IDS mailing list archives
RE: IDS\IPS that can handle one Gig
From: "Dave Hawkins" <DaveH () Radware com>
Date: Wed, 1 Jun 2005 11:31:47 -0400
I would tend to disagree with the notion that all 'industry' tests are bought-and-paid-for. NSS for example is a pretty rigorous test that includes many methods of mixing legit traffic with the attacks, and they're nice and thorough about testing for stability at gigabit speeds (at least in the case of their gigabit-IDS, their latest testing edition comes out soon). To my knowledge they're very well respected, and don't simply pass a vendor because they've been paid. Check out http://www.nss.co.uk/default.htm for more details on them. I do agree with Barrett though, be sure that the IPS you're paying for is going to address your primary needs. DDoS mitigation can be difficult, and not all vendors out there can provide protection against the myriad of attacks (ie, some can block SYN flooding, but not partially-completed handshakes). Some IPS devices that claim gigabit speeds have been shown to crumble in the face of relatively insignificant floods (like 20mbps), causing huge latency for the remaining legitimate traffic. If you're less concerned about DDoS and need more specific protocol support, make sure you fully understand the depth to which the IPS analyzes the protocol, or how broad their signature base is. If speed/lack of latency is your primary concern when adding a security device, make sure you find something that's ASIC-based, since most of the PC-style IPS devices tend to choke when you even attempt to approach 1-gig even on a single segment (not to mention devices that handle multiple segments in a single appliance). It wouldn't be a bad idea to mirror/span the traffic from your switch to the IPS first to see how many alerts your setup is currently triggering, and investigate for false-positives, before you put any device in-line. Mirroring a gig of traffic to the device can give you an idea of how well it will handle your network traffic (does the CPU flatline at 100%? How many packets get dropped due to over-utilization?). If mirroring isn't an option, see if you can try your test with the device in non-blocking report-only mode. Most vendors out there should allow you to test the device before you buy, or allow you to do some sort of bake-off competition. I could say a lot more on the subject since this is my job (I'm not a salesperson, I'm a security engineer). There ARE devices out there (our DefensePro included) that truly handle multi-gigs of traffic (single or multi-segment), so Barrett's experience may not encompass everything that's available. He's correct in that every network is a bit different, and you should be as informed as possible when you make your selection. Good luck! -Dave Hawkins Security Engineer, Radware http://www.radware.com/ -----Original Message----- From: Barrett G.Lyon [mailto:blyon () prolexic com] Sent: Thursday, May 26, 2005 5:26 PM To: Randall Jarrell Cc: focus-ids () securityfocus com Subject: Re: IDS\IPS that can handle one Gig Randall, At Prolexic we have tested, used, and worked with most current IPS platforms. They all make claims of "multi-gig" functionality, when in reality, each one can only handle those traffic levels in very specific lab conditions designed just to prove the point that they can actually pass a "gigabit" of traffic. When on a real network with who-knows-what flowing over the wire, gigabit speeds on an IPS doing useful stuff is rather hard to achieve. The definition of "gigabit" seems to very from vendor to vendor; some call their hardware multi-gigabit just because they have more than one GigE interface on the device: 4 GigE interfaces in that configuration means the device can do 4 gigabit - not 2 ingress/egress for a total of 2 gigabit, but a total of 4 gigabit. See: http://www.toplayer.com/content/cm/pr131.jsp for an example of the above. I'm sure every IPS vendor would be at 10 gigabit today if the 10 Gigabit ports were at a low cost, but then their processing engines would not support that packet rate and we would be where we are today with current 1 gigabit IPS devices. Further, to do a gigabit of traffic on a single link may not be that bright as well. One would hope that a gig of traffic would have been split across several gigabit interfaces all running at a lower average bandwidth so you can burst and allot for failures. What we are finding, to terminate and process more than one gigabit of traffic is difficult; some modern gigabit switches do