Security / April 28, 2016

How Asymmetric Routing Can Screw Up Security

Updated November 8, 2020.

Asymmetric Routing Is an Efficient Way to Direct Network Packet Flow. Unfortunately, for Your Security Tools That Demand Visibility to Do Their Job Effectively, Asymmetric Routing Can Be Like Listening to Only Half of a Conversation.

Hearing half a phone conversation is like trying to solve a riddle. For instance, you might hear this:

     Hey.
     …
     Totally. Life in the Fast Lanes.
     …
     Yes. 100 percent.
     …
     You got it. It’s going to be epic.
     …
     Don’t forget your plaid pants and the balloons. I’ve got the blindfold.

You’re left thinking your buddies have planned a lame bowling party for your birthday. But what’s really going on is this:

     Hey
     You ready for Friday night?
     Totally. Life in the Fast Lanes.
     Huh? I’m confused. He hates bowling. Are you joking?
     Yes. 100 percent.
     Wait? Is he right in front of you?
     You got it. It’s going to be epic.
     Now I get it. Okay, we’ll see you Friday, backstage, Metallica for the big b-day surprise.
     Don’t forget your plaid pants and the balloons. I’ve got the blindfold.

Hearing only half a conversation is not only confusing and annoying, but it’s a lot of work. And, in a way, it’s a bit like what happens with asymmetric routing.


What Is Asymmetric Routing?

Many companies, especially those with large networks, use asymmetric TCP/IP routing. And what is asymmetric routing? Asymmetric routing is when network packets leave via one path and return via a different path (unlike symmetric routing, in which packets come and go using the same path). This approach makes sense from an efficiency and redundancy perspective; but from a security perspective, asymmetric routing leaves a lot to be desired.

The Problem with Asymmetric Routing

To visualize and address the potential problems with asymmetric routing, picture an organization that has one router on the top floor of its corporate headquarters and another on the ground floor. The top floor router sends internet traffic out; the ground floor router receives it back. If an employee connects to an internet site, the request goes out through the top floor router, into the data center, through the web proxies, and on to the target page. The return flow from the page, however, comes back through the ground floor router. In this scenario, anomaly and intrusion detection tools attached to either router cannot do their job, because each of them sees only half the conversation.

Security teams could log into multiple security tools, pull the packet streams from each, and stitch the conversations back together to see what happened. But, as with your buddy’s call, that is laborious and often confounding. Even if the tools could tell that half of each flow was captured here and the other half there, the sheer volume of traffic on today’s networks quickly overwhelms them. Striking a balance between the advantages of asymmetric routing and the improved security visibility of symmetric routing may be the answer.

Striking the Right Balance with Asymmetric Routing

The GigaSECURE Security Delivery Platform (SDP) helps organizations maintain the benefits of asymmetric routing without compromising security.

Tapped into all the right places in the network, the GigaSECURE SDP sees all traffic (regardless of its destination or the routers it traverses) and reassembles asymmetric conversations into a single stream that can be fed to any security tool. What’s more, it enables organizations to use fewer security solutions. For example, instead of a policy that demands two DDoS protection devices (one for the top floor router and one for the bottom floor router), an organization could attach a single DDoS tool to GigaSECURE and be able to receive all clean network flows.
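The following added example (not Gigamon code, and not part of the original post) simulates the two-router scenario above: a stateful inspection tool fed only the top floor tap or only the ground floor tap never sees a complete TCP handshake, while the same tool fed the merged stream, keyed by a direction-independent 5-tuple, sees the whole conversation. Packet contents and addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flags as a short string: "S", "SA", "A", "PA"
    payload: bytes = b""


# Constructed sample session: an internal client talking to an external web server.
CLIENT, SERVER = ("10.1.1.5", 50000), ("203.0.113.10", 443)

# Egress path (top floor router tap): only client -> server packets are visible.
TOP_FLOOR_TAP = [
    Packet(*CLIENT, *SERVER, "S"),
    Packet(*CLIENT, *SERVER, "A"),
    Packet(*CLIENT, *SERVER, "PA", b"GET / HTTP/1.1\r\n"),
]
# Return path (ground floor router tap): only server -> client packets are visible.
GROUND_FLOOR_TAP = [
    Packet(*SERVER, *CLIENT, "SA"),
    Packet(*SERVER, *CLIENT, "PA", b"HTTP/1.1 200 OK\r\n"),
]


def flow_key(p):
    """Direction-independent key so both halves of one conversation land together."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def reassemble(packets):
    """Group packets from any number of taps into conversations by bidirectional 5-tuple."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    return flows


def handshake_complete(pkts):
    """A stateful tool trusts session state only after seeing SYN, SYN/ACK and ACK."""
    return {"S", "SA", "A"} <= {p.flags for p in pkts}


def inspect(packets):
    """Return (complete, half_seen) flow counts as a tool fed `packets` would report them."""
    flows = reassemble(packets)
    complete = sum(handshake_complete(f) for f in flows.values())
    return complete, len(flows) - complete
```

Fed either tap alone, `inspect` reports one half-seen flow and no complete sessions; fed both taps together it reports one complete session, which is the single stream a security tool needs.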

Get the whole conversation with GigaSECURE to solve the asymmetric routing security problem.

Otherwise, you could wind up being the guy who helps spend $14M to deploy a slew of malware detection and next-gen firewalls that can’t prevent breaches because they can’t see all the traffic. Or worse, the guy who shows up to a Metallica concert in your Livin’ on a Spare bowling shirt.
