Re: Whatever happened to 10gb IPS?
Hi Marty, Hi Chris,
Long time.. Anyways I will throw my hat in too FWIW.
If you really wanted to compare, you need to do metrics on:
- total number of useful signatures/vulnerabilities assessed in the
same time frame
- total number of false positives over the same time frame
- total number of false negatives over the same time frame
- speed of response to zero days..
- heuristics/anomaly success rate
- throw in analysis as deep as I need and want..
- what it provides when it gets the above anomalies
All via side by side comparison.
There is absolutely no point in how fast your tool is drawn if it can't
hit the targets.. Or see them coming..

Best Regards,
dreamwvr@xxxxxxxxxxxx

On 07/21/2010 06:54 PM, Chris Brenton wrote:
Hey Marty, long time no chat. :)

I'm reminded of a party I once attended in my youth where a drunken
attendee kept bragging his Nova could blow the doors off of my Mustang.
When I asked to see the car, he explained it was up on blocks in his back
yard with no engine. ;-)

It is easy to brag when you don't have a client install base who can
potentially counter your claims.

Of course the big issue here (as Dave stated earlier) is that throughput
*is not* the primary job of a NIDS/NIPS. If security stinks, who really
cares how fast the device can process packets? I've been at this long
enough to know that no one gets security right in the early revisions.
Have they thought about how to deal with fragment time out evasion when
protecting multiple systems using different time outs? What about trying
to protect both first and last frag policy systems at the same time? Are
they validating layer 4 checksums? Are you *really* sure they are doing it
all the time? Is the product protocol aware for all major applications or
are they performing simple regex matches?

Snort has arguably the largest install base of any NIDS/NIPS on the
market. That is a whole lot of networks vetting Snort's ability to
implement an effective security policy. Till they can show effective
security under a similar level of vetting, they are just blowing smoke.

Disclaimer: I do not work for Sourcefire. I have however spent many years
deploying their products and trying to break/evade them.

HTH,
C
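The layer 4 checksum question above is one a tester can settle directly rather than take on trust. The Python below is an added example, not code from this thread and not Snort's or Sourcefire's: it builds a constructed TCP segment, verifies its checksum over the IPv4 pseudo-header the way a receiving stack does, and models an inspection pass that refuses to hand segments with a bad checksum to the content matcher, counting them instead (a rising count of such segments on a healthy link is itself worth alerting on). The addresses, ports and payload are constructed sample values; `inspect_stream`, `build_segment` and the other names are this example's own.

```python
import socket
import struct

# Constructed sample values for this example (not taken from the thread).
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum as used by IP, TCP and UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"          # pad odd-length input with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:           # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol, TCP length) that the checksum also covers."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum to place in the header; `segment` must carry 0 in its checksum field."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: summing pseudo-header plus segment (checksum in place) gives 0xFFFF."""
    if len(segment) < 20:
        return False
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """Minimal 20-byte TCP header (no options) plus payload, with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    cksum = tcp_checksum(src_ip, dst_ip, header + payload)
    header = header[:16] + struct.pack("!H", cksum) + header[18:]
    return header + payload


def inspect_stream(src_ip, dst_ip, segments):
    """Model of the layer-4 gate an inspection engine should apply: only segments a real
    TCP stack would accept reach the content matcher. Returns (accepted payload bytes,
    number of segments dropped for a bad checksum)."""
    accepted = b""
    dropped = 0
    for seg in segments:
        if not checksum_valid(src_ip, dst_ip, seg):
            dropped += 1
            continue
        data_offset = (seg[12] >> 4) * 4      # header length in bytes
        accepted += seg[data_offset:]
    return accepted, dropped


GOOD_SEGMENT = build_segment(SRC_IP, DST_IP, 40000, 80, 1, 1, 0x18, PAYLOAD)
# Flip the last payload byte after the checksum was computed: a corrupted segment
# that a receiving host would silently discard.
CORRUPTED_SEGMENT = GOOD_SEGMENT[:-1] + bytes([GOOD_SEGMENT[-1] ^ 0xFF])

if __name__ == "__main__":
    payload, dropped = inspect_stream(SRC_IP, DST_IP, [GOOD_SEGMENT, CORRUPTED_SEGMENT])
    print("accepted payload:", payload)
    print("segments dropped for bad checksum:", dropped)
```

The point of the gate is that the engine's view of the stream should match the view of the host it protects: a segment the host's stack discards must not feed the matcher, and a segment the host accepts must not be skipped. The same verification applies unchanged to UDP with protocol 17 in the pseudo-header.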


Roesch here. Was just doing an apples-to-apples comparison for Ellen
(not the most technical reporter in the industry) where she said the
other engine could do 10Gbps so I gave her a relative estimation of
Snort performance in a world where that was possible based on the
relative performance numbers we have.

In a world where X can do 10Gbps and we know in our test environment
we're seeing at least 5x the performance without trying real hard, we
can do 5*X the performance. It came out as stupid as I hoped it
would. :)

Marty


On Wed, Jul 21, 2010 at 2:21 PM, Curt Purdy <infosysec@xxxxxxxxx> wrote:
FYI, Roesch is claiming not 10Gbs but 10GBs! and apparently that's not
the Sourcefire appliance but Snort, at least according to this
article:
http://www.networkworld.com/news/2010/072010-is-snort-dead.html?page=2

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
infosysec@xxxxxxxxx
purdy@xxxxxxxxxx



On Thu, Jul 15, 2010 at 3:16 AM, Dave Venman <dvenman@xxxxxxxxxxxxxx> wrote:
<disclaimer> I work for Sourcefire </disclaimer> but I'll try to keep
this vendor-neutral

There are lots of boxes now which can, or claim they can, perform
10Gbps or more inspection.

Some of that is marketing fluff, some of it is the real McCoy.

If you have a need for 10Gbps inspection or higher then you really
need to do your homework because the boxes you pay for go for lots of
money. If you spend all that money on a solution which doesn't do IPS
properly or only do IPS properly well below the expected / rated /
claimed throughput - and I accept there are various approaches which
do work, and there are those which don't - then you're stuck with it
for the foreseeable future.

You need to do your homework seriously - check reviews, NSS reports,
anything you can lay your hands on. Then, get your hands on a unit to
evaluate them. And when you test these devices, make sure you put
them in a production environment (passively - I'm not that stupid) to
get them to inspect YOUR traffic. Don't rely on sending a PCAP to
someone and getting results, because you don't know how they've tested
your traffic, or if indeed they have tested it at all, just run basic
traffic distribution analysis on it and chucked the resulting figures
into a program to see the theoretical throughput.

And don't just test for raw IPS throughput - although it's important -
make sure the stuff you throw at it is caught - make sure it's proper
attempts to exploit vulnerabilities not just Nessus / NMAP scans, make
sure your testing rig replays traffic properly and doesn't provide an
approximation of TCP traffic, and lots of other things which need to
be done properly to test the solution effectively.

Raw throughput is only one element. If you don't get proper
inspection, then the things are essentially expensive doorstops.

On 14 July 2010 16:50, pacific.croc <pacific.croc@xxxxxxx> wrote:

Juniper also has the newly launched SRX series of appliances which, if
I am not wrong, can deliver up to 30 Gbps


On 7/14/2010 5:02 AM, Jeffrey Chen wrote:

I think they've been here for a while now:

Palo Alto Networks PA-4000 IPS/Firewall - 10GB
Top Layer IPS 5500-1000 - 4GB individually, up to 32GB in clustering mode.
Juniper IDP-8200 - 10GB

Just off top of my head. I think there are few others out there as
well.




--
Dave Venman

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server,
you can securely collect sensitive information online, and increase
business by giving your customers confidence that their transactions
are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
