Re: performance metrics for IPS systems?

• Previous message: Thomas Ptacek: "Re: Intrushield vs. ISS once more..."
• In reply to: p z: "performance metrics for IPS systems?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 9 Jan 2005 08:49:51 -0500
To: p z <peterzulu@gmail.com>

> I'm planning on demanding that the IPS systems perform at >225,000
> packets/second (100% of packets inspected) with <.5ms latency per
> packet. Is this reasonable for an IPS?

Just be careful how you measure that .5ms latency limit. If you do a
single ping without background traffic against an IPS that does
interrupt polling then you'll see latency of about 1ms or 10ms
(depending on the underlying operating system used). That latency
will start to drop once you have over 1000pps and will gradually
converge towards zero.

I'm not sure which IPS vendors do interrupt polling to gain performance.
It wasn't worth it for us.

> - What is the acceptable/standard latency per packet for an IPS?

Humans begin to notice latency at about the 200ms mark (call it 100ms to
account for the return packet). TCP behavior changes at 30-100ms unless
the stack does round trip time measurements. Online gamers get cranky
at the 80-100ms mark.

That being said, you probably won't find an IPS that introduces more than
1ms of latency.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

• Previous message: Thomas Ptacek: "Re: Intrushield vs. ISS once more..."
• In reply to: p z: "performance metrics for IPS systems?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: performance metrics for IPS systems? ... hight traffic load with low latency on some "diffused" IPS. ... I can tell you will have problem with some IPS product with that high ... with that number of packet (225,000 packet/s ... (Focus-IDS) RE: performance metrics for IPS systems? ... Is this reasonable for an IPS? ... I would also insist on 0% packet loss. ... You SHOULDN'T find an IPS that introduces this amount of latency, ... >CORE IMPACT. ... (Focus-IDS) Re: performance metrics for IPS systems? ... Take a look at our IPS group tests if you are interested in such performance ... We go into some details regarding acceptable latencies of Gigabit ... >> Just be careful how you measure that .5ms latency limit. ... (Focus-IDS) Re: IPS Reliability/Availability ... You should also check for controllable latency. ... A box could be technically "up", but having problems and introducing latency. ... You should ask each vendor why they might add latency, what happens when CPU's get taxed too high, if latency is controllable. ... the IPS fails, the traffic routed straight throught the network with no IPS ... (Focus-IDS) IPS test criteria (was IDSIPS that can handle one Gig) ... Chris - what makes ICSA particularly relevant when it comes to defining IPS ... Speak to the vendors who were at their recent forum meeting ... a wide range of traffic loads and packet sizes. ... wide range of test criteria). ... (Focus-IDS)