Great Circle Associates Firewalls
(December 1997)

Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]

Subject: Re: Intrusion Detection - Switched Network
From: Brad <brad @ freedom . gmsociety . org>
Date: Tue, 30 Dec 1997 13:06:19 -0500 (EST)
To: pva @ bluerose . tju . edu (Paul Alukal)
Cc: firewalls @ greatcircle . com
In-reply-to: <199712301602 . LAA15151 @ bluerose . tju . edu> from "Paul Alukal" at Dec 30, 97 11:02:24 am

> Hello everyone,
> I am interested in any feedback from users who use any type of
> intrusion detection systems (commercial or others) on a switched
> network.

THis is a problem I think every vendor is facing at this point.  I am not aware of any product that will do this yet.

There are workarounds, host based intrusion detection being one, but this can get unweildy if you have hundred or thousands of hosts that need to be installedon and managed.  Then there is the overhead associated with running IDS on each host.

> The question is this. If the network is fully switched, how effective
> is any intrusion detection system (without using an shared hub)? By
> switched network, I mean each network device  is connected directly to
> a port on a switch. The switch technology gives each port a different
> virtual circuit through the switch (unlike a shared hub), that even
> makes sniffing difficult (or impossible).

> Some thoughts are to place the intrusion detection system near a choke
> point (like a firewall), but this will still need some shared hub.
> Installing any intrusion detection system on a firewall itself is out
> of question (due to complexity).

Thisis currently the method that make the most sense to me, with currently available technology.

A problem with this is that you dont see the internal traffic, only stuff passing through that choke point. 

I envision that IDS will need to be integrated into the switches, and routers, themselves somehow, as an extra card, additions to switch or router OS's, etc...

> Assuming the network will have ATM backbone with different VLAN's in
> the network, we can think of an intrusion detection system with
> multiple interfaces to each VLAN, still if the network is switched, how
> effective will be the intrusion detection?

Thisis definitely feasable, but you bring up another problem, IDS systems that work at ATM speeds, of which, again I know of none.
The closest thing that I know if is NetRanger, from WheelGroup, which scale up to full FDDI and Fast Ethernet speeds.  Butnot even NetRanger can work with ATM yet.

> Is there any commercial (or other) system which is capable of doing a
> true intrusion detection in these kind of situations?

In short, not that I know of.  THere are answers and solutions based on choke points, key servers (switched subnets as opposed to switched to the host), etc...
You can work with host based systems, like Axent, but that introduces another set of problems.
With all this said, there may be a product out there that can do this that I am unaware and would be greatful for any information on it.  Yes I do work for WheelGroup, but my first mandate is to do what is right for the situation, and NetRanger, ISS, Axent, Ballista, any of these may or may not be the answer.  I am a security professional first.

> Thanks in advance for any comments or suggestions.
> Paul Alukal

--I work for WheelGroup, but I do not speak for them.
--All opinions stated are my own.

Indexed By Date Previous: Re: Intrusion Detection - Switched Network
From: John Whittaker <john @ zoneoftrust . com>
Next: Re: Intrusion Detection - Switched Network
From: Brad <brad @ freedom . gmsociety . org>
Indexed By Thread Previous: Re: Intrusion Detection - Question.
From: "Paul D. Robertson" <proberts @ clark . net>
Next: Re: Intrusion Detection - Switched Network
From: cbrenton <cbrenton @ sover . net>

Search Internet Search