Just to chime in about potential problems at the physical layer. I've seen these type of problems on numerous occasions. At the trivial extreme there may exist a NIC duplex mismatch or speed mismatch, or in the case of all NICS set to auto-auto, the devices can have issues negotiating the speed/duplex. I think generally the guidance out there will tell you to nail up the ports on both sides but this isn't a solution in all cases. At the more complex extreme there are many port stats that can indicate subtle issues. Corrupt packets, out of sequence packets, retransmits, or dropped packets can all mean a field-day for an IPS.

You would think this would be picked up relatively quickly but it's a recurring issue in my world. It's important to know that this sort of negotiation/renegotiation may only present itself under heavy traffic volume or a specific type of traffic (MTU issues and so on). What's more is that upon investigation, the stats on a port on one side of the connection may look relatively clean whereas the port on the other side of the connection can be struggling.

It can be tough to get a provider to dig into this when it "seems" to be working at least for some or for the majority of the time. It's even more interesting when the two ends of the link are owned by different companies.

Matt Fitzgerald, P.Eng
Security Architect

CAE Professional Services
36 Solutions Drive
Suite 200
Halifax, NS
B3S1N2
Tel. 902-420-3070 x2127
Fax: 902-420-3087
Matthew.Fitzgerald (at) cae (dot) com [email concealed]

CONFIDENTIALITY NOTICE
This e-mail message is intended only for the above named recipient(s) and may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you have received this message in error or are not the named recipient(s), please immediately notify the sender, delete this email message without making a copy and do not disclose or relay this e-mail message to anyone.

-----Original Message-----
From: Joel Esler [mailto:joel.esler (at) me (dot) com [email concealed]]
Sent: February 15, 2011 11:25 AM
To: JiPi DiNi
Cc: Joel Jaeggli; Matthew Fitzgerald; Andrew Plato; Shang Tsung; focus-ids (at) securityfocus (dot) com [email concealed]
Subject: Re: IDS causing troubles

On Feb 14, 2011, at 1:28 PM, JiPi DiNi wrote:

> If inline it has to be a bypass switch not a tap.
>
> an IPS with a TAP is an IDS.
> an IPS with a bypass switch configured inline can block on traffic.

You might want to clarify this statement a bit more, for instance, there are tap vendors that make devices called "Vmode" taps, which is essentially an inline tap, the traffic goes through the tap, and sent through an IPS, however if the IPS fails, the vmode tap "fails open" sending the traffic straight through.

This may be what you meant about a bypass switch, but just clarifying the terminology.

--
Joel Esler
http://www.joelesler.net

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a
17f194

[ reply ]