RE: Asymmetric traffic/topology

["Nelson Brito" <nbrito () sekure org>]

This is possible to use ADS to address this kind of stuff, but AFAIK an IPS
miles / kilometers away from the other traffic cannot do protection - please
keep in mind that asymmetric traffic / routing doesn't mean you have a
traffic flowing in one room an the other right next door.

I've seen some issues around this topic and just as a remind: IPS is any
device which can block instantaneously, without any required outsider
technology, any malicious traffic between two points (source and target),
and IPS falls in the middle of this traffic. It doesn't matter if it is a
network IPS or a host IPS. IPS is placed in the flow of traffic, so it can
be able to stop threads before they reach the destination. Otherwise you
have an IDS or ADS.

Back to the main topic, asymmetric traffic is possible to be a problem in a
IPS environment. IPS is a singular technology and needs to see / check all
the content of traffic, and it is very different from Firewall technology
which needs to see only the headers. So image the following network:

    USA ------- FW ------- IPS -------+------------------
                ||                    | Corporate Network
 Brazil ------- FW ------- IPS -------+------------------

What we can see is an asymmetric traffic that can come / go thru both USA
internet connection and / or Brazil internet connection. To maintain the
state of connections for Firewalls you just have a simple configuration and
the headers can be copied from USA to Brazil and vice-versa. It is not a
huge amount of data to transfer, but when we are talking about content
maintenance it can be as high as your total internet connection bandwidth.

To prevent / protect the malicious traffic before it reaches the
destination, and that is exactly what IPS does, you should copy all the
traffic from USA IPS to Brazil IPS.

My 2 cents.

Nelson Brito (f.k.a. stderr)
Sekure SDI's Member since 1999
 

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of Roland Dobbins
> Sent: Wednesday, November 14, 2007 3:40 AM
> To: focus-ids () securityfocus com
> Subject: Re: Asymmetric traffic/topology
>
>
> On Nov 13, 2007, at 11:28 AM, Jeremy Bennett wrote:
>
> > What I meant was systems that are attempting to extract 
> flow data by 
> > watching the traffic itself.
>
> These must be placed at appropriate points in the topology, 
> yes, if the infrastructure itself doesn't support NetFlow 
> export.  nfdump would be an example of the type of system 
> you're describing; for example, Adam's Lancope collectors can 
> also generate flows from RSPAN or copy/capture VACL 
> destination ports, if necessary.
>
> The disadvantage of this mode of operation is that a) it 
> doesn't scale well, as you indicate, and b) one loses the 
> input and output ifindex information, and thus the traceback 
> functionality is impeded.
>
> --------------------------------------------------------------
> ---------
> Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice
>
>                 -- Elvis Presley
>
>
>
> --------------------------------------------------------------
> ----------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world 
> attacks from CORE IMPACT.
> Go to 
> http://www.coresecurity.com/index.php5?module=Form&action=impa
ct&campaign=intro_sfw
> to learn more.
> --------------------------------------------------------------
> ----------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------