RE: ASIC Based IPS

["Brian Smith" <bsmith () tippingpoint com>]

Hi Tim!  Good post; let me add my 2 cents.

The key to performance is parallelism, and processing network data is an
inherently (and extremely) parallel problem.  Most of the processing an
IPS performs on each network stream can be done in parallel, which is
why ASIC based IPSs can run so fast.

There are 2 ways to achieve parallelism: break long operations into
multiple, shorter steps (pipelining), or do operations on several pieces
of data at once (MIMD).  Pipelining allows you to reduce the clock cycle
on each stage, which increases overall utilization of the functional
units, but it also tends to increase latency because the timing on each
stage is determined by the slowest stage in the pipeline and because
there's overhead transmitting the data from one stage to the next.  In
general, deeper pipelines lead to higher throughput and higher latency,
not lower latency.  Take this to an extreme: the latency of a
million-stage pipeline, for example.  Even if each stage is 1 usec, it
would take a packet 1 second to run through the box, but you could do a
million packets/sec.   MIMD is theoretically better, but you hit the
limit because you run out of space on the chip.  A million-way parallel
MIMD would require a million units capable of doing all the processing.
Throughput could be very high with low latency, but the chip would be
the size of a hummer (and consume more power).

In practice, most architectures use a combination of techniques.  For
instance, TopLayer uses 6 ASICS (I'm ignoring the PHYS, standard switch
processors, and other off-the-shelf glue); TippingPoint IPS uses 3 (two
FPGAs and a network processor).  Clearly, the chip-to-chip processing is
both systems is pipelined.  Since data must be passed from one stage to
the next, the chip-to-chip communication channel must be higher
(sometimes much higher -- ours is 20 Gbps in our 5 Gbps model) than the
bandwidth of the IPS.  Our on-chip processing is a combination of
pipelining and MIMD parallelism.  I imagine yours is the same.

There is a multitude of reasons a PC-based architectures don't work as
well.  First, the CPU is fundamentally single threaded (the CPU is only
launching one to two instructions per clock), so it can't exploit any of
the parallelism.  Second, the instruction set is not optimized for
processing network data, so it takes more instructions than it should to
decode protocols.  Third, the architectures are not terrific at network
I/O (although PCI-X has helped this situation a lot).  Fourth, the same
CPU that's doing network packet processing is also doing management.
For instance, when a CPU based IPS blocks an attack it also sends an
alert to the management console.  While it's generating this alert, it's
not processing traffic.  This involves pulling the relevant data out of
the packet, formatting an SNMP trap or whatever the communication
mechanism involves, possibly writing the data to disk, and so on.  These
are not cheap operations.  This architecture means that the latency and
throughput of PC-based IPSs is demonstrably impacted under heavy attack
load.

My point is that it's not because the PC is using a single chip that's
the problem, it's because the chip doesn't have any network session
level parallelism and isn't customized for this task.

Your comment about the FPGAs is right on.  The threat landscape is
constantly changing, and a fixed-function ASIC will have difficulty
changing with the landscape.  Witness how long it's taken NetScreen to
integrate the OneSecure technology into it's firewall ASIC (2.5 years
and counting). I imagine one day we'll figure out exactly the right set
of composable primitives for IPS, much as CPUs have figured out the
right instructions for general-purpose computing.  When that happens, it
will be possible to build a fixed ASIC security processor and program it
like a CPU.  No one is even close to doing that today, from what I've
seen.  FPGAs are the way to go, for now.

        Brian Smith
        TippingPoint, a division of 3com

-----Original Message-----
From: THolman () toplayer com [mailto:THolman () toplayer com] 
Sent: Wednesday, March 30, 2005 4:00 PM
To: siddharth.phadnis () impetus co in; focus-ids () securityfocus com
Subject: RE: ASIC Based IPS

Hi Sid,

Just because an IPS device uses an ASIC or two, does NOT mean it is very
fast.

The key to speed and low latency is ARCHITECTURE.

For example, a device that uses a single ASIC to process all network
data
will not be much faster than a PC using a single Intel processor.
The benefits of speed come about when you start using ASICs in parallel
-
so, one ASIC to carry out L2 checks, one ASIC to carry out L3 checks and
so
forth.  Furthermore, such a device needs a backplane and network
processors
that support such a design.

A good, parallel-ASIC design thus enables vendors to claim high speed
and
low latency.

Another very important point to consider is whether or not the vendor
uses
off-the-shelf general network ASICs (which offer good network level
L2/L3/L4
performance), or use ASICs that are designed from the ground up to
handle
the very different nature of L5-L7 packet contents.

It is also important to consider whether or not there is a dedicated
ASIC
on-board to handle each of the separate functions that you would expect
from
an IPS, instead of cramming multiple functions into two or three ASICs
and
thus affecting latency and performance.

What you should also look for is a device which uses FPGAs - these are
in
effect programmable ASICs (as off the shelf ASICs are read-only, FPGAs
are
the writable versions that allow direct coding of the processors).  Use
of
FPGAs enable vendors to keep their devices up-to-date and relevant to
the
current network security landscape.  The ability to write a
signature/protocol check into machine code and put it on a processor has
a
HUGE impact on the performance of the device as opposed to one that uses
either standard ASICs or PC-based hardware.

Gartner's Seven Key Selection Criteria for Network IPS should also
assist
you in selecting an IPS.  Although performance is important, this
details 6
other criteria that are crucial in product selection.

Hope this helps !

Cheers,

Tim

Tim Holman
Security Consultant (EMEA)
Top Layer Networks Inc

 
-----Original Message-----
From: Siddharth Phadnis [mailto:siddharth.phadnis () impetus co in] 
Sent: 29 March 2005 12:27
To: IDS FOCUS
Subject: ASIC Based IPS

Hi everyone,

Currently a lot of IPS vendors talk about their devices being very fast 
being based on ASIC. Just out of curiosity, I would be glad if someone 
could point me towards how all the signatures and analysis/blocking 
software works from ASIC and how does that affect the latency which is 
introduced into traffic because I believe the full packet payload will 
have to be inspected in case of application layer anomalies.

Thanks and Regards,
Sid.


------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Stop hurting your network!

The NeVO passive vulnerability sensor continuously finds vulnerabilities,
applications and new hosts without the need for network scanning.
It also finds compromised systems with application-based intrusion detection.
Go to http://www.tenablesecurity.com/products/nevo.shtml to learn more.
--------------------------------------------------------------------------