Although current intrusion-detection and -prevention products rely on specialized security software or programs to inspect individual packets or network flows, the future of IDP is as a function within the network switch itself.
Innovative network switch vendors are driving this trend by building IDP capability directly into their switches. One advantage of this approach is that the switches already process every packet and flow across a network. They also have built-in redundancy and backup capabilities, which separate IDP appliances lack.
Because a network switch already examines every packet that passes across the network, there are clear performance benefits from integrating network security within switches. In most IDP implementations, a switch is responsible for mirroring specific traffic to network-based sensors for inspection against signatures. Port mirroring is a key switch feature that lets IDPs focus on the traffic most likely to contain threats, such as an e-mail or Web page
Network switches also provide flow accounting data that can be reported to a security analysis system. Load-balancing features, such as the IETF's 802.3ad protocol, also are leveraged by mirroring specific traffic flows to specific sensors, to keep flow intelligence in context within each sensor. Each of these switch features is integral to the IDP process. Furthermore, enterprise-class, chassis-based switches provide redundancy features that eliminate single points of failure on a network. All these factors point to the logical progression of moving the critical IDP function on board switches.
Some switches provide more detailed accounting data than others. Packet-sampling techniques record information for only a subset of the packets passing through a switch; other switches record statistics for every packet. Switches with only packet-sampling capabilities may not detect all types of security threats, but they can detect many types of worms, distributed denial-of-service events and port scans. Switches that provide statistics on every packet deliver maximum security visibility and generally match the monitoring capabilities of stand-alone, flow-monitoring anomaly-detection systems. Another benefit of having statistics on all packets is improved forensics: the record can be used to replay an attack and determine exactly what occurred, which network assets were compromised, how far the compromise extended, and by whom.
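As an added illustration (not code from the article or any switch vendor), the following shows the kind of anomaly detection a collector can run over sampled flow accounting records exported by a switch: a port-scan detector keyed on one source touching many destination ports, and a volumetric detector that scales sampled counts by the sampling rate before comparing against a threshold. The record format, thresholds and flow data are all constructed assumptions.

```python
"""Anomaly detection over sampled switch flow records (constructed example).
The switch exports one record per sampled flow; the collector multiplies
sampled counts by the sampling rate to estimate true volume. Thresholds
below are illustrative assumptions, not values from any product."""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    dport: int
    sampled_packets: int  # sampled packets seen for this flow (not true count)


def detect_port_scans(records, min_distinct_ports=20):
    """A scan shows as one (src, dst) pair touching many distinct ports."""
    ports = defaultdict(set)
    for r in records:
        ports[(r.src, r.dst)].add(r.dport)
    return sorted(pair for pair, p in ports.items() if len(p) >= min_distinct_ports)


def detect_floods(records, sampling_rate, min_sources=50, min_est_packets=10_000):
    """A flood shows as many sources sending a high estimated volume to one dst.
    Sampled counts are scaled by sampling_rate (1 = every packet recorded)."""
    sources = defaultdict(set)
    est_packets = defaultdict(int)
    for r in records:
        sources[r.dst].add(r.src)
        est_packets[r.dst] += r.sampled_packets * sampling_rate
    return sorted(d for d in est_packets
                  if len(sources[d]) >= min_sources and est_packets[d] >= min_est_packets)


def sample_records():
    """Constructed flow records: a port scan from 10.0.0.5 against 10.0.1.20,
    a 100-source flood on 10.0.1.9 port 80, and two normal flows. Not real data."""
    recs = [FlowRecord("10.0.0.5", "10.0.1.20", port, 1) for port in range(1, 41)]
    recs += [FlowRecord(f"192.0.2.{i}", "10.0.1.9", 80, 3) for i in range(1, 101)]
    recs += [FlowRecord("10.0.0.7", "10.0.1.20", 443, 12),
             FlowRecord("10.0.0.8", "10.0.1.21", 22, 4)]
    return recs


if __name__ == "__main__":
    recs = sample_records()
    print("scans: ", detect_port_scans(recs))          # [('10.0.0.5', '10.0.1.20')]
    print("floods:", detect_floods(recs, sampling_rate=256))  # ['10.0.1.9']
```

Note that with a 1-in-256 sampling rate the flood is flagged, while the same records interpreted as a full per-packet count (rate 1) fall below the volume threshold, which is why a collector must know the switch's sampling configuration.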