IDS mailing list archives

RE: IDS\IPS that can handle one Gig


From: "Prashant Khandelwal" <prashant () juniper net>
Date: Mon, 30 May 2005 10:33:15 +0530

Adding to this conversation, one relevant point would be that policies which
are pushed on the sensor make a big difference in the performance of the
box.

E.g.: if fragmentation and reassembly are turned off, it can be observed that
the box performs better, as it does not need to take care of tiny fragmented
packets (in real life, having such policies doesn't make any sense).

Overall, one should know the claimed performance figures with average packet
size, what type of traffic was used for achieving that particular
performance figure, and what kind of policies were pushed on the sensor.
This can really help to know how a particular IPS can fit in your
network environment.


My 2 cents
Cheers
Prashant 


-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com] 
Sent: Thursday, May 26, 2005 2:17 PM
To: focus-ids () securityfocus com
Subject: RE: IDS\IPS that can handle one Gig

Hi Randall,

Throughput is unimportant when it comes to choosing an IDS/IPS, and to be
honest, a bit of a bun fight when you place two vendors side by side and
start scouring their datasheets for practical information.

What is important, however, is the number of packets per second the device
can process, the maximum number of connections that such a device keeps
state for, and last but not least, the latency that such a device will
introduce into your network if placed inline.

The smaller the packets used in a test, the smaller the performance in terms
of megabits.  The larger the packets, the bigger the performance in terms of
megabits.  Unreliable, and totally abused by most vendors on their
datasheets.  It's quite easy to say 'we support 1000 Mbps', only to say in
small print the average packet size is 595 bytes.  You only need to search
Google for '1000 Mbps 595 bytes' and you'll soon find out what I mean.. ;)

The vendor in question, although claiming Gigabit performance, can only
set up TCP connections at a rate of 5,000 per second - if you do the math,
you'll soon find out that this represents less than TEN MEGABITS per second
in 'throughput' terms.

Is it ethical to claim Gigabit performance, only for the potential end user
to run a number of tests with small packet sizes and find out this is not
the case?

The moral of the plot is to never trust a datasheet - either thoroughly test
the products before purchase, or look toward an independent testing house,
such as NSS (www.nss.co.uk), who have the resources and experience to
regularly generate test results that count.

At TopLayer, we regularly deploy into Gigabit environments, and encourage
the customer to test (using Smartbits, Ixia or Spirent) for peace of mind.
Rest assured, each time they do this, we pass with flying colours, and this
is what makes us one of the top market leaders in Gigabit IPS solutions.

Regards,

Tim
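
As an added example (not part of any message in this thread), the arithmetic behind the replies above in a small Python calculator: it converts a datasheet's megabit claim at a stated average packet size into the packet rate behind it, rescales that rate to minimum-size frames, and turns a connection-setup rate into a load figure under a stated per-connection exchange. The 20-byte wire overhead, the 64/1518-byte frame limits and the 9-frame TCP exchange are assumptions of the example, not figures from the thread.

```python
# Added example, not from the thread: put megabits, packets per second and
# connections per second on one comparable scale.
# Assumed constants (not from the page): Ethernet adds 20 bytes of
# preamble/SFD + inter-frame gap per frame on the wire, and frame sizes
# are quoted including the 4-byte FCS, as traffic generators report them.

WIRE_OVERHEAD_BYTES = 20
MIN_FRAME = 64      # smallest legal Ethernet frame
MAX_FRAME = 1518    # largest standard (non-jumbo) Ethernet frame


def bits_on_wire(frame_bytes: int) -> int:
    """Bits one frame occupies on the link, overhead included."""
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def pps_for_mbps(mbps: float, frame_bytes: int) -> float:
    """Packet rate needed to sustain `mbps` when every frame is `frame_bytes` long."""
    return mbps * 1_000_000 / bits_on_wire(frame_bytes)


def mbps_for_pps(pps: float, frame_bytes: int) -> float:
    """Link load produced by `pps` frames of `frame_bytes` each."""
    return pps * bits_on_wire(frame_bytes) / 1_000_000


def rescale_claim(claimed_mbps: float, claimed_avg_frame: int, target_frame: int) -> float:
    """Hold the packet rate behind a datasheet claim fixed and see what it
    delivers at a different frame size (the small print's worst case)."""
    return mbps_for_pps(pps_for_mbps(claimed_mbps, claimed_avg_frame), target_frame)


def mbps_for_cps(cps: float, frames_per_connection: int, frame_bytes: int = MIN_FRAME) -> float:
    """Load implied by a connection-setup rate; the per-connection exchange
    (frame count and size) is an assumption the caller must state."""
    return mbps_for_pps(cps * frames_per_connection, frame_bytes)


if __name__ == "__main__":
    # '1000 Mbps at 595-byte average packets' from the thread, rescaled to
    # minimum-size frames at the same packet rate.
    print(f"{pps_for_mbps(1000, 595):,.0f} pps sit behind the 595-byte claim")
    print(f"{rescale_claim(1000, 595, MIN_FRAME):.0f} Mbps at {MIN_FRAME}-byte frames")
    print(f"{pps_for_mbps(1000, MIN_FRAME):,.0f} pps needed for true 1 Gbps line rate")
    # 5,000 connections/s with a constructed 9-frame minimal TCP exchange
    # (3-way handshake, one request/response, 4-frame teardown), all minimum-size.
    print(f"{mbps_for_cps(5000, 9):.1f} Mbps from 5,000 connections/s")
```

The connection-rate figure changes entirely with the assumed per-connection exchange, which is why the frame count and size are explicit parameters.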


-----Original Message-----
From: Randall Jarrell [mailto:rgj () msn com] 
Sent: 19 May 2005 16:28
To: focus-ids () securityfocus com
Subject: IDS\IPS that can handle one Gig

Greetings,

We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom
I will not name unless you ask me, that have made claims that they can
handle a Gig of throughput but actually start to fail around the 300-500MB
range.

Could anyone share a success story of a vendor they are using that is
handling this type of traffic?

Thanks in advance,

-RGJ

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--
