Re: IDS on a load balanced BGP network
From: roy lo (roylo@sr2c.com)
Date: 09/06/02
- Previous message: spyguy: "Re: Load balanced routers and IDS"
- In reply to: Ramesh Gupta: "RE: IDS on a load balanced BGP network"
- Next in thread: Greg Shipley: "Re: IDS on a load balanced BGP network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 06 Sep 2002 04:25:36 -0500
From: roy lo <roylo@sr2c.com>
To: Ramesh Gupta <ramesh@intruvert.com>
I would second the idea of having a sensor in each location as well.
And I will give you another reason besides the ones that have already been mentioned.
By having a sensor at each location it will be better in the event of a massive
x-mas tree style flood attack.
If one of your ISPs/datacenters got hit with this style of attack it will
try to take out all nodes on the network (as you might know already).
In that case you can just shut that link off and reboot your *dead*
sensors/IDS (if it got hit hard enough),
while maintaining the connection flow and monitoring on the other line
unaffected (since it has its own sensors).
This of course is not likely to happen, but I think it is still worth a
mention.
*I assume you have separate routers for those lines.
Ramesh Gupta wrote:
>In this scenario, I would recommend deploying 2 sensors,
>one in each data center. The sensors should be deployed
>as close to the end hosts as possible at an aggregation
>point, monitoring traffic on interior network path(s)
>(as far behind the edge routers as possible), where there
>is no possibility of asymmetric traffic.
>
>The sensors could be monitoring:
>
>1. Traffic from a SPAN port on a switch, if all the traffic
> passes through a single switch
>
>2. Traffic from a tap, if all the traffic is passing through
> a single full-duplex Ethernet link
>
>3. Traffic from multiple SPAN ports of multiple switches
> or traffic from multiple taps on multiple full-duplex
> Ethernet links. In this case, the NIDS must have the
> ability to cluster ports (i.e. treat traffic from
> multiple ports as one aggregated traffic stream).
>
>IntruVert's IntruShield products support all of the above
>deployment modes for both 10/100 Ethernet links as well
>as Gigabit Ethernet links.
>
>Regards,
>
>Ramesh Gupta
>Founder, VP Engineering
>Intruvert Networks Inc.
>www.intruvert.com
>
>>-----Original Message-----
>>From: Ian Macdonald [mailto:secids@dirk.demon.co.uk]
>>Sent: Wednesday, September 04, 2002 9:23 AM
>>To: focus-ids@securityfocus.com
>>Subject: IDS on a load balanced BGP network
>>
>>
>>Has anyone ever come up with a solution for running an IDS
>>system on a BGP
>>network?
>>
>>If I have 2 datacenters that are linked together by a network
>>connection.
>>Each has its own ISP connection to the internet. BGP is used
>>so that in
>>the case of a major failure at one site traffic for things like the web
>>servers can still come in via the other datacenter and travel via the
>>datacenter to datacenter link.
>>
>>My understanding is that with BGP the packets can come over
>>either link.
>>Does this mean that a session always comes in via the same ISP?
>>or could the
>>first packet come in via one ISP and the second packet go via
>>the other ISP?
>>If this is the case how can I set up an IDS to monitor the
>>traffic coming
>>into both data centers?
>>
>>Any bright ideas on this?
>>
>>Ian
>>
--
Roy Lo
Freelance Consultant
E-mail - roylo@sr2c.com
Sun Certified Network Administrator (SCNA)
Sun Certified System Administrator (SCSA)
Cisco Certified Network Associate (CCNA)
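As an added illustration of the asymmetric-routing problem Ian raises and the port-clustering remedy Ramesh describes (example code written for this archive page, not from any poster or product): a stateful sensor fed from only one ISP's tap never sees a complete handshake, while the same sensor with both taps clustered into one stream does. The addresses and the single HTTP session are constructed.

```python
from collections import defaultdict

# Constructed capture of one multi-homed session: the client-to-server half
# enters via ISP A, the server-to-client half returns via ISP B (BGP asymmetry).
# Fields: (link, src, sport, dst, dport, tcp_flags, seq, payload)
PACKETS = [
    ("ispA", "203.0.113.5", 40000, "198.51.100.10", 80, "S", 1000, b""),
    ("ispB", "198.51.100.10", 80, "203.0.113.5", 40000, "SA", 5000, b""),
    ("ispA", "203.0.113.5", 40000, "198.51.100.10", 80, "A", 1001, b""),
    ("ispA", "203.0.113.5", 40000, "198.51.100.10", 80, "PA", 1001,
     b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("ispB", "198.51.100.10", 80, "203.0.113.5", 40000, "PA", 5001,
     b"HTTP/1.0 200 OK\r\n\r\n"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session map to one flow."""
    return tuple(sorted([(src, sport), (dst, dport)]))

class StatefulSensor:
    """Minimal model of a stateful NIDS: a flow is inspected only after the full
    three-way handshake is observed (the usual guard against stateless-evasion
    tricks), so a sensor that misses either direction never inspects the flow."""
    def __init__(self, links):
        self.links = set(links)  # taps / SPAN ports clustered into this sensor
        self.state = defaultdict(lambda: {"syn": False, "synack": False, "est": False})
        self.requests = defaultdict(bytes)  # reassembled client->server bytes

    def observe(self, pkt):
        link, src, sport, dst, dport, flags, seq, payload = pkt
        if link not in self.links:
            return  # this sensor's taps never carry the packet
        st = self.state[flow_key(src, sport, dst, dport)]
        if flags == "S":
            st["syn"] = True
        elif flags == "SA" and st["syn"]:
            st["synack"] = True
        elif "A" in flags and st["synack"]:
            st["est"] = True
        if st["est"] and payload and dport == 80:
            self.requests[flow_key(src, sport, dst, dport)] += payload

    def established_flows(self):
        return sum(1 for st in self.state.values() if st["est"])

def run(links):
    """Replay the capture into a sensor watching `links`; return (flows, request bytes)."""
    sensor = StatefulSensor(links)
    for pkt in PACKETS:
        sensor.observe(pkt)
    return sensor.established_flows(), b"".join(sensor.requests.values())
```

`run(["ispA"])` and `run(["ispB"])` each report zero established flows and no inspectable request, whereas `run(["ispA", "ispB"])` reconstructs the session, which is the aggregation Ramesh's third deployment mode provides.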