Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Robert Graham (robert_david_grahamyahoo.com)
Date: Thu Jan 25 2001 - 15:05:28 CST
FAQ IDS: http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
FAQ NIDS: http://www.ticm.com/kb/faq/idsfaq.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
From: Richard Johnson
>Our network guys just pointed out to me that we'll see the same packets
>or more in some cases, just with different MAC addresses and VLAN tags, as
>routers forward traffic across backup links that happen to be VLANs that
>transit the same physical link. Ignoring the VLAN tags in such cases could
>cause false worries about replays or spoofing.
>Is it a problem in practice? Dunno.
Very perceptive. Network ICE is extremely state-based, which means that such
a scenario can cause headaches. I know we did extensive testing and tweaking
of signatures for this case (e.g. the DNS spoof sig doesn't trigger if the
two packets are the same), but it has been over a year since we last looked
at the problem. (I.e. I bet you'll experience a couple of false positives
for which you'll have to turn off the signatures until we fix them).
>The mirroring would involve spanning the trunk port's inbound and/or
>traffic. We don't (yet :-) have multiple trunk lines to run into one
>just a small number of VLANs on one trunk.
Ah. I misunderstood what you meant by mirroring.
The interswitch links can be "mirrored" for fault-tolerance: i.e. you put
two 100-mbps between the switches, and if one fails, the switches will
automatically detect that and use the other 100-mbps.
However, you meant "port mirroring" or copying traffic, so that whatever
goes out one port also goes out the mirror port.
Network ICE officially doesn't support seeing only one side of the traffic.
The problem is that we are extremely state-based. For example, if we see an
HTTP attack, we really want to see the HTTP response in order to diagnose if
the attack succeeded. We recently fixed a but whereby in some rare cases you
wouldn't see the attack at all if you only monitored the inbound connection
(though normally you see it, delayed, and without the return code). [Note
that the engineers have spent a lot of time on this configuration because it
could be used as an attack, but the corporate support people don't want to
deal with the operational issues that will result].
However, it is extremely easy to tap directly into the interswitch trunk
rather than mirror it. There are a number of vendors (NetOptics, Shomiti)
that sell full-duplex taps. They are extraordinarly reliable (e.g. you
remove power, they still work). A lot of our customers use these for
monitoring switched traffic (though usually between a router/firewall and a
switch, not ISL trunks).
As a side note, this is one of the areas where open source solutions like
Snort shine. I'll bet it also supports VLAN tagging, and if not, you can add
it. Snort is also completely stateless and has exceedingly few signatures
that care about response traffic, so wouldn't be as unhappy seeing only one
side of the traffic.
Do You Yahoo!?
Get your free yahoo.com address at http://mail.yahoo.com