[unisog] IDS INFO

Peter Van Epp vanepp at sfu.ca
Thu Aug 30 18:38:54 GMT 2001

	One not of caution with this (but not a reason to not do it necessarily)
is that if the TopLayer and the server both have gig links and the attacker can
arrange to be on the gig link and cause his attack flow to use more than 100 
megs of bandwith, packet loss (and possible hiding of the attack) is possible
(if not necessarily likely) due to the bandwith limitation of the 100 monitor
port. There are situations where this would be an important consideration and 
in any case it should be factored in to the risk analysis.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

> > We are trying to fiugure out a way to gather IDS data via gigabit LX taps,
> > but it seems that there are a number of obticles. Apparently, you will
> > loose lower level errors if you use port-mirroring on a switch, not to
> > mention the amount of data that is lost due to light splitting. Does any
> > one have any suggestions or information as to how this might be done? 
> You might want to look at the TopLayer switches, which can parcel out
> flows to multiple IDS boxes on 100baseT ports.  They have a switch
> with 2 gig ports and 12 100mb ports.  It does mean you need multiple
> IDS boxes, but that may help handle the load in the long run and allow
> you to sent certain types of packets (http for example) to a specific
> IDS box.  TopLayer calls this feature "Flow Mirror".  The switch also
> has some attack mitigation features to filter out common attacks such
> as land, smurf, fraggle, UDP bombs, SYN floods, bogus fragment
> offsets, etc.  See http://www.toplayer.com/ for more info.
> Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
> University of California, Irvine       phone:       949-824-6926
> Network & Academic Computing Services  FAX:         949-824-2069

More information about the unisog mailing list