If when you say "Behavior-based System" you're referencing any of the
NetFlow-based products then you're not quite right.
Behavior-based NetFlow products overcome the asymmetry problem by
reassembling flows from multiple routers along disparate data paths.
If we have a situation such as:
Client -> R1 -> R2 -> R3 -> Server
Client <- R1 <- R4 <- R3 <- Server
..in this case the path is R1 to R2 to R3 in one direction and R3 to R4 to
R1 on the return path. Classic asymmetric L3 routing. NetFlow gets around
this problem because R1, R2, R3, and R4 are all sending their NetFlow
exports to a single collector where the unidirectional flows are merged and
processed into a "bi-flow" that would look more like...
Client <-> R1 <-> R2,R4 <-> R3 <-> Server
Analysis can then be performed on the bidirectional flow without fear of
asymmetry issues. All that's required is that you enable NetFlow on the
correct devices (the more the merrier IMO).
On 11/8/07 6:06 PM, "Jeremy Bennett" <jeremy@deities.org> wrote:
First there are three types of asymmetry in a network that can cause
problems for some times of IPS devices.
1. Connection-level asymmetry: This is the case where a given TCP
connection (up and down stream) is on a single network path but a
separate, identical connection may follow a different path. This is
very common and can cause problems for behavioral systems.
2. Flow-level asymmetry: This is the case where the upstream and
downstream flows in a TCP connection may follow different paths. This
can cause problems for behavioral systems and stateful packet-
inspection.
3. Packet-level asymmetry: This is the case packets within a flow may
be following different routes in a network. This can cause problems
for any IPS except for the most basic packet-filter.
Now in my experience, #1 is very common in medium to large
enterprises that have built for scalability and redundancy. #2 is
common in load-balanced server farms. #3 is not extremely common but
does appear in some instances of a hot-hot redundancy deployment.
-J
On Nov 7, 2007, at 4:42 PM, snort user wrote:
Greetings.
I am sure that most of you know about the asymmetric traffic/topology
problem in relevance to
IDS/IPS systems.
( By Asymmetric traffic/topology, I mean the case where client to
server packets traverse a different path
in your network compared to server to client packets. Hence the
IDS/IPS see only one side of the conversation)
I am trying to find out how wide this problem really is?
Is it commonly seen in large / enterprise networks ?
Any input is welcome.
Thanks
----------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?
module=Form&action=impact&campaign=intro_sfw
to learn more.
----------------------------------------------------------------------
--
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intr
o_sfw
to learn more.
------------------------------------------------------------------------
--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam@lancope.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
