TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Good thought Steve. Of course, the hub may have some contention issues, so you might want one of the small NetGear switches. From the sound of Shiming's setup, there should be no over-subscription problems -- 100 Mb ought to be more than sufficient. The problem Shiming seemed to be concerned about was tapping the "triangular" network and (A->B->C in one direction, and C->A in the other). I got the impression that the "tap-points" would be geographically dispersed, and setting up a WAN link just for the tap, so that you could get it to the hub would be expensive. You are right, of course -- the problem is to get the two directions of every flow to one place so that the IDS can make sense out of each of them. C. -----Original Message----- From: Account, BMONB Information Security [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 03, 2002 10:36 AM To: [EMAIL PROTECTED] Subject: RE: Split route (Asymmetric route) impact on RealSecure TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- I'm not sure how well this would work in your situation but it might be worth investigating... We are using network taps which have separate ports for each direction of traffic. This meant that our sensor would only see half of a conversation (similar to your problem). To overcome this, we put both outputs into a 100Mb hub and then also plugged the sensor into the hub which can then see both directions of the communication. Perhaps you can tap both sides of your load balanced network into a hub and then put your sensor into the hub. I guess this assumes your load balancing design is fairly simple. Good luck. Steve -----Original Message----- From: Corporate Data Security Office [mailto:[EMAIL PROTECTED]] Sent: January 2, 2002 4:36 PM To: [EMAIL PROTECTED] Subject: Split route (Asymmetric route) impact on RealSecure TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- Hi, Our network is designed with load balance and redundant. In many areas, there is split route or asymmetric route situation. RealSecure IDS sensors can only capture partial network traffic for same TCP session. So, I have a lot false positive alerts. I am looking for a solution to overcome this problem. I called ISS support, and was told there is no solution from ISS side. I wonder that maybe somebody has same issue and have a solution already. Thanks for any comments. Thanks -Shiming <FONT SIZE = 1>************************************************************************** ** This e-mail and any attachments may contain confidential and privileged information. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. Unless otherwise stated, opinions expressed in this e-mail are those of the author and are not endorsed by the author's employer.</FONT>
