NFR Wizards Archive: Re: future of IDS



Vern Paxson (vernee.lbl.gov)
Fri, 16 Oct 1998 23:39:50 PDT


> If you have a switch with 24 ports for 100BaseT, can you then push 1.2Gb/s
> through it?

I believe you can push 1.2 Gb/s through it. Doubtless someone on the
list knows for sure.

> if you have a single 100BaseT monitor port, either the throughput for the
> entire switch is 100BaseT (serious reduction in performance) or you lose
> packets on the monitor port.

Yep. Don't know if there are switches with higher speed taps.

> > (3) get the end hosts to chip in and function as IDS sensors.
>
> Similar to the recent COAST project announcement for AAFID?

Exactly.

> In environments where high speed networking is in place (HIPPI, ATM, FDDI)
> I think a combination of network based and host based is going to be
> necessary.

It's also the way to address the IDS insertion/evasion attacks discussed
in the SNI paper (and a tad in the Bro paper).

                Vern


