I am truly amazed that nobody explained the differences.
1) A hub is, generally, a dumb device. EVERY packet coming in a port is sent out
EVERY other port.
Therefore, the IDS system would see the packet.
2) A switch is, generally, a smart device. EVERY packet coming in a port DOES
NOT go out EVERY other port.
A switch keeps internal records of what devices are located via which port.
So when a packet comes in,
the switch will only send it out the port the destination device is located
on.
This would cause the IDS system to receive pretty much nothing as nobody
will be sending data directly
to the switch.
Hope this helps.
Art Coble <[EMAIL PROTECTED]> on 11/15/99 02:58:57 AM
To: YANG YINAN <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc: (bcc: Jerry Kendall/Inc/Celestica)
Subject: Re: hubs vs switches
I believe that the issues are that:
1. With a switch the IDS cannot see the traffic on the other ports.
You can watch other hosts' traffic by port monitoring or spanning.
This can be worked around on Cisco switches by spanning other
ports (CAT 5500) or monitoring ports (CAT 2900). On the 2900
you can't monitor across VLANs. So if you have three VLANs and
you want to monitor every port, you would need 3 IDS's.
I am not sure if a CAT 5500 can span across VLANs.
Some switch makers don't have a spanning or port monitoring option.
In this case you'd need a hub.
2. More dropped packets by the IDS in a switched environment.
I am fairly new to IDS implementation but these are the issues I've
had to deal with. Personally, I'd try and make it work on a
switch. Putting a hub between a router and switch is not
ideal. It could add some latency and it is another point
of failure.
My 2 cents. Hope it helps -Art
At 10:02 AM 11/15/99 +1100, you wrote:
>
>Hi,
>
>I'm just wondering Why IDS equipment must be connected to a hub and cannot
>be connected to a switch?
>
>My understanding of IDS is working at Network layer, so what's
>differences of using a hub or a switch with IDS in a FW environment?
>
>Can anyone point me to a right direction?
>
>Cheers
>
>YY
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
===========================================
Art Coble
Lucent - Netcare Professional Services
Senior Network Consultant
Email: [EMAIL PROTECTED]
Page: 800 INS 1 INS
=============================================
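The forwarding behaviour both replies describe, as an added illustration that is not part of the thread: a small Python model of a hub, a MAC-learning switch, and a switch with a mirror (SPAN / port-monitor) port, run over a few constructed frames so you can see exactly which ones reach the IDS port. The MAC addresses, port numbers and VLAN ids are made up, and two simplifications are assumptions of this model rather than facts from the thread: the mirror destination port only receives mirrored copies (it is left out of normal flooding), and mirroring is confined to the mirror port's own VLAN, matching the CAT 2900 limitation Art mentions.

```python
"""Hub vs. learning switch: what a passively attached IDS actually sees.

Added illustration, not code from the thread. Models a hub, a MAC-learning
switch, and a switch with a mirror (SPAN / port-monitor) port, then records
which frames reach the IDS port. MACs, ports and VLAN ids are constructed.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
IDS_PORT = 8  # the port the IDS sensor is plugged into (constructed)


@dataclass(frozen=True)
class Frame:
    src: str    # source MAC
    dst: str    # destination MAC
    label: str  # human-readable tag for the sample traffic


class Hub:
    """Repeater: every frame entering a port leaves every other port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, frame):
        return self.ports - {in_port}


class Switch:
    """Learning switch with a per-VLAN forwarding table and optional mirror port.

    vlan_of    : port -> VLAN id
    mirror_to  : port that receives copies of traffic (SPAN destination)
    mirror_src : ports whose ingress/egress traffic is copied (SPAN sources)
    Assumptions of this model: the mirror destination only receives mirrored
    copies (it takes no part in normal flooding), and mirroring stays inside
    the mirror port's own VLAN.
    """

    def __init__(self, vlan_of, mirror_to=None, mirror_src=()):
        self.vlan_of = dict(vlan_of)
        self.mirror_to = mirror_to
        self.mirror_src = set(mirror_src)
        self.cam = {}  # (vlan, MAC) -> port, learned from source addresses

    def forward(self, in_port, frame):
        vlan = self.vlan_of[in_port]
        self.cam[(vlan, frame.src)] = in_port  # learn which port the sender is on
        known = self.cam.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            out = {known} - {in_port}          # known unicast: one port only
        else:                                  # unknown unicast / broadcast: flood the VLAN
            out = {p for p, v in self.vlan_of.items()
                   if v == vlan and p != in_port and p != self.mirror_to}
        if self.mirror_to is not None and self.vlan_of[self.mirror_to] == vlan:
            if in_port in self.mirror_src or out & self.mirror_src:
                out = out | {self.mirror_to}   # copy to the SPAN destination
        return out


def frames_seen_by_ids(device, traffic):
    """Return the labels of the frames that reach IDS_PORT on the given device."""
    return [f.label for p, f in traffic if IDS_PORT in device.forward(p, f)]


# Constructed sample traffic: (ingress port, frame). Hosts A, B, C sit on
# VLAN 1 ports 1-3 alongside the IDS on port 8; hosts D, E sit on VLAN 2 ports 4-5.
TRAFFIC = [
    (1, Frame("00:aa", "00:bb", "A->B before B is learned")),
    (2, Frame("00:bb", "00:aa", "B->A")),
    (1, Frame("00:aa", "00:bb", "A->B after learning")),
    (3, Frame("00:cc", BROADCAST, "C broadcast")),
    (4, Frame("00:dd", "00:ee", "D->E on VLAN 2")),
]
VLAN_OF = {1: 1, 2: 1, 3: 1, 8: 1, 4: 2, 5: 2}


def compare():
    """Run the same traffic through each device and return what the IDS saw."""
    return {
        "hub": frames_seen_by_ids(Hub(VLAN_OF), TRAFFIC),
        "switch": frames_seen_by_ids(Switch(VLAN_OF), TRAFFIC),
        "switch+span": frames_seen_by_ids(
            Switch(VLAN_OF, mirror_to=IDS_PORT, mirror_src={1, 2, 3, 4, 5}), TRAFFIC),
    }


if __name__ == "__main__":
    for name, seen in compare().items():
        print(f"{name:12s} IDS saw {len(seen)} of {len(TRAFFIC)}: {seen}")
```

On the hub the IDS sees all five frames. On the plain switch it sees only the two that get flooded (the first frame, sent before the switch has learned where B lives, and the broadcast), which is the "pretty much nothing" Jerry describes; once the forwarding table is populated, unicast traffic between A and B never touches port 8. With the VLAN 1 ports mirrored to the IDS port the sensor sees everything on its own VLAN, but the VLAN 2 frame still never reaches it, which is why Art's three-VLAN setup on a switch that cannot mirror across VLANs needs a sensor per VLAN.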