Re: IDS\IPS that can handle one Gig

From: Per Engelbrecht (
Date: 05/31/05

  • Next message: Eric Hines: "RE: New to Snort !!!"
    Date: Tue, 31 May 2005 10:21:23 +0200
    To: "Barrett G.Lyon" <>,

    Barrett G.Lyon wrote:

    (I'll top-post this one)

    Hi Barrett
    This is by far the most thorough explanation I've read in a while.
    I've had some trouble with IDS in our ISP-related setup when using GigE
    SPAN ports to GigE stations. Now I know why.
    Thank you!


    > Randall,
    > At Prolexic we have tested, used, and worked with most current IPS
    > platforms. They all make claims of "multi-gig" functionality, when in
    > reality, each one can only handle those traffic levels in very specific
    > lab conditions designed just to prove the point that they can actually
    > pass a "gigabit" of traffic. When on a real network with who-knows-what
    > flowing over the wire, gigabit speeds on an IPS doing useful stuff is
    > rather hard to achieve.
    > The definition of "gigabit" seems to vary from vendor to vendor; some
    > call their hardware multi-gigabit just because they have more than one
    > GigE interface on the device: 4 GigE interfaces in that configuration
    > means the device can do 4 gigabit - not 2 ingress/egress for a total of
    > 2 gigabit, but a total of 4 gigabit.
    > See: for an example of
    > the above.
    > I'm sure every IPS vendor would be at 10 gigabit today if the 10 Gigabit
    > ports were at a low cost, but then their processing engines would not
    > support that packet rate and we would be where we are today with current
    > 1 gigabit IPS devices.
    > Further, to do a gigabit of traffic on a single link may not be that
    > bright either. One would hope that a gig of traffic would have been
    > split across several gigabit interfaces all running at a lower average
    > bandwidth so you can burst and allot for failures.
    > What we are finding is that terminating and processing more than one
    > gigabit of traffic is difficult; some modern gigabit switches do not do "trunking"
    > or OSPF load balanced multiple gige interfaces very well (destination
    > mac addresses can be the same causing load balancing algorithms to do
    > goofy stuff), so just having the capacity to do more than a gig can get
    > rather tricky. When you put an IPS in-line with an already difficult
    > environment ( or a pair of IPS devices) you run into state table
    > synchronization issues, symmetrical routing problems, and a whole lot of
    > other messy stuff.
    > I could keep going on and on about IPS failures we have experienced but
    > that would not do anyone any good. When it comes down to it, each
    > device on the market seems to excel at one or two items and the rest of
    > the "features" beyond what they are good at appear to mostly be bolt-on
    > for marketing.
    > Here are a few high-throughput IPS shopping tips:
    > 1) Identify what the IPS is to do, if that's "everything" then you
    > should adjust your expectations.
    > a) If it's to do DDoS mitigation, what aspects of mitigation? No
    > box can stop all of the attacks correctly, so don't expect to stop all
    > of your problems with an IPS, in most cases they can cause more problems
    > than you could imagine.
    > b) If it's doing string matching, what exact signatures do you need
    > - the less you run the more throughput you will see.
    > 2) Understand your traffic and how the IPS will work with that traffic
    > a) If your traffic is just HTTP stuff, your IPS could do well doing
    > limited checks to add value.
    > b) If your traffic is mixed (ISP) then good luck unless you are
    > trying to stop a specific worm or rate limit stuff.
    > c) If you are dealing with encryption, then an IPS can't do much for
    > you, unless you are decrypting and re-encrypting your traffic.
    > 3) Understand the underlying mechanism that the hardware uses to do its
    > job.
    > a) String matching may be good, but what about fragments?
    > b) What type of algorithmic things does it do to your traffic?
    > c) Does it do some sort of in-line tricks with the packets?
    > 4) Never listen to sales people
    > 5) Don't trust "industry" tests, they are just bought logos. Real world
    > testing of a device takes many months and must meet criteria that nobody
    > would ever expect (people build interesting networks out there.)
    > I would suggest you do a demo and a bake off with your vendors as well.
    > After you get demo IPS units, go buy an Ixia and verify that the
    > device will do what it says it will and _do not_ put it in-line with
    > your production traffic as a test. In 100% of the cases we have worked
    > with, the box performed much lower than it was advertised and in some
    > cases a feature is just a ruleset that denies traffic rather than
    > cleaning traffic. There are also "side effects" that are very
    > unexpected with all the different IPS devices. A good expectation is
    > that a gigabit IPS can do about 50% of line rate on most things and full
    > line rate on some things.
    > Good luck and happy shopping,
    > -Barrett
    > Barrett G. Lyon
    > Founder & CTO
    > Prolexic Technologies - The leaders in DDoS Security!
    > --------------------------------------------------------------------------
    > Test Your IDS
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > Go to
    > to learn more.
    > --------------------------------------------------------------------------

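A worked calculation, added here and not part of Per's or Barrett's mail, of two points the thread makes: an inspection engine has to sustain a packet rate, not a bit rate, so a "gigabit" claim means very different things at 64-byte and 1518-byte frames; and a full-duplex GigE link mirrored into a single GigE SPAN port can offer up to 2 Gbit/s to a 1 Gbit/s port, which is why SPAN-fed sensors silently drop. Framing constants are standard Ethernet values; the pps budget and utilization figures are constructed inputs, not measurements.

```python
# Ethernet on-the-wire overhead per frame (standard values, not from the thread):
PREAMBLE_SFD = 8   # bytes of preamble + start-of-frame delimiter
IFG = 12           # minimum inter-frame gap, bytes
GIGE = 1_000_000_000  # bits per second


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Maximum frames per second a link can carry for one frame size (incl. FCS)."""
    wire_bits = (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return link_bps / wire_bits


def inspectable_fraction(link_bps: float, pps_budget: float, frame_bytes: int) -> float:
    """Share of line rate an engine limited to pps_budget can actually inspect.

    A 'gigabit' engine that is really a packets-per-second engine will look
    like line rate on large frames and far below it on small ones.
    """
    engine_bps = pps_budget * (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return min(1.0, engine_bps / link_bps)


def span_oversubscription(monitored_links_bps, avg_utilization: float,
                          span_bps: float = GIGE):
    """Mirror full-duplex links into one SPAN port.

    Each monitored link contributes BOTH directions, so a single busy GigE
    link already offers up to 2x the capacity of a GigE SPAN port.
    Returns (offered/span ratio, fraction of mirrored traffic that cannot fit).
    """
    offered = sum(2 * bps * avg_utilization for bps in monitored_links_bps)
    if offered == 0:
        return 0.0, 0.0
    ratio = offered / span_bps
    dropped = max(0.0, 1.0 - span_bps / offered)
    return ratio, dropped


if __name__ == "__main__":
    # Constructed example: an engine rated for 500k packets/s on a GigE link.
    for size in (64, 128, 512, 1518):
        print(f"{size:5d}-byte frames: line rate {line_rate_pps(GIGE, size):>12,.0f} pps, "
              f"500 kpps engine inspects {inspectable_fraction(GIGE, 500_000, size):.0%}")
    # Constructed example: one full-duplex GigE link at 60% utilization each way.
    ratio, dropped = span_oversubscription([GIGE], 0.60)
    print(f"SPAN offered/capacity = {ratio:.2f}x, undeliverable = {dropped:.1%}")
```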
