Re: IDS\IPS that can handle one Gig
From: Per Engelbrecht (per_at_xterm.dk)
Date: 05/31/05
- Next in thread: Peter Schawacker: "Re: IDS\IPS that can handle one Gig"
- Maybe reply: Ed Gibbs: "Re: IDS\IPS that can handle one Gig"
- Maybe reply: Bob Walder: "Re: IDS\IPS that can handle one Gig"
- Maybe reply: Ed Gibbs: "Re: IDS\IPS that can handle one Gig"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 31 May 2005 10:21:23 +0200
To: "Barrett G.Lyon" <blyon@prolexic.com>, focus-ids@securityfocus.com
Barrett G.Lyon wrote:
(I'll top-post this one)
Hi Barrett
This is by far the most thorough explanation I've read in a while.
I've had some trouble with IDS in our ISP-related setup when using GigE
SPAN ports to GigE stations. Now I know why.
Thank you!
respectfully
/per
per@xterm.dk
> Randall,
>
> At Prolexic we have tested, used, and worked with most current IPS
> platforms. They all make claims of "multi-gig" functionality, when in
> reality, each one can only handle those traffic levels in very specific
> lab conditions designed just to prove the point that they can actually
> pass a "gigabit" of traffic. When on a real network with who-knows-what
> flowing over the wire, gigabit speeds on an IPS doing useful stuff is
> rather hard to achieve.
>
> The definition of "gigabit" seems to vary from vendor to vendor; some
> call their hardware multi-gigabit just because they have more than one
> GigE interface on the device: 4 GigE interfaces in that configuration
> means the device can do 4 gigabit - not 2 ingress/egress for a total of
> 2 gigabit, but a total of 4 gigabit.
> See: http://www.toplayer.com/content/cm/pr131.jsp for an example of
> the above.
>
> I'm sure every IPS vendor would be at 10 gigabit today if the 10 Gigabit
> ports were at a low cost, but then their processing engines would not
> support that packet rate and we would be where we are today with current
> 1 gigabit IPS devices.
>
> Further, to do a gigabit of traffic on a single link may not be that
> bright as well. One would hope that a gig of traffic would have been
> split across several gigabit interfaces all running at a lower average
> bandwidth so you can burst and allow for failures.
>
> What we are finding is that terminating and processing more than one gigabit of
> traffic is difficult; some modern gigabit switches do not do "trunking"
> or OSPF load balanced multiple gige interfaces very well (destination
> mac addresses can be the same causing load balancing algorithms to do
> goofy stuff), so just having the capacity to do more than a gig can get
> rather tricky. When you put an IPS in-line with an already difficult
> environment ( or a pair of IPS devices) you run into state table
> synchronization issues, symmetrical routing problems, and a whole lot of
> other messy stuff.
>
> I could keep going on and on about IPS failures we have experienced but
> that would not do anyone any good. When it comes down to it, each
> device on the market seems to excel at one or two items and the rest of
> the "features" beyond what they are good at appear to mostly be bolt-on
> for marketing.
>
>
> Here are a few high-throughput IPS shopping tips:
>
> 1) Identify what the IPS is to do, if that's "everything" then you
> should adjust your expectations.
> a) If it's to do DDoS mitigation, what aspects of mitigation? No
> box can stop all of the attacks correctly, so don't expect to stop all
> of your problems with an IPS, in most cases they can cause more problems
> than you could imagine.
> b) If it's doing string matching, what exact signatures do you need
> - the less you run the more throughput you will see.
>
> 2) Understand your traffic and how the IPS will work with that traffic
> a) If your traffic is just HTTP stuff, your IPS could do well doing
> limited checks to add value.
> b) If your traffic is mixed (ISP) then good luck unless you are
> trying to stop a specific worm or rate limit stuff.
> c) If you are dealing with encryption, then an IPS can't do much for
> you, unless you are decrypting and re-encrypting your traffic.
>
> 3) Understand the underlying mechanism that the hardware uses to do its
> job.
> a) String matching may be good, but what about fragments?
> b) What type of algorithmic things does it do to your traffic?
> c) Does it do some sort of in-line tricks with the packets?
>
> 4) Never listen to sales people
>
> 5) Don't trust "industry" tests, they are just bought logos. Real world
> testing of a device takes many months and must meet criteria that nobody
> would ever expect (people build interesting networks out there.)
>
>
> I would suggest you do a demo and a bake off with your vendors as well.
> After you get demo IPS units, go buy an Ixia and verify that the
> device will do what it says it will and _do not_ put it in-line with
> your production traffic as a test. In 100% of the cases we have worked
> with, the box performed much lower than it was advertised and in some
> cases a feature is just a ruleset that denies traffic rather than
> cleaning traffic. There are also "side effects" that are very
> unexpected with all the different IPS devices. A good expectation is
> that a gigabit IPS can do about 50% of line rate on most things and full
> line rate on some things.
>
> Good luck and happy shopping,
>
> -Barrett
>
>
>
> Barrett G. Lyon
> Founder & CTO
> Prolexic Technologies - The leaders in DDoS Security!
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------
>
>
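The quoted post makes the point that "gigabit" is ambiguous because a device's limit is usually packets per second, not bits per second, and that a bake-off should measure the box against line rate. The following is an added worked example (not code from the thread or from any vendor or test tool) that turns a frame size, or a frame-size mix, into the frame rate and per-frame time budget a gigabit link actually demands, and converts a measured packet rate into a fraction of line rate. The 7:4:1 mix of 64/570/1518-byte frames and the 700,000 pps device figure are constructed inputs chosen for illustration.

```python
"""Line-rate frame budget for Ethernet IPS/IDS bake-offs (added example).

Ethernet carries PREAMBLE_SFD + IFG bytes of overhead per frame on the
wire in addition to the frame itself, so the maximum frame rate at a
given bit rate depends on frame size. The RFC 2544 sizes below are the
standard sweep a traffic generator such as an Ixia would run.
"""

PREAMBLE_SFD = 8      # bytes of preamble + start-of-frame delimiter
IFG = 12              # bytes of inter-frame gap
ETH_HDR_FCS = 18      # 14-byte header + 4-byte FCS inside the frame
RFC2544_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)

# Constructed 7:4:1 "simple IMIX" style mix; weights are relative counts.
SIMPLE_IMIX = {64: 7, 570: 4, 1518: 1}


def wire_bits(frame_bytes: int) -> int:
    """Bits consumed on the wire by one frame, including preamble and IFG."""
    return (frame_bytes + PREAMBLE_SFD + IFG) * 8


def max_fps(frame_bytes: int, line_rate_bps: float = 1e9) -> float:
    """Maximum frames per second of a fixed size at the given line rate."""
    return line_rate_bps / wire_bits(frame_bytes)


def mix_fps(mix: dict, line_rate_bps: float = 1e9) -> float:
    """Frames per second for a weighted size mix filling the link."""
    total_weight = sum(mix.values())
    avg_wire_bits = sum(w * wire_bits(size) for size, w in mix.items()) / total_weight
    return line_rate_bps / avg_wire_bits


def ns_per_frame(frame_bytes: int, line_rate_bps: float = 1e9) -> float:
    """Processing time budget per frame if every frame must be inspected."""
    return 1e9 / max_fps(frame_bytes, line_rate_bps)


def payload_goodput_bps(frame_bytes: int, line_rate_bps: float = 1e9) -> float:
    """Bits per second of L2 payload (above Ethernet header/FCS) at line rate."""
    return max_fps(frame_bytes, line_rate_bps) * (frame_bytes - ETH_HDR_FCS) * 8


def line_rate_fraction(dut_pps: float, frame_bytes: int, line_rate_bps: float = 1e9) -> float:
    """Fraction of line rate a device sustaining dut_pps achieves at this frame size (capped at 1.0)."""
    return min(1.0, dut_pps / max_fps(frame_bytes, line_rate_bps))


def sweep(dut_pps: float, line_rate_bps: float = 1e9) -> dict:
    """RFC 2544 size sweep: {frame_size: fraction of line rate} for a measured pps ceiling."""
    return {size: line_rate_fraction(dut_pps, size, line_rate_bps) for size in RFC2544_SIZES}


if __name__ == "__main__":
    for size in RFC2544_SIZES:
        print(f"{size:5d} B: {max_fps(size):>12,.0f} fps  {ns_per_frame(size):>8.1f} ns/frame"
              f"  payload {payload_goodput_bps(size) / 1e6:7.1f} Mb/s")
    print(f"IMIX 7:4:1: {mix_fps(SIMPLE_IMIX):,.0f} fps")
    # Constructed device figure: a box that tops out at 700k pps regardless of size.
    for size, frac in sweep(700_000).items():
        print(f"DUT @700k pps, {size:5d} B frames: {frac:6.1%} of line rate")
```

The sweep is what turns a vendor's "gigabit" claim into a comparable number: a device limited to roughly 700,000 frames per second passes full line rate at 512 bytes and above but under half of line rate at 64 bytes, which matches the 50% rule of thumb in the post. The nanosecond budget column is the figure to hold against whatever per-packet work the inspection engine claims to do.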
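Point 3a in the quoted shopping list asks whether a string-matching engine copes with fragments. The check below is an added example, not code from the thread or from any IPS product: it constructs a single HTTP request whose matched token is split across two TCP segments delivered out of order, then runs it through a naive per-packet matcher and through a minimal stream reassembler. The `cmd\.exe` pattern, the `Segment` type and the reassembler's first-data-wins overlap policy are all assumptions made for the demonstration; real stacks and real IPS engines differ on overlap handling, which is itself a well-known evasion surface.

```python
"""Per-packet matching versus stream reassembly (added example)."""
import re
from dataclasses import dataclass

# Constructed pattern standing in for a content-match rule; not a real ruleset entry.
SIGNATURE = rb"cmd\.exe"


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments, pattern=SIGNATURE) -> bool:
    """Naive engine: inspects each segment's payload in isolation."""
    rx = re.compile(pattern)
    return any(rx.search(seg.payload) for seg in segments)


class StreamReassembler:
    """Minimal one-direction TCP reassembly.

    Buffers out-of-order segments, appends them once contiguous, and keeps
    already-accepted bytes on overlap (first data wins). This is one of
    several policies real stacks use; the choice matters for evasion.
    """

    def __init__(self, isn: int = 0):
        self.next_seq = isn
        self.pending = {}           # seq -> payload, awaiting earlier bytes
        self.stream = bytearray()

    def feed(self, seg: Segment) -> None:
        if seg.seq < self.next_seq:                  # retransmit or overlap
            cut = self.next_seq - seg.seq
            if cut >= len(seg.payload):
                return                               # nothing new
            seg = Segment(self.next_seq, seg.payload[cut:])
        self.pending.setdefault(seg.seq, seg.payload)
        while self.next_seq in self.pending:         # drain contiguous run
            data = self.pending.pop(self.next_seq)
            self.stream += data
            self.next_seq += len(data)


def reassemble(segments, isn: int = 0) -> bytes:
    r = StreamReassembler(isn)
    for seg in segments:
        r.feed(seg)
    return bytes(r.stream)


def stream_match(segments, pattern=SIGNATURE, isn: int = 0) -> bool:
    """Reassembly-aware engine: matches against the contiguous byte stream."""
    return re.search(pattern, reassemble(segments, isn)) is not None


# Constructed request: the token straddles the segment boundary ("cm" | "d.exe").
REQUEST = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
SPLIT = REQUEST.index(b"cmd.exe") + 2
EVASIVE_SEGMENTS = (                     # delivered out of order on purpose
    Segment(SPLIT, REQUEST[SPLIT:]),
    Segment(0, REQUEST[:SPLIT]),
)
PLAIN_SEGMENTS = (Segment(0, REQUEST),)  # control: whole request in one segment


if __name__ == "__main__":
    for name, segs in (("plain", PLAIN_SEGMENTS), ("split", EVASIVE_SEGMENTS)):
        print(f"{name:6s} per-packet={per_packet_match(segs)!s:5s} "
              f"stream={stream_match(segs)!s:5s}")
```

In a bake-off this is the kind of case to put on the traffic generator alongside the raw throughput sweep: a box that only matches within single packets will post a higher line rate precisely because it skips the reassembly work, and the split request is how you find out which one you are looking at.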