RE: IDS\IPS that can handle one Gig

["Palmer, Paul (ISSAtlanta)" <PPalmer () iss net>]

Tim Holman states: "There is no slam intended in any of my posts, but I
would like to see vendors be a little more 'open' about their product
shortfalls so that customers at least get the chance to supplement the
solution with other protective measures."

Wow! I imagine that we are all anxiously awaiting your next post in
which you expound on all of the product shortfalls in the TopLayer
product line ;) And if you happen to forget a few, I am sure there are
plenty of extremely helpful people on this list willing to provide some
hints...

Seriously, is this really the direction that you want to take this
thread? You sound like you are hard selling TopLayer technology and by
inference implying that anything else is wholly inadequate ("The
content-based stuff works fine in most networks, but as soon as any
critical events occur, network administrators don't give a toss as to
the precise taste and colour of individual packets, and want
PROTECTION."). Are you actually claiming that the other IPS vendors
cannot provide protection from critical threats?

Tim Holman states: "There is no slam intended in any of my posts". I
cannot speak for your intent, but your post certainly seems to have its
fair share of slams.

It just seems to me that you are openly inviting hostility from the
other IPS vendors.

Paul

-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com] 
Sent: Tuesday, June 07, 2005 7:55 AM
To: ghalleen () cisco com; THolman () toplayer com;
focus-ids () securityfocus com
Subject: RE: IDS\IPS that can handle one Gig


Hi Gary,

I disagree with your first point.  Test conditions are not clearly
stated in any publicly available Cisco literature - if you can offer me
a publicly available link (non-CCO) then you win!  :)

I am not contending your performance figures - 5000 connections per
second is quite a reasonable amount to assume on your average enterprise
network, but is certainly not sufficient for large enterprises, data
centres and ISPs.

Even in a small network, when worms decide to attempt propagation and
initiate a few hundred connections per second from each workstation - it
would only take 10-20 such infected machines to breach your 5000
connection per second limit and start causing problems.

Also, any DDOS attempt against a network protected by a device that is
only capable of 5000 connections per second will succeed.  A botnet of
1-200 devices would have a field day!

This is why it is important for an IPS to have rate-based, and not just
content-based protection.  The content-based stuff works fine in most
networks, but as soon as any critical events occur, network
administrators don't give a toss as to the precise taste and colour of
individual packets, and want PROTECTION.

There is no slam intended in any of my posts, but I would like to see
vendors be a little more 'open' about their product shortfalls so that
customers at least get the chance to supplement the solution with other
protective measures.

There is just too much mis-selling going on.  Customers are being sold
IPS's as an all-in-one security solution, only to find a few weeks or
months later that this is not the case.  These salesman should be shot,
as they're giving us ALL a bad name !  :)  

Regards,

Tim


-----Original Message-----
From: Gary Halleen [mailto:ghalleen () cisco com] 
Sent: 05 June 2005 09:22
To: THolman () toplayer com; focus-ids () securityfocus com
Subject: RE: IDS\IPS that can handle one Gig

If you Google as you've suggested, it's quite obvious that your message
is intended as a slam against our (Cisco's) products.  

1.)  Cisco bases our performance test on industry accepted standards
following the stringent NSS Group test criteria as well as our own
analysis of live network traffic indicative of typical enterprise
networks.  We clearly state the test conditions under which we reach our
performance metrics and they are legitimate and representative of
real-world situations.
 
2.)  The statement that 5000 cps equates to only 10 Mbps of throughput
is flawed and assumes that each newly established session only has a
delivery of 250 bytes of total payload per session.  This would be
equivalent to only establishment and teardown of the session with no
useful communication.  Our research indicates that an average session
contains between 10,000 and 25,000 bytes of information transferred.
> From these numbers (if you do the
math) you will find that the throughput of these useful sessions are
between 500 Mbps and 1 Gbps supporting Cisco's reported performance
claims.
 
3.) Cisco never disables "vital security features" such as fragment
reassembly, TCP stream reassembly, or HTTP deobfuscation when testing,
validating and reporting our IPS performance.  We don't take shortcuts
as
implied in this thread.   
 
The author of the original email is using inappropriate math to attempt
to make a self-serving statement around ASIC based technology and
TopLayer's performance supremacy.  

Gary
 

-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com] 
Sent: Thursday, May 26, 2005 1:47 AM
To: focus-ids () securityfocus com
Subject: RE: IDS\IPS that can handle one Gig

Hi Randall,

Throughput is unimportant when it comes to choosing an IDS/IPS, and to
be honest, a bit of a bun fight when you place two vendors side by side
and start scouring their datasheets for practical information.

What is important, however, is the number of packets per second the
device can process, the maximum number of connections that such a device
keeps state for, and last but not least, the latency that such a device
will introduce into your network if placed inline.

The smaller the packets used in a test, the smaller the performance in
terms of megabits.  The larger the packets, the bigger the performance
in terms of megabits.  Unreliable, and totally abused by most vendors on
their datasheets.  It's quite easy to say 'we support 1000 Mbps', only
to say in small print the average packet size is 595 bytes.  You only
need to search Google for '1000 Mbps 595 bytes' and you'll soon find out
what I mean.. ;)

The vendor in question, although claiming Gigabit performance, can only
setup TCP connections at a rate of 5,000 per second - if you do the
math, you'll soon find out that this represents less that TEN MEGABITS
per second in 'throughput' terms.

Is it ethical to claim Gigabit performance, only for the potential end
user to run a number of tests with small packets sizes and find out this
is not the case?

The moral of the plot is to never trust a datasheet - either thoroughly
test the products before purchase, or look toward an independent testing
house, such as NSS (www.nss.co.uk), whom have the resources and
experience to regularly generate test results that count.

At TopLayer, we regularly deploy into Gigabit environments, and
encourage the customer to test (using Smartbits, Ixia or Spirent) for
piece of mind. Rest assured, each time they do this, we pass with flying
colours, and this is what makes us one of the top market leaders in
Gigabit IPS solutions.

Regards,

Tim


-----Original Message-----
From: Randall Jarrell [mailto:rgj () msn com]
Sent: 19 May 2005 16:28
To: focus-ids () securityfocus com
Subject: IDS\IPS that can handle one Gig

Greetings,

We are currently evaluating IDS\IPS vendors. We have tried two vendors,
whom I will not name unless you ask me, that have made claims that they
can handle a Gig of through put but actually start to fail around the
300-500MB range.

Could anyone share a success story of a vendor they are using that is
handling this type of traffic?

Thanks in advance,

-RGJ

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------