IDS/IPS system with Foundry sFlow

Hello,

We have a network with embedded support for sFlow technology. We also want to have a good IDS/IPS system. Does anyone know a good setup with our Foundry?

We noticed that Foundry has their own application called "IronView Network Manager"; it is able to operate with Snort. Does anyone know if this is a good solution? Or should we use an sFlow converter (e.g. InMon sFlow toolkit) that can work with Snort?

What are the other possibilities for IDS/IPS besides Snort? It has to operate with the sFlow technology.

Kind regards,

Babel Timo

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

Re: IDS/IPS system with Foundry sFlow

From: Martin Roesch

When you say "with sFlow" do you mean analyze the sFlow records or analyze the packets on the wire and correlate it with the sFlow data?

--
Sent from my iPhone

On Apr 21, 2008, at 3:42 PM, "Security Group" <secgro@...> wrote:
> [...]

RE: IDS/IPS system with Foundry sFlow

I believe sFlow will only forward sampled data, not all packets.

-----Original Message-----
From: Martin Roesch
Sent: April 22, 2008 2:19 PM
To: Security Group
Cc: focus-ids@...
Subject: Re: IDS/IPS system with Foundry sFlow

> [...]

Re: IDS/IPS system with Foundry sFlow

There are only a small handful of companies that process native sFlow for security analysis purposes. Lancope's StealthWatch is one of those companies, and yes, I am a Lancope employee. My feeling is that Lancope has the most in-depth experience and understanding of sFlow security that's available today. The StealthWatch Xe for sFlow appliance is designed specifically for high speed sFlow analysis, storage, and processing, especially in a security context.

Here are a few important subtleties regarding sFlow collector implementations that you may want to keep in mind:

1. Find out about sFlow deduplication: how and if they support it. This is probably the most important sFlow feature. If you don't deduplicate, you can't properly measure attack volume. Example: a simple 1000 SYN flood is underway from point A to B. There are 10 sFlow enabled devices in the path from A to B. The system that supports deduplication reports "1,000 packets per second!". The system without deduplication support reports "10,000 packets per second!!!". This double counting results in a sizable error and often an associated false positive.

2. Ask if they offer support for new sFlow features that allow for packet sampling exceptions. Sampling exceptions allow the switch to pick out certain important packets (such as the TCP SYN or SYN/ACK) and tag them as "extra samples" before they are exported. Lancope makes use of these extra samples without impacting the natural sample rates of the sFlow exporter, improving the speed and accuracy of attack detection. Very cool. To vendors that don't support this feature, the extra samples are invisible and useless.

3. Pressure sFlow vendors about their use of native sFlow decodes vs. NetFlow conversions. Many vendors will convert the sFlow into NetFlow before processing, losing much of the useful information such as payload and Ethernet frame information. The StealthWatch sFlow collector actually opens the sFlow sample and decodes the Ethernet segment found within. Payload samples are saved and made searchable in the StealthWatch GUI. Nothing is lost in translation.

4. You definitely want to ask about INM integration and the partnerships/connections they have to the sFlow big guys (HP, Foundry, Extreme). For those of you that want it, and there are some, believe it or not, StealthWatch integrates directly with IronView for automated and/or semi-automated mitigation (port disablement, VLAN rewrite, etc.).

Good luck in your hunt. sFlow is super powerful, but like gasoline to a car, it's only as useful as the technology that consumes it.

--
Adam Powers
Chief Technology Officer
Lancope, Inc.

On 4/21/08 3:42 PM, "Security Group" <secgro@...> wrote:
> [...]

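The deduplication point in item 1 of the post above, worked through as an added example. This is not Lancope's code and says nothing about how StealthWatch implements it; it constructs the same scenario (a 1000 packet/s SYN flood crossing 10 sFlow-enabled devices, each sampling at 1-in-32) and compares a collector that simply adds up scaled samples from every exporter with one that counts each conversation once. The agent addresses, flood source and target, and the per-agent sampling phase are all made up for the example.

```python
"""Constructed sFlow flow samples, a naive collector and a deduplicating one.

The records below stand in for what a collector sees after decoding sFlow
datagrams: which agent (switch) exported the sample, the agent's configured
sampling rate, and the decoded packet header.  Everything here is constructed
for the example; the agent addresses, flood source and target are made up.
"""
from collections import defaultdict


def make_syn_flood_samples(n_packets=1000, n_agents=10, rate=32):
    """1000 SYNs from A to B cross 10 sFlow-enabled devices; each device samples
    independently at 1-in-32 (simulated here with an agent-specific phase)."""
    samples = []
    for agent in range(n_agents):
        for pkt in range(n_packets):
            if (pkt + 7 * agent) % rate == 0:
                samples.append({
                    "agent": f"10.0.0.{agent + 1}",   # exporting switch (constructed)
                    "rate": rate,                      # 1-in-N sampling rate
                    "src": "198.51.100.10",            # flood source (constructed)
                    "dst": "203.0.113.5",              # flood target (constructed)
                    "proto": 6,
                    "sport": 40000 + pkt,              # SYN floods vary the source port
                    "dport": 80,
                    "flags": "S",
                })
    return samples


def naive_pps(samples, window_s=1.0):
    """Scale every sample by its sampling rate and add them all up.  Each switch
    on the path contributes its own estimate of the same packets, so a 10-hop
    path inflates the result roughly 10x."""
    return sum(s["rate"] for s in samples) / window_s


def dedup_pps(samples, window_s=1.0):
    """Count each conversation once.  Group samples by conversation key (SYN
    floods vary the source port, so the key is src, dst, dport, proto), build
    one scaled estimate per exporting agent, and keep only the largest estimate
    per conversation instead of the sum across agents.  Real collectors choose
    the exporter from topology knowledge; the max is a simple stand-in that
    avoids the double counting."""
    per_conv_agent = defaultdict(lambda: defaultdict(int))
    for s in samples:
        key = (s["src"], s["dst"], s["dport"], s["proto"])
        per_conv_agent[key][s["agent"]] += s["rate"]
    return sum(max(agents.values()) for agents in per_conv_agent.values()) / window_s


if __name__ == "__main__":
    flood = make_syn_flood_samples()
    print(f"{len(flood)} samples from {len({s['agent'] for s in flood})} agents")
    print(f"naive estimate:  {naive_pps(flood):.0f} pps")
    print(f"dedup estimate:  {dedup_pps(flood):.0f} pps")
```

With these inputs the naive collector reports about 10,000 packets per second and the deduplicating one about 1,000, which is the tenfold error the post describes. Note that deduplicating on individual packet identity would not help here: every switch samples independently, so the same packet is rarely sampled twice; the duplication is at the flow level, and that is where it has to be removed.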
Re: IDS/IPS system with Foundry sFlow

I have seen Snort sFlow integrations done a few times with varying degrees of success. Definitely worth exploring, as it doesn't cost ya much other than your time. Problems with sample rates and TCP state are the biggest barriers for serious content inspection. 1 in 128 is about the lowest most vendors recommend, and even at that low sample rate you're already at 99%+ packet loss from Snort's perspective. Specially tuned sigs can be crafted to deal with the sparse content, but I'm not sure how many others exist. I'm sure Marty can comment.

BTW: Snort syslog can be fed into the StealthWatch sFlow collector for contextual reporting and event association.

On 4/22/08 2:18 PM, "Martin Roesch" <roesch@...> wrote:
> [...]

RE: IDS/IPS system with Foundry sFlow

You can still use 'snort', or rather the technology by Sourcefire, but get it included as an embedded/bundled solution. Nokia IP###s (290, 390 etc.) are good for that and more. So I'd check Nokia, because they've made some great moves since 2007 on FW, IPS and IDS.

-----Original Message-----
From: Security Group
Sent: Monday, April 21, 2008 3:42 PM
To: focus-ids@...
Subject: IDS/IPS system with Foundry sFlow

> [...]

RE: IDS/IPS system with Foundry sFlow

From: Monk, Scott

Yes, the sFlow is sampled 1 of 32 packets and higher. Yes, IronView can export all data in real time to a pcap format that Snort (locally or remotely) can read and then send alerts back to the IronView console. Also Lancope has a StealthWatch XE for sFlow.

Thanks,
Scott

-----Original Message-----
From: Martin Roesch
Sent: Tuesday, April 22, 2008 1:19 PM
To: Security Group
Cc: focus-ids@...
Subject: Re: IDS/IPS system with Foundry sFlow

> [...]

Re: IDS/IPS system with Foundry sFlow

Hi Scott,

1-in-32 sampling is going to limit what you can do as far as layer 7 analysis to straight attack signatures; you won't be able to take advantage of Snort's ability to define state machines using the rules language's flowbits feature and do protocol-based analysis and detection. It'll work, but you'll be pretty limited if I understand what you're saying.

-Marty

On Apr 23, 2008, at 9:44 AM, Monk, Scott wrote:
> [...]

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org

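The two sampling arguments in this thread, the "99%+ packet loss from Snort's perspective" at 1-in-128 and the point just above that sampled traffic defeats flowbits-style multi-packet detection, made concrete in an added simulation. This is not Snort code and not a real rule set: it builds a constructed stream of 1000 three-packet attack sessions, samples it at 1-in-32 the way an sFlow agent would, and runs a plain single-packet content check and a three-stage flowbits-style state machine over what survives. The stage strings, session count and random seed are placeholders chosen for the example.

```python
"""Simulate what 1-in-N sFlow sampling leaves for Snort to see.

Constructed traffic: each attack session is three client-to-server packets that
a Snort rule set would chain with flowbits (set on stages 1 and 2, isset on
stage 3).  The stage strings are placeholders, not real signatures, and the
session count and seed are arbitrary.
"""
import random

SAMPLE_RATE = 32      # 1-in-32, the rate mentioned in the thread
SESSIONS = 1000       # constructed: attack sessions in the observation window
STAGES = (b"STAGE1 handshake", b"STAGE2 setup", b"STAGE3 exploit")


def loss_fraction(rate):
    """Share of packets Snort never sees at 1-in-rate sampling (1-in-128 -> 99.2%)."""
    return 1.0 - 1.0 / rate


def build_stream(sessions=SESSIONS):
    """(session_id, stage_index) packets, stage-major so the packets of one
    session are spread across the stream as they would be on a busy link."""
    return [(s, stage) for stage in range(len(STAGES)) for s in range(sessions)]


def sample(stream, rate=SAMPLE_RATE, seed=1):
    """Random 1-in-rate packet sampling, the way an sFlow agent samples."""
    rng = random.Random(seed)
    return [pkt for pkt in stream if rng.randrange(rate) == 0]


def single_packet_alerts(sampled):
    """A plain content rule fires on any sampled packet carrying the final stage."""
    return sum(1 for _, stage in sampled if STAGES[stage] == STAGES[-1])


def flowbits_alerts(sampled):
    """A flowbits-style state machine: alert only when every stage of one session
    was seen, in order.  A stage lost to sampling leaves the session stuck."""
    expected = {}
    alerts = 0
    for session, stage in sampled:
        if expected.get(session, 0) == stage:
            expected[session] = stage + 1
            if expected[session] == len(STAGES):
                alerts += 1
    return alerts


def expected_alerts(sessions, rate, packets_needed):
    """Analytic expectation: each packet survives sampling with probability
    1/rate, so a rule that needs k packets of one session fires for about
    sessions * (1/rate)^k of them."""
    return sessions * (1.0 / rate) ** packets_needed


if __name__ == "__main__":
    sampled = sample(build_stream())
    print(f"packet loss at 1-in-128: {loss_fraction(128):.1%}")
    print(f"single-packet rule: {single_packet_alerts(sampled)} alerts "
          f"(expected {expected_alerts(SESSIONS, SAMPLE_RATE, 1):.1f})")
    print(f"flowbits 3-stage rule: {flowbits_alerts(sampled)} alerts "
          f"(expected {expected_alerts(SESSIONS, SAMPLE_RATE, 3):.3f})")
```

At 1-in-32 the single-packet rule still catches roughly 3% of the sessions (about 31 of 1000), which is what "straight attack signatures" buys you. The three-stage rule needs all three packets of the same session to survive sampling, an event with probability (1/32)^3, so it fires on about 0.03 sessions per thousand, i.e. essentially never. That ratio, not the raw loss figure, is why stateful rules and protocol analysis do not carry over to sampled input.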
RE: IDS/IPS system with Foundry sFlow

You are correct, as it is a sampled flow analysis. For 100% traffic you would either need to be able to use NetFlow (not supported on Foundry equipment) or a network tap, as I am not a big fan of span (mirror) ports. We prefer the Datacom singlestream taps for our Snort IDS servers.

Thanks,
Scott

-----Original Message-----
From: Martin Roesch [mailto:roesch@...]
Sent: Friday, April 25, 2008 2:09 PM
To: Monk, Scott
Cc: Security Group; focus-ids@...
Subject: Re: IDS/IPS system with Foundry sFlow

> [...]