IDS mailing list archives
Re: Asymmetric traffic/topology
From: Jeremy Bennett <jeremy () deities org>
Date: Fri, 9 Nov 2007 06:52:21 -0800
I cannot cite specific marketing or survey data. What I shared was based on my own experience developing networking and security products, including working on a commercial IPS product for over 5 years.
-J

On Nov 8, 2007, at 8:37 PM, snort user wrote:
Jeremy,

Do you have any reference for the information that you provided?

Thanks

On Nov 8, 2007 6:06 PM, Jeremy Bennett <jeremy () deities org> wrote:

First there are three types of asymmetry in a network that can cause problems for some types of IPS devices.

1. Connection-level asymmetry: This is the case where a given TCP connection (up and down stream) is on a single network path but a separate, identical connection may follow a different path. This is very common and can cause problems for behavioral systems.
2. Flow-level asymmetry: This is the case where the upstream and downstream flows in a TCP connection may follow different paths. This can cause problems for behavioral systems and stateful packet-inspection.
3. Packet-level asymmetry: This is the case where packets within a flow may be following different routes in a network. This can cause problems for any IPS except for the most basic packet-filter.

Now in my experience, #1 is very common in medium to large enterprises that have built for scalability and redundancy. #2 is common in load-balanced server farms. #3 is not extremely common but does appear in some instances of a hot-hot redundancy deployment.

-J

On Nov 7, 2007, at 4:42 PM, snort user wrote:

Greetings.

I am sure that most of you know about the asymmetric traffic/topology problem in relevance to IDS/IPS systems. (By asymmetric traffic/topology, I mean the case where client to server packets traverse a different path in your network compared to server to client packets. Hence the IDS/IPS see only one side of the conversation.)

I am trying to find out how wide this problem really is? Is it commonly seen in large / enterprise networks?

Any input is welcome.

Thanks

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
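One way to measure, from a single sensor's point of view, how much of its traffic shows the flow-level asymmetry (#2) described in the thread. This is an added example, not code from any poster in the thread; the function names, labels and the sample packets are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
# as captured at ONE sensor. S=SYN, A=ACK, P=PSH.
PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, "S"),     # full handshake seen
    ("192.0.2.10", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "192.0.2.10", 80, "A"),
    ("10.0.0.6", 40001, "192.0.2.10", 80, "S"),     # replies took another path
    ("10.0.0.6", 40001, "192.0.2.10", 80, "A"),
    ("192.0.2.10", 443, "10.0.0.7", 40002, "SA"),   # requests took another path
    ("192.0.2.10", 443, "10.0.0.7", 40002, "A"),
    ("10.0.0.8", 40003, "192.0.2.11", 22, "PA"),    # mid-stream, no handshake seen
]

def classify_connections(packets):
    """Return {connection_key: label} describing what this sensor observed."""
    seen = defaultdict(lambda: {"dirs": set(), "client": None})
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        src, dst = (src_ip, src_port), (dst_ip, dst_port)
        key = tuple(sorted((src, dst)))      # same key for both directions
        conn = seen[key]
        conn["dirs"].add(src)                # which endpoints we saw sending
        if "S" in flags:
            # A bare SYN comes from the client; SYN+ACK comes from the server.
            conn["client"] = dst if "A" in flags else src
    labels = {}
    for key, conn in seen.items():
        if len(conn["dirs"]) == 2:
            labels[key] = "both_directions"
        elif conn["client"] is None:
            labels[key] = "one_way_unknown_side"
        elif conn["client"] in conn["dirs"]:
            labels[key] = "client_to_server_only"
        else:
            labels[key] = "server_to_client_only"
    return labels

def one_sided_fraction(labels):
    """Share of connections for which only one direction was observed."""
    one_sided = [v for v in labels.values() if v != "both_directions"]
    return len(one_sided) / len(labels) if labels else 0.0

if __name__ == "__main__":
    result = classify_connections(PACKETS)
    for key, label in sorted(result.items()):
        print(key, label)
    print("one-sided fraction:", one_sided_fraction(result))
```

A client-only connection can also be an unanswered SYN (a scan or a dropped packet), so a high one-sided fraction points to asymmetric routing only when the one-sided connections also carry data or ACKs.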