Firewall Wizards mailing list archives
Re: GIDS, Intrusion Prevention: A Firewall by Any Other Name
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Thu, 15 Aug 2002 09:00:59 +0200
Crispin Harris wrote:
> Crispin Cowan wrote:
> > Ryan Russell wrote:
> > > I think a more interesting question is: if GIDS is the new "firewall", then why did firewalls running on top end PCs max at 100 Mbps or so with just a few dozen rules and terribly simple filtering capabilities... while a GIDS with much more interesting filtering capabilities and a few thousand rules can also do the same? Did PCs just get that much faster?
> > I agree with the comment that it's because people tolerate NIDS failing open, whereas they would not tolerate that from a classical firewall.
> I doubt that this is the entirety of the answer. Efficient code will be part of it, hardware acceleration may also help, and of course, algorithm & process design will make a massive difference. Marcus or one of the other listmembers who deal with high bandwidth packet inspection and/or transfer may be able to give us a better idea.
High bandwidth IDSing I know very little about. High bandwidth firewalling (stateful inspection) I know more about. So, just in case someone's interested, here goes:

Single 33 MHz/32-bit PCI bus with 3 100 Mbps NICs:
- Large packets saturate the buses before you reach 300 Mbit throughput (that is 300 Mbps in and 300 Mbps out)
- Small packets (sorry, don't remember the number)

PCI-X buses with gigabit NICs on recent mobos:
- Large packets: >4 Gbps (again, 4 Gbps in and 4 Gbps out)
- Small packets: at least 0.5M packets/sec

And, yes, this is software-on-PC. No hardware acceleration stuff going on.

BUT an IDS told to look at L7 data of pretty much all packets won't be doing this well of course, and hardware acceleration where you only upload headers to RAM won't help squat if you need to look at L7 data.

/Mikael Olsson

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05  Fax: +46 (0)660 122 50
WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
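The two limits Mikael describes (a shared PCI bus that fills up first with large frames, and a per-packet processing budget that runs out first with small frames) can be put into a back-of-envelope model. The block below is an added illustration, not code from the post or from Clavister; it uses the theoretical PCI 33 MHz/32-bit peak, standard Ethernet frame sizes and wire overhead, and assumes a 54-byte Ethernet/IPv4/TCP header and a 1 GHz CPU purely for the cycles-per-packet figure. The thread's numbers are measurements; these are line-rate ceilings, so they show why the observed throughput stays below them.

```python
# Constructed back-of-envelope model (not Mikael's numbers, not Clavister code)
# of the two limits described in the message: the host bus fills up first with
# large frames, while small frames are limited by how many packets per second
# the software can touch. Figures are theoretical line rates.

PCI_33MHZ_32BIT_BYTES_PER_SEC = 33_000_000 * 4   # ~132 MB/s theoretical peak
ETHER_WIRE_OVERHEAD = 20        # preamble (8) + inter-frame gap (12) bytes per frame
MIN_FRAME = 64                  # smallest Ethernet frame (incl. FCS)
MAX_FRAME = 1518                # largest standard Ethernet frame (incl. FCS)
L2_L4_HEADER_BYTES = 54         # Ethernet 14 + IPv4 20 + TCP 20, no options (assumption)


def line_rate_pps(link_bps, frame_bytes):
    """Frames per second one link carries at line rate for a given frame size."""
    return link_bps / ((frame_bytes + ETHER_WIRE_OVERHEAD) * 8)


def bus_utilisation(num_links, link_bps, frame_bytes,
                    bus_bytes_per_sec=PCI_33MHZ_32BIT_BYTES_PER_SEC):
    """Fraction of theoretical bus capacity consumed when every NIC receives
    at line rate and everything is forwarded. Each forwarded frame crosses the
    shared bus twice: NIC -> RAM on ingress, RAM -> NIC on egress."""
    pps_total = num_links * line_rate_pps(link_bps, frame_bytes)
    return 2 * pps_total * frame_bytes / bus_bytes_per_sec


def cpu_cycles_per_packet(cpu_hz, pps):
    """Processing budget per packet; shrinks as frames get smaller."""
    return cpu_hz / pps


def inspected_bytes_per_sec(pps, frame_bytes, headers_only):
    """Bytes the inspection engine must read per second. Uploading only
    headers to RAM bounds this for a stateful firewall, but an L7 IDS that
    reads every packet's payload has to pull the whole frame in regardless."""
    return pps * (L2_L4_HEADER_BYTES if headers_only else frame_bytes)


if __name__ == "__main__":
    links, link_bps = 3, 100_000_000          # the 3 x 100 Mbps box in the thread
    for size in (MIN_FRAME, 512, MAX_FRAME):
        pps = links * line_rate_pps(link_bps, size)
        print(f"{size:5d}-byte frames: {pps:10.0f} pps, "
              f"bus {bus_utilisation(links, link_bps, size):5.1%} of PCI peak, "
              f"{cpu_cycles_per_packet(1_000_000_000, pps):6.0f} cycles/pkt at 1 GHz, "
              f"L7 bytes/s {inspected_bytes_per_sec(pps, size, False) / 1e6:6.1f} MB "
              f"vs headers only {inspected_bytes_per_sec(pps, size, True) / 1e6:5.1f} MB")
```

With 1518-byte frames on three 100 Mbps links the forwarded traffic alone takes about 56% of the theoretical PCI peak, before DMA setup, memory contention and the CPU's own bus accesses are counted, which is consistent with the bus giving out before 300 Mbps. With 64-byte frames the bus load drops to about 43%, but the box now has to handle roughly 446,000 packets per second, about 2,200 cycles per packet at 1 GHz for interrupt handling, state lookup and forwarding combined. The last column shows why header-only acceleration does nothing for an L7 IDS: at large frame sizes the payload it must read is nearly thirty times the header volume.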