RE: IDS\IPS that can handle one Gig
From: Barrett G.Lyon (blyon_at_prolexic.com)
Date: 06/07/05
- Previous message: Edward Sohn: "RE: IDS\IPS that can handle one Gig"
- Maybe in reply to: THolman_at_toplayer.com: "RE: IDS\IPS that can handle one Gig"
- Next in thread: Andrew Plato: "RE: IDS\IPS that can handle one Gig"
Date: Tue, 7 Jun 2005 09:19:19 -0700
To: focus-ids@securityfocus.com
Oh boy another long reply... ;)
> 1) Gigabit performance is irrelevant; it's the packets per second that
> count. Vendors cheat and claim 1Gb performance based on large packet
> sizes (not real world), or just add up the sizes of all their interfaces.
I agree, however, you would hope the PPS rates match the throughput of
the gigabit circuit. 64-Byte packets should be in the 2.2 million PPS
rate for a GigE. If my carrier can provide that PPS rate I should be
able to process at that rate. Maybe the top rating of an IPS should be
limited to the lowest PPS situation it can process? If the hardware
can do a 1.2 million SYN/sec rate then it should only be rated at
around 500 Mbps and not a full GigE? However, some devices may be
great at some mitigation and bad at others, does that mean we should
state that the device is only X at X PPS rate? I think the consumers
of IPS devices expect that all mitigation/processing is at the PPS line
rate of the circuit, so this is where IPS vendors can get in trouble
with marketing and overstating what it is they are doing.
> 2) In PC architecture, the PCI bus is the bottleneck, not the
> processor.
It's not just PC vs network hardware, this is a cultural shift in
security we are talking about...
In the last 3 years there has been a major shift from doing security as
an application to security as a network device. This change is due to
performance and general integration of security with the network. The
major problem with this change is traditionally the network guys were
not security guys and the security guys were not network guys - it is
pretty apparent when you compare a security conference to a networking
conference or security device GUI to a network device CLI... or a PC to
a network appliance. Ideologically, network guys connect and security
guys restrict - strange combination.
The other problem is that security devices now have to talk network
jive more like a router/switch should be. Doing OSPF with something
like a chokepoint, or trying to incorporate a PC with single power
supplies and things like hard drives (that Mr. Holman pointed out) that
have a potential to take down the network is a very terrifying idea to
a network guy, but maybe an okay idea for a security guy. With
networks and attacks in the wild pushing traffic levels over the 4 gig
(7+ million PPS) mark, squishing data over a PCI/PCIx bus is also
something of a bad idea (issue #2 with Mr. Holman's email).
So, the race is on and the people with PC architecture software are
trying to become network based security devices, and the network device
world is trying to become security devices. When there is a race
things get sloppy, so we are seeing a lot of products that have
features that don't work or features that are just there to be there.
So, when someone is saying you have to compromise a security function
for health of the network or performance, sometimes that is just fine
because that function may not have been doing anything anyway.
The way I see it, (to rip off Richard Stiennon) firewalls are dead...
It's easy to set up a line speed ACL that acts like a firewall and have
an application security device like an IPS behind that ACL. The new
model is not having a single firewall but having something of a
security based network, where each part of the network is doing as it
should be doing, its job... rather than everything. No single point of
security, and no single point of security to fail, no single vendor to
fail -- every part of the network working together to perform security
operations. Active redundancy in the network and the security is a
neat idea and devices like IPS will help people achieve that.
With the intrusion prevention network/secure net (whatever you call it)
only using part of a device's functionality may be absolutely fine.
The traditional Swiss Army knife firewall is a thing of the past - with
a Swiss Army knife, using each knife tool all at once may be the wrong
way to go. You also don't cut down a tree with the small Swiss Army
knife saw, you use a chain saw. You don't buy the Swiss Army knife
over the chain saw because it's got everything, you buy what's good for
the job.
Oh, and don't play with chain saws in the data center, that's a bad
idea too. :)
-Barrett
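The first point in the message, that an inline device should be rated by the packets per second it can sustain rather than by the link's bit rate, is easy to work through with a small calculator. The block below is an added example, not part of the original post or of any vendor's code. It assumes standard Ethernet on-wire framing (an 8-byte preamble/SFD plus a 12-byte inter-frame gap on top of each frame, with the FCS counted inside the frame size) and uses the post's 1.2 million packets per second figure only as sample input; the frame sizes and link speeds are constructed values.

```python
"""Line-rate packets-per-second versus the throughput an inline IDS/IPS is
really good for.  Added example; assumes IEEE 802.3 framing overhead of
8 bytes preamble/SFD + 12 bytes inter-frame gap per frame on the wire."""

import math

PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + IFG_BYTES  # 20 bytes per frame
MIN_FRAME_BYTES = 64    # minimum Ethernet frame including FCS
MAX_FRAME_BYTES = 1518  # standard maximum untagged frame including FCS

GIGE_BPS = 1_000_000_000
TEN_GIGE_BPS = 10_000_000_000


def wire_bits_per_frame(frame_bytes: int) -> int:
    """Bits a frame of the given size occupies on the wire, overhead included."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("Ethernet pads frames below 64 bytes; use 64 or larger")
    return (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def line_rate_pps(link_bps: int, frame_bytes: int) -> int:
    """Maximum frames per second a link can carry at one frame size.

    This is the PPS figure a device must sustain to be 'line rate' for
    that frame size; it is highest at the minimum frame size."""
    return link_bps // wire_bits_per_frame(frame_bytes)


def rated_throughput_bps(max_pps: int, frame_bytes: int) -> int:
    """Wire throughput a device actually delivers when it tops out at
    max_pps while handling frames of the given size."""
    return max_pps * wire_bits_per_frame(frame_bytes)


def fraction_of_link(max_pps: int, link_bps: int, frame_bytes: int) -> float:
    """Share of the link the device keeps up with at that frame size (capped at 1.0)."""
    return min(1.0, rated_throughput_bps(max_pps, frame_bytes) / link_bps)


def smallest_line_rate_frame(link_bps: int, max_pps: int) -> int:
    """Smallest frame size at which a device limited to max_pps is still at
    line rate on the link.  Smaller frames will exceed its PPS ceiling."""
    # (frame + overhead) * 8 * max_pps >= link_bps  ->  solve for frame
    needed = link_bps / (8 * max_pps) - WIRE_OVERHEAD_BYTES
    return max(MIN_FRAME_BYTES, math.ceil(needed))


def rating_table(link_bps: int, max_pps: int) -> list:
    """Per frame size: PPS required for line rate, and whether the device
    (limited to max_pps) meets it.  Constructed set of common sizes."""
    rows = []
    for size in (64, 128, 256, 512, 1024, MAX_FRAME_BYTES):
        need = line_rate_pps(link_bps, size)
        rows.append((size, need, max_pps >= need))
    return rows


if __name__ == "__main__":
    # Sample device: caps out at 1.2 million small packets per second (from the post).
    device_pps = 1_200_000
    print(f"GigE line rate at 64-byte frames: {line_rate_pps(GIGE_BPS, 64):,} pps")
    print(f"10GigE line rate at 64-byte frames: {line_rate_pps(TEN_GIGE_BPS, 64):,} pps")
    print(f"Device at {device_pps:,} pps covers "
          f"{fraction_of_link(device_pps, GIGE_BPS, 64):.1%} of GigE at 64 bytes")
    print(f"Device is line-rate for frames >= {smallest_line_rate_frame(GIGE_BPS, device_pps)} bytes")
    for size, need, ok in rating_table(GIGE_BPS, device_pps):
        print(f"  {size:5d} B  needs {need:>10,} pps  {'OK' if ok else 'SHORT'}")
```

The useful number for procurement is the smallest frame size at which the box is still at line rate, since a SYN flood or a small-packet scan lands well below typical average frame sizes; a datasheet gigabit figure measured at 1518-byte frames says nothing about that case.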