IDS mailing list archives

RE: IDS\IPS that can handle one Gig


From: Barrett G.Lyon <blyon () prolexic com>
Date: Tue, 7 Jun 2005 09:19:19 -0700

Oh boy another long reply... ;)

1)  Gigabit performance is irrelevant; it's the packets per second that
count. Vendors cheat and claim 1Gb performance based on large packet sizes
(not real world), or just add up the sizes of all their interfaces.

I agree; however, you would hope the PPS rates match the throughput of the gigabit circuit. 64-byte packets should be in the 2.2 million PPS range for a GigE. If my carrier can provide that PPS rate, I should be able to process at that rate. Maybe the top rating of an IPS should be limited to the lowest PPS situation it can process? If the hardware can do a 1.2 million SYN/sec rate, then should it only be rated at around 500 Mbps and not a full GigE? However, some devices may be great at some mitigation and bad at others; does that mean we should state that the device is only X at X PPS rate? I think the consumers of IPS devices expect that all mitigation/processing is at the PPS line rate of the circuit, so this is where IPS vendors can get in trouble with marketing and overstating what they are doing.


2) In PC architecture, the PCI bus is the bottleneck, not the processor.

It's not just PC vs. network hardware; this is a cultural shift in security we are talking about...

In the last 3 years there has been a major shift from doing security as an application to security as a network device. This change is due to performance and general integration of security with the network. The major problem with this change is that traditionally the network guys were not security guys and the security guys were not network guys - it is pretty apparent when you compare a security conference to a networking conference, or a security device GUI to a network device CLI... or a PC to a network appliance. Ideologically, network guys connect and security guys restrict - strange combination.

The other problem is that security devices now have to talk network jive, more like a router/switch should. Doing OSPF with something like a choke point, or trying to incorporate a PC with a single power supply and things like hard drives (as Mr. Holman pointed out) that have the potential to take down the network, is a very terrifying idea to a network guy, but maybe an okay idea for a security guy. With networks and attacks in the wild pushing traffic levels over the 4 gig (7+ million PPS) mark, squishing data over a PCI/PCIx bus is also something of a bad idea (issue #2 in Mr. Holman's email).

So the race is on: the people with PC-architecture software are trying to become network-based security devices, and the network device world is trying to become security devices. When there is a race, things get sloppy, so we are seeing a lot of products that have features that don't work or features that are just there to be there. So, when someone is saying you have to compromise a security function for the health of the network or for performance, sometimes that is just fine, because that function may not have been doing anything anyway.

The way I see it (to rip off Richard Stiennon), firewalls are dead... It's easy to set up a line-speed ACL that acts like a firewall and have an application security device like an IPS behind that ACL. The new model is not having a single firewall but having something of a security-based network, where each part of the network is doing its job... rather than everything. No single point of security, no single point of security to fail, no single vendor to fail -- every part of the network working together to perform security operations. Active redundancy in the network and in the security is a neat idea, and devices like IPS will help people achieve that.

With the intrusion prevention network/secure net (whatever you call it), only using part of a device's functionality may be absolutely fine. The traditional Swiss Army knife firewall is a thing of the past - with a Swiss Army knife, using every tool all at once may be the wrong way to go. You also don't cut down a tree with the small Swiss Army knife saw; you use a chain saw. You don't buy the Swiss Army knife over the chain saw because it's got everything; you buy what's good for the job.

Oh, and don't play with chain saws in the data center, that's a bad idea too. :)



-Barrett
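The packets-per-second arithmetic behind point 1, as an added example that is not part of the original post or the thread. It assumes standard Ethernet framing (7-byte preamble, 1-byte SFD and a 12-byte inter-frame gap, i.e. 20 bytes of wire overhead per frame beyond the frame itself, FCS included) and rates a device by the throughput its PPS ceiling actually sustains at each frame size; the function and constant names are this example's own. With those assumptions the 64-byte line rate of a GigE works out to about 1.49 million PPS, which is the figure a vendor's "1 Gb" claim should be measured against.

```python
"""Line-rate PPS and PPS-limited throughput for Ethernet links (added example)."""

# Assumption (not from the post): every Ethernet frame on the wire carries
# 20 bytes of overhead beyond the frame itself: 7-byte preamble, 1-byte SFD
# and the 12-byte inter-frame gap. Frame sizes below include the 4-byte FCS.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME = 64
MAX_FRAME = 1518
GIGE_BPS = 1_000_000_000


def line_rate_pps(frame_bytes: int, link_bps: int = GIGE_BPS) -> float:
    """Maximum frames per second the link can physically carry at this frame size."""
    if not MIN_FRAME <= frame_bytes <= MAX_FRAME:
        raise ValueError(f"frame size {frame_bytes} outside {MIN_FRAME}..{MAX_FRAME}")
    bits_on_wire = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_on_wire


def pps_limited_mbps(device_pps: float, frame_bytes: int, link_bps: int = GIGE_BPS) -> float:
    """Throughput (Mbit/s of link capacity) a device capped at device_pps delivers
    at this frame size. It can never exceed line rate; where line rate needs more
    packets per second than the device can process, the device's ceiling wins."""
    usable_pps = min(device_pps, line_rate_pps(frame_bytes, link_bps))
    return usable_pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8 / 1_000_000


def rating_table(device_pps: float, frame_sizes=(64, 128, 256, 512, 1024, 1518)):
    """Throughput per frame size for a device with a fixed PPS ceiling, plus the
    worst case (smallest frames), which is the honest figure to put on the box."""
    rows = {size: round(pps_limited_mbps(device_pps, size), 1) for size in frame_sizes}
    return rows, min(rows.values())


if __name__ == "__main__":
    # A device that tops out at 1.2 million packets/sec, as in the post, beside
    # one that can keep up with 64-byte line rate.
    for ceiling in (1_200_000, 1_500_000):
        rows, worst = rating_table(ceiling)
        print(f"device ceiling {ceiling:,} pps -> worst-case rating {worst} Mbit/s")
        for size, mbps in rows.items():
            print(f"  {size:5d}-byte frames: {mbps:7.1f} Mbit/s")
```

The table makes the marketing trick visible: the 1.2 Mpps device reaches a full 1000 Mbit/s at anything from 128-byte frames upward, so a datasheet measured with large packets can honestly say "gigabit", while the same box under a 64-byte SYN flood is a roughly 800 Mbit/s device.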



