Re: IDS\IPS that can handle one Gig

[Peter Schawacker <ps () tenablesecurity com>]

Hello Mr. Glass,

Are you running 10Gbps to each host?  Where are your
choke points?  If you have so many choke points that
acquisition cost is too great, (more and more common
these days) consider falling back to the host.  More
and more these days, I find it best to shift from HIPS
to NIPS.  High bandwidth utilization environments are
often good HIPS candidates.  

Another option, and one that many organizations are
beginning to favor, is to forget the current,
"fashionable" notions of IPS and return to basics --
to focus more closely on vunerability and information
management.  I believe that if you have a
comprehensive, continuous and meaningful flow of
information about the environment and an effective
vulnerability remediation program, the need for IPS
appliances and agents (band-aids) can be reduced
dramatically.  

P

--- Jonathan Glass <jonathan.glass () gmail com> wrote:
> Well, as a greedy IPS reseller, what would you
> recommend to handle 4 
> 10Gig connections for real-time IPS/IDS protection? 
> That's where we 
> are, and we're having trouble finding ANY vendor who
> can come close to 
> keeping up with us.  Frankly, we find that we're
> about 18-24 months 
> ahead of any vendors, and are wondering whether
> there's any benefit to a 
> true IPS, or if we should stick to netflow analysis
> and deep-packet IDS 
> (when capable of keeping up), and write scripts to
> block attacks.  Your 
> thoughts?
>
> Jonathan Glass
> InfoSecEngineer III
> Georgia Institute of Technology
>
> Andrew Plato wrote:
>
> > DISCLAIMER: I am a greedy IPS reseller. ;-)
> >
> > Lots of IPSs can handle 1GB.
> >
> > TippingPoint 1200, 2400, or 5000 (5GB!) 
> > ISS G1000, G2000
> > FortiGate 1000 or better
> > Juniper
> > Etc. 
> >
> > Lots of them fail at 1GB because that's a
> buttload-O-packets to handle.
> > Especially if they're little UDP packets. The thing
> is, they can say
> > they're rated to 1GB because they can,
> theoretically handle 1GB. But,
> > the only way to get there is with a paltry policy
> set that only checks a
> > few things.  
> >
> > If you need raw ungodly performance, you might want
> to stick to the
> > ASIC-based IPSs. They tend to be faster and have a
> much lower latency.
> > This would be TippingPoint and Fortigate. I don't
> think McAfee uses
> > ASICs, but I don't know. ISS, Juniper, Symantec,
> Cisco, etc. are all
> > software running on some OS.  
> >
> > ASICs also have the added benefit that they are
> more secure as an
> > appliance. Its almost totally impossible to crack
> an ASIC-based system.
> > The OS-based IPSs usually run on-top of some
> hardened Linux or BSD
> > kernel. Which means, its possible (although
> unlikely) that a root
> > exploit to the Linux kernel could turn your
> security appliance into an
> > insecurity appliance.
> >
> > ___________________________________
> > Andrew Plato, CISSP
> > President/Principal Consultant
> > Anitian Enterprise Security
> >
> >
> >
> > -----Original Message-----
> > From: Randall Jarrell [mailto:rgj () msn com] 
> > Sent: Thursday, May 19, 2005 8:28 AM
> > To: focus-ids () securityfocus com
> > Subject: IDS\IPS that can handle one Gig
> >
> > Greetings,
> >
> > We are currently evaluating IDS\IPS vendors. We
> have tried two vendors,
> > whom I will not name unless you ask me, that have
> made claims that they
> > can handle a Gig of through put but actually start
> to fail around the
> > 300-500MB range.
> >
> > Could anyone share a success story of a vendor they
> are using that is
> > handling this type of traffic?
> >
> > Thanks in advance,
> >
> > -RGJ
...

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------