I'm working on an IPS design in a fully redundant DC where it is almost impossible to force symmetrical flows. My question is, when using asymmetric mode for TCP reassembly, what exactly is lost? Below is the list I've come up with so far:
1. TCP Normalization. (No big deal in my case because the ASA provides a lot of this same functionality.)
2. Anomaly Detection. With asymmetric mode this should be set to Inactive.
I'm also including a diagram that depicts my situation.
Don't forget that if the IPS sees half of the traffic, and the attack pattern is in the other half that the IPS doesn't see, then of course the sensor can't detect the attack.
So asymmetric traffic lowers the effectiveness of the IPS and makes it unreliable in always detecting the attacks it should. Also, attack patterns spread across several TCP segments might not be detected if one segment is seen by the IPS while another is not.
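To make the point in the reply above concrete, here is an added toy model of stream-based signature matching; it is example code, not from this thread or from any Cisco sensor. It constructs a two-segment request whose signature straddles the segment boundary, with the second segment carried over the other redundant path, and compares what a sensor with full visibility, a sensor on one path only, and a stateless per-segment matcher each detect. The `Segment` type, `sensor_view`, `reassemble` and the placeholder signature are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    direction: str  # "c2s" (client->server) or "s2c" (server->client)
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes
    path: str       # which redundant path (and thus which sensor) carried it

def sensor_view(segments, path):
    """What a single sensor sees under asymmetric flows: only its own path."""
    return [s for s in segments if s.path == path]

def reassemble(segments, direction):
    """Order one direction's segments by seq and rebuild the byte stream.
    Bytes the sensor never saw become a zero-filled hole so offsets stay aligned."""
    ordered = sorted((s for s in segments if s.direction == direction), key=lambda s: s.seq)
    if not ordered:
        return b""
    base, stream = ordered[0].seq, bytearray()
    for s in ordered:
        off = s.seq - base
        if off > len(stream):
            stream.extend(b"\x00" * (off - len(stream)))  # unseen gap
        stream[off:off + len(s.payload)] = s.payload      # retransmits overwrite
    return bytes(stream)

def detect_stream(segments, signature, direction="c2s"):
    """Stream-based matching: the signature must appear in the reassembled stream."""
    return signature in reassemble(segments, direction)

def detect_per_segment(segments, signature, direction="c2s"):
    """Stateless matching: each segment is inspected on its own, no reassembly."""
    return any(signature in s.payload for s in segments if s.direction == direction)

# Constructed request: the placeholder signature straddles two segments, and the
# second segment traversed the other redundant path (e.g. after a link failover).
SIGNATURE = b"ATTACK-PATTERN-PLACEHOLDER"
P1 = b"GET /index.html HTTP/1.1\r\nX-Sig: ATTACK-PAT"
P2 = b"TERN-PLACEHOLDER\r\n\r\n"
SEGMENTS = [
    Segment("c2s", 1000, P1, "A"),
    Segment("c2s", 1000 + len(P1), P2, "B"),
    Segment("s2c", 5000, b"HTTP/1.1 200 OK\r\n", "B"),
]

def audit():
    """Compare what each vantage point can detect."""
    return {
        "full_view_stream": detect_stream(SEGMENTS, SIGNATURE),                      # True
        "full_view_per_segment": detect_per_segment(SEGMENTS, SIGNATURE),            # False
        "sensor_A_stream": detect_stream(sensor_view(SEGMENTS, "A"), SIGNATURE),     # False
        "sensor_B_stream": detect_stream(sensor_view(SEGMENTS, "B"), SIGNATURE),     # False
    }

if __name__ == "__main__":
    print(audit())
```

Only the sensor that sees both segments and reassembles them catches the pattern; the per-segment result shows why TCP reassembly matters even before asymmetry is considered.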
Thanks for the response. In our design, the only time we would really see asymmetric traffic is if one of the 4270s' links went down. If we lose an entire 4270 we are still OK - just an individual link is when we could encounter asymmetric flows. I'd really like to design around that, but it seems the only way would be to have a services block layer where, via STP, we can rely on the traffic always going to one switch. vPC, with all its benefits, does lose you a predictable traffic path.