IDS mailing list archives
RE: Multi-Processor based solutions
From: Surya Batchu <suryak_batchu () yahoo com>
Date: Sat, 25 Mar 2006 19:07:38 -0800 (PST)
Thank you for the quick answer. Though this approach works for many deployments, the load balancing may not be proper i.e some CPUs get overloaded. This functionality is challenging in multi-functional devices where some traffic is IPsec'ed and some not. Also, there may be conflicting requirements such as overlapping selectors among the traffic anomaly policies. In IPsec case, some traffic falling in the traffic anomaly policy may not go to the same CPU as clear traffic as IPsec tunnel itself may be owned some other CPU. It seems to me that traffic anomaly is at best best effort in multi-CPU environments. Any comments... Surya --- "Biswas, Proneet" <pbiswas () ipolicynetworks com> wrote:
Hi Surya, There could be multiple methods of handling these issues based on the kind of architecture desired. One of the most common methods deployed is some kind of load balancing based on the IP tuple. Let us say we want to handle the case of DoS attacks on particular servers. In this case, you could direct all packets belonging to a particular Destination IP to a particular CPU. The other mechanism could be load balancing based on protocols. Say all traffic anomalies related to HTTP are handled on a particular CPU. There could be more advanced load balancing algorithms too. Thanks Proneet. -----Original Message----- From: Surya Batchu [mailto:suryak_batchu () yahoo com] Sent: Wednesday, March 22, 2006 7:04 AM To: focus-ids () securityfocus com Subject: Multi-Processor based solutions I understand signature based detection and prevention works fine in Multi processor solutions. Does anybody have any experience on traffic anomaly based intrusion detection and rate control? I wonder how effective this would be as different connections belonging to a policy may end up in different CPUs. Surya __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Multi-Processor based solutions Surya Batchu (Mar 23)
- <Possible follow-ups>
- RE: Multi-Processor based solutions Biswas, Proneet (Mar 27)
- RE: Multi-Processor based solutions Surya Batchu (Mar 27)