IDS mailing list archives
Re: 10Gbps IPS - what you need to know
From: Ravi Chunduru <ravi.is.chunduru () gmail com>
Date: Thu, 5 Mar 2009 10:12:19 -0800
I understand that there is no need for sending the traffic through inspection if there are no signatures/rules for the traffic. I also can understand if the user is given the choice of skipping IPS inspection via configuration for certain protocols or network segments. I feel it is fooling buyers if the same traffic with an attack pattern is stopped when there is less load and passed when the system is under load. Do you think that this is known to end users from vendors' documentation?

Thanks
Ravi

On Thu, Mar 5, 2009 at 9:18 AM, Jeremy Bennett <jeremyfb () mac com> wrote:
Ravi,

What you ask is a two-phase question. I can speak from experience, having worked for a vendor, that (at least at the time) NSS had a strict policy that the same signature/detection set be used for all tests. This means that if a particular signature is enabled for the coverage tests then it must also be enabled for the performance tests. This is really the only believable way to test.

The reason I say it is a two-phase question is that just because a signature is enabled does not necessarily mean it is always applied. Most high-speed IPS devices have a 'fast path' or 'push-through' or similarly named no-inspection channel that pulls packets from one interface and pushes them out another. The cases when these channels are used, in my mind, separate the security-centric IPS devices from the performance-centric IPS devices. Those that tout performance often have aggressive algorithms for moving packets to the fast path: packet rate, packet size, destination port, previous history are all used to bypass inspection under load. I know of one device at the time that would simply push through all small UDP packets if the system were under load. The vendor, then, spent a lot on advertising how good their small UDP packet performance was.

Now, just because there is a fast path does not make the product a piece of crap. There are intelligent ways to minimize the applied set of signatures that do not harm security correctness. For example, if you can determine that a data stream is encrypted then you can't inspect it. Also, if you watch control traffic on a multimedia exchange (e.g., watch the SIP traffic on a video call) and you have no signatures for that particular media codec then don't bother applying any others to the media stream.

So, I think the testers set out to do a good job. I also like to think that the vendors do not set out to cheat on the tests. Instead vendors make a choice between preferring performance versus security and the test results show that.
-J

On 3/4/09 9:47 PM, "Ravi Chunduru" <ravi.is.chunduru () gmail com> wrote:

I was hoping either NSS or vendors who had gone through the certification would say that all sessions/packets go through the IPS detection in all cases as part of performance measurement. There is absolute silence on my previous email. Silence is reinforcing the points made in the earlier email that IPS devices skip intrusion analysis upon very small load on the system. I was hoping that somebody was going to speak out and prove otherwise.

Ravi

On Sat, Feb 28, 2009 at 4:15 PM, Ravi Chunduru <ravi.is.chunduru () gmail com> wrote:

Hi,

This concerns many people, I am sure. I hope certification agencies are reporting performance numbers where all packets are going through complete inspection. If what you said is happening, then certification agencies would lose their credibility. Any comments from NSS?

Thanks
Ravi

On Fri, Feb 27, 2009 at 9:18 AM, Trygve Aasheim <trygve () pogostick net> wrote:

Sure. But to clarify: it didn't bring throughput down to 15 Mbit, but we were seeing signatures/filters that started to fail when the traffic was at about 15 Mbit, with less than 2000 sessions. Now this isn't unusual with an IDS solution that uses pure regex signatures. But some IPS vendors claim that their solutions ain't running anything near regex, and their performance is way up there...sure.

Many IPS solutions have a max latency threshold. So if the IPS uses more than X ms before it has analyzed the traffic, the traffic is passed through. This is so that the IPS doesn't become a bottleneck under heavy load. But if you have (which many companies do) different service segments (like one segment with databases, one with web servers etc.) you might end up with an IPS where the policy for one segment is a lot of different HTTP, HTTPS, SQL injection, XSS signatures/filters that all try to analyze the same traffic.
Add to these the filters for protecting Apache, IIS, SunOne and so on, and the different versions on different operating systems, and you end up with one massive policy if you're in a big company. Then I promise...gbit performance where all the filters that you really want to run are on...fails.

NSS Labs are more than welcome to ask for more detailed information of course, so that their certifications might show more than just throughput with a policy on, but also maybe throughput with a policy running, where the policy is actually being applied to the data at gbit speed.

The traffic pattern was customer traffic btw. Real world traffic.

T

Ravi Chunduru wrote:

We've seen gbit certified solutions starting to fail at 15mbit with <2000 sessions during PoC's....

This is really interesting. Can you throw some more light on the traffic pattern which brings down the performance to 15 Mbps?

Ravi

On Mon, Feb 23, 2009 at 9:16 AM, Trygve Aasheim <trygve () pogostick net> wrote:

Another question would be:
- How big is the rule base?
- Any exceptions?
- How many filters/signatures/detection features failed to analyze the traffic before the latency threshold was exceeded?
- Is the rule base based on a scenario where you for example pretend to protect a Windows server and workstation network, and therefore enable all signatures for this, and turn off all *nix signatures? Or the other way around? Or a pure web-/app-/database server network?

A lot of these tests fail to test the devices in a "near real world scenario" where the IPS is configured with an adjusted rule base based on typical assets, risks, firewall rules, exceptions, vlan tags etc. We've seen gbit certified solutions starting to fail at 15 Mbit with <2000 sessions during PoC's....

T

C-Info wrote:

The question I would also ask is: was this complete capture or sampling of the traffic?
Curt

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Addepalli Srini-B22160
Sent: Thursday, February 19, 2009 1:57 PM
To: Ravi Chunduru; rmoy () nsslabs com
Cc: focus-ids () securityfocus com
Subject: RE: 10Gbps IPS - what you need to know

Copied from the test report: "The device ably supported over 11Gbps of traffic with the larger HTTP response sizes (21KB) and lower connections per second (5,000 CPS per Gigabit of traffic) found on typical corporate networks". It appears to be some calculation mistake! It comes to around 820-830Mbps (21Kbytes * 5000), not 11Gbps throughput!

I think you missed "5000 CPS per gigabit of traffic". Since it is a 10G box, I would assume that there were 50000 CPS in total, which gives around 8.5Gbps. If you add the usual overheads of TCP header, IP header and Ethernet header, the total throughput might go beyond 8.5Gbps.

Regards
Srini
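The latency threshold Trygve describes and the fast path Jeremy describes are the same fail-open design seen from two sides: once the per-packet inspection budget is spent, whatever rules remain are never evaluated. The toy model below is an added illustration written for this archive page, not code from the thread or from any vendor or test lab. The signature names, regex patterns, per-rule costs, the 10 microsecond budget, the load multiplier and both sample packets are constructed assumptions; it exists only to show how a rule that fires at idle can be skipped for the identical packet under load, and what a fail-closed variant of the same budget does instead.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: "re.Pattern"
    cost_us: float  # assumed evaluation cost per packet at idle, in microseconds

# Constructed rule base (names, patterns and costs are assumptions): a few cheap
# web-server filters first, with the only signature that matches the sample
# attack payload at the end of the list, as it might sit in a large policy.
RULE_BASE = [
    Signature("http-method-anomaly", re.compile(rb"^(TRACE|TRACK) "), 1.0),
    Signature("iis-unicode-traversal", re.compile(rb"%c0%af|%c1%9c"), 1.5),
    Signature("null-byte-in-uri", re.compile(rb"\x00"), 1.0),
    Signature("xss-script-tag", re.compile(rb"<script", re.IGNORECASE), 2.0),
    Signature("sqli-union-select", re.compile(rb"union\s+select", re.IGNORECASE), 2.5),
]

# Constructed sample packets (application payload only).
ATTACK_PAYLOAD = b"GET /item?id=1' UNION SELECT user,pass FROM users-- HTTP/1.1\r\n"
BENIGN_PAYLOAD = b"GET /index.html HTTP/1.1\r\n"

@dataclass
class Verdict:
    action: str                 # "forward", "drop" or "fail-open"
    matched: Optional[str]      # name of the signature that fired, if any
    signatures_checked: int     # how far through the rule base inspection got
    spent_us: float             # modelled inspection time consumed

def inspect(payload: bytes, rules, budget_us: float, load: float = 1.0,
            fail_open: bool = True) -> Verdict:
    """Evaluate signatures in order until one fires or the latency budget runs out.

    `load` scales every signature's cost to model CPU contention: above 1.0 the
    same packet exhausts the same budget sooner, so rules late in the list are
    never reached. With fail_open=True the packet is then forwarded uninspected,
    which is the pass-through behaviour described in the thread; with
    fail_open=False the device drops it instead and the failure becomes visible.
    """
    spent = 0.0
    for i, sig in enumerate(rules):
        cost = sig.cost_us * load
        if spent + cost > budget_us:
            action = "fail-open" if fail_open else "drop"
            return Verdict(action, None, i, spent)
        spent += cost
        if sig.pattern.search(payload):
            return Verdict("drop", sig.name, i + 1, spent)
    return Verdict("forward", None, len(rules), spent)

def actions_under_load(payload: bytes, loads, budget_us: float = 10.0) -> dict:
    """Map each load multiplier to the action the model takes on `payload`."""
    return {load: inspect(payload, RULE_BASE, budget_us, load).action for load in loads}

if __name__ == "__main__":
    for load, action in actions_under_load(ATTACK_PAYLOAD, (1.0, 1.5, 2.0)).items():
        print(f"load x{load}: attack payload -> {action}")
```

At idle the model reaches the fifth rule within its 10 microsecond budget and drops the attack packet; at 1.5x load the cumulative cost of the first four rules already leaves too little budget for the fifth, so the same packet is forwarded with `signatures_checked` short of the full list. Whether that event is counted, logged and reported separately from ordinary forwards is the metric a buyer would want a test lab to publish alongside throughput.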
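Srini's point is that the report's "5,000 CPS per Gigabit" has to be multiplied out for a 10G box, and that header overhead then pushes the wire rate above the application goodput. The script below carries that arithmetic through explicitly; it is an added worked example for this page, not a calculation from the thread or from the NSS report. The Ethernet framing constants, the 1460-byte MSS, the 300-byte request size and the packet-count model for one HTTP connection are all assumptions chosen to make the overhead visible, not measured values.

```python
import math

# Constructed link-layer model for the estimate below; these constants are
# assumptions for illustration, not figures from the thread or the NSS report.
PREAMBLE_IFG = 8 + 12       # preamble + inter-frame gap: occupy the wire, not part of the frame
ETH_HDR_FCS = 14 + 4        # Ethernet header + FCS
MIN_FRAME = 64              # minimum Ethernet frame (header through FCS); shorter frames are padded
IP_TCP = 20 + 20            # IPv4 + TCP headers without options
MSS = 1460                  # 1500-byte MTU minus the 40 bytes of IP/TCP headers

def wire_bytes(tcp_payload: int) -> int:
    """Bytes one TCP segment occupies on an Ethernet link, including padding and gap."""
    frame = max(MIN_FRAME, ETH_HDR_FCS + IP_TCP + tcp_payload)
    return frame + PREAMBLE_IFG

def segments_per_connection(response_bytes: int, request_bytes: int) -> list:
    """TCP payload sizes of every segment in one modelled HTTP request/response connection."""
    full, last = divmod(response_bytes, MSS)
    response = [MSS] * full + ([last] if last else [])
    # Empty segments (assumed): 3-way handshake, one delayed ACK per two
    # response segments, and a four-segment close (FIN/ACK each way).
    empty = 3 + math.ceil(len(response) / 2) + 4
    return [0] * empty + [request_bytes] + response

def goodput_bps(cps: int, response_bytes: int) -> int:
    """Application bytes per second, the way the '21Kbytes * 5000' reading counts them."""
    return cps * response_bytes * 8

def wire_bps(cps: int, response_bytes: int, request_bytes: int = 300) -> int:
    """Wire-level bits per second for the same connection rate, with all headers counted."""
    per_conn = sum(wire_bytes(p) for p in segments_per_connection(response_bytes, request_bytes))
    return cps * per_conn * 8

if __name__ == "__main__":
    # 5,000 CPS per Gbit of a 10G box, read as Srini reads it: 50,000 CPS in total.
    for cps in (5_000, 50_000):
        print(f"{cps:>6} CPS: goodput {goodput_bps(cps, 21_000) / 1e9:.2f} Gbps, "
              f"on the wire {wire_bps(cps, 21_000) / 1e9:.2f} Gbps")
```

With 21,000-byte responses, 5,000 CPS is 0.84 Gbps of goodput, which is the per-Gigabit figure in Ravi's reading; at 50,000 CPS that becomes 8.4 Gbps, Srini's "around 8.5Gbps". Counting every header, padded ACK and inter-frame gap under the assumed model lifts the same load to about 9.5 Gbps on the wire, which is why the goodput-versus-wire-rate convention matters whenever a report quotes a throughput beside a CPS figure.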
Current thread:
- Re: 10Gbps IPS - what you need to know Ravi Chunduru (Mar 02)
- Re: 10Gbps IPS - what you need to know Ravi Chunduru (Mar 05)
- Re: 10Gbps IPS - what you need to know Joel M Snyder (Mar 05)
- Re: 10Gbps IPS - what you need to know Jeremy Bennett (Mar 05)
- Re: 10Gbps IPS - what you need to know Ravi Chunduru (Mar 05)
- RE: 10Gbps IPS - what you need to know Addepalli Srini-B22160 (Mar 06)
- RE: 10Gbps IPS - what you need to know Vikram Phatak (Mar 06)
- Re: 10Gbps IPS - what you need to know Ravi Chunduru (Mar 05)