Sunday, February 24, 2008

Asymmetric Routing - Security Devices

It appears that asymmetric routing is very common in enterprise networks. It was a surprise for me when I first heard about this a few years back.

When the packets of a connection take different routes through the network, the network has an asymmetric routing problem. Any stateful security device has trouble with this. Stateful security devices expect all packets of a connection to pass through them, both client-to-server and server-to-client. If the packets belonging to one leg of a connection don't pass through, these devices fail to track the protocol state and report the packets they do see as 'attacks'. For example, if the security device receives the second packet of a TCP connection (the SYN+ACK, the first packet from server to client) without having seen the first packet (the SYN-only packet from client to server), then the security device (firewall) treats it as an 'attack' or a reconnaissance attempt by an attacker. Typically these packets are dropped, so the connection is never established even though it is genuine.

Often this asymmetry is observed in enterprise core networks but not at the enterprise edge. The problem is less common in large enterprises, where security administrators work with network administrators to fix the network. In the SME market, security device vendors can't expect customers to fix their network problems immediately; vendors are expected to provide a workaround in their devices while administrators fix the problems over time.

Some security device vendors support a 'bypass security processing' feature. It allows the user to configure multiple bypass records, each consisting of a pair of networks. Any traffic whose source IP address and destination IP address fall within one of the bypass records is forwarded or switched immediately, without any security analysis. Whether the packet is forwarded or switched depends on whether the security device is operating in route mode or bridge mode.
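To make both points concrete, here is an added example (not from the original post or any vendor's code): a toy stateful firewall that drops a SYN+ACK arriving without its preceding SYN, and a bypass table of network pairs that lets such traffic through unchecked. The addresses, ports and the `asymmetric_demo` scenario are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK

class StatefulDevice:
    def __init__(self, bypass_pairs=()):
        # A bypass record is a pair of networks; traffic between them in either
        # direction is forwarded without stateful inspection.
        self.bypass = [(ipaddress.ip_network(a), ipaddress.ip_network(b))
                       for a, b in bypass_pairs]
        self.sessions = set()  # direction-independent 4-tuples that began with a SYN
        self.alerts = []       # packets logged as 'attack' and dropped

    def _bypassed(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any((s in a and d in b) or (s in b and d in a) for a, b in self.bypass)

    def process(self, pkt):
        if self._bypassed(pkt):
            return "forward:bypass"
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if pkt.flags == "S":          # first leg: create connection state
            self.sessions.add(key)
            return "forward"
        if key in self.sessions:      # later packet of a session we saw open
            return "forward"
        # No SYN seen for this 4-tuple: a SYN+ACK or ACK arriving out of the blue
        # is indistinguishable from a scan, so it is logged and dropped. On an
        # asymmetric path it is a genuine connection whose other leg went elsewhere.
        self.alerts.append(f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} flags={pkt.flags}")
        return "drop:no-state"

def asymmetric_demo(with_bypass):
    # Constructed scenario: client 10.1.1.5 connects to server 10.2.2.10:443. The
    # SYN took another path, so this device only sees the server's SYN+ACK onward.
    pairs = [("10.1.1.0/24", "10.2.2.0/24")] if with_bypass else []
    dev = StatefulDevice(pairs)
    syn_ack = Packet("10.2.2.10", "10.1.1.5", 443, 51000, "SA")
    ack = Packet("10.1.1.5", "10.2.2.10", 51000, 443, "A")
    return [dev.process(syn_ack), dev.process(ack)], len(dev.alerts)
```

Without a bypass record the genuine handshake is dropped and logged twice; with the client and server subnets paired in a bypass record it is forwarded with no inspection at all, which is the trade-off the feature asks the administrator to accept.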

As a security administrator, it is better to look for security devices that offer this bypass flexibility.
