This is possible to use ADS to address this kind of stuff, but AFAIK an IPS
miles / kilometers away from the other traffic cannot do protection - please
keep in mind that asymmetric traffic / routing doesn't mean you have a
traffic flowing in one room an the other right next door.
I've seen some issues around this topic and just as a remind: IPS is any
device which can block instantaneously, without any required outsider
technology, any malicious traffic between two points (source and target),
and IPS falls in the middle of this traffic. It doesn't matter if it is a
network IPS or a host IPS. IPS is placed in the flow of traffic, so it can
be able to stop threads before they reach the destination. Otherwise you
have an IDS or ADS.
Back to the main topic, asymmetric traffic is possible to be a problem in a
IPS environment. IPS is a singular technology and needs to see / check all
the content of traffic, and it is very different from Firewall technology
which needs to see only the headers. So image the following network:
USA ------- FW ------- IPS -------+------------------
|| | Corporate Network
Brazil ------- FW ------- IPS -------+------------------
What we can see is an asymmetric traffic that can come / go thru both USA
internet connection and / or Brazil internet connection. To maintain the
state of connections for Firewalls you just have a simple configuration and
the headers can be copied from USA to Brazil and vice-versa. It is not a
huge amount of data to transfer, but when we are talking about content
maintenance it can be as high as your total internet connection bandwidth.
To prevent / protect the malicious traffic before it reaches the
destination, and that is exactly what IPS does, you should copy all the
traffic from USA IPS to Brazil IPS.
My 2 cents.
Nelson Brito (f.k.a. stderr)
Sekure SDI's Member since 1999
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of Roland Dobbins
Sent: Wednesday, November 14, 2007 3:40 AM
To: focus-ids@securityfocus.com
Subject: Re: Asymmetric traffic/topology
On Nov 13, 2007, at 11:28 AM, Jeremy Bennett wrote:
What I meant was systems that are attempting to extract
flow data by
watching the traffic itself.
These must be placed at appropriate points in the topology,
yes, if the infrastructure itself doesn't support NetFlow
export. nfdump would be an example of the type of system
you're describing; for example, Adam's Lancope collectors can
also generate flows from RSPAN or copy/capture VACL
destination ports, if necessary.
The disadvantage of this mode of operation is that a) it
doesn't scale well, as you indicate, and b) one loses the
input and output ifindex information, and thus the traceback
functionality is impeded.
--------------------------------------------------------------
---------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
-- Elvis Presley
--------------------------------------------------------------
----------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impa
ct&campaign=intro_sfw
to learn more.
--------------------------------------------------------------
----------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
