IDS mailing list archives
Re: IDS/IPS system with Foundry sFlow
From: Adam Powers <apowers () lancope com>
Date: Tue, 22 Apr 2008 15:58:51 -0400
There are only a small handful of companies that process native sFlow for security analysis purposes. Lancope's StealthWatch is one of those companies and yes, I am a Lancope employee. My feeling is that Lancope has the most in-depth experience and understanding of sFlow security that's available today. The StealthWatch Xe for sFlow appliance is designed specifically for high speed sFlow analysis, storage, and processing - especially in a security context.

Here are a few important subtleties regarding sFlow collector implementations that you may want to keep in mind:

1. Find out about sFlow deduplication. How and if they support it. This is probably the most important sFlow feature. If you don't deduplicate, you can't properly measure attack volume. Example: A simple 1000 SYN flood is underway from point A to B. There are 10 sFlow enabled devices in the path from A to B. The system that supports deduplication reports "1,000 packets per second!". The system without deduplication support reports "10,000 packets per second!!!". This double counting results in a sizable error and often an associated false positive.

2. Ask if they offer support for new sFlow features that allow for packet sampling exceptions. Sampling exceptions allow the switch to pick out certain important packets (such as the TCP SYN or SYN/ACK) and tag them as "extra samples" before they are exported. Lancope makes use of these extra samples without impacting the natural sample rates of the sFlow exporter, improving the speed and accuracy of attack detection. Very cool. To vendors that don't support this feature, the extra samples are invisible and useless.

3. Pressure sFlow vendors about their use of native sFlow decodes vs. NetFlow conversions. Many vendors will convert the sFlow into NetFlow before processing, losing much of the useful information such as payload and Ethernet frame information. The StealthWatch sFlow collector actually opens the sFlow sample and decodes the Ethernet segment found within. Payload samples are saved and made searchable in the StealthWatch GUI. Nothing is lost in translation.

4. Definitely want to ask about INM integration and the partnerships/connections they have to the sFlow big guys (HP, Foundry, Extreme). For those of you that want it, and there are some believe it or not, StealthWatch integrates directly with IronView for automated and/or semi-automated mitigation (port disablement, vlan rewrite, etc).

Good luck in your hunt, sFlow is super powerful but like gasoline to a car, it's only as useful as the technology that consumes it.

--
Adam Powers
Chief Technology Officer
Lancope, Inc.

On 4/21/08 3:42 PM, "Security Group" <secgro () gmail com> wrote:
Hello,

We have got a network with an embedded support for sFlow technology. We also want to have a good IDS/IPS system. Does anyone know a good setup with our Foundry? We noticed that Foundry got their own application called "IronView Network Manager", it is able to operate with snort. Does anyone know if this is a good solution? Or should we use an sFlow converter (e.g. InMon sFlow toolkit) that can work with snort? What are the other possibilities for IDS/IPS besides snort. It has to operate with the sFlow technology.

Kind regards,
Babel Timo
--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam () lancope com
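The deduplication point above (item 1 in Adam's reply) is easy to see in code. The following is an added illustration, not Lancope's or StealthWatch's code: it builds a constructed set of sFlow-style flow samples for a 1,000 SYN/s flood crossing ten sampling devices, then compares a collector that sums scaled samples from every agent with one that attributes each flow to a single observation point. The "first agent to report the flow owns it" rule and all names, addresses and sampling rates are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# A minimal view of one sFlow flow sample: which agent exported it, the
# sampled packet's header fields, and that agent's 1-in-N sampling rate.
@dataclass(frozen=True)
class FlowSample:
    agent: str          # exporting device (sFlow agent address or hostname)
    src: str
    dst: str
    proto: str
    dport: int
    tcp_flags: str      # e.g. "S" for a bare SYN
    sampling_rate: int  # 1-in-N packet sampling configured on the agent

FlowKey = Tuple[str, str, str, int, str]

def flow_key(s: FlowSample) -> FlowKey:
    # Aggregate on the fields that identify the half-flow, including TCP
    # flags so that a SYN flood stands apart from established traffic.
    return (s.src, s.dst, s.proto, s.dport, s.tcp_flags)

def naive_pps(samples: Iterable[FlowSample], window_s: float) -> Dict[FlowKey, float]:
    # Scale every sample by its agent's sampling rate and sum across ALL
    # agents. Every device on the path sees the same packets, so this
    # counts the flow once per hop.
    est: Dict[FlowKey, float] = defaultdict(float)
    for s in samples:
        est[flow_key(s)] += s.sampling_rate / window_s
    return dict(est)

def dedup_pps(samples: Iterable[FlowSample], window_s: float) -> Dict[FlowKey, float]:
    # Deduplicate by choosing one observation point per flow key: the first
    # agent that reports a flow becomes its owner, and samples of the same
    # flow from other agents are ignored. This is an assumed strategy for
    # illustration; a production collector would rather use a topology-aware
    # rule such as "the ingress edge device owns the flow".
    owner: Dict[FlowKey, str] = {}
    est: Dict[FlowKey, float] = defaultdict(float)
    for s in samples:
        k = flow_key(s)
        owner.setdefault(k, s.agent)
        if owner[k] == s.agent:
            est[k] += s.sampling_rate / window_s
    return dict(est)

def flag_floods(est: Dict[FlowKey, float], threshold_pps: float) -> List[FlowKey]:
    # Detection rule: any flow key whose estimated rate meets the threshold.
    return sorted(k for k, pps in est.items() if pps >= threshold_pps)

def build_flood_samples(agents: List[str], samples_per_agent: int,
                        sampling_rate: int) -> List[FlowSample]:
    # Constructed input: a SYN flood from A (10.0.0.1) to B (10.0.1.1) that
    # crosses every listed agent; each agent, sampling 1-in-N, emits the same
    # number of samples for it.
    return [FlowSample(agent, "10.0.0.1", "10.0.1.1", "tcp", 80, "S", sampling_rate)
            for agent in agents for _ in range(samples_per_agent)]

AGENTS = [f"sw{i:02d}" for i in range(1, 11)]   # ten devices on the A->B path
# 1,000 SYN/s sampled 1-in-100 yields 10 samples per second at each hop.
SAMPLES = build_flood_samples(AGENTS, samples_per_agent=10, sampling_rate=100)
FLOOD_KEY: FlowKey = ("10.0.0.1", "10.0.1.1", "tcp", 80, "S")

if __name__ == "__main__":
    naive = naive_pps(SAMPLES, window_s=1.0)
    dedup = dedup_pps(SAMPLES, window_s=1.0)
    print("naive estimate:", naive[FLOOD_KEY], "pps")          # 10000.0
    print("deduplicated estimate:", dedup[FLOOD_KEY], "pps")   # 1000.0
    print("flagged at 5000 pps, naive:", flag_floods(naive, 5000))
    print("flagged at 5000 pps, dedup:", flag_floods(dedup, 5000))
```

With a 5,000 pps alarm threshold the naive collector raises the false positive Adam describes while the deduplicating one reports the true 1,000 pps. Because sFlow samples at each hop are independent random draws, you cannot match individual packets across agents; deduplication has to be done at the flow level by deciding which agent's view of a flow is authoritative, which is why the ownership rule (and the topology knowledge behind it) matters more than the arithmetic.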