Re: IDS\IPS that can handle one Gig

From: Ed Gibbs (
Date: 06/06/05

  • Next message: Chris Harrington: "RE: IDS\IPS that can handle one Gig"
    To: "Chris Harrington" <>, <>, <>, <>, <>
    Date: Mon, 6 Jun 2005 08:20:59 -0700

    You're absolutely right - there needs to be IPS test standards. I would
    like to propose putting together a forum, and defining what the IPS test
    standards should be - is anyone interested? I would like to see several
    members from each IPS vendor involved. The result is that we create a set
    of procedures that provide guidance, and help someone determine which IPS is
    best for their environment.


    ----- Original Message -----
    From: "Chris Harrington" <>
    To: <>; <>; <>;
    <>; <>
    Sent: Saturday, June 04, 2005 11:43 PM
    Subject: RE: IDS\IPS that can handle one Gig

    > Let's have another vendor weigh in :) See my comments in line.
    >> -----Original Message-----
    >> From: []
    >> Sent: Friday, June 03, 2005 8:25 AM
    >> 1) Gigabit performance is irrelevant; it's the packets per
    >> second that count. Vendors cheat and claim 1Gb performance
    >> based on large packet sizes (not real world), or just add up
    >> the sizes of all their interfaces.
    > It would be nice if there was a standardized IPS performance test with
    > regards to packet size, traffic mix, etc. I don't see that happening
    > unless
    > ICSA does it for the NIPS certification. This would cut down on the shady
    > performance numbers that Tim refers to.
    >> 2) In PC architecture, the PCI bus is the bottleneck, not
    >> the processor.
    > That depends on what you are doing with the processor. If you are doing
    > pattern matching in the CPU you could run out of CPU well before you run
    > out
    > of bus capacity. A PCI bus has a theoretical limit of 1.05 Gbps. A 16 lane
    > PCI-Express bus is 80 Gbps. Several vendors are already shipping 10 Gig
    > PCI-Express cards.
    >> 3) An Intel processor has a large instruction set designed
    >> for workstation/server performance and GUI operations, and
    >> not for packet processing.
    > I would say that the processor designers didn't have any specific tasks in
    > mind. It is a general purpose processor.
    >> 4) An ASIC has a tiny instruction set in comparison,
    >> designed for a specific task. So, a 3.2Ghz Intel processor
    >> forwarding/processing network traffic is on a par with a
    >> 133Mhz ASIC designed to do the same thing.
    > I'm not an ASIC guy so I will take your word for it on the comparison :)
    >> 5) Processors can only do one thing at once. Thus, a
    >> networking device with several processors installed in
    >> parallel (ASICs OR Intel) is far more effective than a box
    >> with a single/dual processor.
    > More processors gives you more flexibility in what gets processed where.
    >> 6) Hard disks do not slow down performance. They lower
    >> reliability as fail all the time (!). RAID would help, but I
    >> don't think any security vendor offers a RAID array as an
    >> integral part of their appliance, so cut to the chase, get
    >> the HDD off the inline unit and place on a separate
    >> management machine so we have a reliable distributed
    >> architecture that isn't put at risk by HDD failure. On the
    >> same note, dual fans and power supplies also need to be considered.
    > Hard drives do fail, no question there. I definitely disagree with your
    > statement about vendors not having RAID. There are definitely vendors
    > (other
    > than us) who have drives in RAID configuration, both 1 and 5. I am not
    > sure
    > taking the drive off the device makes for a more reliable distributed
    > architecture. What if the link from the IPS to the Management machine goes
    > down or the Syslog server dies? What if the hard drive in the Management
    > machine fails? :) With no drive on the IPS your space to store events,
    > system data, etc, is somewhat limited. How long before you have to start
    > overwriting event data on the IPS?
    > Same goes for dual fans and power supplies. There are vendors (again other
    > than us) who have dual fans and hot swappable power supplies. Although
    > these
    > are generally found in the 500 mbps and up ranges.
    > Don't forget fail open NIC's and bypass devices. Most vendors (including
    > ASIC IPS') have them, at least as an option. If not having a hard drive is
    > the path to reliability then why do vendors without hard drives have fail
    > open NIC's? Because other components can and do fail as well.
    >> 7) Single-processor machines can easily FORWARD 64-byte
    >> packets at 'multi-Gig' speeds. They can do this as the
    >> processor doesn't have to do anything with them. As soon as
    >> you add intensive operations to the packets in question,
    >> bearing in mind there is only a single CPU that can only do
    >> one thing at once, you introduce LATENCY plus reduce pps
    >> performance DRASTICALLY. This is where a parallel processing
    >> architecture comes into it's own and takes leaps forward over
    >> what a single-CPU box can do.
    > You are assuming that the CPU is doing the packet processing. Many vendors
    > are using network content accelerators and other processing cards to
    > offload
    > the CPU intensive operations.
    >> In conclusion:
    >> A box with one or two ASICs in is easily outperformed by a PC
    >> with the latest Intel processor, fast network cards and a
    >> good chunk of memory.
    >> However, the PC is more prone to hard disk failure, which is
    >> why you should never put one inline if uptime is critical.
    >> A box with several ASICs in will outperform ANY PC-based
    >> solution, and ANY ASIC solution that relies only on one or
    >> two processors.
    > But at what cost in terms of price per Gigabit and flexibility? Adding new
    > functionality to software is pretty easy....
    >> ..and one comment to Ed with respect to McAfee/TippingPoint
    >> >both products really don't care if you have every signature and then
    >> >some on.
    >> Yes they do. If you turn on every signature check with these
    >> IPS's, pps performance slows to a mediocre dribble...
    > They do care. Look at some of the product reviews and you will see that
    > vendor X has 2000 rules / filters / signatures but only 500 are on by
    > default. I've witnessed a couple of ASIC IPS' that were brought to their
    > knees when asked to store the offending packets. What about storing the
    > TCP
    > stream involved with an event? Customers are asking about this...
    >> Inline devices should NOT rely on REGEX signatures - by
    >> nature, string searching is very resource intensive and best
    >> left to a nice fast offline IDS running on an up-to-date PC
    >> platform, where latency is not going to be an issue...
    > There are PC platform IPS on the market that are under 100 microseconds
    > that
    > do pattern matching.
    >> Hope this helps - this isn't an all out war ASIC-based vs
    >> PC-based, it's a question of architecture and suitability for
    >> the job in hand!
    > Definitely an interesting thread. I agree that it is about suitability.
    > --Chris
    > Christopher Harrington, CISSP
    > Chief Technology Officer
    > nitrosecurity
    > o: 603.570.3931
    > c: 603.969.0592
    > e:
    > w:
    > Skype: chrisharrington

    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    Go to
    to learn more.

  • Next message: Chris Harrington: "RE: IDS\IPS that can handle one Gig"