Re: IDS\IPS that can handle one Gig

["Ed Gibbs" <ed () digitalconclave com>]

You're absolutely right - there needs to be IPS test standards.  I would 
like to propose putting together a forum, and defining what the IPS test 
standards should be - is anyone interested?  I would like to see several 
members from each IPS vendor involved.  The result is that we create a set 
of procedures that provide guidance, and help someone determine which IPS is 
best for their environment.

Ed




----- Original Message ----- 
From: "Chris Harrington" <charrington () nitrosecurity com>
To: <THolman () toplayer com>; <PPalmer () iss net>; <ed () digitalconclave com>; 
<prashant () juniper net>; <focus-ids () securityfocus com>
Sent: Saturday, June 04, 2005 11:43 PM
Subject: RE: IDS\IPS that can handle one Gig


> Let's have another vendor weigh in :)  See my comments in line.
>
>
> > -----Original Message-----
> > From: THolman () toplayer com [mailto:THolman () toplayer com]
> > Sent: Friday, June 03, 2005 8:25 AM
> >
> > 1)  Gigabit performance is irrelevant; it's the packets per
> > second that count.  Vendors cheat and claim 1Gb performance
> > based on large packet sizes (not real world), or just add up
> > the sizes of all their interfaces.
>
> It would be nice if there was a standardized IPS performance test with
> regards to packet size, traffic mix, etc. I don't see that happening 
> unless
> ICSA does it for the NIPS certification. This would cut down on the shady
> performance numbers that Tim refers to.
>
> > 2)  In PC architecture, the PCI bus is the bottleneck, not
> > the processor.
>
> That depends on what you are doing with the processor. If you are doing
> pattern matching in the CPU you could run out of CPU well before you run 
> out
> of bus capacity. A PCI bus has a theoretical limit of 1.05 Gbps. A 16 lane
> PCI-Express bus is 80 Gbps. Several vendors are already shipping 10 Gig
> PCI-Express cards.
>
> > 3)  An Intel processor has a large instruction set designed
> > for workstation/server performance and GUI operations, and
> > not for packet processing.
>
> I would say that the processor designers didn't have any specific tasks in
> mind. It is a general purpose processor.
>
> > 4)  An ASIC has a tiny instruction set in comparison,
> > designed for a specific task.  So, a 3.2Ghz Intel processor
> > forwarding/processing network traffic is on a par with a
> > 133Mhz ASIC designed to do the same thing.
>
> I'm not an ASIC guy so I will take your word for it on the comparison :)
>
> > 5)  Processors can only do one thing at once.  Thus, a
> > networking device with several processors installed in
> > parallel (ASICs OR Intel) is far more effective than a box
> > with a single/dual processor.
>
> More processors gives you more flexibility in what gets processed where.
>
> > 6)  Hard disks do not slow down performance.  They lower
> > reliability as fail all the time (!).  RAID would help, but I
> > don't think any security vendor offers a RAID array as an
> > integral part of their appliance, so cut to the chase, get
> > the HDD off the inline unit and place on a separate
> > management machine so we have a reliable distributed
> > architecture that isn't put at risk by HDD failure.  On the
> > same note, dual fans and power supplies also need to be considered.
>
> Hard drives do fail, no question there. I definitely disagree with your
> statement about vendors not having RAID. There are definitely vendors 
> (other
> than us) who have drives in RAID configuration, both 1 and 5. I am not 
> sure
> taking the drive off the device makes for a more reliable distributed
> architecture. What if the link from the IPS to the Management machine goes
> down or the Syslog server dies? What if the hard drive in the Management
> machine fails? :)  With no drive on the IPS your space to store events,
> system data, etc, is somewhat limited. How long before you have to start
> overwriting event data on the IPS?
>
> Same goes for dual fans and power supplies. There are vendors (again other
> than us) who have dual fans and hot swappable power supplies. Although 
> these
> are generally found in the 500 mbps and up ranges.
>
> Don't forget fail open NIC's and bypass devices. Most vendors (including
> ASIC IPS') have them, at least as an option. If not having a hard drive is
> the path to reliability then why do vendors without hard drives have fail
> open NIC's? Because other components can and do fail as well.
>
> > 7)  Single-processor machines can easily FORWARD 64-byte
> > packets at 'multi-Gig' speeds.  They can do this as the
> > processor doesn't have to do anything with them.  As soon as
> > you add intensive operations to the packets in question,
> > bearing in mind there is only a single CPU that can only do
> > one thing at once, you introduce LATENCY plus reduce pps
> > performance DRASTICALLY.  This is where a parallel processing
> > architecture comes into it's own and takes leaps forward over
> > what a single-CPU box can do.
>
> You are assuming that the CPU is doing the packet processing. Many vendors
> are using network content accelerators and other processing cards to 
> offload
> the CPU intensive operations.
>
> > In conclusion:
> >
> > A box with one or two ASICs in is easily outperformed by a PC
> > with the latest Intel processor, fast network cards and a
> > good chunk of memory.
> > However, the PC is more prone to hard disk failure, which is
> > why you should never put one inline if uptime is critical.
> >
> > A box with several ASICs in will outperform ANY PC-based
> > solution, and ANY ASIC solution that relies only on one or
> > two processors.
>
> But at what cost in terms of price per Gigabit and flexibility? Adding new
> functionality to software is pretty easy....
>
> > ..and one comment to Ed with respect to McAfee/TippingPoint
> >
> > >both products really don't care if you have every signature and then
> > >some on.
> >
> > Yes they do.  If you turn on every signature check with these
> > IPS's, pps performance slows to a mediocre dribble...
>
> They do care. Look at some of the product reviews and you will see that
> vendor X has 2000 rules / filters / signatures but only 500 are on by
> default. I've witnessed a couple of ASIC IPS' that were brought to their
> knees when asked to store the offending packets. What about storing the 
> TCP
> stream involved with an event? Customers are asking about this...
>
> > Inline devices should NOT rely on REGEX signatures - by
> > nature, string searching is very resource intensive and best
> > left to a nice fast offline IDS running on an up-to-date PC
> > platform, where latency is not going to be an issue...
>
> There are PC platform IPS on the market that are under 100 microseconds 
> that
> do pattern matching.
>
> > Hope this helps - this isn't an all out war ASIC-based vs
> > PC-based, it's a question of architecture and suitability for
> > the job in hand!
>
> Definitely an interesting thread. I agree that it is about suitability.
>
> --Chris
>
> Christopher Harrington, CISSP
> Chief Technology Officer
> nitrosecurity
> o: 603.570.3931
> c: 603.969.0592
> e: charrington () nitrosecurity com
> w: www.nitrosecurity.com
> Skype: chrisharrington


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------