Network Security Focus-IDS

RE: ASIC Based IPS

Subject: RE: ASIC Based IPS
Date: Mon, 4 Apr 2005 11:55:39 -0500
Network Processors (NPs) are chips that are programmed much like CPUs.
NPUs differ from CPUs in several ways:

1) Many offer hardware level parallelism -- much like the coming
generation of multi-core CPUs.
2) Most offer tight control over memory layout and cache control.  This
leads to more predictable performance than CPUs (at the cost of added
complexity in programming them).
3) Most offer specialized instructions and/or programming models for
parsing packet headers (L2-L4 processing).

In my experience, NPs are generally good for fixed header processing,
but not so good at processing the application layer.  You have to
reassemble the stream before you can decode it at the application layer.
The complexities associated with IP defragmentation, TCP reassembly,
application-layer fragmentation, plus the zillion different types of
application layer-processing, are beyond most NPUs (at least, if you
want to get the advertised throughput :-)

FPGAs are completely programmable -- you can program in an almost
arbitrary amount of parallelism (you're limited by the physical
characteristics of the chip, memory access, and so on).  An FPGA is
functionally identical to a custom ASIC. In fact, implementing a design
in an FPGA is almost always the first step in developing a fixed
function ASIC.  The nice thing about an FPGA is that it can be
reprogrammed in the field.  So their function can evolve as required;
this is really important for a new product, like IPS.

If FPGAs are so great, why would anyone develop an ASIC?  The answer is
cost.  FPGAs are expensive, ASICs are cheap.  However, transforming an
FPGA into an ASIC costs about $1M and 9-18 mos.  After that, though, you
can get the ASICs comparatively cheaply (it all depends on the volume
ordered).  But if you ever want the ASIC to do something else, you need
to go back to the drawing board, pay another $1M and 9-18 mos, and then
any customers will have to do a forklift upgrade to get the new
features.

        Brian Smith
        TippingPoint, a division of 3com

-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@gmail.com] 
Sent: Monday, April 04, 2005 11:24 AM
To: Brian Smith
Cc: THolman@toplayer.com; siddharth.phadnis@impetus.co.in;
focus-ids@securityfocus.com
Subject: Re: ASIC Based IPS

On Apr 1, 2005 7:39 PM, Brian Smith <bsmith@tippingpoint.com> wrote:
Hi Tim!  Good post; let me add my 2 cents.

The key to performance is parallelism, and processing network data is an
inherently (and extremely) parallel problem.
...
FPGAs are the way to go, for now.

Hi Brian,

You briefly mentioned network processors in your post, but prefer
FPGAs.  Would you (and anyone else) care to comment on NPs vs FPGAs?

Also, do you or anyone else have experience developing on Cloudshield?
 Any idea what Cloudshield uses under the hood?  I see they are
working with Arbor.

Thank you,

Richard
http://www.taosecurity.com
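Brian's point about needing to reassemble the stream before application-layer decoding, as an added illustration (not code from the thread or from any vendor mentioned in it): a constructed HTTP request is split across three out-of-order TCP segments, a per-segment matcher of the kind a fixed-header pipeline performs never sees the full token, while a minimal in-order reassembler does. The segments, sequence numbers and the pattern are all constructed for this example.

```python
# Added example: per-segment matching vs. matching on a reassembled TCP stream.
# Constructed sample: one HTTP request line split so that no single segment
# contains the pattern; segments arrive out of order, one is retransmitted.
from typing import List, Tuple

SEGMENTS: List[Tuple[int, bytes]] = [   # (tcp_seq, payload) in arrival order
    (1000, b"GET /et"),
    (1013, b"wd HTTP/1.0\r\n\r\n"),
    (1007, b"c/pass"),
    (1007, b"c/pass"),                  # duplicate (retransmit) of the segment above
]
PATTERN = b"/etc/passwd"                # classic content signature, constructed here


def per_packet_match(segments: List[Tuple[int, bytes]], pattern: bytes = PATTERN) -> bool:
    """Stateless, header-style processing: inspect each segment on its own."""
    return any(pattern in payload for _, payload in segments)


def reassemble(segments: List[Tuple[int, bytes]], start_seq: int) -> bytes:
    """Minimal in-order TCP reassembly: order by sequence number, drop full
    retransmits, trim overlapping bytes, and stop at the first gap (a real
    reassembler would buffer and wait for the missing data)."""
    buf = bytearray()
    expected = start_seq
    for seq, payload in sorted(segments):
        if seq + len(payload) <= expected:
            continue                    # nothing new in this segment
        if seq > expected:
            break                       # hole in the stream; cannot continue yet
        buf += payload[expected - seq:]  # skip the part we already have
        expected = seq + len(payload)
    return bytes(buf)


def stream_match(segments: List[Tuple[int, bytes]], start_seq: int,
                 pattern: bytes = PATTERN) -> bool:
    """Application-layer processing: match against the reassembled stream."""
    return pattern in reassemble(segments, start_seq)


if __name__ == "__main__":
    print("per-segment:", per_packet_match(SEGMENTS))      # False
    print("reassembled:", stream_match(SEGMENTS, 1000))    # True
```

The per-segment state here (expected sequence number, partial buffer) is exactly the kind of per-flow, data-dependent bookkeeping that a fixed L2-L4 header parser does not carry, which is why the application-layer work lands on a different part of the pipeline.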
