IDS mailing list archives
Re: IDS\IPS that can handle one Gig
From: James Blake <jblake () tippingpoint com>
Date: 25 May 2005 10:02:45 -0000
In-Reply-To: <BAY103-DAV2CDA0AE7EB5D8601EB25EBA080 () phx gbl>
From: "Randall Jarrell" <rgj () msn com>
To: <focus-ids () securityfocus com>
Subject: IDS\IPS that can handle one Gig
Date: Thu, 19 May 2005 08:28:13 -0700

We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom I will not name unless you ask me, that have made claims that they can handle a Gig of throughput but actually start to fail around the 300-500MB range.

Could anyone share a success story of a vendor they are using that is handling this type of traffic?

Thanks in advance,
-RGJ

As Kos mentions in a follow-up posting below, TippingPoint have a range of products that cover from 50 Mbps to 5 Gbps aggregate bandwidth (they apply the filters in both directions, so you can have 5 Gbps total). The 2400 appliance will do the job.

I hear what you are saying about IPSes either failing open or failing closed when you start to push them to their limits. This is mainly due to the fact that a lot of them are extensions of IDS architectures, and IDSes were designed to take all the time in the world analysing as no real-time decisions needed to be taken. IPSes on the other hand require very quick decisions, so any form of buffering increases the latency (so much so that under strain some time-sensitive applications like Fibre Channel over IP, Ethernet Encapsulated Fibre Channel and VoIP can fail); also, any architecture with buffering is open to DoS.

Have a look at http://tomahawk.sourceforge.net - this is an Open Source project that TippingPoint released. It allows you to build a PC-based IPS testing engine that can pump out about 300 Mbps; the architecture allows you to strap multiple Tomahawks together so you can push the capacity well above 1 Gbps. TippingPoint released this into the public domain so that coders can see the tests are not rigged, but anyone is free to use this tool to push any IPS they are evaluating over 1 Gbps and see how it reacts.

I would recommend having a look at the TippingPoint appliances, but I would as I am their Senior Sales Engineer for the UK ;-)

Good luck with the testing!

James