| Subject: | Re: IDS/IPS system with Foundry sFlow |
|---|---|
| Date: | Tue, 22 Apr 2008 15:58:51 -0400 |
There are only a small handful of companies that process native sFlow for security analysis purposes. Lancope's StealthWatch is one of those companies and yes, I am a Lancope employee. My feeling is that Lancope has the most in-depth experience and understanding of sFlow security that's available today. The StealthWatch Xe for sFlow appliance is designed specifically for high speed sFlow analysis, storage, and processing - especially in a security context. Here are a few important subtleties regarding sFlow collector implementations that you may want to keep in mind:

1. Find out about sFlow deduplication. How and if they support it. This is probably the most important sFlow feature. If you don't deduplicate, you can't properly measure attack volume. Example: A simple 1000 SYN flood is underway from point A to B. There are 10 sFlow enabled devices in the path from A to B. The system that supports deduplication reports "1,000 packets per second!". The system without deduplication support reports "10,000 packets per second!!!". This double counting results in a sizable error and often an associated false positive.

2. Ask if they offer support for new sFlow features that allow for packet sampling exceptions. Sampling exceptions allow the switch to pick out certain important packets (such as the TCP SYN or SYN/ACK) and tag them as "extra samples" before they are exported. Lancope makes use of these extra samples without impacting the natural sample rates of the sFlow exporter, improving the speed and accuracy of attack detection. Very cool. To vendors that don't support this feature, the extra samples are invisible and useless.

3. Pressure sFlow vendors about their use of native sFlow decodes vs. NetFlow conversions. Many vendors will convert the sFlow into NetFlow before processing, losing much of the useful information such as payload and Ethernet frame information. The StealthWatch sFlow collector actually opens the sFlow sample and decodes the Ethernet segment found within. Payload samples are saved and made searchable in the StealthWatch GUI. Nothing is lost in translation.

4. Definitely want to ask about INM integration and the partnerships/connections they have to the sFlow big guys (HP, Foundry, Extreme). For those of you that want it, and there are some believe it or not, StealthWatch integrates directly with IronView for automated and/or semi-automated mitigation (port disablement, VLAN rewrite, etc).

Good luck in your hunt, sFlow is super powerful but like gasoline to a car, it's only as useful as the technology that consumes it.

-- Adam Powers, Chief Technology Officer, Lancope, Inc.

On 4/21/08 3:42 PM, "Security Group" <secgro@gmail.com> wrote:
Hello, We have got a network with embedded support for sFlow technology. We also want to have a good IDS/IPS system. Does anyone know a good setup with our Foundry? We noticed that Foundry has their own application called "IronView Network Manager", it is able to operate with snort. Does anyone know if this is a good solution? Or should we use an sFlow converter (e.g. InMon sFlow toolkit) that can work with snort? What are the other possibilities for IDS/IPS besides snort? It has to operate with the sFlow technology. Kind regards, Babel Timo
-- Adam Powers, Chief Technology Officer, Lancope, Inc. c. 678.725.1028 f. 678.302.8744 e. adam@lancope.com
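To make the deduplication point in item 1 concrete, here is an added example (it is not from the thread and not Lancope's or any vendor's code): it models the 10-device SYN-flood scenario with constructed sFlow flow samples and compares a collector that simply sums every agent's estimate against one that deduplicates per flow. The agent names, the 10.0.0.x addresses and the 1-in-100 sampling rate are assumptions.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple

FlowKey = Tuple[str, str, int, str]  # (src, dst, dst_port, proto)


class FlowSample(NamedTuple):
    """One sFlow flow sample as a collector would see it (constructed)."""
    agent: str          # exporting device (sFlow agent address); assumed names
    sampling_rate: int  # 1-in-N packet sampling configured on that agent
    src: str
    dst: str
    dst_port: int
    proto: str


def estimate_pps(samples: Iterable[FlowSample], window_s: float) -> Dict[FlowKey, Dict[str, float]]:
    """Per flow, per agent: each sample stands for `sampling_rate` packets,
    so estimated packets/s = samples * sampling_rate / window."""
    est: Dict[FlowKey, Dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for s in samples:
        est[(s.src, s.dst, s.dst_port, s.proto)][s.agent] += s.sampling_rate / window_s
    return est


def naive_pps(est: Dict[FlowKey, Dict[str, float]]) -> Dict[FlowKey, float]:
    """No deduplication: every agent's view of the same flow is added up,
    so a flow crossing N exporters is counted N times."""
    return {k: sum(by_agent.values()) for k, by_agent in est.items()}


def dedup_pps(est: Dict[FlowKey, Dict[str, float]]) -> Dict[FlowKey, float]:
    """Deduplicated: the same flow seen by N agents is still one flow. Keep the
    single largest per-agent estimate instead of the sum (a real collector may
    instead prefer the agent nearest the source; the max is the simplest rule)."""
    return {k: max(by_agent.values()) for k, by_agent in est.items()}


def syn_flood_samples(agents: List[str], rate: int, pps: int, window_s: float) -> List[FlowSample]:
    """Constructed data: a `pps` SYN flood 10.0.0.1 -> 10.0.0.2:80 crosses
    every agent in `agents`, each sampling 1-in-`rate` for `window_s` seconds."""
    per_agent = int(pps * window_s / rate)
    return [FlowSample(a, rate, "10.0.0.1", "10.0.0.2", 80, "tcp")
            for a in agents for _ in range(per_agent)]


if __name__ == "__main__":
    path = [f"switch{i}" for i in range(1, 11)]  # the 10 devices between A and B
    est = estimate_pps(syn_flood_samples(path, 100, 1000, 1.0), 1.0)
    flood = ("10.0.0.1", "10.0.0.2", 80, "tcp")
    print("without dedup:", naive_pps(est)[flood], "pps")  # 10000.0
    print("with dedup:   ", dedup_pps(est)[flood], "pps")  # 1000.0
```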