>From: Aaron Schultz <[EMAIL PROTECTED]>
>Subject: RE: Intrusion Detection
>
>I've found no product that can do network-based detection for 100+Mb
>environments

Most of the network IDS' can handle higher bandwidths
by ganging multiple IDS behind a load-balancing device
like a TopLayer or Arrowpoint switch. I know of sites
that are handling 500mb/s+ with NFRs using this technique.
Theoretically, the sky's the limit, depending on the
size of the rack of IDS' you're willing to install.
That's not a perfect answer, of course. I'm working on
better answers but I don't want to talk about them yet.

Bandwidth is always going to be an issue with network
IDS, since network traffic is constantly increasing,
and the number of endpoints to watch is increasing as
well. It's also an issue because there's a constant
tradeoff between doing intrusion detection _fast_ and
doing it _well_. Some IDS still don't do TCP reassembly,
so they're faster but easier to sneak an attack past.
Others don't track state based on packets that are ACK'd
but rather based on packets they see - so they don't
have to maintain as much state and are therefore faster
but easier to fool. I believe such issues will always
be a tradeoff.

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://pubweb.nfr.net/~mjr
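An added illustration of the two points made in the reply above, namely flow-hashed load balancing across several sensors and the per-packet versus reassembled-stream tradeoff. This is example code written for this page, not code from the post, from NFR, or from any of the products named; the names (`Segment`, `flow_key`, `dispatch`, `Sensor`, `SIGNATURE`) and the sample traffic are constructed for the demonstration.

```python
import zlib
from dataclasses import dataclass

# Constructed detection pattern for the demo, not a real signature.
SIGNATURE = b"EXAMPLE-ATTACK-STRING"


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment model: addressing, sequence number, payload, SYN flag."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes = b""
    syn: bool = False


def flow_key(seg):
    """Direction-independent flow identity, so both sides of a connection land on
    the same sensor: a sensor cannot reassemble a stream it only half sees."""
    ends = sorted([(seg.src, seg.sport), (seg.dst, seg.dport)])
    return ("tcp",) + ends[0] + ends[1]


def dispatch(seg, n_sensors):
    """Hash the flow key to a sensor index: a stand-in for the load balancer in
    front of a rack of IDS.  CRC32 keeps the mapping stable across processes
    (Python's hash() is salted per process)."""
    return zlib.crc32(repr(flow_key(seg)).encode()) % n_sensors


class Stream:
    """Per-direction reassembly state: next expected seq, out-of-order buffer, data."""
    def __init__(self, expected):
        self.expected = expected
        self.pending = {}
        self.data = bytearray()
        self.alerted = False


class Sensor:
    """A toy IDS.  reassemble=False matches each packet on its own (fast, but a
    pattern split across segments is missed); reassemble=True orders segments by
    sequence number first and matches over the stream (more state, more work)."""
    def __init__(self, reassemble):
        self.reassemble = reassemble
        self.streams = {}
        self.alerts = []

    def inspect(self, seg):
        if not self.reassemble:
            if SIGNATURE in seg.payload:
                self.alerts.append((flow_key(seg), seg.seq))
            return
        dkey = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn:
            self.streams[dkey] = Stream(seg.seq + 1)  # SYN consumes one seq number
            return
        stream = self.streams.get(dkey)
        if stream is None:
            return  # picked up mid-stream: no sequence base, cannot reassemble
        stream.pending[seg.seq] = seg.payload
        while stream.expected in stream.pending:  # deliver contiguous bytes only
            chunk = stream.pending.pop(stream.expected)
            stream.data += chunk
            stream.expected += len(chunk)
        if not stream.alerted and SIGNATURE in stream.data:
            stream.alerted = True
            self.alerts.append((flow_key(seg), stream.expected))


def run(segments, n_sensors, reassemble):
    """Feed segments through the load balancer into n sensors; collect all alerts."""
    sensors = [Sensor(reassemble) for _ in range(n_sensors)]
    for seg in segments:
        sensors[dispatch(seg, n_sensors)].inspect(seg)
    return [a for s in sensors for a in s.alerts]


def sample_traffic():
    """Constructed flow: a SYN, then the pattern split across two segments that
    arrive out of order.  Addresses are documentation-range placeholders."""
    c, s = "192.0.2.10", "198.51.100.20"
    isn = 1000
    half = len(SIGNATURE) // 2
    first, second = SIGNATURE[:half], SIGNATURE[half:]
    return [
        Segment(c, 40000, s, 80, isn, syn=True),
        Segment(c, 40000, s, 80, isn + 1 + len(first), second),  # arrives first
        Segment(c, 40000, s, 80, isn + 1, first),
    ]


if __name__ == "__main__":
    print("per-packet alerts:", run(sample_traffic(), 4, reassemble=False))
    print("reassembled alerts:", run(sample_traffic(), 4, reassemble=True))
```

The per-packet sensor produces no alert on the sample flow while the reassembling sensor produces one, which is the "faster but easier to sneak an attack past" tradeoff in concrete form. The symmetric `flow_key` is the part of the load-balancing setup that is easy to get wrong: if the two directions of a connection hash to different sensors, neither sensor can reassemble it, and the extra rack buys throughput at the price of the very state the reply says an IDS needs to do its job well.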

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
