FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicited mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Jerry,

I've been told by Cisco that they're in planning stages for an integration that would put NetRanger in a strategic logic location to facilitate this - on a card resident in the router, I believe. I also read that ISS is planning similar RealSecure capability in partnership with Nortel. I'm pasting in the "InternetWeek" article to support this claim. Good luck.

InternetWeek Nov 23, 1998 p7(1)
------------------------------
Security Spans Switch Ports (Nortel Networks, Internet Security Systems Inc will integrate ISS' RealSecure intrusion detection system with Nortel's Passport 6000 switches) (Company Business and Marketing)

Author: Yasin, Rutrell

Full Text

Internet Security Systems Inc. and Nortel Networks are working together to give IT managers products that can detect and respond to attacks across switched networks with a single tool.

The companies last week said they will integrate ISS' RealSecure intrusion detection system with Nortel's Passport 6000 switches to give IT managers stronger end-to-end network security mechanisms.

Processing Power

Their alliance is meant to overcome a limitation that's common to widely used network security products: Intrusion detection systems typically have limited processing capacity to analyze the large IP data streams moving through switch ports.

As a result, IT managers have been forced to place an intrusion detection engine on every segment or switch port to exert tighter control. But this can be an expensive and cumbersome task.

The ISS/Nortel pact, however, will let Nortel users monitor all traffic through the switch with a single RealSecure engine.

That's because ISS and Nortel are developing links between RealSecure and NetSentry, which is Passport software that views packets coming through all switch ports. NetSentry can send copies of all packets to an external RealSecure engine, according to Charles Meyers, ISS' vice president of corporate and business development.

IT managers can then "see traffic in multiple switch ports, [whereas before] they could only see one segment at a time," he said.

Network administrators welcome any security tools that give them a better view of traffic in switched networks.

"There's a larger need for something that gathers information across switched ports and VLANs," said Tony Brocato, a senior systems engineer at the Injured Workers Insurance Fund, a user of Cabletron switches.

"In a switched environment, you cannot detect intrusions on switch ports unless you are on that port," Brocato said. RMON agent software can be placed on ports to give IT managers some sense of where traffic is coming from and its destination, but there's still a need for tools that "allow [an IT manager] to see what's going on," he said.

A bundled software product is slated to debut during the first quarter of 1999, Meyers said. Deeper integration will come in the second half of the year when RealSecure is incorporated into the backplane of Passport switches - essentially making intrusion detection an integral part of the switch.

This higher level of integration will be generic enough so other network vendors can incorporate intrusion detection into their products, according to Meyers.

The Nortel pact is part of the Adaptive Network Security Alliance that ISS launched last month. Backed by 40 vendors - including Compaq, Hewlett-Packard and 3Com - the alliance will provide users with tools to respond to security breaches quickly and efficiently.

SECURING SWITCHED NETWORKS

The fusion between ISS's RealSecure intrusion detection system and Nortel's Passport product line will let Nortel users monitor their switched networks for suspicious activity.

Details:

Q1 1999: Vendors will ship a bundled software product that detects attacks from any and all switch ports
Q4 1999: Tighter integration embeds intrusion detection technology within switched networks

Source: ISS

Copyright (c) 1998 CMP Media Inc.
------------------------------
Company: Internet Security Systems Inc.; Northern Telecom Ltd.
Product: RealSecure (Network security software); Northern Telecom Magellan Passport (Network switch)
Topic: Company licensing agreement; Network security software; Network switch

******************************
Security Spans Switch Ports
InternetWeek: Nov 23, 1998
COPYRIGHT 1998 CMP Publications, Inc.
******************************

-- Jay

> -----Original Message-----
> From: Jerry Dixon Jr [SMTP:jerry@jdixon.com]
> Sent: Saturday, March 20, 1999 8:59 AM
> To: Ids
> Subject: IDS: Network Intrusion Detection
> ---------------------------------------------------------------------------
>
> Well since the list is starting to show signs of life I figured I'll
> fire something off ;-)
>
> Basically I've begun to evaluate IDS products....the problem that we
> are seeing is that we are in the world of fast ethernet and a switched
> topology with multiple VLANS. These two things do not work well with
> trying to implement an IDS product without getting a box for every
> broadcast domain (essentially a segment). My question is does anyone
> know of a solution that would not be cost prohibitive in this
> environment and one that would not degrade performance as well. We're
> looking at RealSecure, Network Ranger, and CyberCop. Any input or
> insight would be greatly beneficial to our analysis of IDS.
>
> I'll also go ahead and throw this into the arena...we're utilizing Kane
> for our NT Environment for Host Level IDS but the problem we run into
> is that it is consistently two to three days behind churning through
> all the logs. We have a very large scale NT environment and it is
> only going to continue to grow. What we are thinking about doing is
> setting up multiple auditor servers to try and split the load up.
>
> Jerry