[AusNOG] IDS / IPS Experience

Edwin Groothuis edwin at mavetju.org
Thu Dec 1 21:08:17 EST 2011


When an IPS/IDS device (any in-path device, to be honest) with fail-to-wire capabilities is in production, you will have two Ethernet links: one on the "inside" link, one on the "outside" link.

When the NIC fails to wire, these Ethernet links will have to be set up again, this time between the device on the "inside" link and the device on the "outside" link.
It is the time it takes to set up the Ethernet link again which will cause the packet loss.

So far I have seen:
- All back within seconds (no spanning tree enabled on the connected devices, interfaces were set to a fixed speed/duplex (yes, this is before gigabit networks))
- All back within seconds (no spanning tree enabled on the connected devices, interfaces were set to autonegotiation).
- All back in 10-30 seconds (spanning tree enabled on the connected devices)
- Came back with a lot of errors (different speed/duplex settings on the connected devices)
- Never came back (wrong cables, incompatible speed/duplex settings on the connected devices)

Packets will be lost with an in-path device; it is up to the higher-layer protocols to recover from it. TCP is very good at it on its own, the rest needs help from the application.

Hook up the device when it is off to make sure the network is working.
Turn on the device and make sure the network is working. If not, fix it and make sure it still works when the device is off after the change.


Interfaces set to fail-to-block are a different story: you will have no network connectivity through it unless you have redundancy around it.

Edwin
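Edwin's test procedure above, taken one step further as an added example (not part of the original post): a Python script that parses the output of a continuous Linux `ping -D` run across the in-path device and measures how long the fail-to-wire gap lasted. The thresholds in classify() are lifted from the recovery times listed above and are a rule of thumb, not a diagnosis; the host address, timestamps and sequence numbers are constructed.

```python
import re

# Constructed sample of Linux `ping -D` output ("[epoch.usec]" prefix); seq
# 5-17 got no reply while the in-path device power-cycled and links re-formed.
SAMPLE_PING = """\
[1322777302.002] 64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=0.405 ms
[1322777303.003] 64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=0.401 ms
[1322777318.010] 64 bytes from 192.0.2.10: icmp_seq=18 ttl=64 time=0.455 ms
[1322777319.010] 64 bytes from 192.0.2.10: icmp_seq=19 ttl=64 time=0.402 ms
"""

REPLY_RE = re.compile(r"^\[(\d+\.\d+)\] .*\bicmp_seq=(\d+)\b")

def parse_replies(text):
    """Return [(timestamp, icmp_seq), ...] for every echo-reply line."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((float(m.group(1)), int(m.group(2))))
    return replies

def find_outages(replies, interval=1.0, capture_end=None):
    """Return [(lost_packets, seconds_without_reply), ...].
    Duration runs from the last reply before a hole in the sequence numbers
    to the first reply after it. With capture_end set, a capture whose
    replies stop early is reported as not recovered (lost_packets is None).
    """
    outages = []
    for (t0, s0), (t1, s1) in zip(replies, replies[1:]):
        lost = s1 - s0 - 1
        if lost > 0:
            outages.append((lost, t1 - t0))
    if capture_end is not None and replies:
        tail = capture_end - replies[-1][0]
        if tail > 2 * interval:
            outages.append((None, tail))
    return outages

def classify(outage):
    """Map an outage onto the recovery patterns reported in the post."""
    lost, seconds = outage
    if lost is None:
        return "never came back: check cabling and speed/duplex on both sides"
    if seconds < 10:
        return "back within seconds: plain link renegotiation"
    if seconds <= 30:
        return "10-30 s: consistent with spanning tree on the connected devices"
    return "over 30 s: outside the patterns in the post, investigate"
```

Run `ping -D <host-behind-device> | tee ping.log` from one side while the device is power-cycled, then feed the log to parse_replies() and find_outages() to see what the "seconds" in the list above actually amount to on your kit.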

On 01/12/2011, at 00:18 , Eric Appelboom wrote:

> Hi, depends on the vendor. McAfee IntruShields (I-Series), for example, are usually installed with external fail-open kits.
> The originals (white LEDs) were supplied by Net Optics (they do taps as well); they would kick in without a network interruption when upgrading appliance firmware or removing the sensor. The newer kits (blue LEDs) do drop stateless protocols (ICMP/UDP and the like); however, TCP pauses as packets are retransmitted, typically no longer than 1-2 seconds.
> 
> Have not deployed any M-Series appliances to date. Checkpoint IPS-1 and Radware DefensePro have internal fail-open switches, which makes RMA'ing an appliance challenging.
> Eric
> 
> 
> On Wed, Nov 30, 2011 at 2:46 PM, <mants at tpg.com.au> wrote:
> Hi,
> 
> Just wondering if anyone wants to share their experience regarding IDS/IPS
> solutions related to traffic handling during a hardware power cycle. Did you see
> any packet drops during and after? And why?
> 
> Cheers,
> Amante
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
> 
> 
> 
> -- 
> Eric Appelboom  MInfoSysSecurity  CISA CISM CRISC CISSP-ISSAP CSSLP CGEIT C|EH CCSA CCSE CCNA(SECURITY)  SEC+ MCSA(SECURITY) MCSE MCTS MCITP ITIL TOGAF
> 
