IDS mailing list archives

RE: Asymmetric traffic/topology


From: "Srinivasa Addepalli" <srao () intoto com>
Date: Thu, 8 Nov 2007 13:43:31 -0800


Based on the feedback which we got from our customers on security products,
it appears that this is not uncommon, especially in SME deployments. We
don't see this issue if security devices are deployed at the edge, though.
When deployment happens in the core of enterprise networks, these scenarios
are observed.

Stateful security devices fail in these cases as they don't see all packets
of a session, and due to this they may even drop packets. For example, a
stateful security device drops a SYN+ACK packet if it did not see the SYN
packet before.

Due to customer demand, we had to add 'Bypass security processing'
functionality to bypass packets on configured networks to satisfy these
deployments. Of course the default behavior does not bypass any security
processing.

Srini


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of snort user
Sent: Wednesday, November 07, 2007 4:42 PM
To: focus-ids () securityfocus com
Subject: Asymmetric traffic/topology

Greetings.

I am sure that most of you know about the asymmetric traffic/topology
problem in relevance to IDS/IPS systems.
(By asymmetric traffic/topology, I mean the case where client-to-server
packets traverse a different path in your network compared to
server-to-client packets. Hence the IDS/IPS sees only one side of the
conversation.)

I am trying to find out how wide this problem really is.
Is it commonly seen in large/enterprise networks?

Any input is welcome.

Thanks
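
The following is an added illustration of the behaviour described in the reply at the top of this message; it is not code from either poster or from any product. It models a device that tracks only the TCP three-way handshake and replays one handshake over symmetric and asymmetric paths. The class name, the addresses and the bypass list are assumptions made up for the example.

```python
import ipaddress

# Constructed handshake: client and server addresses are made up for the example.
C, S = ("10.1.1.10", 40000), ("10.2.2.20", 443)
HANDSHAKE = [(C, S, "SYN"), (S, C, "SYN+ACK"), (C, S, "ACK")]

class StatefulDevice:
    """Handshake-only state tracker (hypothetical, for illustration)."""
    def __init__(self, bypass_networks=()):
        # Stand-in for a 'bypass security processing' list of configured networks.
        self.bypass = [ipaddress.ip_network(n) for n in bypass_networks]
        self.state = {}  # (initiator, responder) -> last handshake step seen

    def _bypassed(self, src, dst):
        return any(ipaddress.ip_address(ep[0]) in net
                   for ep in (src, dst) for net in self.bypass)

    def process(self, src, dst, flags):
        if self._bypassed(src, dst):
            return "bypass"   # forwarded with no state check and no inspection
        if flags == "SYN":
            self.state[(src, dst)] = "SYN"
            return "pass"
        if flags == "SYN+ACK" and self.state.get((dst, src)) == "SYN":
            self.state[(dst, src)] = "SYN+ACK"
            return "pass"
        if flags == "ACK" and self.state.get((src, dst)) == "SYN+ACK":
            self.state[(src, dst)] = "ESTABLISHED"
            return "pass"
        return "drop"         # packet fits no session this device has seen

def run(device, packets):
    return [device.process(src, dst, flags) for src, dst, flags in packets]

def symmetric():               # device sees both directions
    return run(StatefulDevice(), HANDSHAKE)

def return_path_only():        # device sees only server-to-client packets
    return run(StatefulDevice(), [p for p in HANDSHAKE if p[0] == S])

def forward_path_only():       # device sees only client-to-server packets
    return run(StatefulDevice(), [p for p in HANDSHAKE if p[0] == C])

def return_path_with_bypass(): # same as above, server network on the bypass list
    return run(StatefulDevice(["10.2.2.0/24"]),
               [p for p in HANDSHAKE if p[0] == S])

if __name__ == "__main__":
    for case in (symmetric, return_path_only, forward_path_only,
                 return_path_with_bypass):
        print(case.__name__, case())
```

The bypass case stops the drops only because the traffic is no longer checked at all, which is why it is scoped to configured networks and off by default.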
