Re: performance metrics for IPS systems?

From: Mike Frantzen (frantzen_at_nfr.com)
Date: 01/09/05

    Date: Sun, 9 Jan 2005 08:49:51 -0500
    To: p z <peterzulu@gmail.com>
    
    

    > I'm planning on demanding that the IPS systems perform at >225,000
    > packets/second (100% of packets inspected) with <.5ms latency per
    > packet. Is this reasonable for an IPS?

    Just be careful how you measure that .5ms latency limit. If you do a
    single ping without background traffic against an IPS that does
    interrupt polling then you'll see latency of about 1ms or 10ms
    (depending on the underlying operating system used). That latency
    will start to drop once you have over 1000pps and will gradually
    converge towards zero.

    I'm not sure which IPS vendors do interrupt polling to gain performance.
    It wasn't worth it for us.

    > - What is the acceptable/standard latency per packet for an IPS?

    Humans begin to notice latency at about the 200ms mark (call it 100ms to
    account for the return packet). TCP behavior changes at 30-100ms unless
    the stack does round trip time measurements. Online gamers get cranky
    at the 80-100ms mark.

    That being said, you probably won't find an IPS that introduces more than
    1ms of latency.

    .mike
    frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
    PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
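
An added example, not part of the message above or of any vendor's tooling: a checker that scores a latency test run against the requirement quoted in the question (>225,000 packets/second, <0.5 ms per packet), so that an idle single-ping probe is not mistaken for the result under load. The timestamps are constructed sample data, and treating a run taken below the required rate as inconclusive is an assumption of this example.

```python
import math

# Requirement quoted in the thread: >225,000 packets/second, <0.5 ms per packet.
MIN_PPS = 225_000
MAX_LATENCY_S = 0.0005

def percentile(sorted_vals, p):
    """Nearest-rank percentile of an already sorted list (None if empty)."""
    if not sorted_vals:
        return None
    rank = max(1, math.ceil(p / 100 * len(sorted_vals)))
    return sorted_vals[rank - 1]

def summarize(samples):
    """samples: (t_in, t_out) per packet in seconds; t_out is None if dropped."""
    sent = sorted(t_in for t_in, _ in samples)
    span = sent[-1] - sent[0]
    lat = sorted(t_out - t_in for t_in, t_out in samples if t_out is not None)
    return {
        "pps": (len(sent) - 1) / span if span > 0 else 0.0,
        "loss": 1 - len(lat) / len(samples),
        "p50": percentile(lat, 50),
        "p99": percentile(lat, 99),
        "max": lat[-1] if lat else None,
    }

def verdict(s):
    """Judge a run only if it was taken at the load the requirement names."""
    if s["pps"] <= MIN_PPS:
        return "inconclusive: offered load below requirement"
    if s["loss"] > 0:
        return "fail: packets dropped"
    return "pass" if s["max"] < MAX_LATENCY_S else "fail: latency"

# Constructed sample data (not measurements from any product).
# Idle probe: 5 pings one second apart, each delayed about 1 ms.
IDLE = [(float(i), i + 0.001) for i in range(5)]
# Loaded run: 50,000 packets at 250,000 pps, 40 us each, every 1000th at 120 us.
LOADED = [(i / 250_000, i / 250_000 + (120e-6 if i % 1000 == 0 else 40e-6))
          for i in range(50_000)]

if __name__ == "__main__":
    for name, run in (("idle", IDLE), ("loaded", LOADED)):
        s = summarize(run)
        print(name, round(s["pps"]), f'{s["p99"] * 1e6:.0f}us', verdict(s))
```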
