OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: IDS on switch with multiple VLANs
From: Kim R. Suszczewicz (kimzzzPLANETZIGZAG.COM)
Date: Wed Nov 01 2000 - 22:39:52 CST

I am in a similar situation as Michael. Our 8,000 node network has slowly
migrated to a VLAN switched network with different subnets on each switch.
The internal sensor traffic has dwindled to a minimal level to only traffic
that hits back of our firewall. So now the internal sensor doesn't 'see'
the VLAN to VLAN traffic or traffic within a VLAN. It would seem to be cost
prohibitive to try and explain to the customer that they need an IDS sensor
on each switch. So I too would be interested in any other VLAN technical
solutions or success stories.

Regards,
Kimzzz

-----Original Message-----
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDSSECURITYFOCUS.COM]On Behalf Of Michael Young
Sent: Wednesday, November 01, 2000 7:14 PM
To: FOCUS-IDSSECURITYFOCUS.COM
Subject: IDS on switch with multiple VLANs

I'm currently faced with the problem of implementing an IDS in an
environment where multiple VLANs from different subnets exist on a single
switch. Spanning port technology won't help, as you can only have 1
spanning port per switch, so only one VLAN gets the IDS. I've considered
agent-based network IDS, but wonder if the cost per host becomes
prohibitive at around 17,000 machines.

Is there a simple solution I'm missing?