Re: IDS\IPS that can handle one Gig
From: Peter Schawacker (ps_at_tenablesecurity.com)
Date: 05/31/05
- Previous message: Federated Information Security: "RE: Snort on Gigabit [was Re: IDS\IPS that can handle one Gig]"
- Next in thread: Ed Gibbs: "Re: IDS\IPS that can handle one Gig"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 31 May 2005 10:59:30 -0700 (PDT)
To: Jonathan Glass <jonathan.glass@gmail.com>
Hello Mr. Glass,
Are you running 10Gbps to each host? Where are your choke points? If you have so many choke points that acquisition cost is too great (more and more common these days), consider falling back to the host. More and more these days, I find it best to shift from HIPS to NIPS. High bandwidth utilization environments are often good HIPS candidates.

Another option, and one that many organizations are beginning to favor, is to forget the current, "fashionable" notions of IPS and return to basics -- to focus more closely on vulnerability and information management. I believe that if you have a comprehensive, continuous and meaningful flow of information about the environment and an effective vulnerability remediation program, the need for IPS appliances and agents (band-aids) can be reduced dramatically.
P
--- Jonathan Glass <jonathan.glass@gmail.com> wrote:
> Well, as a greedy IPS reseller, what would you recommend to handle 4 10Gig connections for real-time IPS/IDS protection? That's where we are, and we're having trouble finding ANY vendor who can come close to keeping up with us. Frankly, we find that we're about 18-24 months ahead of any vendors, and are wondering whether there's any benefit to a true IPS, or if we should stick to netflow analysis and deep-packet IDS (when capable of keeping up), and write scripts to block attacks. Your thoughts?
>
> Jonathan Glass
> InfoSecEngineer III
> Georgia Institute of Technology
>
> Andrew Plato wrote:
>
> >DISCLAIMER: I am a greedy IPS reseller. ;-)
> >
> >Lots of IPSs can handle 1GB.
> >
> >TippingPoint 1200, 2400, or 5000 (5GB!)
> >ISS G1000, G2000
> >FortiGate 1000 or better
> >Juniper
> >Etc.
> >
> >Lots of them fail at 1GB because that's a buttload-O-packets to handle. Especially if they're little UDP packets. The thing is, they can say they're rated to 1GB because they can, theoretically, handle 1GB. But the only way to get there is with a paltry policy set that only checks a few things.
> >
> >If you need raw ungodly performance, you might want to stick to the ASIC-based IPSs. They tend to be faster and have a much lower latency. This would be TippingPoint and Fortigate. I don't think McAfee uses ASICs, but I don't know. ISS, Juniper, Symantec, Cisco, etc. are all software running on some OS.
> >
> >ASICs also have the added benefit that they are more secure as an appliance. It's almost totally impossible to crack an ASIC-based system. The OS-based IPSs usually run on top of some hardened Linux or BSD kernel. Which means it's possible (although unlikely) that a root exploit to the Linux kernel could turn your security appliance into an insecurity appliance.
> >
> >___________________________________
> >Andrew Plato, CISSP
> >President/Principal Consultant
> >Anitian Enterprise Security
> >
> >
> >
> >-----Original Message-----
> >From: Randall Jarrell [mailto:rgj@msn.com]
> >Sent: Thursday, May 19, 2005 8:28 AM
> >To: focus-ids@securityfocus.com
> >Subject: IDS\IPS that can handle one Gig
> >
> >Greetings,
> >
> >We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom I will not name unless you ask me, that have made claims that they can handle a Gig of throughput but actually start to fail around the 300-500MB range.
> >
> >Could anyone share a success story of a vendor they are using that is handling this type of traffic?
> >
> >Thanks in advance,
> >
> >-RGJ
...
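Jonathan Glass's alternative above, flow analysis plus scripts that block attacks rather than an inline IPS, is sketched here as an added example that is not part of the thread. It runs over constructed NetFlow-style records (not data from the original posts), flags sources whose fan-out looks like a horizontal or vertical scan, and renders block rules. The record layout, the thresholds and the iptables rule syntax are assumptions chosen for illustration; a real deployment would read the exporter's own format and push to whatever the border device accepts.

```python
"""Flow-based scan detection with scripted blocking (added example).

Assumptions: flow records have already been parsed into Flow objects; the
thresholds and the iptables rendering are illustrative, not from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


# Constructed sample flows: normal web traffic, one source probing port 22
# on many hosts, and one source walking ports on a single host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80, "tcp", 40, 32000),
    Flow("10.0.0.5", "192.0.2.10", 443, "tcp", 22, 18000),
    *[Flow("198.51.100.7", f"192.0.2.{i}", 22, "tcp", 1, 60) for i in range(1, 60)],
    *[Flow("203.0.113.9", "192.0.2.20", p, "tcp", 1, 60) for p in range(1, 120)],
]


def detect_scanners(flows, host_threshold=50, port_threshold=100):
    """Return {src: reason} for sources whose fan-out exceeds a threshold.

    Horizontal scan: one source touching >= host_threshold distinct hosts.
    Vertical scan: one source touching >= port_threshold ports on one host.
    Thresholds are assumed values; tune them to the site's baseline.
    """
    dst_per_src = defaultdict(set)
    ports_per_pair = defaultdict(set)
    for f in flows:
        dst_per_src[f.src].add(f.dst)
        ports_per_pair[(f.src, f.dst)].add(f.dport)

    findings = {}
    for src, dsts in dst_per_src.items():
        if len(dsts) >= host_threshold:
            findings[src] = f"horizontal scan: {len(dsts)} hosts"
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings.setdefault(src, f"vertical scan: {len(ports)} ports on {dst}")
    return findings


def block_rules(findings, allowlist=frozenset()):
    """Render one DROP rule per offending source (iptables syntax assumed).

    The allowlist is the safety valve: automated blocking on flow data can be
    turned against you by spoofed source addresses, so never auto-block
    infrastructure you depend on (DNS, upstream routers, monitoring).
    """
    return [
        f"iptables -I FORWARD -s {src} -j DROP"
        for src in sorted(findings)
        if src not in allowlist
    ]


if __name__ == "__main__":
    hits = detect_scanners(SAMPLE_FLOWS)
    for src, why in hits.items():
        print(f"{src}: {why}")
    for rule in block_rules(hits, allowlist={"203.0.113.9"}):
        print(rule)
```

The script-driven approach keeps the sensor out of the forwarding path, which is what makes it viable at rates no inline box can sustain, but it also means blocks land seconds to minutes after the first packets. Because the trigger is unauthenticated flow metadata, a spoofed flood can make the script block whatever addresses the attacker chooses, so an allowlist and a review queue for anything beyond obvious scanners are part of the design rather than an afterthought.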