IDS mailing list archives
RE: IDS\IPS that can handle one Gig
From: "Gary Halleen" <ghalleen () cisco com>
Date: Sun, 5 Jun 2005 01:21:57 -0700
If you Google as you've suggested, it's quite obvious that your message is intended as a slam against our (Cisco's) products.

1.) Cisco bases our performance test on industry accepted standards following the stringent NSS Group test criteria as well as our own analysis of live network traffic indicative of typical enterprise networks. We clearly state the test conditions under which we reach our performance metrics and they are legitimate and representative of real-world situations.

2.) The statement that 5000 cps equates to only 10 Mbps of throughput is flawed and assumes that each newly established session only has a delivery of 250 bytes of total payload per session. This would be equivalent to only establishment and teardown of the session with no useful communication. Our research indicates that an average session contains between 10,000 and 25,000 bytes of information transferred. From these numbers (if you do the math) you will find that the throughput of these useful sessions is between 500 Mbps and 1 Gbps, supporting Cisco's reported performance claims.

3.) Cisco never disables "vital security features" such as fragment reassembly, TCP stream reassembly, or HTTP deobfuscation when testing, validating and reporting our IPS performance. We don't take shortcuts as implied in this thread.

The author of the original email is using inappropriate math to attempt to make a self-serving statement around ASIC based technology and TopLayer's performance supremacy.

Gary

-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com]
Sent: Thursday, May 26, 2005 1:47 AM
To: focus-ids () securityfocus com
Subject: RE: IDS\IPS that can handle one Gig

Hi Randall,

Throughput is unimportant when it comes to choosing an IDS/IPS, and to be honest, a bit of a bun fight when you place two vendors side by side and start scouring their datasheets for practical information. What is important, however, is the number of packets per second the device can process, the maximum number of connections that such a device keeps state for, and last but not least, the latency that such a device will introduce into your network if placed inline.

The smaller the packets used in a test, the smaller the performance in terms of megabits. The larger the packets, the bigger the performance in terms of megabits. Unreliable, and totally abused by most vendors on their datasheets. It's quite easy to say 'we support 1000 Mbps', only to say in small print the average packet size is 595 bytes. You only need to search Google for '1000 Mbps 595 bytes' and you'll soon find out what I mean.. ;)

The vendor in question, although claiming Gigabit performance, can only set up TCP connections at a rate of 5,000 per second - if you do the math, you'll soon find out that this represents less than TEN MEGABITS per second in 'throughput' terms. Is it ethical to claim Gigabit performance, only for the potential end user to run a number of tests with small packet sizes and find out this is not the case?

The moral of the plot is to never trust a datasheet - either thoroughly test the products before purchase, or look toward an independent testing house, such as NSS (www.nss.co.uk), who have the resources and experience to regularly generate test results that count.

At TopLayer, we regularly deploy into Gigabit environments, and encourage the customer to test (using Smartbits, Ixia or Spirent) for peace of mind. Rest assured, each time they do this, we pass with flying colours, and this is what makes us one of the top market leaders in Gigabit IPS solutions.

Regards,

Tim

-----Original Message-----
From: Randall Jarrell [mailto:rgj () msn com]
Sent: 19 May 2005 16:28
To: focus-ids () securityfocus com
Subject: IDS\IPS that can handle one Gig

Greetings,

We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom I will not name unless you ask me, that have made claims that they can handle a Gig of throughput but actually start to fail around the 300-500MB range. Could anyone share a success story of a vendor they are using that is handling this type of traffic?

Thanks in advance,

-RGJ

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
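As an added worked example (not code from Gary, Tim, or any other poster in this thread), the following Python reproduces both sides' arithmetic: the throughput implied by a connection-setup rate multiplied by an assumed bytes-per-session, and the packet rate a device must sustain to fill a gigabit link at a given frame size, which is why a small-print "595 bytes" matters. The 20-byte Ethernet framing overhead and the 250,000 pps rated figure used in the check are my assumptions for illustration; the other numbers are the ones quoted in the thread.

```python
"""Datasheet sanity check for IDS/IPS throughput claims (added example)."""

# Assumption: Ethernet preamble (8 B) + inter-frame gap (12 B) are on the wire
# but not in the frame length a datasheet quotes, so add them for line-rate math.
ETHERNET_OVERHEAD_BYTES = 20
BITS_PER_BYTE = 8


def session_throughput_mbps(connections_per_second, bytes_per_session):
    """Throughput (Mbps, 1 Mbps = 1e6 bit/s) implied by a connection rate and
    an average number of bytes moved per session. Both posters use this
    relation; they differ only in the bytes_per_session they assume."""
    return connections_per_second * bytes_per_session * BITS_PER_BYTE / 1e6


def pps_at_line_rate(link_mbps, frame_bytes):
    """Packets per second needed to fill link_mbps with frames of frame_bytes,
    counting the on-wire framing overhead."""
    wire_bits = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * BITS_PER_BYTE
    return link_mbps * 1e6 / wire_bits


def throughput_at_pps_mbps(pps, frame_bytes):
    """Frame-level Mbps delivered when forwarding pps frames of frame_bytes."""
    return pps * frame_bytes * BITS_PER_BYTE / 1e6


def datasheet_check(link_mbps, rated_pps, frame_bytes):
    """Compare a rated packet rate against what the claimed link speed needs
    at one frame size; a claim that holds at 595 B can fail badly at 64 B."""
    needed = pps_at_line_rate(link_mbps, frame_bytes)
    return {
        "frame_bytes": frame_bytes,
        "pps_needed": needed,
        "pps_rated": rated_pps,
        "achievable_mbps": min(link_mbps, throughput_at_pps_mbps(rated_pps, frame_bytes)),
        "meets_claim": rated_pps >= needed,
    }


if __name__ == "__main__":
    # Tim's figure: 5,000 cps at ~250 B per session is about 10 Mbps.
    print(f"{session_throughput_mbps(5000, 250):.0f} Mbps at 250 B/session")
    # Gary's figures: 5,000 cps at 10,000 to 25,000 B per session.
    for b in (10_000, 25_000):
        print(f"{session_throughput_mbps(5000, b):.0f} Mbps at {b} B/session")
    # Packet rate needed for 1 Gbps at minimum-size versus 595-byte frames.
    for size in (64, 595):
        print(f"{size:4d} B frames: {pps_at_line_rate(1000, size):,.0f} pps for 1 Gbps")
    # Constructed datasheet: 250,000 pps rated, claiming 1000 Mbps.
    for size in (64, 595):
        print(datasheet_check(1000, 250_000, size))
```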