Network Security Focus-IDS

Re: IDS\IPS that can handle one Gig

Subject: Re: IDS\IPS that can handle one Gig
Date: 25 May 2005 10:02:45 -0000
In-Reply-To: <BAY103-DAV2CDA0AE7EB5D8601EB25EBA080@phx.gbl>

From: "Randall Jarrell" <rgj@msn.com>
To: <focus-ids@securityfocus.com>
Subject: IDS\IPS that can handle one Gig
Date: Thu, 19 May 2005 08:28:13 -0700

We are currently evaluating IDS\IPS vendors. We have tried two vendors, whom 
I will not name unless you ask me, that have made claims that they can 
handle a Gig of throughput but actually start to fail around the 300-500MB 
range.

Could anyone share a success story of a vendor they are using that is
handling this type of traffic?

Thanks in advance,

-RGJ

As Kos mentions in a follow-up posting below, TippingPoint have a 
range of products that cover from 50 Mbps to 5 Gbps aggregate 
bandwidth (they apply the filters in both directions, so you can have 5 
Gbps total).  The 2400 appliance will do the job.

I hear what you are saying about IPSes either failing open or failing 
closed when you start to push them to their limits.  This is mainly due 
to the fact that a lot of them are extensions of IDS architectures, and 
IDSes were designed to take all the time in the world analysing as no 
real-time decisions needed to be taken.  IPSes on the other hand 
require very quick decisions, so any form of buffering increases the 
latency (so much so that under strain some time-sensitive applications 
like Fibre Channel over IP, Ethernet Encapsulated Fibre Channel and 
VoIP can fail).  Also, any architecture with buffering is open to DoS.

Have a look at http://tomahawk.sourceforge.net - this is an Open 
Source project that TippingPoint released.  It allows you to build a 
PC-based IPS testing engine that can pump out about 300 Mbps; the 
architecture allows you to strap multiple Tomahawks together so you 
can push the capacity well above 1 Gbps.  TippingPoint released this 
into the public domain so that coders can see the tests are not rigged, 
but anyone is free to use this tool to push any IPS they are evaluating 
over 1 Gbps and see how it reacts.

I would recommend having a look at the TippingPoint appliances, but I 
would as I am their Senior Sales Engineer for the UK ;-)

Good luck with the testing!



James

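The point James makes about buffering is a queueing argument: an inline device that queues packets it cannot yet inspect keeps latency low while offered load is well below its capacity, but latency climbs steeply as utilisation approaches the device's real inspection rate, and once offered load exceeds it the buffer fills and the device must either drop (fail closed) or pass traffic uninspected (fail open). The simulation below is an added example, not code from this thread, from TippingPoint or from the Tomahawk project. It models the inline device as a single FIFO server with a finite packet buffer, assumes Poisson arrivals and a fixed packet size (both simplifications), and reports mean and worst-case latency plus the drop fraction at several offered loads, which is the kind of curve you would want to plot from a real Tomahawk-style test before trusting a vendor's throughput figure.

```python
"""Finite-buffer FIFO model of an inline IPS under increasing offered load.

Added example (not part of the original mailing-list thread).  Assumptions:
  * one inspection engine that processes packets strictly in order
  * fixed-size packets, Poisson arrivals (a simplification of real traffic)
  * a finite buffer; packets arriving to a full buffer are dropped
"""
import collections
import random
from dataclasses import dataclass


@dataclass
class LoadResult:
    offered_mbps: float
    capacity_mbps: float
    mean_latency_us: float
    max_latency_us: float
    drop_fraction: float


def simulate_inline_device(offered_mbps, capacity_mbps, buffer_packets=256,
                           packet_bytes=1000, n_packets=20000, seed=1):
    """Run n_packets through a single-server FIFO with a finite buffer.

    buffer_packets is the total number of packets the device can hold,
    including the one currently being inspected.  Returns a LoadResult.
    """
    rng = random.Random(seed)  # seeded so results are reproducible
    bits = packet_bytes * 8
    service_s = bits / (capacity_mbps * 1e6)      # seconds to inspect one packet
    arrival_rate = offered_mbps * 1e6 / bits      # packets per second offered

    now = 0.0
    in_system = collections.deque()  # scheduled departure times, FIFO order
    latencies = []
    dropped = 0

    for _ in range(n_packets):
        now += rng.expovariate(arrival_rate)
        # Packets whose departure time has passed have left the device.
        while in_system and in_system[0] <= now:
            in_system.popleft()
        if len(in_system) >= buffer_packets:
            dropped += 1  # buffer full: a fail-closed device drops here
            continue
        # Inspection starts when the previous packet finishes (or now, if idle).
        start = max(now, in_system[-1]) if in_system else now
        depart = start + service_s
        in_system.append(depart)
        latencies.append(depart - now)

    mean_us = sum(latencies) / len(latencies) * 1e6 if latencies else 0.0
    max_us = max(latencies) * 1e6 if latencies else 0.0
    return LoadResult(offered_mbps, capacity_mbps, mean_us, max_us,
                      dropped / n_packets)


def load_sweep(capacity_mbps, offered_loads, **kwargs):
    """Evaluate the device at each offered load; returns a list of LoadResult."""
    return [simulate_inline_device(load, capacity_mbps, **kwargs)
            for load in offered_loads]


if __name__ == "__main__":
    # Constructed scenario: a device whose true inspection rate is 1 Gbps,
    # pushed from 30% utilisation to 50% over capacity.
    for r in load_sweep(1000, [300, 600, 900, 1000, 1500]):
        print(f"offered {r.offered_mbps:6.0f} Mbps  mean {r.mean_latency_us:8.1f} us"
              f"  max {r.max_latency_us:8.1f} us  dropped {r.drop_fraction:.1%}")
```

Reading the output: below roughly half of capacity the mean latency stays close to a single packet's inspection time, it grows several-fold by 90% utilisation, and above capacity the buffer pins latency at its maximum while a third of packets are dropped. A vendor that quotes 1 Gbps but whose box behaves like the 600-900 Mbps rows of this table at a 300-500 Mbps offered load is telling you its effective inspection rate is far lower than claimed, which is exactly the failure the original poster describes.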
