Great Circle Associates Firewalls
(December 1997)

Subject: Re: Intrusion Detection - Switched Network
From: Ted Doty <ted @ iss . net>
Date: Wed, 31 Dec 1997 10:43:58 -0500
To: firewalls @ greatcircle . com

On Tue, 30 Dec 1997 13:06:19 -0500 (EST), Brad <brad @ freedom . gmsociety . org> wrote:

>> I am interested in any feedback from users who use any type of
>> intrusion detection systems (commercial or others) on a switched
>> network.
>
>This is a problem I think every vendor is facing at this point.  I am not 
>aware of any product that will do this yet.

ODS has a product called the "Secure Switch", which includes our RealSecure
IDS.  Look at http://www.ods.com and click on "Security".

>There are workarounds, host based intrusion detection being one, but this 
>can get unwieldy if you have hundreds or thousands of hosts that need to be 
>installed on and managed.  Then there is the overhead associated with 
>running IDS on each host.

Host based and network based IDS do different things, have different
strengths and weaknesses, and should be used for different purposes.

Network based IDS is efficient from a management point of view (a single
device can collect IDS information for an entire subnet), but is somewhat
subject to false positives (reporting an event as possibly malicious when
it is not, e.g. reporting a large number of legitimate hits on a fast web
server as a possible Syn flood).

Host based IDS requires more management effort, does not typically act in
real time, but has access to more refined levels of information (host audit
logs), so has a much lower level of false positives.

An appropriate strategy might be to run network IDS for wide coverage, with
host based IDS on critical systems, or on hosts that are reported to be
engaged in suspicious activity by the network IDS.

>> The question is this. If the network is fully switched, how effective
>> is any intrusion detection system (without using a shared hub)? 

It has to be in the hub if you want to do network based IDS on fully
switched networks.  The IDS has to live somewhere on the data path.

>> Some thoughts are to place the intrusion detection system near a choke
>> point (like a firewall), but this will still need some shared hub.
>> Installing any intrusion detection system on a firewall itself is out
>> of question (due to complexity).

[snip]

>A problem with this is that you dont see the internal traffic, only stuff 
>passing through that choke point.
>
>I envision that IDS will need to be integrated into the switches, and 
>routers, themselves somehow, as an extra card, additions to switch or 
>router OS's, etc...

It's a much more compelling argument to integrate IDS with a switch, rather
than with either firewalls or routers.  Since a standalone IDS could use
the firewall or router API (e.g. Checkpoint's OpSec) to update access
rules, the firewalls can concentrate on firewalling and the routers can
focus on routing.  One advantage of disassociating the IDS from the
firewall is that an IDS deep inside your network could update the Internet
perimeter defenses; this is useful for things like Smurf attacks.

Still, the only way to get on the data path in switched networks is to
integrate into the switch itself.

Note that we're talking about two different types of monitoring here.  IDS
in combination with firewalls (and probably routers, too) is primarily
focused on enhancing external security (strengthening the perimeter).  IDS in
the switch is primarily useful for detecting internal threats and misuse.
Internal IDS is most effectively used as deterrence.  In other words, let
everyone know that monitoring is going on.

>> Assuming the network will have ATM backbone with different VLAN's in
>> the network, we can think of an intrusion detection system with
>> multiple interfaces to each VLAN, still if the network is switched, how
>> effective will be the intrusion detection?

Don't think you should need multiple interfaces, as long as the IDS
understands how to grok an ATM cell stream.  There are a lot of possible
encapsulations: RFC 1577, LANE, "Legacy" formats like Fore IP.  You may
need to do some network tuning. ;-)

>This is definitely feasible, but you bring up another problem, IDS systems 
>that work at ATM speeds, of which, again I know of none.
>The closest thing that I know of is NetRanger, from WheelGroup, which scales 
>up to full FDDI and Fast Ethernet speeds.  But not even NetRanger can work 
>with ATM yet.

The ODS SecureSwitch has ATM/OC-3 interface modules.  I haven't seen any
performance figures, but it appears to be a supported configuration.

I haven't heard of any published performance tests for IDS systems.  If
anyone from the trade press is listening, this might be a useful article
for the community.

Disclaimer: I work for ISS, which makes RealSecure, which runs in the ODS
SecureSwitch.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
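The false-positive case Ted describes above (a busy, legitimate web server tripping a network IDS's SYN-flood rule) can be illustrated with a small detector run over constructed packet records. This is an added example, not code from the original message or from any product it mentions; the packet tuples, the server address and the thresholds are all made up for the demonstration.

```python
from collections import defaultdict

# Constructed sample server address (not from the original message).
SERVER = "10.0.0.80"

def build_legit(n):
    """Constructed traffic: n clients each complete a full three-way handshake."""
    recs = []
    for i in range(n):
        client = f"192.0.2.{i % 250 + 1}"
        recs += [(client, SERVER, "S"), (SERVER, client, "SA"), (client, SERVER, "A")]
    return recs

def build_flood(n):
    """Constructed traffic: n SYNs from spoofed sources; SYN-ACKs are never answered."""
    recs = []
    for i in range(n):
        src = f"203.0.113.{i % 250 + 1}"
        recs += [(src, SERVER, "S"), (SERVER, src, "SA")]
    return recs

def syn_count_alert(records, dst, threshold=100):
    """Naive network-IDS rule: alert when the SYN count towards dst exceeds a threshold.
    Fires on a busy web server just as readily as on a real flood."""
    syns = sum(1 for s, d, f in records if d == dst and f == "S")
    return syns > threshold

def half_open_ratio(records, dst):
    """Fraction of handshakes towards dst that never saw the client's final ACK."""
    state = {}
    for src, d, flags in records:
        if d == dst and flags == "S":
            state[(src, d)] = "half-open"
        elif d == dst and flags == "A" and state.get((src, d)) == "half-open":
            state[(src, d)] = "established"
    if not state:
        return 0.0
    half = sum(1 for v in state.values() if v == "half-open")
    return half / len(state)

def refined_alert(records, dst, threshold=100, max_half_open=0.5):
    """Refined rule: a high SYN rate only counts as a flood when most
    handshakes stay half-open, which separates load from attack."""
    return syn_count_alert(records, dst, threshold) and \
        half_open_ratio(records, dst) > max_half_open

if __name__ == "__main__":
    for name, recs in (("busy web server", build_legit(200)), ("syn flood", build_flood(200))):
        print(name, "naive:", syn_count_alert(recs, SERVER), "refined:", refined_alert(recs, SERVER))
```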
