Focus on IDS
IDS causing troubles Feb 01 2011 09:53AM
Shang Tsung (shangtsung71 gmail com) (9 replies)
Re: IDS causing troubles Feb 03 2011 10:32AM
Udo Sprotte (Udo Sprotte t-online de)
Re: IDS causing troubles Feb 02 2011 10:59PM
Paul Palmer (b paul palmer gmail com)
RE: IDS causing troubles Feb 02 2011 06:33AM
alex cc technion ac il
RE: IDS causing troubles Feb 02 2011 04:06AM
Alex Nepolian cognizant com
Re: IDS causing troubles Feb 02 2011 12:04AM
Antônio Arruda Neto (anetoarruda gmail com)
Re: IDS causing troubles Feb 01 2011 09:41PM
Jeff Ames (jeffames nemesissolutions co uk)
Re: IDS causing troubles Feb 01 2011 08:50PM
Shwetabh Sharma (shwetabhsharma gmail com) (1 replies)
RE: IDS causing troubles Feb 04 2011 06:35AM
IT_H_Security (IT_H_Security MahindraSatyamBPO com)
Re: IDS causing troubles Feb 01 2011 08:48PM
JiPi DiNi (jipidini gmail com)
RE: IDS causing troubles Feb 01 2011 08:26PM
Andrew Plato (andrew plato anitian com) (1 replies)
Re: IDS causing troubles Feb 11 2011 07:41AM
Joel Jaeggli (joelja bogus com) (2 replies)
RE: IDS causing troubles Feb 12 2011 06:39PM
Bob-Buel (bob buel org) (1 replies)
SV: IDS causing troubles Feb 15 2011 07:39AM
Anders Petrén (anders certezza net)
RE: IDS causing troubles Feb 11 2011 06:23PM
Matthew Fitzgerald (matthew fitzgerald cae com) (2 replies)
Re: IDS causing troubles Feb 14 2011 05:21PM
Curt Purdy (infosysec gmail com)
Re: IDS causing troubles Feb 11 2011 07:14PM
Joel Jaeggli (joelja bogus com) (2 replies)
Re: IDS causing troubles Feb 15 2011 03:23PM
Joel Esler (joel esler me com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:21PM
Curt Purdy (infosysec gmail com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:28PM
Joel Esler (joel esler me com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:49PM
Curt Purdy (infosysec gmail com) (1 replies)
Re: IDS causing troubles Feb 18 2011 02:51PM
Joel Esler (joel esler me com)
Re: IDS causing troubles Feb 14 2011 06:28PM
JiPi DiNi (jipidini gmail com) (1 replies)
Re: IDS causing troubles Feb 15 2011 03:25PM
Joel Esler (joel esler me com) (2 replies)
Re: IDS causing troubles Feb 19 2011 03:47AM
Ichilov (zivi radware com)
RE: IDS causing troubles Feb 15 2011 04:08PM
Matthew Fitzgerald (matthew fitzgerald cae com)
Just to chime in about potential problems at the physical layer. I've seen these types of problems on numerous occasions. At the trivial extreme there may exist a NIC duplex mismatch or speed mismatch, or in the case of all NICs set to auto-auto, the devices can have issues negotiating the speed/duplex. I think generally the guidance out there will tell you to nail up the ports on both sides, but this isn't a solution in all cases. At the more complex extreme there are many port stats that can indicate subtle issues. Corrupt packets, out-of-sequence packets, retransmits, or dropped packets can all mean a field day for an IPS.

You would think this would be picked up relatively quickly but it's a recurring issue in my world. It's important to know that this sort of negotiation/renegotiation may only present itself under heavy traffic volume or a specific type of traffic (MTU issues and so on). What's more is that upon investigation, the stats on a port on one side of the connection may look relatively clean whereas the port on the other side of the connection can be struggling.

It can be tough to get a provider to dig into this when it "seems" to be working at least for some or for the majority of the time. It's even more interesting when the two ends of the link are owned by different companies.

Matt Fitzgerald, P.Eng
Security Architect

CAE Professional Services
36 Solutions Drive
Suite 200
Halifax, NS
B3S1N2
Tel. 902-420-3070 x2127
Fax: 902-420-3087
Matthew.Fitzgerald (at) cae (dot) com [email concealed]


-----Original Message-----
From: Joel Esler [mailto:joel.esler (at) me (dot) com [email concealed]]
Sent: February 15, 2011 11:25 AM
To: JiPi DiNi
Cc: Joel Jaeggli; Matthew Fitzgerald; Andrew Plato; Shang Tsung; focus-ids (at) securityfocus (dot) com [email concealed]
Subject: Re: IDS causing troubles

On Feb 14, 2011, at 1:28 PM, JiPi DiNi wrote:

> If inline it has to be a bypass switch not a tap.
>
> an IPS with a TAP is an IDS.
> an IPS with a bypass switch configured inline can block on traffic.

You might want to clarify this statement a bit more. For instance, there are tap vendors that make devices called "Vmode" taps, which are essentially inline taps: the traffic goes through the tap and is sent through an IPS; however, if the IPS fails, the vmode tap "fails open", sending the traffic straight through.

This may be what you meant about a bypass switch, but just clarifying the terminology.

--
Joel Esler
http://www.joelesler.net
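Matt's point about comparing port stats on both ends of the link lends itself to a small check. The following is an added example, not code from the list post or from any vendor; the port settings, counters and threshold are constructed values, and in practice the numbers would be scraped from `ethtool -S`, `ip -s link` or a switch CLI (collection not shown). It flags speed/duplex and auto-negotiation mismatches, error counters above a threshold, and the case where only one end of the link shows errors:

```python
"""Compare both ends of an IPS monitoring link for physical-layer trouble.

Added example (not from the list post or any vendor tool). All port
settings and counters below are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class PortStats:
    """Settings and cumulative counters for one end of a link."""
    name: str
    speed_mbps: int
    duplex: str         # "full" or "half"
    autoneg: bool       # True if auto-negotiating, False if nailed up
    rx_packets: int
    tx_packets: int
    rx_crc_errors: int  # FCS/CRC errors: typical on the full-duplex side of a mismatch
    rx_dropped: int
    tx_dropped: int
    collisions: int     # typical on the half-duplex side of a mismatch


# Assumed threshold: flag a port once errors exceed 0.01% of its packets.
ERROR_RATE_THRESHOLD = 1e-4


def delta(before: PortStats, after: PortStats) -> PortStats:
    """Counter growth between two samples, so a check can cover a busy window
    (these faults may only show under heavy traffic, as the post notes)."""
    return PortStats(
        after.name, after.speed_mbps, after.duplex, after.autoneg,
        after.rx_packets - before.rx_packets,
        after.tx_packets - before.tx_packets,
        after.rx_crc_errors - before.rx_crc_errors,
        after.rx_dropped - before.rx_dropped,
        after.tx_dropped - before.tx_dropped,
        after.collisions - before.collisions,
    )


def error_rate(p: PortStats) -> float:
    """Errors and drops as a fraction of all packets seen on the port."""
    total = p.rx_packets + p.tx_packets
    if total == 0:
        return 0.0
    return (p.rx_crc_errors + p.rx_dropped + p.tx_dropped + p.collisions) / total


def check_link(a: PortStats, b: PortStats) -> list[tuple[str, str]]:
    """Return (code, detail) findings for the link between ports a and b."""
    findings = []
    if a.speed_mbps != b.speed_mbps:
        findings.append(("SPEED_MISMATCH", f"{a.name}={a.speed_mbps}Mb/s {b.name}={b.speed_mbps}Mb/s"))
    if a.duplex != b.duplex:
        findings.append(("DUPLEX_MISMATCH", f"{a.name}={a.duplex} {b.name}={b.duplex}"))
    if a.autoneg != b.autoneg:
        findings.append(("AUTONEG_MISMATCH", "one side auto-negotiates while the other is nailed up"))
    rates = {p.name: error_rate(p) for p in (a, b)}
    for p in (a, b):
        if rates[p.name] > ERROR_RATE_THRESHOLD:
            findings.append(("HIGH_ERROR_RATE", f"{p.name}: {rates[p.name]:.3%} of packets errored/dropped"))
    bad = [p.name for p in (a, b) if rates[p.name] > ERROR_RATE_THRESHOLD]
    if len(bad) == 1:
        findings.append(("ASYMMETRIC_ERRORS",
                         f"only {bad[0]} shows errors while the other end looks clean; check the far side"))
    return findings


# Constructed sample 1: classic mismatch. The IPS port auto-negotiates but the
# provider nailed its port to 100/full, so the IPS side fell back to half duplex.
IPS_PORT = PortStats("ips-eth1", 100, "half", True, 1_000_000, 1_000_000, 0, 0, 0, 4_000)
SWITCH_PORT = PortStats("sw-gi0/1", 100, "full", False, 1_000_000, 1_000_000, 3_500, 0, 0, 0)

# Constructed sample 2: settings agree and the near end looks clean, but the far
# end is dropping packets: the "one side clean, other side struggling" case.
NEAR_PORT = PortStats("ips-eth2", 1000, "full", True, 5_000_000, 5_000_000, 0, 0, 0, 0)
FAR_PORT = PortStats("isp-port-7", 1000, "full", True, 5_000_000, 5_000_000, 12, 9_000, 0, 0)

if __name__ == "__main__":
    for label, pair in (("link 1", (IPS_PORT, SWITCH_PORT)), ("link 2", (NEAR_PORT, FAR_PORT))):
        print(label)
        for code, detail in check_link(*pair):
            print(f"  {code}: {detail}")
```

Run `check_link` on counter deltas taken across a period of heavy traffic rather than on a single snapshot; a port that looks clean at idle can still be the one struggling under load, and the asymmetry finding is the cue to ask the provider for their side's stats.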


Copyright 2010, SecurityFocus