Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: performance metrics for IPS systems?

from [Massimo] Network Security [Permanent Link]
Subject: Re: performance metrics for IPS systems?
Date: Sat, 12 Feb 2005 20:16:20 +0100
We did some test with stress test equipment on the capability to handle hight traffic load with low latency on some "diffused" IPS.
I can tell you will have problem with some IPS product with that high load of packet. There are also commercial Gigabit IDS that lose traffic (doesn't slow, but lose) with that number of packet (225,000 packet/s can be close to a full gigabit with real packet size).

I am sorry but I have a NDA on that test and can't give you more detail.

Best Regards,
                  Massimo

On 09/01/2005 14.49, Mike Frantzen wrote:

I'm planning on demanding that the IPS systems perform at >225,000
packets/second (100% of packets inspected) with <.5ms latency per
packet. Is this reasonable for an IPS?



Just be careful how you measure that .5ms latency limit.  If you do a
single ping without background traffic against an IPS that does
interrupt polling then you'll see latency of about 1ms or 10ms
(depending on the underlying operating system used).  That latency
will start to drop once you have over 1000pps and will gradually
converge towards zero.

I'm not sure which IPS vendors do interrupt polling to gain performance.
It wasn't worth it for us.



- What is the acceptable/standard latency per packet for an IPS?



Humans begin to notice latency at about the 200ms mark (call it 100ms to
account for the return packet).  TCP behavior changes at 30-100ms unless
the stack does round trip time measurements.  Online gamers get cranky
at the 80-100ms mark.

That being said, you probably won't find an IPS that introduces more than
1ms of latency.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Tripwire for Solaris 8, Jason Czerak
Next by Date:  BASE 1.0.2 released, Kevin Johnson
Previous by Thread:  Tripwire for Solaris 8, Jason Czerak
Next by Thread:  Re: performance metrics for IPS systems?, Bob Walder
Indexes:  [Date] [Thread] [Top] [All Lists]