Frequently Asked Questions About IDSB

Why is network monitoring essential?

Monitoring is required to protect against a myriad of network-based attacks that threaten to steal sensitive information and/or disrupt the business. Monitoring is also essential to ensure network uptime and employee, partner and customer access to business applications. Enterprises also use network monitoring for capacity planning, to anticipate and prepare for growing traffic demands and to improve end-user SLAs. Network monitoring for all these purposes has become more difficult and intricate with the increased diversity and complexity of application traffic and the growing use of performance-sensitive applications, such as VoIP and video.

What does IDSB do?

Corero's Intelligence Distribution Balancer aggregates network traffic from multiple segments or VLANs, replicates and filters it, and sends copies to one or more groups of network monitoring devices, often different types of monitoring devices performing various security and operational functions. The IDS Balancer provides a cost-effective solution by aggregating multiple network segments and providing for redundancy and scalable growth as future traffic loads increase.

Is IDSB cost effective?

Deploying security and traffic monitoring and analysis sensors on each network segment is costly and inefficient. Indeed, such deployments may be cost-prohibitive in large, complex enterprise network environments.

Customers have reported significant cost savings, in some cases 80%, by streamlining the deployment of their various network monitoring tools with Corero's IDSB appliances. Aggregating the traffic from multiple network segments provides immediate savings, since fewer sensors are required to examine the traffic. For example, if you want to monitor six GigE segments you can use six GigE sensors, or use one "aggregation device" IDSB and one GigE sensor. In this simple example, Corero's family of high-performance ASIC-based IDSB appliances provides the same coverage as multiple sensors and huge savings by offering aggregation for both Fast Ethernet and GigE networks.

How does streamlined deployment improve security?

Deploying multiple sensors on each network segment is often cost-prohibitive, forcing organizations to settle for limited deployments on selected segments. This significantly increases risk from cyber attacks, which result in costly data breaches (Ponemon Institute pegs the average cost of a single data breach at $7.2 million!) and/or network disruptions from distributed denial-of-service (DDoS) attacks that can bring business to a halt. Inefficient monitoring can result in failure to anticipate, detect and swiftly react to network problems, which can impact performance and, in turn, the business.

Why is aggregating and filtering traffic for multiple sensor types important?

It is very common for enterprises to use different types of sensors, each one optimized for different types of traffic and different purposes. Corero's IDSB can filter the traffic by IP address and/or the type of application, thus enabling the sensors to be optimized. In addition, the IDSB can create "carbon copies" of either all or a portion of the traffic, which can be delivered to different sensor groups. This functionality is very useful for delivering the same traffic to different types of sensors.

How does IDSB's "intelligent load balancing" differ from other balancing solutions that deal with multiple sensor environments?

Some balancing devices use "packet"-based technology, balancing the traffic by looking at each packet and distributing the traffic to the various sensors. The problem with this approach is that you might end up with part of a flow going to one sensor, and the rest going to a different one. Since most sensors monitor traffic by looking at the whole flow, this will cause the sensor to malfunction and produce erratic results. The Corero IDSB is a stateful flow-based device, which load balances the traffic based on the flows (conversations between hosts on a network). The relationship between a packet and a flow, as it relates to the communication between two systems, can be compared to the conversation between two people. A packet represents a word or phrase in the conversation, whereas a flow represents the whole conversation.

What types of network monitoring tools does IDSB work with?

IDSB has a very wide range of network monitoring use cases. Among these are network analyzers, network IDSes, VoIP recorders, forensics, content inspection engines (such as DLP), RMON probes, network detection systems and more.

VoIP recording is a good example. Companies record huge volumes of digital calls for quality assurance, legal protection, compliance, etc. The problem is that VoIP recorders have a limit on how many "calls" they can record at a time, due to the processing speed, disk speed, and network speed of the computers on which the VoIP-based recording software runs. IDSB "listens" to all the VoIP-based phone call setups, and then distributes copies of the VoIP call traffic, on a call-by-call basis, to a group of VoIP recorders. Among transparent load balancers, only IDSB has this level of call-by-call granularity.

Asymmetric routing is problematic. How does IDSB deal with this?

Placement of monitoring sensors creates a challenging problem in networks with asymmetric routes. To be effective, a sensor needs to see the entire data flow between any two end points. When traffic enters via one route and leaves via another, the sensor will only see half of the communication. As a result, a serious attack may go undetected or protocol anomalies may be falsely reported.

IDSB eliminates the challenge of deploying monitoring sensors in asymmetric networks, providing complete network coverage. IDSB uses patented Flow Mirror technology to match entire flows before passing the traffic to the sensor. This is an essential feature when monitoring 100% of the network traffic is mandated by law or governance.

What about high availability?

With a typical monitoring deployment, each sensor is installed singly, monitoring a separate portion of the network. When a sensor fails, attacks or intrusions on the portion of the network monitored by that sensor are missed. Corero's IDSB distributes traffic across a group of sensors. If one monitoring sensor in the group fails, the remaining sensors pick up the load without impacting the monitoring operation.
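The flow-based balancing, asymmetric-routing and sensor-failure answers above can be illustrated with one sketch, added here as an example and not Corero's implementation: a direction-independent flow key sends both halves of a conversation to the same sensor, while per-packet round-robin splits it. The sensor names, the sample packets and the use of rendezvous hashing in place of a stateful flow table are assumptions.

```python
import hashlib
from collections import defaultdict

SENSORS = ["sensor-a", "sensor-b", "sensor-c"]  # hypothetical sensor group

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: both halves of a conversation map to it."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"

def flow_sensor(pkt, sensors=SENSORS):
    """Flow-based choice: highest hash score of (sensor, flow) wins."""
    key = flow_key(*pkt)
    return max(sensors,
               key=lambda s: hashlib.sha256(f"{s}|{key}".encode()).digest())

def round_robin(pkts, sensors=SENSORS):
    """Packet-based choice: next sensor in turn, flow membership ignored."""
    return [sensors[i % len(sensors)] for i in range(len(pkts))]

def sensors_per_flow(pkts, assignment):
    """Which sensors received at least one packet of each flow."""
    seen = defaultdict(set)
    for pkt, sensor in zip(pkts, assignment):
        seen[flow_key(*pkt)].add(sensor)
    return dict(seen)

# Constructed sample: two TCP conversations with requests and replies
# interleaved; under asymmetric routing the replies arrive on another tap.
PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 443, "tcp"),
    ("10.0.0.7", 40002, "192.0.2.20", 80, "tcp"),
    ("192.0.2.10", 443, "10.0.0.5", 40001, "tcp"),
    ("192.0.2.20", 80, "10.0.0.7", 40002, "tcp"),
    ("10.0.0.5", 40001, "192.0.2.10", 443, "tcp"),
    ("192.0.2.10", 443, "10.0.0.5", 40001, "tcp"),
]

if __name__ == "__main__":
    per_packet = sensors_per_flow(PACKETS, round_robin(PACKETS))
    per_flow = sensors_per_flow(PACKETS, [flow_sensor(p) for p in PACKETS])
    print("packet-based:", per_packet)   # flows split across sensors
    print("flow-based:  ", per_flow)     # one sensor per flow
    failed = flow_sensor(PACKETS[0])     # simulate losing that sensor
    alive = [s for s in SENSORS if s != failed]
    print("after failure:", flow_sensor(PACKETS[0], alive))
```

With rendezvous hashing, removing a sensor only moves the flows that were assigned to it; flows on the surviving sensors keep their assignment, so those sensors do not lose reassembly state.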

What ROI can I expect? 

There are several ways that you can realize a tangible and rapid return on investment by capitalizing on the benefits of an IDSB deployment, including:

  • Reducing your capital, maintenance and operations expenditure for all types of network monitoring solutions.
  • Simplifying the management of your monitoring solutions.
  • Enabling simultaneous monitoring for different applications, such as security and network troubleshooting.
  • Scaling your monitoring solutions, and enabling the sensors to sustain the volume of traffic to be monitored.
  • Adding N+1 redundancy for your monitoring sensors.