RE: IDS on a load balanced BGP network

From: SEdwards@toplayer.com
Date: 09/06/02


From: SEdwards@toplayer.com
To: ccalvert@securedaemon.net, secids@dirk.demon.co.uk
Date: Fri, 6 Sep 2002 07:22:04 -0400 

Chris is right, we can certainly help.

If you take SPAN ports from your two routers and run them back into one of
our IDS Balancers then the balancer will re-augment the traffic before
passing it to the IDS. The challenge you have is if a data stream is split
between the two ISPs (so half the packets come from one ISP, the other half
from the other) and you connect an IDS to each router - then you could have
an attack split between the two IDS's such that neither see the real attack.

Using the IDSB you can feed in data from anywhere in the network (switches,
taps, asymmetrically routed networks etc.), and the balancer will organise
the flows - so that each complete flow is sent to the same IDS.

In addition we can also add a lot more functionality not seen in sensors,
like High Availability and Redundancy

Let me know if you would like more info

Regards

Simon

________________________________________________
Simon Edwards
Technical Evangelist
Top Layer Networks
US Office : + 1 508 870 1300 (x230)
US Mobile : + 1 617 953 8764
UK Office : + 44 1483 243 549
UK Mobile : + 44 7971 959170
www: www.TopLayer.com
email: sedwards@toplayer.com
  
"Perfecting the Art of Network Security"
----------------------------------------------------------------------------
--------

-----Original Message-----
From: Chris Calvert [mailto:ccalvert@securedaemon.net]
Sent: 05 September 2002 14:41
To: Ian Macdonald
Cc: focus-ids@securityfocus.com
Subject: Re: IDS on a load balanced BGP network

Hi Ian

Comments inline:

On Wed, 2002-09-04 at 10:22, Ian Macdonald wrote:
> Has anyone ever come up with a solution for running a IDS system on a BGP
> network.

TopLayer might be a solution for this. You can mirror the flow from
both connections.

http://www.toplayer.com/Products/ids_balancer.html

Hook up your IDS sensors of choice, and away you go!

Regards,

Chris



Relevant Pages

  • RE: Traffic Balancing on High-speed IDS
    ... most economical and easier way to do this is to use an IDS ... Balancer. ... It will save you money on the numnber of sensors that you need to use, ... Traffic Balancing on High-speed IDS ...
    (Focus-IDS)
  • Re: IDS and NMS
    ... Start by designing and installing a network. ... Next, a more detailed view of the network is required, so a NMS is ... the network administrator wants to see what ... This is where integrating the IDS console into the NMS makes sense. ...
    (Focus-IDS)
  • Re: "false positive" inanity
    ... So Mr. Snyder is asking for an IDS that does not need to be configured? ... maximum control of his/her network. ... attack. ... > assuming that it is not an intrusion. ...
    (Focus-IDS)
  • Re: Secure Network Design (DMZ, LAN, etc)
    ... I'd like one outside the firewall and one ... I assumed I could make the first IDS ... should I have the IDS listening on the 192.168.1.0/24 network as well (web ... >Since the whole world will need access to your web servers, ...
    (Security-Basics)
  • Re: Need some information on HIDS!
    ... I have already invoked such a scenario in some of my previous IDS ... What I had in mind is something like encrypting the whole ... network traffic, to prevent sniffing from intruders (let's say wall-to-wall ... analysing and displaying logs. ...
    (Focus-IDS)