Re: IDS\IPS that can handle one Gig

From: Jonathan Glass (jonathan.glass_at_gmail.com)
Date: 05/29/05

    Date: Sun, 29 May 2005 13:39:33 -0400
    To: Andrew Plato <andrew.plato@anitian.com>
    
    

    Well, as a greedy IPS reseller, what would you recommend to handle 4
    10Gig connections for real-time IPS/IDS protection? That's where we
    are, and we're having trouble finding ANY vendor who can come close to
    keeping up with us. Frankly, we find that we're about 18-24 months
    ahead of any vendors, and are wondering whether there's any benefit to a
    true IPS, or if we should stick to netflow analysis and deep-packet IDS
    (when capable of keeping up), and write scripts to block attacks. Your
    thoughts?

    Jonathan Glass
    InfoSecEngineer III
    Georgia Institute of Technology

    Andrew Plato wrote:

    >DISCLAIMER: I am a greedy IPS reseller. ;-)
    >
    >Lots of IPSs can handle 1GB.
    >
    >TippingPoint 1200, 2400, or 5000 (5GB!)
    >ISS G1000, G2000
    >FortiGate 1000 or better
    >Juniper
    >Etc.
    >
    >Lots of them fail at 1GB because that's a buttload-O-packets to handle.
    >Especially if they're little UDP packets. The thing is, they can say
    >they're rated to 1GB because they can, theoretically, handle 1GB. But,
    >the only way to get there is with a paltry policy set that only checks a
    >few things.
    >
    >If you need raw ungodly performance, you might want to stick to the
    >ASIC-based IPSs. They tend to be faster and have a much lower latency.
    >This would be TippingPoint and Fortigate. I don't think McAfee uses
    >ASICs, but I don't know. ISS, Juniper, Symantec, Cisco, etc. are all
    >software running on some OS.
    >
    >ASICs also have the added benefit that they are more secure as an
    >appliance. It's almost totally impossible to crack an ASIC-based system.
    >The OS-based IPSs usually run on top of some hardened Linux or BSD
    >kernel. Which means, it's possible (although unlikely) that a root
    >exploit to the Linux kernel could turn your security appliance into an
    >insecurity appliance.
    >
    >___________________________________
    >Andrew Plato, CISSP
    >President/Principal Consultant
    >Anitian Enterprise Security
    >
    >
    >
    >-----Original Message-----
    >From: Randall Jarrell [mailto:rgj@msn.com]
    >Sent: Thursday, May 19, 2005 8:28 AM
    >To: focus-ids@securityfocus.com
    >Subject: IDS\IPS that can handle one Gig
    >
    >Greetings,
    >
    >We are currently evaluating IDS\IPS vendors. We have tried two vendors,
    >whom I will not name unless you ask me, that have made claims that they
    >can handle a Gig of throughput but actually start to fail around the
    >300-500MB range.
    >
    >Could anyone share a success story of a vendor they are using that is
    >handling this type of traffic?
    >
    >Thanks in advance,
    >
    >-RGJ
    >
    >------------------------------------------------------------------------
    >--
    >
    >Test Your IDS
    >
    >Is your IDS deployed correctly?
    >Find out quickly and easily by testing it with real-world attacks from
    >CORE IMPACT.
    >Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    >to learn more.
    >------------------------------------------------------------------------
    >--
