IDS mailing list archives
RE: IPS Reliability/Availability
From: "Mike Barkett" <mbarkett () nfr com>
Date: Wed, 15 Mar 2006 20:21:14 -0500
-----Original Message----- From: j [mailto:y8k0vt3p () yahoo com] Sent: Wednesday, March 15, 2006 9:58 AM To: Mike Barkett; focus-ids () securityfocus com Subject: RE: IPS Reliability/Availability --- Mike Barkett <mbarkett () nfr com> wrote:I'm wondering why CPU cluster technology that youare deploying isconsidered new in comparison to ASIC/FPGA/NPtechnology.Primarily because it is newer than thosetechnologies. Can you offer anyexamples in which this approach was applied tobundled network securitypoint solutions prior to the advent of ASICs?If you consider firewall to be a bundled network security point solutions, here is an example: http://www.foundrynet.com/services/documentation/siFWLB/ServerIron_FWLB_VP N.html
Well, personally, I don't consider them bundled in the same sense I meant. Perhaps "integrated" would have been a better choice of words? I have worked with various FWLB and IDSLB solutions for many years, and every one of them has had more than its share of caveats, flaws, chicken wire, scotch tape, bubblegum, wood glue, man-weeks of professional services, and rackspace hogging equipment, not to mention an astronomical price tag. The RISC based solution we are discussing is markedly different in that it has none of the above, and it relies less on load balancing than traditional "sandwich" solutions. I only ever liked those FWLB/IDSLB solutions for 2 reasons: 1. They gave me an excuse to play with tons of assorted new technologies, and 2. They gave me job security, because I was one of the few who knew how to implement them properly at the time. The Enterprise Series sensor is just one box that fits into the existing NFR architecture, so sadly, the above two reasons do not hold true for it. :)
However, it also has several nasty properties,especially in the IDSspace. In addition, the problems get nastier with adding more CPUs to the cluster, so there are alimit how many CPUs you can put in a cluster.For starters, if your load balancing scheme isbased on TCP/UDP portnumbers, you'll have a hard time detecting evensimple port scan.JackThis might be partially true if the load balancingassumption were correct,but at least in the one implementation (NFR) withwhich I am familiar, it is not.Can you enumerate some of the inherent "nastyproperties" to which you allude? It's hard to be specific without knowing the details of load balancing. However, let me try to list a few issues: - Increased latencies and jitter in case of inline deployment. - Burst loss. For example, try to do a deep inspection without loss of a large TCP window of a single TCP session sent by a server or a test device over a gige interface. What's max burst you can process without loss ? - If traffic from a malicious source is distributed to several CPUs, it will take you much longer or even impossible to detect the attack and start dropping malicious traffic.
It's certainly understandable that you'd be skeptical about the numbers being thrown around. You're not the only one. And it's true that a poorly implemented distribution scheme will suffer from the problems you mention. These are not new concerns, however, and the equipment and software that we use to tackle the speed problem are specifically designed to handle these challenges. As someone said on a previous thread (or was it this thread?), let's wait until the third party numbers come out before passing judgement. And until then, we stand firmly behind our appliance ratings. -MAB ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: RE: IPS Reliability/Availability y8k0vt3p (Mar 11)
- RE: RE: IPS Reliability/Availability Mike Barkett (Mar 14)
- <Possible follow-ups>
- RE: IPS Reliability/Availability Mike Barkett (Mar 16)
- RE: IPS Reliability/Availability j (Mar 16)