IDS mailing list archives
RE: IDS\IPS that can handle one Gig
From: "Hovis, Chris" <Chris.Hovis () morgankeegan com>
Date: Mon, 6 Jun 2005 13:58:20 -0500
I believe Joel Snyder (Network World) has been working on something like this, so you may want to get in touch with him.

-Chris
-----Original Message-----
From: Ed Gibbs [mailto:ed () digitalconclave com]
Sent: Monday, June 06, 2005 11:21 AM
To: Chris Harrington; THolman () toplayer com; PPalmer () iss net; prashant () juniper net; focus-ids () securityfocus com
Subject: Re: IDS\IPS that can handle one Gig

You're absolutely right - there needs to be IPS test standards. I would like to propose putting together a forum, and defining what the IPS test standards should be - is anyone interested? I would like to see several members from each IPS vendor involved. The result is that we create a set of procedures that provide guidance, and help someone determine which IPS is best for their environment.

Ed

----- Original Message -----
From: "Chris Harrington" <charrington () nitrosecurity com>
To: <THolman () toplayer com>; <PPalmer () iss net>; <ed () digitalconclave com>; <prashant () juniper net>; <focus-ids () securityfocus com>
Sent: Saturday, June 04, 2005 11:43 PM
Subject: RE: IDS\IPS that can handle one Gig

Let's have another vendor weigh in :) See my comments in line.

-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com]
Sent: Friday, June 03, 2005 8:25 AM

> 1) Gigabit performance is irrelevant; it's the packets per second that
> count. Vendors cheat and claim 1Gb performance based on large packet
> sizes (not real world), or just add up the sizes of all their interfaces.

It would be nice if there was a standardized IPS performance test with regards to packet size, traffic mix, etc. I don't see that happening unless ICSA does it for the NIPS certification. This would cut down on the shady performance numbers that Tim refers to.

> 2) In PC architecture, the PCI bus is the bottleneck, not the processor.

That depends on what you are doing with the processor. If you are doing pattern matching in the CPU you could run out of CPU well before you run out of bus capacity. A PCI bus has a theoretical limit of 1.05Gbps. A 16 lane PCI-Express bus is 80 Gbps. Several vendors are already shipping 10 Gig PCI-Express cards.

> 3) An Intel processor has a large instruction set designed for
> workstation/server performance and GUI operations, and not for packet
> processing.

I would say that the processor designers didn't have any specific tasks in mind. It is a general purpose processor.

> 4) An ASIC has a tiny instruction set in comparison, designed for a
> specific task. So, a 3.2Ghz Intel processor forwarding/processing
> network traffic is on a par with a 133Mhz ASIC designed to do the same
> thing.

I'm not an ASIC guy so I will take your word for it on the comparison :)

> 5) Processors can only do one thing at once. Thus, a networking device
> with several processors installed in parallel (ASICs OR Intel) is far
> more effective than a box with a single/dual processor.

More processors give you more flexibility in what gets processed where.

> 6) Hard disks do not slow down performance. They lower reliability as
> they fail all the time (!). RAID would help, but I don't think any
> security vendor offers a RAID array as an integral part of their
> appliance, so cut to the chase, get the HDD off the inline unit and
> place it on a separate management machine so we have a reliable
> distributed architecture that isn't put at risk by HDD failure. On the
> same note, dual fans and power supplies also need to be considered.

Hard drives do fail, no question there. I definitely disagree with your statement about vendors not having RAID. There are definitely vendors (other than us) who have drives in RAID configuration, both 1 and 5. I am not sure taking the drive off the device makes for a more reliable distributed architecture. What if the link from the IPS to the Management machine goes down or the Syslog server dies? What if the hard drive in the Management machine fails? :) With no drive on the IPS your space to store events, system data, etc. is somewhat limited. How long before you have to start overwriting event data on the IPS?

Same goes for dual fans and power supplies. There are vendors (again other than us) who have dual fans and hot swappable power supplies, although these are generally found in the 500 mbps and up ranges. Don't forget fail open NICs and bypass devices. Most vendors (including ASIC IPS') have them, at least as an option. If not having a hard drive is the path to reliability then why do vendors without hard drives have fail open NICs? Because other components can and do fail as well.

> 7) Single-processor machines can easily FORWARD 64-byte packets at
> 'multi-Gig' speeds. They can do this as the processor doesn't have to do
> anything with them. As soon as you add intensive operations to the
> packets in question, bearing in mind there is only a single CPU that can
> only do one thing at once, you introduce LATENCY plus reduce pps
> performance DRASTICALLY. This is where a parallel processing
> architecture comes into its own and takes leaps forward over what a
> single-CPU box can do.

You are assuming that the CPU is doing the packet processing. Many vendors are using network content accelerators and other processing cards to offload the CPU intensive operations.

> In conclusion: A box with one or two ASICs in is easily outperformed by
> a PC with the latest Intel processor, fast network cards and a good
> chunk of memory. However, the PC is more prone to hard disk failure,
> which is why you should never put one inline if uptime is critical. A
> box with several ASICs in will outperform ANY PC-based solution, and ANY
> ASIC solution that relies only on one or two processors.

But at what cost in terms of price per Gigabit and flexibility? Adding new functionality to software is pretty easy...

> ...and one comment to Ed with respect to McAfee/TippingPoint
>
> > both products really don't care if you have every signature and then
> > some on.
>
> Yes they do. If you turn on every signature check with these IPS's, pps
> performance slows to a mediocre dribble...

They do care. Look at some of the product reviews and you will see that vendor X has 2000 rules / filters / signatures but only 500 are on by default. I've witnessed a couple of ASIC IPS' that were brought to their knees when asked to store the offending packets. What about storing the TCP stream involved with an event? Customers are asking about this...

> Inline devices should NOT rely on REGEX signatures - by nature, string
> searching is very resource intensive and best left to a nice fast
> offline IDS running on an up-to-date PC platform, where latency is not
> going to be an issue...

There are PC platform IPS on the market that are under 100 microseconds that do pattern matching.

> Hope this helps - this isn't an all out war ASIC-based vs PC-based, it's
> a question of architecture and suitability for the job in hand!

Definitely an interesting thread. I agree that it is about suitability.

--Chris

Christopher Harrington, CISSP
Chief Technology Officer
nitrosecurity
o: 603.570.3931
c: 603.969.0592
e: charrington () nitrosecurity com
w: www.nitrosecurity.com
Skype: chrisharrington

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
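Two of the points argued above can be put in numbers: Tim's first point, that a gigabit rating means little until you know the frame size because the engine has to keep up with frames per second, and the later point that turning on every signature collapses pps. The following is an added worked example, not code from the thread or from any vendor named in it. The Ethernet framing it assumes (8-byte preamble/SFD and 12-byte inter-frame gap on the wire per frame, frame lengths of 64 to 1518 bytes including the FCS) is standard; the IMIX-style traffic mix, the sample signatures and the payloads are constructed for illustration and were not measured on any network.

```python
"""
Packet-per-second budget for an inline IDS/IPS (added worked example, not
from the thread or any vendor in it).

Assumptions (not from the thread):
  * Frame lengths are Ethernet frame sizes including the 4-byte FCS
    (64..1518); each frame also costs 8 bytes preamble/SFD and a 12-byte
    inter-frame gap of link time.
  * SIMPLE_IMIX, CONSTRUCTED_SIGNATURES and CONSTRUCTED_PAYLOADS are
    constructed for illustration only.
"""
import re
import time

PREAMBLE_SFD = 8
IFG = 12
WIRE_OVERHEAD = PREAMBLE_SFD + IFG      # per-frame link bytes outside the frame
MIN_FRAME, MAX_FRAME = 64, 1518

# Constructed IMIX-style mix: (frame length in bytes, relative weight)
SIMPLE_IMIX = [(64, 7), (594, 4), (1518, 1)]


def wire_bytes(frame_len):
    """Link bytes one frame consumes, including preamble/SFD and the gap."""
    if not MIN_FRAME <= frame_len <= MAX_FRAME:
        raise ValueError("frame length %d outside %d..%d" % (frame_len, MIN_FRAME, MAX_FRAME))
    return frame_len + WIRE_OVERHEAD


def line_rate_pps(link_bps, frame_len):
    """Frames per second the link carries when every frame is frame_len bytes."""
    return link_bps / (8 * wire_bytes(frame_len))


def ns_per_packet(link_bps, frame_len):
    """Inspection time budget per frame at line rate, in nanoseconds."""
    return 1e9 / line_rate_pps(link_bps, frame_len)


def mix_pps(link_bps, mix):
    """Line-rate pps for a weighted mix of frame lengths."""
    total = sum(w for _, w in mix)
    avg_wire = sum(wire_bytes(f) * w for f, w in mix) / total
    return link_bps / (8 * avg_wire)


def min_frame_for_claim(link_bps, device_pps):
    """Smallest frame length at which an engine limited to device_pps still
    sustains link_bps: the check for a rating 'based on large packet sizes'."""
    return link_bps / (8 * device_pps) - WIRE_OVERHEAD


def signatures_per_packet(link_bps, frame_len, ns_per_signature):
    """How many sequential signature checks fit inside the per-frame budget."""
    return int(ns_per_packet(link_bps, frame_len) // ns_per_signature)


# Optional measurement: what one naive, sequential regex check costs.
CONSTRUCTED_PAYLOADS = [b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n",
                        b"\x90" * 40 + b"\xcc\xcc",
                        b"USER anonymous\r\nPASS x@y\r\n"] * 100
CONSTRUCTED_SIGNATURES = [re.compile(p) for p in
                          (rb"\x90{20,}", rb"/cgi-bin/[^\s]*\.\.", rb"PASS\s+\S+",
                           rb"SELECT\s.+\sFROM", rb"<script", rb"%00")]


def measure_ns_per_signature(signatures, payloads):
    """Wall-clock ns per (signature, packet) pair for sequential re.search."""
    t0 = time.perf_counter()
    for p in payloads:
        for sig in signatures:
            sig.search(p)
    return (time.perf_counter() - t0) * 1e9 / (len(signatures) * len(payloads))


if __name__ == "__main__":
    gig = 10**9
    for f in (64, 512, 1518):
        print("%5d B: %10.0f pps, %8.1f ns/pkt" % (f, line_rate_pps(gig, f), ns_per_packet(gig, f)))
    print("IMIX mix: %.0f pps" % mix_pps(gig, SIMPLE_IMIX))
    print("a 200 kpps engine holds 1 Gbps only above %.0f-byte frames" % min_frame_for_claim(gig, 200_000))
    cost = measure_ns_per_signature(CONSTRUCTED_SIGNATURES, CONSTRUCTED_PAYLOADS)
    print("naive regex: %.0f ns/signature -> %d signatures fit in a 64-byte slot"
          % (cost, signatures_per_packet(gig, 64, cost)))
```

At 1 Gbps of minimum-size frames the engine sees about 1.49 million frames per second and gets 672 ns for each one; at 1518-byte frames it sees about 81 thousand per second with over 12 microseconds each, which is the gap a rating quoted only at large packet sizes hides. The `min_frame_for_claim` check turns a vendor's pps figure back into the smallest average frame at which its gigabit claim holds (a 200 kpps engine needs frames above 605 bytes). The regex measurement is deliberately the naive per-signature loop; whatever the number comes out as on a given machine, dividing it into the 672 ns slot shows why a signature set that is only a quarter enabled by default behaves very differently when everything is switched on.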
Current thread:
- RE: IDS\IPS that can handle one Gig, (continued)
- RE: IDS\IPS that can handle one Gig THolman (Jun 04)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 04)
- RE: IDS\IPS that can handle one Gig Chris Harrington (Jun 06)
- Re: IDS\IPS that can handle one Gig Nick Black (Jun 07)
- RE: IDS\IPS that can handle one Gig THolman (Jun 04)
- Re: IDS\IPS that can handle one Gig Mike Frantzen (Jun 06)
- Re: IDS\IPS that can handle one Gig Nick Black (Jun 07)
- Re: IDS\IPS that can handle one Gig Mike Frantzen (Jun 06)
- Re: IDS\IPS that can handle one Gig Ed Gibbs (Jun 06)
- IPS test criteria (was IDS\IPS that can handle one Gig) Bob Walder (Jun 07)
- RE: IDS\IPS that can handle one Gig Gary Halleen (Jun 06)
- RE: IDS\IPS that can handle one Gig Hovis, Chris (Jun 07)
- RE: IDS\IPS that can handle one Gig THolman (Jun 07)
- RE: IDS\IPS that can handle one Gig Edward Sohn (Jun 08)
- RE: IDS\IPS that can handle one Gig Barrett G . Lyon (Jun 08)
- RE: IDS\IPS that can handle one Gig Palmer, Paul (ISSAtlanta) (Jun 08)
- RE: IDS\IPS that can handle one Gig Andrew Plato (Jun 10)
- Re: RE: IDS\IPS that can handle one Gig ian . bamford (Jun 10)
- RE: IDS\IPS that can handle one Gig THolman (Jun 04)