not do "trunking" or OSPF load balanced multiple gige interfaces very well (destination mac addresses can be the same causing load balancing algorithms to do goofy stuff), so just having the capacity to do more than a gig can get rather tricky. When you put an IPS in-line with an already difficult environment ( or a pair of IPS devices) you run into state table synchronization issues, symmetrical routing problems, and a whole lot of other messy stuff. I could keep going on and on about IPS failures we have experienced but that would not do anyone any good. When it comes down to it, each device on the market seems to excel at one or two items and the rest of the "features" beyond what they are good at appear to mostly be bolt-on for marketing. Here are a few high-throughput IPS shopping tips: 1) Identify what the IPS is to do, if that's "everything" then you should adjust your expectations. a) If it's to do DDoS mitigation, what aspects of mitigation? No box can stop all of the attacks correctly, so don't expect to stop all of your problems with an IPS, in most cases they can cause more problems then you could imagine. b) If it's doing string matching, what exact signatures do you need - the less you run the more throughput you will see. 2) Understand your traffic and how the IPS will work with that traffic a) If your traffic is just HTTP stuff, your IPS could do well doing limited checks to add value. b) If your traffic is mixed (ISP) then good luck unless you are trying to stop a specific worm or rate limit stuff. c) If you are dealing with encryption, then an IPS can't do much for you, unless you are decrypting and re-encrypting your traffic. 3) Understand the underlying mechanism that the hardware uses to do its job. a) String matching may be good, but what about fragments? b) What type of algorithmic things does it do to your traffic? b) Does it do some sort of in-line tricks with the packets? 4) Never listen to sales people 5) Don't trust "industry" tests, they are just bought logos. Real world testing of a device takes many months and must meet criteria that nobody would ever expect (people build interesting networks out there.) I would suggest you do a demo and a bake off with your vendors as well. After you get a demo IPS units, go buy an Ixia and verify that the device will do what it says it will and _do not_ put it in-line with your production traffic as a test. In 100% of the cases we have worked with, the box performed much lower than it was advertised and in some cases a feature is just a ruleset that denies traffic rather than cleaning traffic. There are also "side effects" that are very unexpected with all the different IPS devices. A good expectation is that a gigabit IPS can do about 50% of line rate on most things and full line rate on some things. Good luck and happy shopping, -Barrett Barrett G. Lyon Founder & CTO Prolexic Technologies - The leaders in DDoS Security! ------------------------------------------------------------------------ -- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ -- -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: IDS\IPS that can handle one Gig, (continued)
- Re: IDS\IPS that can handle one Gig Terry Vernon (Jun 08)
- Re: IDS\IPS that can handle one Gig Devdas Bhagat (Jun 04)
- RE: IDS\IPS that can handle one Gig Palmer, Paul (ISSAtlanta) (Jun 01)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 04)
- Re: IDS\IPS that can handle one Gig Bob Walder (Jun 04)
- Re: IDS\IPS that can handle one Gig Bob Walder (Jun 05)
- Re: IDS\IPS that can handle one Gig Per Engelbrecht (Jun 01)
- RE: IDS\IPS that can handle one Gig Prashant Khandelwal (Jun 01)
- RE: IDS\IPS that can handle one Gig THolman (Jun 01)
- Re: IDS\IPS that can handle one Gig Peter Schawacker (Jun 01)
- RE: IDS\IPS that can handle one Gig Dave Hawkins (Jun 01)
- RE: IDS\IPS that can handle one Gig Palmer, Paul (ISSAtlanta) (Jun 04)
- RE: IDS\IPS that can handle one Gig THolman (Jun 04)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 04)
- RE: IDS\IPS that can handle one Gig Chris Harrington (Jun 06)
- Re: IDS\IPS that can handle one Gig Nick Black (Jun 07)
- RE: IDS\IPS that can handle one Gig THolman (Jun 04)
- Re: IDS\IPS that can handle one Gig Mike Frantzen (Jun 06)
- Re: IDS\IPS that can handle one Gig Nick Black (Jun 07)
- Re: IDS\IPS that can handle one Gig Mike Frantzen (Jun 06)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 06)
- IPS test criteria (was IDS\IPS that can handle one Gig) Bob Walder (Jun 07)
(Thread continues...)