Re: IDS\IPS that can handle one Gig

From: James Blake (jblake_at_tippingpoint.com)
Date: 05/25/05

    Date: 25 May 2005 10:02:45 -0000
    To: focus-ids@securityfocus.com
    
    
    In-Reply-To: <BAY103-DAV2CDA0AE7EB5D8601EB25EBA080@phx.gbl>

    >From: "Randall Jarrell" <rgj@msn.com>
    >To: <focus-ids@securityfocus.com>
    >Subject: IDS\IPS that can handle one Gig
    >Date: Thu, 19 May 2005 08:28:13 -0700
    >
    >We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom
    >I will not name unless you ask me, that have made claims that they can
    >handle a Gig of throughput but actually start to fail around the 300-500MB
    >range.
    >
    >Could anyone share a success story of a vendor they are using that is
    >handling this type of traffic?
    >
    >Thanks in advance,
    >
    >-RGJ

    As Kos mentions in a follow-up posting below, TippingPoint have a
    range of products that cover from 50 Mbps to 5 Gbps aggregate
    bandwidth (they apply the filters in both directions, so you can have 5
    Gbps total). The 2400 appliance will do the job.

    I hear what you are saying about IPSes either failing open or failing
    closed when you start to push them to their limits. This is mainly due
    to the fact that a lot of them are extensions of IDS architectures, and
    IDSes were designed to take all the time in the world analysing as no
    real-time decisions needed to be taken. IPSes on the other hand
    require very quick decisions, so any form of buffering increases the
    latency (so much so that under strain some time-sensitive applications
    like Fibre Channel over IP, Ethernet Encapsulated Fibre Channel and
    VoIP can fail), also any architecture with buffering is open to DoS.

    Have a look at http://tomahawk.sourceforge.net - this is an Open
    Source project that TippingPoint released. It allows you to build a
    PC-based IPS testing engine that can pump out about 300 Mbps; the
    architecture allows you to strap multiple Tomahawks together so you
    can push the capacity well above 1 Gbps. TippingPoint released this
    into the public domain so that coders can see the tests are not rigged,
    but anyone is free to use this tool to push any IPS they are evaluating
    over 1 Gbps and see how it reacts.

    I would recommend having a look at the TippingPoint appliances, but I
    would as I am their Senior Sales Engineer for the UK ;-)

    Good luck with the testing!

    James
