TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Hi,

I am ex ISS, but now work for TopLayer Networks, and we have a solution ...

TopLayer's new IDS Balancer is designed specifically for this task. It utilises a technology called Flow Mirroring, which will take split sessions (or flows), such as when using taps or asymmetrically routed traffic, and re-combine them back to their original stream before passing them to the IDS.

So it is possible either to take the RX and TX ports from a tap and plug them in; and/or take SPAN ports from routers configured to route asymmetrically in the IDS Balancer. The IDSB then works out the individual streams of data and sends them to the relevant ports with the IDS.

So if you have 4 inputs (from two taps) and two Network Sensors on the mirrored ports: as the first packet in the 1st stream of data comes in it will be sent to the first IDS, as the 1st packet of the 2nd stream comes in - it will be sent to the 2nd IDS. As the 2nd packet of the 1st stream comes in it will be sent to the 1st IDS, and the 2nd packet in the 2nd stream will be sent to the 2nd IDS - and so forth.

This process is essential to complex IDS implementations - as the IDS needs to see all of the packets in a stream if it is to make a proper diagnosis of an attack.
It is also worth mentioning that it is possible to do this by application (so send all HTTP to one IDS, and only have a policy for HTTP attacks running on that IDS; send all other data to the second IDS; oh and drop all SSL traffic as it is useless to NIDS and only wastes resource).

If you would like some further information on this please contact me or see http://www.toplayer.com/products/hardware/IDS_Balancer.html - or talk to your local ISS SE or Partner as most are now aware of this solution.

Regards
Simon

________________________________________________
Simon Edwards
Technical Evangelist
Top Layer Networks
US Office : 508 870 1300 x230
UK Office : +(44) 1252 748509
UK Mobile: +(44) 7971 959170
www: www.TopLayer.com
email: [EMAIL PROTECTED]
"Perfecting the Art of Network Security"

-----Original Message-----
From: Account, BMONB Information Security [mailto:[EMAIL PROTECTED]]
Sent: 03 January 2002 15:36
To: [EMAIL PROTECTED]
Subject: RE: Split route (Asymmetric route) impact on RealSecure

I'm not sure how well this would work in your situation but it might be worth investigating...

We are using network taps which have separate ports for each direction of traffic. This meant that our sensor would only see half of a conversation (similar to your problem). To overcome this, we put both outputs into a 100Mb hub and then also plugged the sensor into the hub which can then see both directions of the communication.

Perhaps you can tap both sides of your load balanced network into a hub and then put your sensor into the hub. I guess this assumes your load balancing design is fairly simple.

Good luck.
Steve

-----Original Message-----
From: Corporate Data Security Office [mailto:[EMAIL PROTECTED]]
Sent: January 2, 2002 4:36 PM
To: [EMAIL PROTECTED]
Subject: Split route (Asymmetric route) impact on RealSecure

Hi,

Our network is designed with load balancing and redundancy. In many areas, there is a split route or asymmetric route situation. RealSecure IDS sensors can only capture partial network traffic for the same TCP session. So, I have a lot of false positive alerts. I am looking for a solution to overcome this problem.

I called ISS support, and was told there is no solution from the ISS side. I wonder whether somebody has the same issue and has a solution already. Thanks for any comments.

Thanks
-Shiming
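
The flow-pinning behaviour described in the first reply of this thread, sketched as an added example that is not part of the original messages and is not Top Layer's implementation. The packet record, sensor names, addresses and the use of port 443 as a stand-in for "SSL traffic" are assumptions made for illustration.

```python
from collections import namedtuple
from itertools import cycle

# Constructed packet record: tap input port plus the transport 5-tuple.
Packet = namedtuple("Packet", "tap_port proto src sport dst dport")

def flow_key(pkt):
    """Direction-independent key: both halves of a session yield the same tuple."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)

class FlowDispatcher:
    """Pins each flow to one sensor; new flows are handed out round-robin."""
    def __init__(self, sensors, drop_ports=()):
        self._next = cycle(sensors)
        self._table = {}              # flow key -> sensor already chosen
        self._drop = set(drop_ports)  # assumed policy: ports a NIDS cannot inspect

    def dispatch(self, pkt):
        if pkt.sport in self._drop or pkt.dport in self._drop:
            return None               # dropped by policy, sent to no sensor
        key = flow_key(pkt)
        if key not in self._table:
            self._table[key] = next(self._next)
        return self._table[key]

def per_input_dispatch(pkt, sensors):
    """Naive wiring: one sensor per tap input, so each sees half a session."""
    return sensors[pkt.tap_port % len(sensors)]

# Constructed sample: two sessions, each direction arriving on a different input.
SAMPLE = [
    Packet(0, "tcp", "10.0.0.5", 40001, "192.0.2.10", 80),   # flow 1, client to server
    Packet(2, "tcp", "10.0.0.6", 40002, "192.0.2.10", 25),   # flow 2, client to server
    Packet(1, "tcp", "192.0.2.10", 80, "10.0.0.5", 40001),   # flow 1, server to client
    Packet(3, "tcp", "192.0.2.10", 25, "10.0.0.6", 40002),   # flow 2, server to client
    Packet(0, "tcp", "10.0.0.5", 40003, "192.0.2.10", 443),  # dropped by policy
]

def run(sample=SAMPLE, sensors=("ids-1", "ids-2")):
    dispatcher = FlowDispatcher(sensors, drop_ports={443})
    return [dispatcher.dispatch(p) for p in sample]

if __name__ == "__main__":
    for pkt, sensor in zip(SAMPLE, run()):
        print(pkt, "->", sensor)
```

With per-input wiring the two directions of flow 1 reach different sensors, which is the half-session condition the original question describes; keying on the sorted endpoint pair sends both directions to the same sensor.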
