Re: ASIC-based vs. Software-based Security Platform

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 08/27/03

  • Next message: Guy Bruneau: "Release of Shadow/Snort IDS version 3.1" 
    Date: Tue, 26 Aug 2003 23:17:15 -0400
To: <focus-ids@securityfocus.com>

    At 05:29 PM 8/26/2003 -0400, Klaus, Chris (ISSAtlanta) wrote:
    >Several security companies have been touting that ASIC (Application
    >Specific Integrated Circuit) hardware-based appliances are the future of
    >network security. I put together a whitepaper that compares ASIC-based
    >and software-based security platforms, especially as they relate to IDS
    >and the future direction of IDS. The security whitepaper is available at:
    >
    > http://www.issadvisor.com/viewtopic.php?t=368
    >
    >Like to get feedback and comments on the whitepaper.

    I think you make some good points, but are being biased.
    (apologies up front for the long email)

    [*] Adaptive Security

    I agree it is easier to distribute a complete software
    re-write than a complete ASIC redesign. However, on the
    commercial side, a complete rewrite often implies a
    re-purchase of the commercial product. ASIC systems are
    not all hard-coded in silicon either. They tend to take
    APIs (such as pattern matching) and accelerate them in
    chips.

    [*] Security Platform

    I like the option of running my NIDS at the host or on
    the network, but if its the same technology, then I think
    it is overkill. I really like the idea of running different
    IDS technologies at the host and the network and think
    that running two different technologies offers good defense
    in depth.

    [*] Vulnerability Detection

    Most of the VA/IDS correlation I've been looking at does
    seem to occur in software either on the IDS sensor or
    on some back-end system. I'm not convinced there is enough
    info in the packet stream to do VA/IDS reliably without
    an active scan though and would claim this is not as
    serious of a problem.

    [*] Security Convergence

    When I worked for Enterasys, we had customers who would
    have died for a device that did IDS, VPN, firewall, SSL
    acceleration, virus, VOIP, conent filtering etc. all in
    one box at a cheap price. The closest thing I've seen
    to this is Fortinet. I can't say it's NIDS is as good
    as Snort, ISS or whatever, but I can say if I had to
    deploy several hundred of these things all over the
    world, I'd rather go with one device than deploy several
    hundred of each type of network device.

    For big gateways, I want a sophisticated firewall and
    IDS watching over things, but most people don't have the
    resources to take that same technology and deploy it
    throughout their infrastructure.

    [*] Application Proxies

    I agree with you that many folks are tired of slow firewalls
    with application proxies, but I don't agree that this has
    to be done in software. There are plenty of hardware based
    app proxies being sold right now.

    [*] Security Blades

    I agree it's easier to re-deploy software than to re-deploy
    new ASICs, however, there is a LOT of resistance to put anything
    with a hard drive, fan or other moving part into an important
    router or switch. I really don't want my routers running SQL,
    Apache, IIS, etc.

    [*] Foundation Engine

    Yep. If someone takes firewall code, and bolts on some pattern
    matching, they don't have an enterprise-class IDS. On the other
    hand, I like that my $35 Dlink WAP will do content filtering
    and alert me for basic port scans. If someone does design a
    security platform from scratch though and they use ASICs, they
    can get around a lot of these issues.

    [*] Security Flaws

    You are right that both ASIC based and software based solutions
    can have security flaws, but its much more likely that a software
    solution which relies on SQL, IIS, Apache, etc. will get hit than
    an ASIC with some sort of proprietary management scheme. I think
    the ASIC vendors (Intruvert, Fortinet, etc.) have a valid point
    when they claim that most IDS boxes are typically some of the
    *worse* maintained security devices on the network.

    [*] Performance

    I have a hard time with some of your arguments, mostly because
    I think that performance has nothing to do with the relevancy of
    ASICs vs. software. If you put software on fast chips, it may
    run faster.

    Of course in any particular test, with any particular build,
    some NIDS will see things, and some NIDS wont. To pick that
    NetScreen was dropping some packets, and that ISS was working
    well at 1 G/b is misleading. I've spent a lot of time with
    different NIDS since I left Enterasys, and all of these guys
    do things very different and have many different strengths and
    weaknesses. Each NIDS engineering team always feels that the
    test didn't show their best features and performance.

    One thing I do belive though is that the race to get to 1 Gb
    performance for a NIDS was the wrong race. The industry should
    have been building integrated and cheap T1, DSL and T3 devices.

    [*] Manufacturing Costs

    I strongly disagree here. If this were the case, all of the
    routers and switches would be running on NT dell servers.

    -----

    Good paper. Obviously I disagree with some of what you say, but
    I think that anyone participating in the buying cycle of an
    ASIC based vs. software based NIDS or integrated security device
    should read it.

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com

    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier
    technical IT security event. Modeled after the famous Black Hat event in
    Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
    Symanetc is the Diamond sponsor. Early-bird registration ends September 6 Visit: www.blackhat.com
    ---------------------------------------------------------------------------

  • Next message: Guy Bruneau: "Release of Shadow/Snort IDS version 3.1"

    Relevant Pages