Hi,
Thanks for all the recommendations.
I have to classify my situation more clearly.
I have asymmetric routing both locally (in one data center) and remotely
(in two data centers ten miles away).
In local asymmetric routing, I can use your recommendations. But I am also
looking for a "cheap" solution, since a Top Layer switch costs $10K and a
good Cisco switch costs $3K. I asked ISS technical support if I can use
multiple NICs to collect data and analyze it as one IDS engine's data.
ISS's answer is no: multiple NICs can be used, but they are treated as
separate IDS engines, so it could not solve the asymmetric routing issue. I
believe Snort can do it according to its documentation (multiple NICs for
one IDS engine), but I have never tried it. Has anyone tried it?
In remote asymmetric routing, there is a high speed connection between site
A and site B, and both A and B connect to site C (overseas). In site A, if a
user tries to access site C, it will either go to site C directly or go to C
via site B. How could I use RealSecure to monitor our network? Does Top
Layer work in this situation? We don't have the budget for a dedicated T1
line to physically link the two sides' (A and B) switches which connect to
the IDS. But we do have a high speed connection between A and B; can I use
it? I know I can use it, but how can I use it securely? I don't want to mess
up our backbone.
Thanks for your help.
-Shiming
Charles Lindsay x 147 <[EMAIL PROTECTED]> on 01/02/2002 06:46:28 PM
To: "'Corporate Data Security Office'"
<[EMAIL PROTECTED]>
cc:
Subject: RE: Split route (Asymmetric route) impact on RealSecure
Can you SPAN both switches which carry the asymmetric traffic, and then
feed them into a switch, and use that to feed your IDS engines? I guess the
question is how far apart are the points through which the asymmetric parts
of the path flow?
A lot of signatures depend on seeing both directions of traffic.
Chuck L.
-----Original Message-----
From: Corporate Data Security Office
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 02, 2002 4:36 PM
To: [EMAIL PROTECTED]
Subject: Split route (Asymmetric route) impact on RealSecure
Hi,
Our network is designed with load balancing and redundancy. In many areas,
there is a split route or asymmetric route situation. RealSecure IDS sensors
can only capture partial network traffic for the same TCP session. So, I
have a lot of false positive alerts. I am looking for a solution to overcome
this problem.
I called ISS support, and was told there is no solution from ISS side. I
wonder whether somebody has the same issue and has a solution already.
Thanks for any comments.
Thanks
-Shiming
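
The problem discussed in this thread, as an added example that is not part of any poster's message and is not RealSecure or Snort code: a short Python check that finds TCP flows for which a capture point saw only one direction, and shows that merging the feeds from both capture points removes them. The sensor names (tapA, tapB), addresses and packet records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (sensor, src_ip, src_port, dst_ip, dst_port).
# Flow 1 is routed asymmetrically: requests pass tapA, replies pass tapB.
# Flow 2 is symmetric: both directions pass tapA.
PACKETS = [
    ("tapA", "10.1.1.5", 40001, "198.51.100.7", 80),
    ("tapB", "198.51.100.7", 80, "10.1.1.5", 40001),
    ("tapA", "10.1.1.5", 40001, "198.51.100.7", 80),
    ("tapA", "10.1.1.5", 40002, "198.51.100.9", 443),
    ("tapA", "198.51.100.9", 443, "10.1.1.5", 40002),
    ("tapA", "10.1.1.5", 40002, "198.51.100.9", 443),
]

def flow_key(src, sport, dst, dport):
    """Return a direction-independent flow key and this packet's direction."""
    a, b = (src, sport), (dst, dport)
    return ((a, b), "fwd") if a <= b else ((b, a), "rev")

def direction_coverage(packets, sensors=None):
    """Map each flow to the set of directions seen by the chosen sensors.

    sensors=None means all feeds merged into a single engine.
    """
    seen = defaultdict(set)
    for sensor, src, sport, dst, dport in packets:
        if sensors is not None and sensor not in sensors:
            continue
        key, direction = flow_key(src, sport, dst, dport)
        seen[key].add(direction)
    return seen

def half_flows(packets, sensors=None):
    """Flows for which only one direction was observed."""
    cov = direction_coverage(packets, sensors)
    return sorted(key for key, dirs in cov.items() if len(dirs) == 1)

if __name__ == "__main__":
    for view in ({"tapA"}, {"tapB"}, None):
        label = "merged" if view is None else ",".join(sorted(view))
        print(label, "one-sided flows:", half_flows(PACKETS, view))
```

A sensor whose capture shows many one-sided flows is a candidate for the SPAN aggregation suggested above, since stateful signatures on those flows cannot be evaluated correctly.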