Re: Use of Taps for IDS

From: Baeder, Jason (GEIO) (Jason.Baeder@geio.ge.com)
Date: 03/11/02


From: "Baeder, Jason (GEIO)" <Jason.Baeder@geio.ge.com>
To: Greg Shipley <gshipley@neohapsis.com>, SEdwards@toplayer.com
Date: Mon, 11 Mar 2002 21:21:59 -0000

Stop the madness! At long last this is turning into a practical thread
(thanks to Greg). There are some valid points here that should be taken
seriously by the IDS/Switch/Tap vendors. There is a void in the marketplace
that needs to be filled (marketing people live for these kinds of
opportunities).

I think it's worth revisiting three potential solutions (in no order of
preference):

1. an IDS sensor that can accept the dual outputs from existing ethernet
taps on two different NICs and reassemble the traffic internally
2. an ethernet tap that outputs reassembled traffic on a single cable,
instead of two, allowing the output to go directly to an IDS' existing
single input NIC
3. a switch that can take output from multiple taps (representing multiple
distinct LAN segments) and mirror that traffic to individual IDS sensors
(one per LAN segment) at very heavy load and high speed (think Cisco 29xx
on steroids, able to handle an aggregate of 4-8 Gigs of traffic)

Would I pay more for the right solution? Yes, I would. Can I quantify that
now? No, I can't.
Note to Mr. Edwards: solution #3 is _not_ load balancing, just multiple
mirrors (and no flow control either)

Vendors, start your engines......

Jason

-----Original Message-----
From: "Greg Shipley" <gshipley@neohapsis.com>
To: <SEdwards@toplayer.com>
Cc: <focus-ids@securityfocus.com>; <mreed@toplayer.com>
Sent: Saturday, March 09, 2002 9:33 PM
Subject: RE: Use of Taps for IDS

>
> I know that some vendors (ISS?) are talking about being able to take in
> the two separate feeds (OutputA and OutputB) into two separate NICs, and
> sorting it out on the IDS (eliminating the need for a switch), but my
> understanding is that this functionality isn't around yet.
>
> What would be ideal is some sort of cost-effective integrated tap/switch
> combination that a) tapped the traffic passively, and b) could output a
> unified stream to an IDS as single physical feed. To address your
> comments here:
>
>
> I'm not sure if this is the answer you're looking for, but assuming I'm
> paying $10k->$20k for a sensor, if I had a vendor that could do the
> tapping and re-assembly for me in some sort of rack-mountable chassis, I
> think that would be worth around $3k to me. This is based off of the
> assumption that the alternative would be purchasing a Cisco 2xxx series
> switch and some Netoptics or finisar taps. Obviously a gig/fiber solution
> would be worth more.
>
> That's me though - I'd be curious to hear what the rest of this list
> thinks. Also, side note to NIDS vendors: Consider this - if your
> potential customers are looking to spend $3k or more on a solution to tap
> traffic, and you can do that natively in your appliances/devices using
> just a tap (read: you can re-assemble two physical streams), guess who you
> make a lot happier?
>
> Just food for thought,
>
> -Greg
>
>
> P.S. My apologies to those using MS-clients where my ASCII art will look
> terrible. :)
>
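Jason's solution #1 and Greg's "re-assemble two physical streams" both come down to the same job: a full-duplex tap hands the sensor one direction of the conversation on output A and the other on output B, and the IDS has to interleave the two feeds in wire order before stateful inspection can pair a request with its response. The sketch below is an added example, not code from either poster or any IDS product; the packet records, addresses and field names are constructed for illustration.

```python
"""Merge the two unidirectional feeds of a full-duplex Ethernet tap (output A and
output B, each landing on its own IDS NIC) into one time-ordered, bidirectional
stream, then reassemble each TCP direction.  Added example with constructed
packet records, not captured traffic; every name here is this example's own."""
import heapq
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    ts: float       # capture timestamp (seconds) stamped by the receiving NIC
    src: str        # "ip:port" of sender
    dst: str        # "ip:port" of receiver
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def merge_feeds(feed_a, feed_b, skew=0.0):
    """Interleave two feeds that are each already in capture order.
    `skew` is added to feed B's timestamps to correct the clock offset
    between the two NICs, so packets come out in wire order."""
    b = (replace(p, ts=p.ts + skew) for p in feed_b)
    return list(heapq.merge(feed_a, b, key=lambda p: p.ts))

def reassemble(stream):
    """Rebuild each direction's byte stream, ordering segments by sequence
    number; a retransmitted segment with an identical seq is dropped."""
    segments = {}
    for p in stream:
        segments.setdefault((p.src, p.dst), {}).setdefault(p.seq, p.payload)
    return {d: b"".join(s[k] for k in sorted(s)) for d, s in segments.items()}

CLIENT, SERVER = "10.0.0.5:40001", "10.0.0.9:80"
# Constructed sample: tap output A carries client->server, output B the reverse.
FEED_A = [
    Pkt(0.000, CLIENT, SERVER, 1000, b"GET /cgi-bin/"),
    Pkt(0.002, CLIENT, SERVER, 1013, b"status HTTP/1.0\r\n\r\n"),
    Pkt(0.003, CLIENT, SERVER, 1000, b"GET /cgi-bin/"),   # retransmission
]
FEED_B = [
    Pkt(0.004, SERVER, CLIENT, 5000, b"HTTP/1.0 200 OK\r\n\r\n"),
    Pkt(0.005, SERVER, CLIENT, 5019, b"ok"),
]

if __name__ == "__main__":
    # One NIC alone sees a single direction: no request/response pairing.
    print("feed A alone:", list(reassemble(FEED_A)))
    # Both NICs merged give the IDS the full conversation to inspect.
    for d, data in reassemble(merge_feeds(FEED_A, FEED_B)).items():
        print(d, data)
```

Running feed A through `reassemble` on its own yields only the client half, which is exactly why a sensor with one input NIC needs the tap/switch combination Greg describes or has to do this merge itself.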


