Re: Asymmetric traffic/topology

From: Jeremy Bennett (jeremydeities.org)
Date: Tue Nov 13 2007 - 13:28:43 CST


NetFlow (and sflow) nicely overcomes the asymmetry by using the
routers to gather flow data. What I meant was systems that are
attempting to extract flow data by watching the traffic itself.

-J
On Nov 9, 2007, at 2:47 PM, Adam Powers wrote:

> If when you say "Behavior-based System" you're referencing any of the
> NetFlow-based products then you're not quite right.
>
> Behavior-based NetFlow products overcome the asymmetry problem by
> reassembling flows from multiple routers along disparate data paths.
>
> If we have a situation such as:
>
> Client -> R1 -> R2 -> R3 -> Server
>
> Client <- R1 <- R4 <- R3 <- Server
>
> ..in this case the path is R1 to R2 to R3 in one direction and R3 to R4 to
> R1 on the return path. Classic asymmetric L3 routing. NetFlow gets around
> this problem because R1, R2, R3, and R4 are all sending their NetFlow
> exports to a single collector where the unidirectional flows are merged and
> processed into a "bi-flow" that would look more like...
>
> Client <-> R1 <-> R2,R4 <-> R3 <-> Server
>
> Analysis can then be performed on the bidirectional flow without fear of
> asymmetry issues. All that's required is that you enable NetFlow on the
> correct devices (the more the merrier IMO).
>
> On 11/8/07 6:06 PM, "Jeremy Bennett" <jeremydeities.org> wrote:
>
>> First there are three types of asymmetry in a network that can cause
>> problems for some types of IPS devices.
>>
>> 1. Connection-level asymmetry: This is the case where a given TCP
>> connection (up and down stream) is on a single network path but a
>> separate, identical connection may follow a different path. This is
>> very common and can cause problems for behavioral systems.
>>
>> 2. Flow-level asymmetry: This is the case where the upstream and
>> downstream flows in a TCP connection may follow different paths. This
>> can cause problems for behavioral systems and stateful packet-
>> inspection.
>>
>> 3. Packet-level asymmetry: This is the case where packets within a flow
>> may be following different routes in a network. This can cause problems
>> for any IPS except for the most basic packet-filter.
>>
>> Now in my experience, #1 is very common in medium to large
>> enterprises that have built for scalability and redundancy. #2 is
>> common in load-balanced server farms. #3 is not extremely common but
>> does appear in some instances of a hot-hot redundancy deployment.
>>
>>
>> -J
>>
>> On Nov 7, 2007, at 4:42 PM, snort user wrote:
>>
>>> Greetings.
>>>
>>> I am sure that most of you know about the asymmetric traffic/topology
>>> problem in relevance to IDS/IPS systems.
>>> ( By Asymmetric traffic/topology, I mean the case where client to
>>> server packets traverse a different path in your network compared to
>>> server to client packets. Hence the IDS/IPS see only one side of the
>>> conversation)
>>>
>>> I am trying to find out how wide this problem really is?
>>> Is it commonly seen in large / enterprise networks ?
>>>
>>> Any input is welcome.
>>>
>>> Thanks
>>>
>>> --------------------------------------------------------------------
>>> --
>>> --
>>> Test Your IDS
>>>
>>> Is your IDS deployed correctly?
>>> Find out quickly and easily by testing it
>>> with real-world attacks from CORE IMPACT.
>>> Go to http://www.coresecurity.com/index.php5?
>>> module=Form&action=impact&campaign=intro_sfw
>>> to learn more.
>>> --------------------------------------------------------------------
>>> --
>>> --
>>>
>>
>>
>>
>
>
> --
>
> Adam Powers
> Chief Technology Officer
> Lancope, Inc.
> c. 678.725.1028
> f. 678.302.8744
> e. adamlancope.com
>
>
>
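The collector-side merge Adam describes, as an added example that is not part of the thread: a small Python bi-flow merger over constructed NetFlow-style records exported by R1..R4 for the asymmetric path in his diagram (router names, addresses and counters are assumed), plus a view restricted to one router's exports, which is what a passive sensor watching a single link ends up with.

```python
# Added example (not from the thread). Merge unidirectional NetFlow-style
# records from several routers into bi-flows, then show the one-sided view
# a single-link sensor gets under asymmetric L3 routing.

# Constructed sample exports: (exporter, src, sport, dst, dport, proto, pkts, bytes).
# One HTTP connection, routed Client -> R1 -> R2 -> R3 -> Server and
# Server -> R3 -> R4 -> R1 -> Client, so R2 and R4 each see only one direction.
EXPORTS = [
    ("R1", "10.0.0.5", 40001, "192.0.2.10", 80, 6, 12, 1800),
    ("R2", "10.0.0.5", 40001, "192.0.2.10", 80, 6, 12, 1800),
    ("R3", "10.0.0.5", 40001, "192.0.2.10", 80, 6, 12, 1800),
    ("R3", "192.0.2.10", 80, "10.0.0.5", 40001, 6, 10, 9200),
    ("R4", "192.0.2.10", 80, "10.0.0.5", 40001, 6, 10, 9200),
    ("R1", "192.0.2.10", 80, "10.0.0.5", 40001, 6, 10, 9200),
]


def biflow_key(src, sport, dst, dport, proto):
    """Direction-independent key: both endpoints in a canonical order."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def merge_biflows(exports):
    """Merge per-router unidirectional records into bi-flows.

    Every router on a path reports the same packets, so per-direction counters
    are deduplicated (max across exporters) rather than summed.
    """
    biflows = {}
    for exporter, src, sport, dst, dport, proto, pkts, byts in exports:
        key = biflow_key(src, sport, dst, dport, proto)
        bf = biflows.setdefault(key, {"dirs": {}, "exporters": set()})
        d = bf["dirs"].setdefault((src, sport, dst, dport), {"pkts": 0, "bytes": 0})
        d["pkts"] = max(d["pkts"], pkts)
        d["bytes"] = max(d["bytes"], byts)
        bf["exporters"].add(exporter)
    for bf in biflows.values():
        # Both halves of the conversation present: safe for bidirectional analysis.
        bf["bidirectional"] = len(bf["dirs"]) == 2
    return biflows


def exporter_view(exports, exporter):
    """Bi-flows reconstructable from one router's exports alone (single-link sensor)."""
    return merge_biflows([e for e in exports if e[0] == exporter])


if __name__ == "__main__":
    for key, bf in merge_biflows(EXPORTS).items():
        print(key, "bidirectional" if bf["bidirectional"] else "one-sided", sorted(bf["exporters"]))
    for key, bf in exporter_view(EXPORTS, "R2").items():
        print("R2 only:", key, "bidirectional" if bf["bidirectional"] else "one-sided")
```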
