Inside outside addresses
carter at qosient.com
Fri Sep 15 10:48:33 EDT 2006
Hey Olaf,
FYI, the additions to racluster allow you to aggregate whole days' worth of data that preserve the mac/[ip,vlan,mpls,tos,whatever] pairings, so you can not only do the outside/inside test, but test for things like changes in routing, vlan forwarding/access control, and little things like DHCP reassignments, and DiffServ performance.
So, aggregating an entire day, then doing the mapping test usually goes faster than per record testing, and allows you to collect aggregates, rather than raw data, when you want to do this for a large number of sites/hosts from a single machine.
Just some thoughts,
Carter
Carter Bullard
QoSient LLC
150 E. 57th Street Suite 12D
New York, New York 10022
+1 212 588-9133 Phone
+1 212 588-9134 Fax
-----Original Message-----
From: Olaf Gellert <olaf.gellert at intrusion-lab.net>
Date: Thu, 14 Sep 2006 10:26:45
To: Darren Spruell <phatbuckett at gmail.com>
Cc: Argus <argus-info at lists.andrew.cmu.edu>
Subject: Re: [ARGUS] Graph of the Week at http://qosient.com/argus
Maybe I should clarify this:
> One example of a security check is this (we have been doing it for
> many years now): We compare if any packet with an inside IP
> address has the MAC-address of our router interface. That way we
> notice IP-spoofing (or check if our firewall really does what it
> should do: keep these packets out).
>
"inside IP address" -> "inside source IP address"
So packets are suspicious that have an inside source IP
address, but the MAC indicates that the router forwarded
them (of course you have to exclude the normal IP of the
router address).
Olaf
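As an added example, not code from this thread or from the argus project: Olaf's inside-source-IP versus router-MAC check, run over day-level (smac, saddr) aggregates the way Carter suggests, plus the "same inside IP behind several MACs" view he mentions for routing changes and DHCP reassignments. The inside prefix, the router's MAC and address, and the comma-separated record layout are assumptions.

```python
import ipaddress
from collections import Counter

INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed inside prefix
ROUTER_MAC = "00:11:22:33:44:55"                         # assumed router interface MAC
ROUTER_IPS = {ipaddress.ip_address("192.0.2.1")}         # router's own inside address (excluded)

# Constructed records in an assumed "smac,saddr,pkts" layout (not real racluster output).
SAMPLE_FLOWS = """\
00:11:22:33:44:55,198.51.100.7,120
00:11:22:33:44:55,192.0.2.1,15
aa:bb:cc:dd:ee:01,192.0.2.10,300
00:11:22:33:44:55,192.0.2.10,3
00:11:22:33:44:55,192.0.2.77,9
aa:bb:cc:dd:ee:02,192.0.2.11,50
"""

def aggregate_pairs(lines):
    """Collapse raw records into (smac, saddr) -> packet count, i.e. the
    per-day pairing aggregate rather than per-record data."""
    pairs = Counter()
    for line in lines.strip().splitlines():
        smac, saddr, pkts = line.split(",")
        pairs[(smac.lower(), ipaddress.ip_address(saddr))] += int(pkts)
    return pairs

def is_inside(ip):
    return any(ip in net for net in INSIDE_NETS)

def spoof_candidates(pairs):
    """Inside source addresses that arrived with the router's MAC: the router
    forwarded a packet claiming an inside source, which the firewall should
    have dropped. The router's own address is excluded as Olaf notes."""
    hits = []
    for (smac, saddr), pkts in sorted(pairs.items(), key=lambda kv: str(kv[0][1])):
        if smac == ROUTER_MAC and is_inside(saddr) and saddr not in ROUTER_IPS:
            hits.append((str(saddr), pkts))
    return hits

def multi_mac_addresses(pairs):
    """Inside addresses seen behind more than one MAC in the window: a routing
    change, a DHCP reassignment, or the spoofing case above."""
    macs = {}
    for smac, saddr in pairs:
        if is_inside(saddr):
            macs.setdefault(str(saddr), set()).add(smac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

if __name__ == "__main__":
    agg = aggregate_pairs(SAMPLE_FLOWS)
    for ip, pkts in spoof_candidates(agg):
        print(f"inside source {ip} seen via router MAC ({pkts} packets)")
    print(multi_mac_addresses(agg))
```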