Re: IDS\IPS that can handle one Gig

From: Per Engelbrecht (per_at_xterm.dk)
Date: 05/31/05

    Date: Tue, 31 May 2005 10:21:23 +0200
    To: "Barrett G.Lyon" <blyon@prolexic.com>, focus-ids@securityfocus.com
    
    

    Barrett G.Lyon wrote:

    (I'll top-post this one)

    Hi Barrett
    This is by far the most thorough explanation I've read in a while.
    I've had some trouble with IDS in our ISP-related setup when using GigE
    SPAN ports to GigE stations. Now I know why.
    Thank you!

    respectfully
    /per
    per@xterm.dk

    > Randall,
    >
    > At Prolexic we have tested, used, and worked with most current IPS
    > platforms. They all make claims of "multi-gig" functionality, when in
    > reality, each one can only handle those traffic levels in very specific
    > lab conditions designed just to prove the point that they can actually
    > pass a "gigabit" of traffic. When on a real network with who-knows-what
    > flowing over the wire, gigabit speeds on an IPS doing useful stuff is
    > rather hard to achieve.
    >
    > The definition of "gigabit" seems to vary from vendor to vendor; some
    > call their hardware multi-gigabit just because they have more than one
    > GigE interface on the device: 4 GigE interfaces in that configuration
    > means the device can do 4 gigabit - not 2 ingress/egress for a total of
    > 2 gigabit, but a total of 4 gigabit.
    > See: http://www.toplayer.com/content/cm/pr131.jsp for an example of
    > the above.
    >
    > I'm sure every IPS vendor would be at 10 gigabit today if the 10 Gigabit
    > ports were at a low cost, but then their processing engines would not
    > support that packet rate and we would be where we are today with current
    > 1 gigabit IPS devices.
    >
    > Further, to do a gigabit of traffic on a single link may not be that
    > bright as well. One would hope that a gig of traffic would have been
    > split across several gigabit interfaces all running at a lower average
    > bandwidth so you can burst and allot for failures.
    >
    > What we are finding is that to terminate and process more than one gigabit of
    > traffic is difficult; some modern gigabit switches do not do "trunking"
    > or OSPF load balanced multiple gige interfaces very well (destination
    > mac addresses can be the same causing load balancing algorithms to do
    > goofy stuff), so just having the capacity to do more than a gig can get
    > rather tricky. When you put an IPS in-line with an already difficult
    > environment ( or a pair of IPS devices) you run into state table
    > synchronization issues, symmetrical routing problems, and a whole lot of
    > other messy stuff.
    >
    > I could keep going on and on about IPS failures we have experienced but
    > that would not do anyone any good. When it comes down to it, each
    > device on the market seems to excel at one or two items and the rest of
    > the "features" beyond what they are good at appear to mostly be bolt-on
    > for marketing.
    >
    >
    > Here are a few high-throughput IPS shopping tips:
    >
    > 1) Identify what the IPS is to do, if that's "everything" then you
    > should adjust your expectations.
    > a) If it's to do DDoS mitigation, what aspects of mitigation? No
    > box can stop all of the attacks correctly, so don't expect to stop all
    > of your problems with an IPS, in most cases they can cause more problems
    > than you could imagine.
    > b) If it's doing string matching, what exact signatures do you need
    > - the less you run the more throughput you will see.
    >
    > 2) Understand your traffic and how the IPS will work with that traffic
    > a) If your traffic is just HTTP stuff, your IPS could do well doing
    > limited checks to add value.
    > b) If your traffic is mixed (ISP) then good luck unless you are
    > trying to stop a specific worm or rate limit stuff.
    > c) If you are dealing with encryption, then an IPS can't do much for
    > you, unless you are decrypting and re-encrypting your traffic.
    >
    > 3) Understand the underlying mechanism that the hardware uses to do its
    > job.
    > a) String matching may be good, but what about fragments?
    > b) What type of algorithmic things does it do to your traffic?
    > c) Does it do some sort of in-line tricks with the packets?
    >
    > 4) Never listen to sales people
    >
    > 5) Don't trust "industry" tests, they are just bought logos. Real world
    > testing of a device takes many months and must meet criteria that nobody
    > would ever expect (people build interesting networks out there.)
    >
    >
    > I would suggest you do a demo and a bake off with your vendors as well.
    > After you get demo IPS units, go buy an Ixia and verify that the
    > device will do what it says it will and _do not_ put it in-line with
    > your production traffic as a test. In 100% of the cases we have worked
    > with, the box performed much lower than it was advertised and in some
    > cases a feature is just a ruleset that denies traffic rather than
    > cleaning traffic. There are also "side effects" that are very
    > unexpected with all the different IPS devices. A good expectation is
    > that a gigabit IPS can do about 50% of line rate on most things and full
    > line rate on some things.
    >
    > Good luck and happy shopping,
    >
    > -Barrett
    >
    >
    >
    > Barrett G. Lyon
    > Founder & CTO
    > Prolexic Technologies - The leaders in DDoS Security!
    >
    >

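An added illustration, not code from the thread or from Prolexic: a small Python scorer for the bake-off Barrett describes, converting a traffic generator's counters into packets per second, comparing them with Ethernet line rate for the frame size used, and applying his "about 50% of line rate" expectation; the port-count function captures the "4 GigE interfaces means 4 gigabit" claim versus what can actually transit an in-line box. All counters are constructed sample values.

```python
# Added example, not code from the thread. Constructed bake-off counters for a
# 1 GigE in-line IPS are scored against Ethernet line rate and against the
# "about 50% of line rate" expectation stated in the post.
PREAMBLE_AND_IFG = 20  # 8-byte preamble/SFD + 12-byte inter-frame gap per frame

def line_rate_pps(link_bps: int, frame_bytes: int) -> float:
    """Max frames/s a link carries at one L2 frame size (FCS included in size)."""
    return link_bps / ((frame_bytes + PREAMBLE_AND_IFG) * 8)

def transit_capacity(gige_ports: int, claimed_bps: int) -> dict:
    """Port-sum marketing vs. what can cross an in-line box: each forwarded
    frame occupies one ingress and one egress port, so transit is half the sum."""
    port_sum = gige_ports * 1_000_000_000
    return {"claimed_bps": claimed_bps, "port_sum_bps": port_sum,
            "max_transit_bps": port_sum // 2}

def score_run(frame_bytes: int, pkts_offered: int, pkts_forwarded: int,
              seconds: float, link_bps: int = 1_000_000_000) -> dict:
    """Score one generator run: offered/forwarded rates relative to line rate,
    loss, and whether the device clears the 50%-of-line-rate bar."""
    line_pps = line_rate_pps(link_bps, frame_bytes)
    offered_pps = pkts_offered / seconds
    fwd_pps = pkts_forwarded / seconds
    return {
        "frame_bytes": frame_bytes,
        "offered_pct_of_line": round(100 * offered_pps / line_pps, 1),
        "forwarded_pct_of_line": round(100 * fwd_pps / line_pps, 1),
        "loss_pct": round(100 * (1 - pkts_forwarded / pkts_offered), 1),
        "meets_half_line_rate": fwd_pps >= 0.5 * line_pps,
    }

def constructed_bakeoff() -> list:
    """Constructed sample counters (not real measurements): same link, two
    frame sizes, so the packet-rate ceiling of the engine shows up."""
    runs = [  # (frame_bytes, pkts_offered, pkts_forwarded, seconds)
        (64, 14_880_952, 5_200_000, 10.0),   # ~line-rate pps: engine saturates
        (1518, 812_743, 800_000, 10.0),      # same bit rate, ~18x fewer packets
    ]
    return [score_run(*r) for r in runs]

if __name__ == "__main__":
    print(transit_capacity(4, 4_000_000_000))
    for s in constructed_bakeoff():
        print(s)
```

The two runs carry the same bit rate but very different packet rates, which is why a device that passes large-frame tests can still collapse on small frames.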