Re: IDS\IPS that can handle one Gig
From: Ed Gibbs (ed_at_digitalconclave.com)
To: "Chris Harrington" <firstname.lastname@example.org>, <THolman@toplayer.com>, <PPalmer@iss.net>, <email@example.com>, <firstname.lastname@example.org> Date: Mon, 6 Jun 2005 08:20:59 -0700
You're absolutely right - there needs to be IPS test standards. I would
like to propose putting together a forum, and defining what the IPS test
standards should be - is anyone interested? I would like to see several
members from each IPS vendor involved. The result is that we create a set
of procedures that provide guidance, and help someone determine which IPS is
best for their environment.
----- Original Message -----
From: "Chris Harrington" <email@example.com>
To: <THolman@toplayer.com>; <PPalmer@iss.net>; <firstname.lastname@example.org>;
Sent: Saturday, June 04, 2005 11:43 PM
Subject: RE: IDS\IPS that can handle one Gig
> Let's have another vendor weigh in :) See my comments in line.
>> -----Original Message-----
>> From: THolman@toplayer.com [mailto:THolman@toplayer.com]
>> Sent: Friday, June 03, 2005 8:25 AM
>> 1) Gigabit performance is irrelevant; it's the packets per
>> second that count. Vendors cheat and claim 1Gb performance
>> based on large packet sizes (not real world), or just add up
>> the sizes of all their interfaces.
> It would be nice if there was a standardized IPS performance test with
> regards to packet size, traffic mix, etc. I don't see that happening
> ICSA does it for the NIPS certification. This would cut down on the shady
> performance numbers that Tim refers to.
>> 2) In PC architecture, the PCI bus is the bottleneck, not
>> the processor.
> That depends on what you are doing with the processor. If you are doing
> pattern matching in the CPU you could run out of CPU well before you run
> of bus capacity. A PCI bus has a theoretical limit of 1.05 Gbps. A 16 lane
> PCI-Express bus is 80 Gbps. Several vendors are already shipping 10 Gig
> PCI-Express cards.
>> 3) An Intel processor has a large instruction set designed
>> for workstation/server performance and GUI operations, and
>> not for packet processing.
> I would say that the processor designers didn't have any specific tasks in
> mind. It is a general purpose processor.
>> 4) An ASIC has a tiny instruction set in comparison,
>> designed for a specific task. So, a 3.2Ghz Intel processor
>> forwarding/processing network traffic is on a par with a
>> 133Mhz ASIC designed to do the same thing.
> I'm not an ASIC guy so I will take your word for it on the comparison :)
>> 5) Processors can only do one thing at once. Thus, a
>> networking device with several processors installed in
>> parallel (ASICs OR Intel) is far more effective than a box
>> with a single/dual processor.
> More processors gives you more flexibility in what gets processed where.
>> 6) Hard disks do not slow down performance. They lower
>> reliability as fail all the time (!). RAID would help, but I
>> don't think any security vendor offers a RAID array as an
>> integral part of their appliance, so cut to the chase, get
>> the HDD off the inline unit and place on a separate
>> management machine so we have a reliable distributed
>> architecture that isn't put at risk by HDD failure. On the
>> same note, dual fans and power supplies also need to be considered.
> Hard drives do fail, no question there. I definitely disagree with your
> statement about vendors not having RAID. There are definitely vendors
> than us) who have drives in RAID configuration, both 1 and 5. I am not
> taking the drive off the device makes for a more reliable distributed
> architecture. What if the link from the IPS to the Management machine goes
> down or the Syslog server dies? What if the hard drive in the Management
> machine fails? :) With no drive on the IPS your space to store events,
> system data, etc, is somewhat limited. How long before you have to start
> overwriting event data on the IPS?
> Same goes for dual fans and power supplies. There are vendors (again other
> than us) who have dual fans and hot swappable power supplies. Although
> are generally found in the 500 mbps and up ranges.
> Don't forget fail open NIC's and bypass devices. Most vendors (including
> ASIC IPS') have them, at least as an option. If not having a hard drive is
> the path to reliability then why do vendors without hard drives have fail
> open NIC's? Because other components can and do fail as well.
>> 7) Single-processor machines can easily FORWARD 64-byte
>> packets at 'multi-Gig' speeds. They can do this as the
>> processor doesn't have to do anything with them. As soon as
>> you add intensive operations to the packets in question,
>> bearing in mind there is only a single CPU that can only do
>> one thing at once, you introduce LATENCY plus reduce pps
>> performance DRASTICALLY. This is where a parallel processing
>> architecture comes into it's own and takes leaps forward over
>> what a single-CPU box can do.
> You are assuming that the CPU is doing the packet processing. Many vendors
> are using network content accelerators and other processing cards to
> the CPU intensive operations.
>> In conclusion:
>> A box with one or two ASICs in is easily outperformed by a PC
>> with the latest Intel processor, fast network cards and a
>> good chunk of memory.
>> However, the PC is more prone to hard disk failure, which is
>> why you should never put one inline if uptime is critical.
>> A box with several ASICs in will outperform ANY PC-based
>> solution, and ANY ASIC solution that relies only on one or
>> two processors.
> But at what cost in terms of price per Gigabit and flexibility? Adding new
> functionality to software is pretty easy....
>> ..and one comment to Ed with respect to McAfee/TippingPoint
>> >both products really don't care if you have every signature and then
>> >some on.
>> Yes they do. If you turn on every signature check with these
>> IPS's, pps performance slows to a mediocre dribble...
> They do care. Look at some of the product reviews and you will see that
> vendor X has 2000 rules / filters / signatures but only 500 are on by
> default. I've witnessed a couple of ASIC IPS' that were brought to their
> knees when asked to store the offending packets. What about storing the
> stream involved with an event? Customers are asking about this...
>> Inline devices should NOT rely on REGEX signatures - by
>> nature, string searching is very resource intensive and best
>> left to a nice fast offline IDS running on an up-to-date PC
>> platform, where latency is not going to be an issue...
> There are PC platform IPS on the market that are under 100 microseconds
> do pattern matching.
>> Hope this helps - this isn't an all out war ASIC-based vs
>> PC-based, it's a question of architecture and suitability for
>> the job in hand!
> Definitely an interesting thread. I agree that it is about suitability.
> Christopher Harrington, CISSP
> Chief Technology Officer
> o: 603.570.3931
> c: 603.969.0592
> e: email@example.com
> w: www.nitrosecurity.com
> Skype: chrisharrington
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.