Re: Fw: Promiscuous vs Inline IDS

From: Paul Schmehl <pauls(at)utdallas.edu>
Date: Mon May 05 2003 - 18:20:00 EDT

Without knowing more, it's impossible to say. What's your persistent throughput? What speed processor would you be using? Do you plan to use load balancing? What IDS will you be using? Etc., etc.

Promiscuous mode does not affect throughput because it doesn't intrude on the packet stream. It "sits" beside it sniffing everything that goes by. You *can* experience packet loss, but that again depends on a number of factors.

Inline IDS can definitely create a bottleneck because all traffic has to pass through it (depending on where you put it, but I'm assuming you want it at the ingress/egress point of your network.) You need to plan well and be very aware of the capability of the device you decide to use.

--On Wednesday, April 30, 2003 04:40:37 PM +0400 Mustapha Huneyd <mhbengal@yahoo.com> wrote:

>
> I was wondering if there are tests conducted to show traffic (bottleneck)

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

---

Can you respond to attacks based on attack type, severity, source IP, destination IP, number of times attacked, or the time of day an attack occurs? No?
No wonder why you're swamped with false positives! Download a free 15-day trial of Border Guard and watch your false positives disappear.

http://www.securityfocus.com/StillSecure-focus-ids2

---

Received on Tue May 6 16:46:42 2003