IDS mailing list archives
RE: Asymmetric traffic/topology
From: "Bergen, Matt" <MBergen () mgmmirage com>
Date: Thu, 8 Nov 2007 11:00:29 -0800
Asymmetric communication is not generally preferred, but it is also not entirely uncommon on today's networks. Most of the experience I've had with this type of configuration relates to Internet multi-homing. For example, if a network pads their BGP prefix list to force communication to come in through one provider but outbound traffic is allowed to take the best path, a situation will exist where incoming traffic will take one path across the Internet but the return traffic to some hosts will take another. You also have to figure that, with the dynamic nature of modern networks (including the Internet), asymmetric routing will occasionally pop up and disappear depending on the decisions made by the specific routing protocols. The only way to completely avoid this is through static routes. As far as purposely creating an asymmetric configuration on a corporate network, I have never had a reason to do so, but I suppose there could be some situations where it might be necessary or useful.
From a network intrusion detection/prevention perspective, there is most likely a point closer to the system/network you're trying to monitor where there is no asymmetry. For example, there is only one possible path at a time on an Ethernet network. Of course, all of this is fairly generic. Can you give more specific information?

-- Matt

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of snort user
Sent: Wednesday, November 07, 2007 4:42 PM
To: focus-ids () securityfocus com
Subject: Asymmetric traffic/topology

Greetings.

I am sure that most of you know about the asymmetric traffic/topology problem in relevance to IDS/IPS systems. (By asymmetric traffic/topology, I mean the case where client to server packets traverse a different path in your network compared to server to client packets. Hence the IDS/IPS see only one side of the conversation.)

I am trying to find out how wide this problem really is. Is it commonly seen in large / enterprise networks?

Any input is welcome.

Thanks
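
One way to measure how much one-sided traffic a given sensor position actually sees, as an added example that is not part of the original thread: group captured TCP packets into direction-independent flows and count the flows where only one direction was observed. The record layout, function names and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, tcp_flags) as seen by ONE sensor.
PACKETS = [
    ("198.51.100.7", 40312, "192.0.2.10", 443, "S"),
    ("192.0.2.10", 443, "198.51.100.7", 40312, "SA"),
    ("198.51.100.7", 40312, "192.0.2.10", 443, "A"),
    ("203.0.113.5", 51544, "192.0.2.10", 443, "S"),
    ("203.0.113.5", 51544, "192.0.2.10", 443, "A"),   # ACK, but no SYN-ACK was seen
    ("203.0.113.5", 51544, "192.0.2.10", 443, "PA"),
    ("203.0.113.9", 33000, "192.0.2.20", 25, "S"),    # bare SYN, never answered
]

def classify_flows(packets):
    """Label each TCP flow by what the sensor observed of it."""
    seen = defaultdict(lambda: {"fwd": set(), "rev": set()})
    for src, sport, dst, dport, flags in packets:
        a, b = (src, sport), (dst, dport)
        key = (min(a, b), max(a, b))          # same key for both directions
        side = "fwd" if a == key[0] else "rev"
        seen[key][side].add(flags)
    labels = {}
    for key, dirs in seen.items():
        if dirs["fwd"] and dirs["rev"]:
            labels[key] = "both"
            continue
        flags = dirs["fwd"] or dirs["rev"]
        # Heuristic: anything beyond a bare SYN implies the peer replied on
        # a path this sensor cannot see. A lone SYN may simply be unanswered.
        progressed = any(f != "S" for f in flags)
        labels[key] = "one-sided" if progressed else "unanswered"
    return labels

def asymmetry_ratio(packets):
    """Share of answered flows for which the sensor saw only one direction."""
    labels = [l for l in classify_flows(packets).values() if l != "unanswered"]
    if not labels:
        return 0.0
    return sum(l == "one-sided" for l in labels) / len(labels)

if __name__ == "__main__":
    for flow, label in classify_flows(PACKETS).items():
        print(flow, label)
    print("asymmetry ratio:", asymmetry_ratio(PACKETS))
```

Running the same count at candidate tap points shows where the ratio drops to zero, which is the point closer to the monitored network that the reply describes.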
Current thread:
- Asymmetric traffic/topology snort user (Nov 08)
- RE: Asymmetric traffic/topology Bergen, Matt (Nov 09)
- RE: Asymmetric traffic/topology Srinivasa Addepalli (Nov 09)
- Re: Asymmetric traffic/topology Jeremy Bennett (Nov 09)
- Re: Asymmetric traffic/topology snort user (Nov 09)
- Re: Asymmetric traffic/topology Jeremy Bennett (Nov 09)
- Re: Asymmetric traffic/topology Ravi Chunduru (Nov 09)
- Re: Asymmetric traffic/topology Adam Powers (Nov 13)
- Re: Asymmetric traffic/topology Jeremy Bennett (Nov 13)
- Re: Asymmetric traffic/topology Roland Dobbins (Nov 14)
- RE: Asymmetric traffic/topology Nelson Brito (Nov 27)
- Re: Asymmetric traffic/topology snort user (Nov 09)