By: Chris Calabrese
Background and Introduction
The IDS world has finally gotten its arms around switched LAN's, but what about networks with redundant components? How do you know you're seeing all the attacks?
This paper examines common forms of network redundancy, strategies for placing network IDS probes in redundant networks, and the effectiveness of those strategies.
The goal here is to allow a single IDS probe to see all the traffic associated with a particular attack from one host to another regardless of how many packets the attack takes, how many network-level "sessions" the attack takes, or what network paths the packets traverse.
Redundant Network Elements
The following table gives a taxonomy of redundant network elements we'll consider in this paper: