RE: IDS\IPS that can handle one Gig

THolman_at_toplayer.com
Date: 06/01/05

  • Next message: Justin.Ross_at_signalsolutionsinc.com: "Re: New to Snort !!!" 
    To: prashant@juniper.net, focus-ids@securityfocus.com
Date: Tue, 31 May 2005 18:54:10 -0400

    Hi Prashant,

    Agreed - with a system based around PCI / Intel architecture (eg Netscreen
    IDP, Check Point Interspect/Smart Defense, Cisco 4200, ISS Proventia to name
    but a few), then it makes sense to turn off various checks to improve
    performance, but at what cost to security?

    Is it acceptable to turn off vital security features just because the shiny
    new IPS system that you've just bought cannot handle doing too many things
    at once?

    Of course not! ...and to be completely brutal, anyone reading this who
    comes across such a situation should send this equipment back to the
    reseller as being unfit for purpose. There are plenty of network IPS's that
    are designed to do the job in hand with built-in ASIC technology (eg McAfee,
    TippingPoint and TopLayer) and offer far more punch for the money.

    There are a whole realm of attacks specifically designed to evade IDS/IPS
    devices through use of fragments. The theory being that with fragmented
    traffic, an attack can spread itself across multiple packets, which all get
    past string search engines that are looking for a complete string, rather
    than bits of it.

    With an IDS, this isn't a problem - the IDS can sit to one side, observe the
    packets coming in, take note once it has seen a stream of fragments and
    reassembled them, and quite happily spend a couple of seconds catching up
    with other stuff before it sends alerts about any signature matches it finds
    in both normal and reassembled traffic.

    However, with an IPS, you're supposed to be analysing network traffic at
    line speeds, and you do not have the luxury of hanging around whilst a
    machine designed for client/server purposes works out whether or not there's
    an attack concealed within fragments. After all, most fragmented traffic is
    genuine traffic - you need to let it through.

    Fragmented traffic is a real security threat that needs addressing, and
    disabling security measures that take steps to reassemble and verify such
    traffic will cause a failure of just about any security audit you throw at
    your network, plus leave you open to litigation if your failure to address
    such attacks causes a 3rd party loss.

    Regards,

    Tim

    -----Original Message-----
    From: Prashant Khandelwal [mailto:prashant@juniper.net]
    Sent: 30 May 2005 06:03
    To: focus-ids@securityfocus.com
    Subject: RE: IDS\IPS that can handle one Gig

    Adding to this conversation one relevant point would be, Policies which
    are pushed on the sensor makes big difference in the performance of the
    box.

    E.g.: If Fragmentation and reassembly turned off it can be observed that
    box performs better as it does not need to take care of tiny fragmented
    packets (In real life having such policies doesn't make any sense).

    Over all One should know the Claimed performance figures with avg packet
    size ,What type of traffic was used for achieving that particular
    performance figure ,What kind of policies were pushed on the sensor.
    This can really help to know how a particular IPS can fit in your
    network environment.

    My 2 cents
    Cheers
    Prashant

    -----Original Message-----
    From: THolman@toplayer.com [mailto:THolman@toplayer.com]
    Sent: Thursday, May 26, 2005 2:17 PM
    To: focus-ids@securityfocus.com
    Subject: RE: IDS\IPS that can handle one Gig

    Hi Randall,

    Throughput is unimportant when it comes to choosing an IDS/IPS, and to
    be
    honest, a bit of a bun fight when you place two vendors side by side and
    start scouring their datasheets for practical information.

    What is important, however, is the number of packets per second the
    device
    can process, the maximum number of connections that such a device keeps
    state for, and last but not least, the latency that such a device will
    introduce into your network if placed inline.

    The smaller the packets used in a test, the smaller the performance in
    terms
    of megabits. The larger the packets, the bigger the performance in
    terms of
    megabits. Unreliable, and totally abused by most vendors on their
    datasheets. It's quite easy to say 'we support 1000 Mbps', only to say
    in
    small print the average packet size is 595 bytes. You only need to
    search
    Google for '1000 Mbps 595 bytes' and you'll soon find out what I mean..
    ;)

    The vendor in question, although claiming Gigabit performance, can only
    setup TCP connections at a rate of 5,000 per second - if you do the
    math,
    you'll soon find out that this represents less that TEN MEGABITS per
    second
    in 'throughput' terms.

    Is it ethical to claim Gigabit performance, only for the potential end
    user
    to run a number of tests with small packets sizes and find out this is
    not
    the case?

    The moral of the plot is to never trust a data*** - either thoroughly
    test
    the products before purchase, or look toward an independent testing
    house,
    such as NSS (www.nss.co.uk), whom have the resources and experience to
    regularly generate test results that count.

    At TopLayer, we regularly deploy into Gigabit environments, and
    encourage
    the customer to test (using Smartbits, Ixia or Spirent) for piece of
    mind.
    Rest assured, each time they do this, we pass with flying colours, and
    this
    is what makes us one of the top market leaders in Gigabit IPS solutions.

    Regards,

    Tim

    -----Original Message-----
    From: Randall Jarrell [mailto:rgj@msn.com]
    Sent: 19 May 2005 16:28
    To: focus-ids@securityfocus.com
    Subject: IDS\IPS that can handle one Gig

    Greetings,

    We are currently evaluating IDS\IPS vendors. We have tried two vendors,
    whom
    I will not name unless you ask me, that have made claims that they can
    handle a Gig of through put but actually start to fail around the
    300-500MB
    range.

    Could anyone share a success story of a vendor they are using that is
    handling this type of traffic?

    Thanks in advance,

    -RGJ

    ------------------------------------------------------------------------ 

    --
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
------------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
  • Next message: Justin.Ross_at_signalsolutionsinc.com: "Re: New to Snort !!!"
    • Quantcast