Re: Fw: Promiscuous vs Inline IDS

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 05/06/03

    Date: Mon, 05 May 2003 17:20:00 -0500
    To: Mustapha Huneyd <mhbengal@yahoo.com>, focus-ids@securityfocus.com

    Without knowing more, it's impossible to say. What's your persistent
    throughput? What speed processor would you be using? Do you plan to use
    load balancing? What IDS will you be using? Etc., etc.

    Promiscuous mode does not affect throughput because it doesn't intrude on
    the packet stream. It "sits" beside it sniffing everything that goes by.
    You *can* experience packet loss, but that again depends on a number of
    factors.

    Inline IDS can definitely create a bottleneck because all traffic has to
    pass through it (depending on where you put it, but I'm assuming you want
    it at the ingress/egress point of your network). You need to plan well and
    be very aware of the capability of the device you decide to use.

    --On Wednesday, April 30, 2003 04:40:37 PM +0400 Mustapha Huneyd
    <mhbengal@yahoo.com> wrote:

    >
    > I was wondering if there are tests conducted to show traffic (bottleneck)
    > patterns for both INLINE & Promiscuous IDS. Also are there tests that
    > highlight differences or similarities in capture patterns for both kinds
    > of IDS? Basically I want to know if an Inline IDS would create a
    > bottleneck in a Fast Ethernet / GE network?
    >
    > E.g. SNORT inline vs ISS Realsecure or Cisco IDS
    >
    > Mustapha
    >
    >
    > -------------------------------------------------------------------------------
    > Can you respond to attacks based on attack type, severity, source IP,
    > destination IP, number of times attacked, or the time of day an attack
    > occurs? No?
    > No wonder why you're swamped with false positives!
    > Download a free 15-day trial of Border Guard and watch your false
    > positives disappear.
    >
    > http://www.securityfocus.com/StillSecure-focus-ids2
    > -------------------------------------------------------------------------------
    >

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu
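Added example, not code from this thread or from any of the products named in it: a small Python model of the two deployment modes Paul describes. Both sensors get the same inspection capacity; the promiscuous sensor's drops cost only visibility while the traffic keeps forwarding, whereas the inline sensor's backlog delays traffic and, once its buffer fills, drops it. `line_rate_pps` is a hypothetical sizing helper for the worst-case packet rate on a Fast Ethernet or GE link; the packet rates in `__main__` are constructed values.

```python
from dataclasses import dataclass

# Ethernet adds an 8-byte preamble and a 12-byte inter-frame gap per frame,
# so the line-rate packet count is computed over frame_bytes + 20.
PREAMBLE_AND_IFG = 20

def line_rate_pps(link_bps, frame_bytes):
    """Maximum frames per second a link can carry at a given frame size.
    100 Mbit/s with 64-byte frames gives roughly 148,810 pps, the figure
    an inline sensor must sustain to guarantee no bottleneck at all."""
    return link_bps / (8 * (frame_bytes + PREAMBLE_AND_IFG))

@dataclass
class Outcome:
    offered: int = 0     # packets that arrived on the wire
    forwarded: int = 0   # packets that reached the far side of the sensor
    inspected: int = 0   # packets the detection engine actually analysed
    dropped: int = 0     # packets the sensor lost (visibility or traffic)
    backlog: int = 0     # packets still queued (delayed) when the run ends

def simulate(mode, arrival_pps, inspect_pps, seconds=10, queue_depth=1000):
    """One-second time steps. arrival_pps packets hit the sensor each second;
    the engine can analyse at most inspect_pps of them in that second."""
    out = Outcome()
    queue = 0
    for _ in range(seconds):
        out.offered += arrival_pps
        if mode == "promiscuous":
            # The tap hands the engine a copy; the originals forward untouched.
            out.forwarded += arrival_pps
            seen = min(arrival_pps, inspect_pps)
            out.inspected += seen
            out.dropped += arrival_pps - seen     # lost visibility only
        elif mode == "inline":
            # Nothing forwards until the engine has looked at it.
            queue += arrival_pps
            done = min(queue, inspect_pps)
            queue -= done
            out.inspected += done
            out.forwarded += done
            if queue > queue_depth:               # tail drop once buffers fill
                out.dropped += queue - queue_depth
                queue = queue_depth
        else:
            raise ValueError(f"unknown mode {mode!r}")
    out.backlog = queue
    return out

if __name__ == "__main__":
    print("64-byte frames at 100 Mbit/s:", round(line_rate_pps(100_000_000, 64)), "pps")
    for mode in ("promiscuous", "inline"):   # constructed load: 1500 pps offered, 1000 pps inspected
        print(mode, simulate(mode, arrival_pps=1500, inspect_pps=1000))
```

With the same 1000 pps engine the passive sensor misses a third of the packets but forwards everything, while the inline sensor forwards only what it inspected and starts discarding traffic once its queue is full.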


