IDS mailing list archives
Re: IDS\IPS that can handle one Gig
From: Peter Schawacker <ps () tenablesecurity com>
Date: Tue, 31 May 2005 10:59:30 -0700 (PDT)
Hello Mr. Glass,

Are you running 10Gbps to each host? Where are your choke points? If you have so many choke points that acquisition cost is too great (more and more common these days), consider falling back to the host. More and more these days, I find it best to shift from HIPS to NIPS. High bandwidth utilization environments are often good HIPS candidates.

Another option, and one that many organizations are beginning to favor, is to forget the current, "fashionable" notions of IPS and return to basics -- to focus more closely on vulnerability and information management. I believe that if you have a comprehensive, continuous and meaningful flow of information about the environment and an effective vulnerability remediation program, the need for IPS appliances and agents (band-aids) can be reduced dramatically.

P

--- Jonathan Glass <jonathan.glass () gmail com> wrote:

Well, as a greedy IPS reseller, what would you recommend to handle 4 10Gig connections for real-time IPS/IDS protection? That's where we are, and we're having trouble finding ANY vendor who can come close to keeping up with us. Frankly, we find that we're about 18-24 months ahead of any vendors, and are wondering whether there's any benefit to a true IPS, or if we should stick to netflow analysis and deep-packet IDS (when capable of keeping up), and write scripts to block attacks.

Your thoughts?

Jonathan Glass
InfoSec Engineer III
Georgia Institute of Technology

Andrew Plato wrote:

DISCLAIMER: I am a greedy IPS reseller. ;-)

Lots of IPSs can handle 1GB.

TippingPoint 1200, 2400, or 5000 (5GB!)
ISS G1000, G2000
FortiGate 1000 or better
Juniper
Etc.

Lots of them fail at 1GB because that's a buttload-O-packets to handle. Especially if they're little UDP packets. The thing is, they can say they're rated to 1GB because they can, theoretically, handle 1GB. But, the only way to get there is with a paltry policy set that only checks a few things.

If you need raw ungodly performance, you might want to stick to the ASIC-based IPSs. They tend to be faster and have a much lower latency. This would be TippingPoint and Fortigate. I don't think McAfee uses ASICs, but I don't know. ISS, Juniper, Symantec, Cisco, etc. are all software running on some OS.

ASICs also have the added benefit that they are more secure as an appliance. It's almost totally impossible to crack an ASIC-based system. The OS-based IPSs usually run on top of some hardened Linux or BSD kernel. Which means, it's possible (although unlikely) that a root exploit to the Linux kernel could turn your security appliance into an insecurity appliance.

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security

-----Original Message-----
From: Randall Jarrell [mailto:rgj () msn com]
Sent: Thursday, May 19, 2005 8:28 AM
To: focus-ids () securityfocus com
Subject: IDS\IPS that can handle one Gig

Greetings,

We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom I will not name unless you ask me, that have made claims that they can handle a Gig of throughput but actually start to fail around the 300-500MB range.

Could anyone share a success story of a vendor they are using that is handling this type of traffic?

Thanks in advance,
-RGJ
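Jonathan's fallback of "netflow analysis ... and write scripts" is the part of this exchange a practitioner can actually try. The block below is an added example, not code from anyone on the list: it screens constructed NetFlow-style records (a few 5-tuples with packet and byte counts) for sources whose fan-out across destination hosts or ports is out of proportion to the traffic they carry, which is the kind of signal flow data still gives you at line rates where a payload-inspecting sensor starts dropping packets. The record shape, the sample flows and the thresholds are all assumptions chosen for illustration; a real deployment would tune them per segment.

```python
"""Flow-based screening: find sources whose fan-out looks like probing.

Added example, not code from the list thread. Input is a list of
constructed NetFlow-style records; thresholds are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record (assumed field set, not a real exporter format)."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample: one host touching many ports on one target,
# one host touching one port on many targets, and ordinary HTTPS traffic.
SAMPLE_FLOWS = [
    *(Flow("10.0.0.5", "10.0.1.20", p, "tcp", 1, 60) for p in range(20, 45)),
    *(Flow("10.0.0.9", f"10.0.1.{h}", 445, "tcp", 1, 60) for h in range(1, 31)),
    Flow("10.0.0.7", "10.0.1.80", 443, "tcp", 120, 98000),
    Flow("10.0.0.7", "10.0.1.81", 443, "tcp", 80, 64000),
]


def summarize(flows):
    """Per-source fan-out: distinct destination hosts, distinct ports, total packets."""
    hosts = defaultdict(set)
    ports = defaultdict(set)
    pkts = defaultdict(int)
    for f in flows:
        hosts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
        pkts[f.src] += f.packets
    return {
        src: {"hosts": len(hosts[src]), "ports": len(ports[src]), "packets": pkts[src]}
        for src in hosts
    }


def flag_sources(flows, host_threshold=20, port_threshold=15):
    """Return {src: [reasons]} for sources whose fan-out exceeds the thresholds.

    Many tiny flows spread across hosts or ports is the pattern we care about;
    a busy but narrow source (a web client hitting two servers) is not flagged.
    """
    flagged = {}
    for src, s in summarize(flows).items():
        reasons = []
        if s["hosts"] >= host_threshold:
            reasons.append(f"{s['hosts']} distinct destination hosts")
        if s["ports"] >= port_threshold:
            reasons.append(f"{s['ports']} distinct destination ports")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for src, reasons in flag_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {'; '.join(reasons)}")
```

The trade-off this illustrates is the one the thread circles around: flow records are cheap enough to aggregate at multi-gigabit rates, but you only see fan-out and volume, never payload, so this complements rather than replaces the deep-packet sensor where that sensor can keep up.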