Well, as a greedy IPS reseller, what would you recommend to handle 4
10Gig connections for real-time IPS/IDS protection? That's where we
are, and we're having trouble finding ANY vendor who can come close to
keeping up with us. Frankly, we find that we're about 18-24 months
ahead of any vendors, and are wondering whether there's any benefit to a
true IPS, or if we should stick to netflow analysis and deep-packet IDS
(when capable of keeping up), and write scripts to block attacks. Your
thoughts?
Jonathan Glass
InfoSecEngineer III
Georgia Institute of Technology
Andrew Plato wrote:
DISCLAIMER: I am a greedy IPS reseller. ;-)
Lots of IPSs can handle 1GB.
TippingPoint 1200, 2400, or 5000 (5GB!)
ISS G1000, G2000
FortiGate 1000 or better
Juniper
Etc.
Lots of them fail at 1GB because that's a buttload-O-packets to handle.
Especially if they're little UDP packets. The thing is, they can say
they're rated to 1GB because they can, theoretically handle 1GB. But,
the only way to get there is with a paltry policy set that only checks a
few things.
If you need raw ungodly performance, you might want to stick to the
ASIC-based IPSs. They tend to be faster and have a much lower latency.
This would be TippingPoint and Fortigate. I don't think McAfee uses
ASICs, but I don't know. ISS, Juniper, Symantec, Cisco, etc. are all
software running on some OS.
ASICs also have the added benefit that they are more secure as an
appliance. Its almost totally impossible to crack an ASIC-based system.
The OS-based IPSs usually run on-top of some hardened Linux or BSD
kernel. Which means, its possible (although unlikely) that a root
exploit to the Linux kernel could turn your security appliance into an
insecurity appliance.
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
-----Original Message-----
From: Randall Jarrell [mailto:rgj@msn.com]
Sent: Thursday, May 19, 2005 8:28 AM
To: focus-ids@securityfocus.com
Subject: IDS\IPS that can handle one Gig
Greetings,
We are currently evaluating IDS\IPS vendors. We have tried two vendors,
whom I will not name unless you ask me, that have made claims that they
can handle a Gig of through put but actually start to fail around the
300-500MB range.
Could anyone share a success story of a vendor they are using that is
handling this type of traffic?
Thanks in advance,
-RGJ
------------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
--
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
