Re: MPLS IDS question

["David W. Goodrum" <dgoodrum () nfr com>]

Just an FYI, but NFR's Sensors support MPLS.  Was there something 
specific you wanted out of the padding, or did you just want to make 
sure that the IDS could accurately parse traffic over MPLS connections?  
MPLS can have lots of stuff in the padding, which can be of variable 
length no set byte count unfortunately) which means that to properly 
handle it, the IDS engine must walk the entire packet to search for the 
end the MPLS data.  If you want a more technical discussion on how to 
monitor MPLS data with your IDS, I can point you to the correct NFR 
developers offline.

-dave

--
David W. Goodrum
Senior Systems Engineer
(nfr)(security)
http://www.nfr.com
703.731.3765



Dobbelaere, David [NCSBE] wrote:

> Hi Pierre,
>
> The MPLS tunnel gets terminated at the CE (Customer Entry) router.
> If you put an NIDS/NIPS between your network and the CE then you don't need
> any MPLS protocol decoder on your NIDS to monitor traffic in the tunnel.
> On top you can enable IOS IDS feature set on the CE to be able to monitor
> the traffic towards the CE itself.
> I'm not an MPLS guru myself but this is the path I would follow unless you
> really need to monitor in the MPLS tunnel for some reason.
>
> rgdz,
> Chewy
>
>
> -----Original Message-----
> From: Pierre A. Cadieux [mailto:hobbit () theshire com] 
> Sent: Monday, April 04, 2005 6:50 PM
> To: focus-ids () securityfocus com
> Subject: MPLS IDS question
>
> Hello List,
>
> I was wondering if anyone has yet had the pleasure of rolling out an IDS to
> an MPLS environment?
>
> At this point it looks as if MPLS is one of the networking directions being
> used within my work environment, and I was hoping that someone has already
> tackled or at least identified any issues that should be considered when
> planning IDS deployment to monitor MPLS.
>
> I am not an MPLS expert, so just getting started with understanding what it
> is and does/does not provide as far as complexity.
>
> Any insight is appreciated.
>
> ->Pierre A. Cadieux CISSP
>
>
> --------------------------------------------------------------------------
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds vulnerabilities,
> applications and new hosts without the need for network scanning. 
> It also finds compromised systems with application-based intrusion
> detection. 
> Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> --------------------------------------------------------------------------
>
> --------------------------------------------------------------------------
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds vulnerabilities, 
> applications and new hosts without the need for network scanning. 
> It also finds compromised systems with application-based intrusion
> detection. 
> Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> --------------------------------------------------------------------------
>
>
>
>
> --------------------------------------------------------------------------
> Stop hurting your network!
>
> The NeVO passive vulnerability sensor continuously finds vulnerabilities, 
> applications and new hosts without the need for network scanning. 
> It also finds compromised systems with application-based intrusion detection. 
> Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
> --------------------------------------------------------------------------
>
>  


--------------------------------------------------------------------------
Stop hurting your network!

The NeVO passive vulnerability sensor continuously finds vulnerabilities, 
applications and new hosts without the need for network scanning. 
It also finds compromised systems with application-based intrusion detection. 
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------