Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Asymmetric traffic/topology

from [Jeremy Bennett] Network Security [Permanent Link]
Subject: Re: Asymmetric traffic/topology
Date: Tue, 13 Nov 2007 11:28:43 -0800
NetFlow (and sflow) nicely overcomes the asymmetry by using the routers to gather flow data. What I meant was systems that are attempting to extract flow data by watching the traffic itself.

-J
On Nov 9, 2007, at 2:47 PM, Adam Powers wrote:

If when you say "Behavior-based System" you're referencing any of the
NetFlow-based products then you're not quite right.

Behavior-based NetFlow products overcome the asymmetry problem by
reassembling flows from multiple routers along disparate data paths.

If we have a situation such as:

Client -> R1 -> R2 -> R3 -> Server

Client <- R1 <- R4 <- R3 <- Server

..in this case the path is R1 to R2 to R3 in one direction and R3 to R4 to
R1 on the return path. Classic asymmetric L3 routing. NetFlow gets around
this problem because R1, R2, R3, and R4 are all sending their NetFlow
exports to a single collector where the unidirectional flows are merged and
processed into a "bi-flow" that would look more like...

Client <-> R1 <-> R2,R4 <-> R3 <-> Server

Analysis can then be performed on the bidirectional flow without fear of
asymmetry issues. All that's required is that you enable NetFlow on the
correct devices (the more the merrier IMO).




On 11/8/07 6:06 PM, "Jeremy Bennett" <jeremy@deities.org> wrote:

First there are three types of asymmetry in a network that can cause
problems for some times of IPS devices.

1. Connection-level asymmetry: This is the case where a given TCP
connection (up and down stream) is on a single network path but a
separate, identical connection may follow a different path. This is
very common and can cause problems for behavioral systems.

2. Flow-level asymmetry: This is the case where the upstream and
downstream flows in a TCP connection may follow different paths. This
can cause problems for behavioral systems and stateful packet-
inspection.

3. Packet-level asymmetry: This is the case packets within a flow may
be following different routes in a network. This can cause problems
for any IPS except for the most basic packet-filter.

Now in my experience, #1 is very common in medium to large
enterprises that have built for scalability and redundancy. #2 is
common in load-balanced server farms. #3 is not extremely common but
does appear in some instances of a hot-hot redundancy deployment.


-J

On Nov 7, 2007, at 4:42 PM, snort user wrote:

Greetings.

I am sure that most of you know about the asymmetric traffic/ topology
problem in relevance to
IDS/IPS systems.
( By Asymmetric traffic/topology, I mean the case where client to
server packets traverse a different path
in your network compared to server to client packets. Hence the
IDS/IPS see only one side of the conversation)

I am trying to find out how wide this problem really is?
Is it commonly seen in large / enterprise networks ?

Any input is welcome.

Thanks

-------------------------------------------------------------------- --
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?
module=Form&action=impact&campaign=intro_sfw
to learn more.
-------------------------------------------------------------------- --
--



--------------------------------------------------------------------- ---
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5? module=Form&action=impact&campaign=intr
o_sfw
to learn more.
--------------------------------------------------------------------- ---



--

Adam  Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam@lancope.com


---------------------------------------------------------------------- --
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5? module=Form&action=impact&campaign=intro_sfw
to learn more.
---------------------------------------------------------------------- --



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IPS & IPv6, Adam Powers
Next by Date:  RE: IPS & IPv6, Alan Shimel
Previous by Thread:  Re: Asymmetric traffic/topology, Adam Powers
Next by Thread:  Re: Asymmetric traffic/topology, Roland Dobbins
Indexes:  [Date] [Thread] [Top] [All Lists]