RE: Traffic Balancing on High-speed IDS
kgeorgiades_at_toplayer.com
Date: 07/23/03
- Previous message: Curt Purdy: "RE: Windows Open source/Freeware security tools"
- Maybe in reply to: Thiago Mello: "Traffic Balancing on High-speed IDS"
- Next in thread: Ken Seefried: "Re: FW: Traffic Balancing on High-speed IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: rgraham@iss.net, christian@whoop.org, focus-ids@securityfocus.com
Date: Wed, 23 Jul 2003 11:55:43 -0400
The cleanest, most economical and easiest way to do this is to use an IDS
Balancer (such as the Top Layer IDS Balancer).
It will save you money on the number of sensors that you need to use, you
can get redundancy on the IDS (if one IDS fails, the balancer will
distribute the traffic to the rest in the group), and the balancer will also
handle asymmetric flows.
Ken Georgiades
-----Original Message-----
From: Graham, Robert (ISS Atlanta)
To: Christian Kreibich; Focus IDS
Sent: 7/22/03 2:30 PM
Subject: RE: Traffic Balancing on High-speed IDS
The Symantec ManHunt and ISS Proventia 1204 have that XOR feature
built-in. For example, you can buy 4 Proventia boxes and hook them to 4
gigabit links.
Why this is different than 4 individual (non-teamed) sensors is when
those 4 links carry the same traffic, so a TCP packet in a connection
might arrive on any of the 4 interfaces. If you don't sniff all 4
networks with each box (then do the XOR trick), then you'll drop packets
in the middle of the connection.
(Proventia is the ISS RealSecure appliance, the model number 1204 means
it does 1.2 gbps across 4 interfaces).
-----Original Message-----
From: Christian Kreibich [mailto:christian@whoop.org]
Sent: Monday, July 21, 2003 10:54 AM
To: Focus IDS
Subject: Re: Traffic Balancing on High-speed IDS
Hi,
On Thu, 2003-07-17 at 15:59, Thiago Mello wrote:
> Hi,
>
> I'm developing an IDS based on sensors for high-speed networks, and I'm
> reading some papers about distributing the traffic to IDS sensors.
>
> I would like your opinions on the best way to distribute the
> traffic to the sensors, and to distribute it while guaranteeing the attacks,
> such as DDoS. Some links, papers, are also welcome.
look for papers on monitoring of high-speed networks. You want a scheme
that stripes the flows across your sensors, making sure that each flow
is kept intact -- n-valued hash functions, based for example on XORs of
IP addresses come to mind. You can sometimes push the resulting filters
down into the firmware of the card so you don't pollute the PCI buses on
the sensors. Hth.
http://citeseer.nj.nec.com/565810.html
http://www.ist-scampi.org/publications/deliverables/D0.1.pdf
The second one also mentions TopLayer's product.
Cheers,
Christian.
--
________________________________________________________________________
http://www.whoop.org
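A worked illustration of the flow-striping scheme Christian and Robert describe (an XOR of the endpoint addresses reduced to n sensors) together with the balancer-style failover Ken mentions; this is added example code, not from any poster or product, and the sensor names and packet five-tuples are constructed.

```python
import ipaddress
from typing import Sequence, Set, Tuple

# Constructed five-tuple: (src_ip, dst_ip, proto, src_port, dst_port).
Packet = Tuple[str, str, int, int, int]


def flow_key(pkt: Packet) -> int:
    """Direction-independent flow key built from XORs, as the thread suggests.

    XOR is commutative, so the A->B and B->A halves of a connection give the
    same key even when they arrive on different links (asymmetric routing).
    Caveat: address bits that src and dst share cancel out, so traffic inside
    one subnet clusters; a production balancer would add a stronger mix step.
    """
    src, dst, proto, sport, dport = pkt
    ip_xor = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    folded = 0                      # fold the 32/128-bit XOR down to 16 bits
    while ip_xor:
        folded ^= ip_xor & 0xFFFF
        ip_xor >>= 16
    return folded ^ sport ^ dport ^ proto


def choose_sensor(pkt: Packet, sensors: Sequence[str], live: Set[str]) -> str:
    """n-valued hash onto the configured sensor slots, with failover.

    The slot is taken modulo the *configured* list, not the live subset: when
    a sensor dies we probe forward to the next live slot, so flows already on
    healthy sensors are not rehashed and cut mid-connection.
    """
    n = len(sensors)
    start = flow_key(pkt) % n
    for i in range(n):
        candidate = sensors[(start + i) % n]
        if candidate in live:
            return candidate
    raise RuntimeError("no live sensors")


if __name__ == "__main__":
    sensors = ["ids-1", "ids-2", "ids-3", "ids-4"]   # constructed sensor group
    fwd = ("10.0.0.5", "192.0.2.10", 6, 40000, 80)  # client -> server
    rev = ("192.0.2.10", "10.0.0.5", 6, 80, 40000)  # server -> client
    live = set(sensors)
    print(choose_sensor(fwd, sensors, live), choose_sensor(rev, sensors, live))
    print(choose_sensor(fwd, sensors, live - {"ids-2"}))
```

Note that a one-sided flood with spoofed sources spreads across every sensor by design, so per-sensor DDoS counters must be aggregated to see the whole attack.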