Re: IDS\IPS that can handle one Gig

From: Mike Frantzen (frantzen_at_nfr.com)
Date: 06/06/05

  • Next message: Ed Gibbs: "Re: IDS\IPS that can handle one Gig" 
    Date: Mon, 6 Jun 2005 10:26:52 -0400
To: THolman@toplayer.com

    > Think about it from an architectural perspective - these devices have a
    > single REGEX processor, and performance will degrade the more signatures you
    > tell this processor to look for.

    There are a plethora of multi-pattern regex algorithms that even with a
    ton of patterns will only walk the packet data once (not many times as
    most people would think). Shift-Or, Aho-Corasick and DFAs are the ones
    that immedietly jump to mind. IIRC they're all between O(n) and O(n+m)
    where 'n' is your data length and 'm' is your maximum pattern size.
    Notice that the algorimic complexities don't care about the number of
    signatures...

    There are other reasons not to design intrusion detection/prevention
    around pattern matching. But performance is certainly not one.

    The perfomanace nut in me wishes we at NFR could switch our product to
    pattern matching. Then I remember I'm a security guy.
     
    .mike
    frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
    PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

  • Next message: Ed Gibbs: "Re: IDS\IPS that can handle one Gig"