regarding Back bone network

hi all,

Well, this doubt is certainly not specific to any IDS, but I just wanted to
put it to our Bro community.

In an IDS scenario, we say that the sensors and the main IDS server, when
deployed, communicate with each other. Now there is a special term known as
"backbone network", about which specialists say that the IDS does not rely
on the underlying network, so that attackers cannot compromise the
messages transferred by the IDS system.

What could this backbone be? It seems to be different from normal
TCP/IP... or is it the same, with a different technique used?

Can anyone throw some light on this topic?

Thanks and regards,

Mayank Bhatnagar
National Centre for Software Technology,
Bangalore, India.

It could be a private network (a private LAN). I don't think it uses any other suite other than
good ol' TCP/IP.

Mayank-Bhatnagar wrote:

I assume that these "specialists" are simply pointing out the fact that if
the network-based IDS system is using the very network it is monitoring (the
"backbone network"?) for its internal communication purposes, then it might
be silenced or otherwise hindered by a skillful attacker...
Thus, if your budget allows it, it is way better to have a separate (secure)
"control network". Your NIDS sensors are then connected in "read-only"
sniffer mode to the operational network, while they communicate with each
other or with the main IDS server through this control network. Please note
that "active-response" NIDSes will require full read/write access to the
operational network as well.
The regular network will just be whatever it happens to be, -- TCP/IP or
other, -- but you're essentially free to decide what kind of control network
you want to set up. A non-TCP/IP network might be harder to break into, as the
attacker might not be as familiar with it, but it would not be wise to
simply rely on this! A TCP/IP network will be much easier to set up and you
won't have much trouble configuring your sensors for it.

Good luck,
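As an added illustration of the layout described in the reply above (example config, not from the thread or the Bro project): a BroControl node.cfg with the weak single-network layout shown commented out, followed by a layout that keeps all sensor/manager traffic on a separate control network. Interface names and addresses are assumed for illustration.

```ini
# Added example, not part of the thread: BroControl node.cfg for a small
# cluster. Interface names and addresses are constructed for illustration.
#
# --- Weak layout (commented out): sensors sniff AND exchange cluster
# traffic on the same network they monitor (192.0.2.0/24, the production
# LAN). Anyone on that LAN can watch, flood or spoof sensor/manager
# traffic, which is the weakness discussed in the reply above.
#
# [manager]
# type=manager
# host=192.0.2.10
#
# [proxy-1]
# type=proxy
# host=192.0.2.10
#
# [worker-1]
# type=worker
# host=192.0.2.11
# interface=eth0
#
# --- Corrected layout: each sensor has a second NIC on a dedicated
# control network (10.10.0.0/24). The sniffing NIC (eth1) hangs off a
# SPAN/tap port and carries no IP address, so it is read-only from the
# monitored network's point of view. Every "host" value is a control
# network address, so manager/proxy/worker traffic never touches the
# production LAN. node.cfg itself only names hosts; the OS routing
# table must send 10.10.0.0/24 out the control NIC, not eth1.

[manager]
type=manager
host=10.10.0.1

[proxy-1]
type=proxy
host=10.10.0.1

[worker-1]
type=worker
host=10.10.0.11
interface=eth1

[worker-2]
type=worker
host=10.10.0.12
interface=eth1
```

Verify on each sensor that eth1 has no address assigned and that the manager is reachable only via the control NIC; a sensor that can ping the manager through the monitored LAN has not actually separated the two networks.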