IDS mailing list archives

RE: Traffic Balancing on High-speed IDS


From: kgeorgiades () toplayer com
Date: Wed, 23 Jul 2003 11:55:43 -0400

The cleanest, most economical and easiest way to do this is to use an IDS
Balancer (such as the Top Layer IDS Balancer).

It will save you money on the number of sensors that you need to use, you
can get redundancy on the IDS (if one IDS fails, the balancer will
distribute the traffic to the rest in the group), and the balancer will also
handle asymmetric flows.

Ken Georgiades

-----Original Message-----
From: Graham, Robert (ISS Atlanta)
To: Christian Kreibich; Focus IDS
Sent: 7/22/03 2:30 PM
Subject: RE: Traffic Balancing on High-speed IDS

The Symantec ManHunt and ISS Proventia 1204 have that XOR feature
built-in. For example, you can buy 4 Proventia boxes and hook them to 4
gigabit links.

Why this is different than 4 individual (non-teamed) sensors is when
those 4 links carry the same traffic, so a TCP packet in a connection
might arrive on any of the 4 interfaces. If you don't sniff all 4
networks with each box (then do the XOR trick), then you'll drop packets
in the middle of the connection.

(Proventia is the ISS RealSecure appliance; the model number 1204 means
it does 1.2 Gbps across 4 interfaces).


-----Original Message-----
From: Christian Kreibich [mailto:christian () whoop org]
Sent: Monday, July 21, 2003 10:54 AM
To: Focus IDS
Subject: Re: Traffic Balancing on High-speed IDS


Hi,

On Thu, 2003-07-17 at 15:59, Thiago Mello wrote:
Hi,

I'm developing an IDS based on sensors for high-speed networks, and I'm
reading some papers about distributing the traffic to IDS sensors.

I would like some opinions from you on the best way to distribute the
traffic to the sensors, and to distribute it while guaranteeing the attacks,
such as DDoS. Some links and papers are also welcome.

look for papers on monitoring of high-speed networks. You want a scheme
that stripes the flows across your sensors, making sure that each flow
is kept intact -- n-valued hash functions, based for example on XORs of
IP addresses come to mind. You can sometimes push the resulting filters
down into the firmware of the card so you don't pollute the PCI buses on
the sensors. Hth.

http://citeseer.nj.nec.com/565810.html
http://www.ist-scampi.org/publications/deliverables/D0.1.pdf

The second one also mentions TopLayer's product.

Cheers,
Christian.
-- 
________________________________________________________________________
                                                    http://www.whoop.org
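The flow-striping scheme discussed in this thread (a direction-independent hash built from XORed IP addresses and ports, reduced to one of n sensors, with a failed sensor dropped from the group) as an added Python example; it is not code from any of the messages or from the products mentioned, and the sensor names and sample packets are constructed.

```python
import ipaddress
import struct
import zlib
from collections import Counter
from typing import Sequence, Tuple

# A packet is a 5-tuple: (src_ip, dst_ip, ip_proto, src_port, dst_port).
Packet = Tuple[str, str, int, int, int]

# Constructed sample traffic: each client connection appears in both
# directions, as it does when the two halves of a flow take different links.
SAMPLE_PACKETS: list = []
for i in range(1, 41):
    fwd: Packet = (f"10.0.0.{i}", "192.0.2.10", 6, 40000 + i, 80)
    SAMPLE_PACKETS.append(fwd)
    SAMPLE_PACKETS.append((fwd[1], fwd[0], fwd[2], fwd[4], fwd[3]))  # reply


def flow_hash(pkt: Packet) -> int:
    """Direction-independent hash of a flow.

    XORing the two addresses and the two ports gives the same value for A->B
    and B->A, so both directions of a connection (and both paths of an
    asymmetrically routed one) land on the same sensor. CRC32 only spreads
    the XORed bits before the modulo; it is a distribution helper, not a
    security primitive.
    """
    src, dst, proto, sport, dport = pkt
    ip_xor = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    # 16 bytes covers IPv4 and IPv6 addresses alike.
    data = ip_xor.to_bytes(16, "big") + struct.pack("!BH", proto, sport ^ dport)
    return zlib.crc32(data)


def pick_sensor(pkt: Packet, healthy: Sequence[str]) -> str:
    """n-valued hash: map a packet onto one of the currently healthy sensors."""
    if not healthy:
        raise RuntimeError("no healthy sensors to balance onto")
    return healthy[flow_hash(pkt) % len(healthy)]


def distribute(packets: Sequence[Packet], healthy: Sequence[str]) -> Counter:
    """Per-sensor packet counts for a batch, to check that striping is even."""
    return Counter(pick_sensor(p, healthy) for p in packets)


if __name__ == "__main__":
    sensors = ["ids-1", "ids-2", "ids-3", "ids-4"]
    print("all healthy:", distribute(SAMPLE_PACKETS, sensors))
    # Sensor failure: drop it from the group and re-stripe over the rest;
    # every flow still keeps both of its directions on a single sensor.
    print("ids-3 down:", distribute(SAMPLE_PACKETS, [s for s in sensors if s != "ids-3"]))
```

Note that a plain modulo re-maps most existing flows when the group size changes, which is exactly the mid-connection packet loss Robert describes; a consistent-hashing scheme limits the re-mapping to flows that were on the failed sensor.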
