IDS mailing list archives

RE: Asymmetric traffic/topology


From: "Bergen, Matt" <MBergen () mgmmirage com>
Date: Thu, 8 Nov 2007 11:00:29 -0800

Asymmetric communication is not generally preferred, but it is also not
entirely uncommon on today's networks. Most of the experience I've had
with this type of configuration relates to Internet multi-homing. For
example, if a network pads their BGP prefix list to force communication
to come in through one provider but outbound traffic is allowed to take
the best path, a situation will exist where incoming traffic will take
one path across the Internet but the return traffic to some hosts will
take another.

You also have to figure that, with the dynamic nature of modern
networks (including the Internet), asymmetric routing will occasionally
pop up and disappear depending on the decisions made by the specific
routing protocols. The only way to completely avoid this is through
static routes.

As far as purposely creating an asymmetric configuration on a corporate
network, I have never had a reason to do so, but I suppose there could
be some situations where it might be necessary or useful.

From a network intrusion detection/prevention perspective, there is most
likely a point closer to the system/network you're trying to monitor
where there is no asymmetry. For example, there is only one possible
path at a time on an Ethernet network. 

Of course, all of this is fairly generic. Can you give more specific
information?

--
Matt
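The "IDS sees only one side of the conversation" condition described in this thread is something you can measure at the sensor itself. The following Python example is added here and is not code from the thread or from any product mentioned in it; the packet summaries are constructed, and the tuple layout is an assumption about what a sensor or flow exporter might hand you.

```python
"""Flag TCP flows seen by a sensor in only one direction.
Added example, not code from the thread; packets below are constructed
(TEST-NET addresses) and the tuple layout is an assumed sensor export."""
from collections import defaultdict

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    # Symmetric session: both directions pass the sensor
    ("10.1.1.5", 51000, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "10.1.1.5", 51000, "SA"),
    ("10.1.1.5", 51000, "192.0.2.10", 80, "A"),
    ("10.1.1.5", 51000, "192.0.2.10", 80, "PA"),
    ("192.0.2.10", 80, "10.1.1.5", 51000, "PA"),
    # Asymmetric: the server-to-client path bypasses the sensor
    ("10.1.1.6", 52000, "198.51.100.7", 443, "S"),
    ("10.1.1.6", 52000, "198.51.100.7", 443, "A"),
    ("10.1.1.6", 52000, "198.51.100.7", 443, "PA"),
    # Asymmetric the other way: only the return path is monitored
    ("203.0.113.9", 22, "10.1.1.7", 53000, "SA"),
    ("203.0.113.9", 22, "10.1.1.7", 53000, "PA"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key: order the two endpoints canonically."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def find_one_sided_flows(packets, min_packets=2):
    """Return {flow_key: packets_seen} for flows with zero reverse packets.

    At least min_packets one way and none back is what asymmetric routing
    looks like from the sensor: the IDS cannot reassemble the stream, and
    any rule needing the other side (a server reply) silently never fires.
    """
    counts = defaultdict(lambda: [0, 0])  # key -> [forward, reverse]
    for src, sport, dst, dport, _flags in packets:
        key = flow_key(src, sport, dst, dport)
        counts[key][0 if key[0] == (src, sport) else 1] += 1
    return {key: fwd + rev for key, (fwd, rev) in counts.items()
            if (fwd == 0 or rev == 0) and fwd + rev >= min_packets}

def asymmetry_ratio(packets):
    """Fraction of flows that are one-sided: a quick health check for a tap."""
    total = len({flow_key(s, sp, d, dp) for s, sp, d, dp, _ in packets})
    return len(find_one_sided_flows(packets)) / total if total else 0.0

if __name__ == "__main__":
    for key, n in find_one_sided_flows(SAMPLE_PACKETS).items():
        print(f"one-sided {key[0]} <-> {key[1]}: {n} packets, no reverse")
    print(f"asymmetry ratio: {asymmetry_ratio(SAMPLE_PACKETS):.2f}")
```

Unanswered SYNs are also one-sided, so raise min_packets (or require a non-SYN packet) before treating a flagged flow as evidence of a routing problem rather than a dead connection attempt; a sustained non-zero ratio at a tap that should see both directions is the signal to move the sensor closer to the monitored segment, as the reply above suggests.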


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of snort user
Sent: Wednesday, November 07, 2007 4:42 PM
To: focus-ids () securityfocus com
Subject: Asymmetric traffic/topology

Greetings.

I am sure that most of you know about the asymmetric traffic/topology
problem in relevance to IDS/IPS systems.
(By asymmetric traffic/topology, I mean the case where client-to-server
packets traverse a different path in your network compared to
server-to-client packets. Hence the IDS/IPS sees only one side of the
conversation.)

I am trying to find out how wide this problem really is.
Is it commonly seen in large / enterprise networks?

Any input is welcome.

Thanks

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
