That isn't a feature of the IDS, it's a feature of the switch. The IDS just sniffs whatever passes by its network interface. This has been a common basic feature of most switches for years, usually using the term span port or mirror port.
There are some pluses and minuses with this approach as compared with the other popular alternative of using a network tap, e.g. it's cheaper, but you could run the risk of missing packets on busy switches where the total throughput exceeds the throughput of that switch port.

I'm not sure you would want to do this with an IPS. IPS functionality requires that traffic pass through it, e.g. that it be installed inline on just one network segment, or else it will be unable to reliably stop traffic, e.g. "prevention." IDS/IPS can attempt to stop threats via "active response," where for example a spoofed TCP Reset packet is sent to try to close the connection, but this is not guaranteed to always work, and you want to enable it sparingly to avoid having false positives shutting down legitimate traffic. On the other hand, inline IPS typically means you can monitor and protect fewer connections, which means more devices and more money compared to IDS spanning multiple networks.

Kind regards,
Karl Levinson
http://securityadmin.info
