Re: NIDS/NIPS implications on HSRP

From: Jason Wright (jason_at_nfr.net)
Date: 08/24/04

    Date: 24 Aug 2004 19:55:35 -0000
    To: focus-ids@securityfocus.com
    In-Reply-To: <20040823170917.M24933@packetinfo.net>

    >From what I have been reading, HSRP Hello packets are what determines a
    >failover, and that those should only be flowing between the routers through
    >the switch. This would work fine. Cisco says that if a device (such as an
    >IDS/IPS) inline keeps the line protocol up, HSRP will not failover.
    >
    Your theory is right, HSRP/VRRP/whatever packets should be the determining factor. Cisco is doing something wrong if they depend on the line protocol failing as well as the "hello" packets being dropped.

    Similar technology is used in 802.1D spanning tree. If the topology packets show a loop or a different path, the topology map in each device is changed. If packets don't make it, the network graph is redrawn.

    As to what we do: We have a daemon that monitors the link status for silly problems like this. In the event link is lost on interface A, we power down interface B, and poll for link to come back on A. Powering down an interface has the obvious effect of making whatever is off of that interface lose line protocol.

    A little bit of hysteresis is necessary because line protocol negotiation can take a significant amount of time. Also, line protocol integrity on some line cards can "flap" when there is not, in fact, any valid link.

    --Jason Wright
      NFR Security
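One way to implement the link-following daemon with hysteresis that the post describes (added example, not NFR's code; the sysfs carrier path, the `ip link` command, the interface names and the poll thresholds are assumptions):

```python
"""Link-follow with hysteresis for a two-port inline sensor (added example, not
NFR's daemon). A's carrier is polled; enough consecutive no-carrier polls down B so
the router behind B loses line protocol too; enough carrier polls restore B."""
import subprocess
import time

class LinkFollower:
    def __init__(self, down_threshold=3, up_threshold=5):
        self.down_threshold = down_threshold  # no-carrier polls before downing B
        self.up_threshold = up_threshold      # carrier polls before restoring B
        self.partner_up = True                # desired admin state of interface B
        self.down_count = self.up_count = 0
        self.actions = []                     # "down"/"up" transitions applied to B

    def observe(self, carrier):
        """Feed one poll of A's carrier; return the desired admin state of B."""
        if carrier:
            self.down_count, self.up_count = 0, self.up_count + 1
            if not self.partner_up and self.up_count >= self.up_threshold:
                self.partner_up = True
                self.actions.append("up")
        else:
            self.up_count, self.down_count = 0, self.down_count + 1
            if self.partner_up and self.down_count >= self.down_threshold:
                self.partner_up = False
                self.actions.append("down")
        return self.partner_up

def simulate(samples, down_threshold=3, up_threshold=5):
    """Replay a constructed sequence of carrier polls; return B's transitions."""
    follower = LinkFollower(down_threshold, up_threshold)
    for carrier in samples:
        follower.observe(carrier)
    return follower.actions

def read_carrier(ifname):
    """Linux sysfs carrier (assumed path); OSError on an admin-down iface = no carrier."""
    try:
        with open(f"/sys/class/net/{ifname}/carrier") as f:
            return f.read().strip() == "1"
    except OSError:
        return False

if __name__ == "__main__":  # live loop: Linux, root and the ifnames are assumptions
    follower, b_is_up = LinkFollower(), True
    while True:
        if (want := follower.observe(read_carrier("eth0"))) != b_is_up:
            subprocess.run(["ip", "link", "set", "eth1", "up" if want else "down"], check=True)
            b_is_up = want
        time.sleep(0.5)
```

The thresholds are the hysteresis: a single-poll flap on A never touches B, and B is only restored after A has stayed up long enough for line protocol negotiation to have settled.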


