April 04, 2001, 2:38 PM — Detecting hackers and intruders in switched-network environments is a challenge for every IT manager. Traditionally, administrators have had to attach an external intrusion-detection system (IDS) to a mirrored switch port (a SPAN port, in Cisco terminology) to see network traffic. That approach consumes a port that could otherwise carry production traffic, and the sensor can only see as much traffic as that single port's bandwidth can forward.
Cisco's new Catalyst 6000 IDS Module, introduced last month, is a blade that plugs into a Catalyst 6006, 6009, 6506 or 6509 chassis and lets you monitor network traffic directly from the switch's backplane. The product inspects and reports suspicious traffic in real time at all seven layers of the OSI model. What it doesn't do yet is shun attacks, that is, actively block the offending traffic; it only detects and reports.
Our performance tests showed that traffic is monitored and reported without noticeable degradation of switch performance. Full monitoring held up even at wire speed on a 100M bit/sec link running full duplex (200M bit/sec aggregate), which is considerably higher than what we've observed from other IDS products. We saw effective IDS monitoring at even higher throughputs, up to 769.95M bit/sec, on traffic traversing eight 10/100M bit/sec switch ports, but we note that this test ran in a highly controlled environment using a constant 512-byte packet size that is not representative of real-world corporate traffic, where smaller packets mean far more packets per second for the sensor to inspect. Still, the potential to monitor traffic effectively at levels well beyond those of any other IDS product we've tested is laudable.
The Catalyst 6000 IDS Module detected every simulated attack we sent through the switch almost instantaneously: as soon as an attack reached its target, an alert appeared on the Cisco Secure Policy Manager console.
Complexity vs. granularity trade-off
New security products offer a dizzying array of options for configuring security policies, but the trade-off is often a complex graphical user interface. The Catalyst 6000 IDS Module is no exception. Overall, it is a very robust system with a great deal of configuration granularity, but many IT managers, even those already used to Cisco's command-line interface, will find it overly complex. Cisco provides templates to ease the configuration process, but they contain so many options that we often got lost navigating them.
The explanatory text in the main log gives basic technical information about the types of attacks the product is designed to detect. A "security geek" would have no trouble interpreting it, but the average IT manager might.