IDS mailing list archives
RE: Asymmetric traffic/topology
From: "Srinivasa Addepalli" <srao () intoto com>
Date: Thu, 8 Nov 2007 13:43:31 -0800
Based on the feedback which we got from our customers on security products, it appears that this is not uncommon, especially in SME deployments. We don't see this issue if security devices are deployed at the edge though. When deployment happens in the core of Enterprise networks, these scenarios are observed. Stateful security devices fail in these cases as they don't see all packets of a session and due to this they may even drop packets. For example, a stateful security device drops a SYN+ACK packet if it did not see the SYN packet before. Due to customer demand, we had to add 'Bypass security processing' functionality to bypass packets on configured networks to satisfy these deployments. Of course the default behavior does not bypass any security processing.

Srini

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of snort user
Sent: Wednesday, November 07, 2007 4:42 PM
To: focus-ids () securityfocus com
Subject: Asymmetric traffic/topology

Greetings.

I am sure that most of you know about the asymmetric traffic/topology problem in relevance to IDS/IPS systems. (By asymmetric traffic/topology, I mean the case where client to server packets traverse a different path in your network compared to server to client packets. Hence the IDS/IPS sees only one side of the conversation.)

I am trying to find out how wide this problem really is. Is it commonly seen in large / enterprise networks?

Any input is welcome.

Thanks

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
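A minimal model of the behaviour described in the message above, added here as an example and not code from the poster or from any product: a stateful check that drops a SYN+ACK with no prior SYN, an optional bypass list that is empty by default, and a report of flows seen in one direction only. The packet record format, function names and addresses are assumptions constructed for illustration.

```python
import ipaddress

def flow_key(p):
    # Direction-independent key so both halves of a session map to one entry.
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def in_bypass(p, nets):
    return any(ipaddress.ip_address(a) in n for a in (p["src"], p["dst"]) for n in nets)

def inspect(packets, bypass_networks=()):
    """Return one verdict per packet: 'pass', 'drop' or 'bypass'."""
    nets = [ipaddress.ip_network(n) for n in bypass_networks]
    state = {}  # flow_key -> endpoint that sent the SYN
    verdicts = []
    for p in packets:
        key, sender = flow_key(p), (p["src"], p["sport"])
        if in_bypass(p, nets):
            verdicts.append("bypass")      # no state check on configured networks
        elif p["flags"] == "S":
            state[key] = sender            # new session: remember the initiator
            verdicts.append("pass")
        elif p["flags"] == "SA":
            # Valid only as a reply to a SYN this device saw from the other endpoint.
            ok = key in state and state[key] != sender
            verdicts.append("pass" if ok else "drop")
        else:
            verdicts.append("pass" if key in state else "drop")
    return verdicts

def one_sided_flows(packets):
    """Flows where this vantage point saw only one direction of traffic."""
    seen = {}
    for p in packets:
        seen.setdefault(flow_key(p), set()).add((p["src"], p["sport"]))
    return [sorted(k) for k, senders in seen.items() if len(senders) == 1]

# Constructed sample: session 1 is symmetric; for session 2 the client's SYN
# and ACK took another path, so this device sees only the server's packets.
SAMPLE = [
    {"src": "10.1.1.5", "sport": 40000, "dst": "10.2.2.9", "dport": 80, "flags": "S"},
    {"src": "10.2.2.9", "sport": 80, "dst": "10.1.1.5", "dport": 40000, "flags": "SA"},
    {"src": "10.1.1.5", "sport": 40000, "dst": "10.2.2.9", "dport": 80, "flags": "A"},
    {"src": "10.3.3.7", "sport": 443, "dst": "10.1.1.6", "dport": 40001, "flags": "SA"},
    {"src": "10.3.3.7", "sport": 443, "dst": "10.1.1.6", "dport": 40001, "flags": "A"},
]

if __name__ == "__main__":
    print(inspect(SAMPLE))
    print(inspect(SAMPLE, bypass_networks=["10.3.3.0/24"]))
    print(one_sided_flows(SAMPLE))
```

Running `one_sided_flows` over a sensor's flow records before enabling any bypass shows which networks are actually affected, so the bypass list can be kept as narrow as possible.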
Current thread:
- Asymmetric traffic/topology snort user (Nov 08)
- RE: Asymmetric traffic/topology Bergen, Matt (Nov 09)
- RE: Asymmetric traffic/topology Srinivasa Addepalli (Nov 09)
- Re: Asymmetric traffic/topology Jeremy Bennett (Nov 09)
- Re: Asymmetric traffic/topology snort user (Nov 09)
- Re: Asymmetric traffic/topology Jeremy Bennett (Nov 09)
- Re: Asymmetric traffic/topology Ravi Chunduru (Nov 09)
- Re: Asymmetric traffic/topology Adam Powers (Nov 13)
- Re: Asymmetric traffic/topology Jeremy Bennett (Nov 13)
- Re: Asymmetric traffic/topology Roland Dobbins (Nov 14)
- RE: Asymmetric traffic/topology Nelson Brito (Nov 27)
- Re: Asymmetric traffic/topology snort user (Nov 09)