monitors
the wires and is triggered on user-defined traffic signatures.  
It does not include IDS systems that monitor host-based resources 
like file-systems, processes, etc.

The best thing one can do when designing a network is to 
design the IDS in from the start.  IDS systems that act as satellites
on each segment, reporting events back to a mother-bird, model well with 
your already deployed fault and performance management systems.
Other more centralized IDS systems find it difficult to conform to 
a highly switched environment.  IDS, unlike fault and performance
monitoring, may not have to be on EVERY segment.

With any well designed system, we embrace our design constraints
and engineer toward our goals.  And those goals are....????
IDS of course. :-) 

Design goals will differ.
- You are just concerned with IDS systems on backbone segments
- You may just want it at the ingress and egress of secured segment(s)
- You may just want it at the ingress and egress of your autonomous system

By narrowing down the goals and not having to have "eyes" on all sides of
your head, you can reduce cost down to something that fits. 
Another point is that if some re-engineering of the network is to be done
to meet your goal, it only happens in areas that facilitate your plan.

Happy New Year everyone,
Tim Keanini    blast @ broder . com
"The limits of my language, are the limits of my world."  --Ludwig Wittgenstein
Key fingerprint =  7B 68 88 41 A8 74 AB EC  F0 37 98 4C 37 F7 40 D6
PUB KEY:
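As an added example, not part of the original post or of any product: a small Python model of the satellite/mother-bird layout the post describes, in which each passive sensor sees only the single segment its switch monitor port mirrors and reports signature hits to a central collector. The Packet, Sensor and Collector names, the two signatures and the traffic records are all constructed for illustration.

```python
"""Model of the 'satellite' IDS layout from the post: one passive sensor per
monitored segment, each reporting signature hits to a central collector.
Constructed example; not code from the list or from any product."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:        # constructed traffic record, one per frame observed
    segment: str     # collision domain / VLAN the frame appeared on
    src: str
    dst: str
    dport: int
    payload: bytes

# User-defined traffic signatures, as the post describes: name -> predicate.
SIGNATURES = {
    "telnet-login-prompt": lambda p: p.dport == 23 and b"login:" in p.payload,
    "tftp-to-external":    lambda p: p.dport == 69 and not p.dst.startswith("10."),
}

@dataclass
class Collector:     # the "mother bird": aggregates events from all sensors
    events: list = field(default_factory=list)
    def report(self, segment, signature, pkt):
        self.events.append((segment, signature, pkt.src, pkt.dst))

class Sensor:
    """Passive sensor on a switch monitor port: it sees only the frames of
    the single segment that port mirrors (the constraint the post raises)."""
    def __init__(self, segment, collector):
        self.segment, self.collector = segment, collector
    def observe(self, pkt):
        if pkt.segment != self.segment:
            return False                    # frame never reaches this port
        for name, match in SIGNATURES.items():
            if match(pkt):
                self.collector.report(self.segment, name, pkt)
        return True

def run(traffic, monitored_segments):
    """Feed traffic past sensors on the chosen segments; return the collector
    and the set of segments whose traffic no sensor saw."""
    collector = Collector()
    sensors = [Sensor(seg, collector) for seg in monitored_segments]
    unseen = set()
    for pkt in traffic:
        if not any(s.observe(pkt) for s in sensors):
            unseen.add(pkt.segment)
    return collector, unseen

TRAFFIC = [  # constructed frames seen on three segments
    Packet("backbone", "10.1.1.5", "10.2.0.9", 23, b"login: "),
    Packet("finance", "10.3.0.4", "192.0.2.7", 69, b"\x00\x01host.cfg"),
    Packet("lab", "10.9.0.2", "10.9.0.3", 80, b"GET / HTTP/1.0"),
]
```

Running `run(TRAFFIC, ["backbone", "finance"])` shows two events reaching the collector and the lab segment reported as unseen, which is the coverage trade-off the post's narrowed design goals accept.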
