RE: IDS\IPS that can handle one Gig

["Dave Hawkins" <DaveH () Radware com>]

I would tend to disagree with the notion that all 'industry' tests are
bought-and-paid-for. NSS for example is a pretty rigorous test that
includes many methods of mixing legit traffic with the attacks, and
they're nice and thorough about testing for stability at gigabit speeds
(at least in the case of their gigabit-IDS, their latest testing edition
comes out soon).  To my knowledge they're very well respected, and don't
simply pass a vendor because they've been paid.  Check out
http://www.nss.co.uk/default.htm for more details on them.

I do agree with Barrett though, be sure that the IPS you're paying for
is going to address your primary needs.  DDoS mitigation can be
difficult, and not all vendors out there can provide protection against
the myriad of attacks (ie, some can block SYN flooding, but not
partially-completed handshakes).  Some IPS devices that claim gigabit
speeds have been shown to crumble in the face of relatively
insignificant floods (like 20mbps), causing huge latency for the
remaining legitimate traffic.  If you're less concerned about DDoS and
need more specific protocol support, make sure you fully understand the
depth to which the IPS analyzes the protocol, or how broad their
signature base is.

If speed/lack of latency is your primary concern when adding a security
device, make sure you find something that's ASIC-based, since most of
the PC-style IPS devices tend to choke when you even attempt to approach
1-gig even on a single segment (not to mention devices that handle
multiple segments in a single appliance).  It wouldn't be a bad idea to
mirror/span the traffic from your switch to the IPS first to see how
many alerts your setup is currently triggering, and investigate for
false-positives, before you put any device in-line.  Mirroring a gig of
traffic to the device can give you an idea of how well it will handle
your network traffic (does the CPU flatline at 100%?  How many packets
get dropped due to over-utilization?).  If mirroring isn't an option,
see if you can try your test with the device in non-blocking report-only
mode.  Most vendors out there should allow you to test the device before
you buy, or allow you to do some sort of bake-off competition.

I could say a lot more on the subject since this is my job (I'm not a
salesperson, I'm a security engineer).  There ARE devices out there (our
DefensePro included) that truly handle multi-gigs of traffic (single or
multi-segment), so Barrett's experience may not encompass everything
that's available.  He's correct in that every network is a bit
different, and you should be as informed as possible when you make your
selection.

Good luck!

-Dave Hawkins
Security Engineer, Radware
http://www.radware.com/


 

-----Original Message-----
From: Barrett G.Lyon [mailto:blyon () prolexic com] 
Sent: Thursday, May 26, 2005 5:26 PM
To: Randall Jarrell
Cc: focus-ids () securityfocus com
Subject: Re: IDS\IPS that can handle one Gig

Randall,

At Prolexic we have tested, used, and worked with most current IPS
platforms.  They all make claims of "multi-gig" functionality, when in
reality, each one can only handle those traffic levels in very specific
lab conditions designed just to prove the point that they can actually
pass a "gigabit" of traffic.  When on a real network with who-knows-what
flowing over the wire, gigabit speeds on an IPS doing useful stuff is
rather hard to achieve.

The definition of "gigabit" seems to very from vendor to vendor;  some
call their hardware multi-gigabit just because they have more than one
GigE interface on the device:  4 GigE interfaces in that configuration
means the device can do 4 gigabit - not 2 ingress/egress for a total of
2 gigabit, but a total of 4 gigabit.
     See: http://www.toplayer.com/content/cm/pr131.jsp for an example of
the above.

I'm sure every IPS vendor would be at 10 gigabit today if the 10 Gigabit
ports were at a low cost, but then their processing engines would not
support that packet rate and we would be where we are today with current
1 gigabit IPS devices.

Further, to do a gigabit of traffic on a single link may not be that
bright as well.  One would hope that a gig of traffic would have been
split across several gigabit interfaces all running at a lower average
bandwidth so you can burst and allot for failures.

What we are finding, to terminate and process more than one gigabit of
traffic is difficult; some modern gigabit switches do not do "trunking" 
or OSPF load balanced multiple gige interfaces very well (destination
mac addresses can be the same causing load balancing algorithms to do
goofy stuff), so just having the capacity to do more than a gig can get
rather tricky.  When you put an IPS in-line with an already difficult
environment ( or a pair of IPS devices) you run into state table
synchronization issues, symmetrical routing problems, and a whole lot of
other messy stuff.

I could keep going on and on about IPS failures we have experienced but
that would not do anyone any good.  When it comes down to it, each
device on the market seems to excel at one or two items and the rest of
the "features" beyond what they are good at appear to mostly be bolt-on
for marketing.


Here are a few high-throughput IPS shopping tips:

1) Identify what the IPS is to do, if that's "everything" then you
should adjust your expectations.
    a)  If it's to do DDoS mitigation, what aspects of mitigation?  No
box can stop all of the attacks correctly, so don't expect to stop all
of your problems with an IPS, in most cases they can cause more problems
then you could imagine.
    b)  If it's doing string matching, what exact signatures do you need
- the less you run the more throughput you will see.

2) Understand your traffic and how the IPS will work with that traffic
    a) If your traffic is just HTTP stuff, your IPS could do well doing
limited checks to add value.
    b) If your traffic is mixed (ISP) then good luck unless you are
trying to stop a specific worm or rate limit stuff.
    c) If you are dealing with encryption, then an IPS can't do much for
you, unless you are decrypting and re-encrypting your traffic.

3) Understand the underlying mechanism that the hardware uses to do its
job.
    a) String matching may be good, but what about fragments?
    b) What type of algorithmic things does it do to your traffic?
    b) Does it do some sort of in-line tricks with the packets?

4) Never listen to sales people

5) Don't trust "industry" tests, they are just bought logos.  Real world
testing of a device takes many months and must meet criteria that nobody
would ever expect (people build interesting networks out there.)


I would suggest you do a demo and a bake off with your vendors as well. 
  After you get a demo IPS units, go buy an Ixia and verify that the
device will do what it says it will and _do not_ put it in-line with
your production traffic as a test.  In 100% of the cases we have worked
with, the box performed much lower than it was advertised and in some
cases a feature is just a ruleset that denies traffic rather than
cleaning traffic.  There are also "side effects" that are very
unexpected with all the different IPS devices.  A good expectation is
that a gigabit IPS can do about 50% of line rate on most things and full
line rate on some things.

Good luck and happy shopping,

-Barrett



Barrett G. Lyon
Founder & CTO
Prolexic Technologies - The leaders in DDoS Security!


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------