Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: IDS\IPS that can handle one Gig

from [Prashant Khandelwal] Network Security [Permanent Link]
Subject: RE: IDS\IPS that can handle one Gig
Date: Mon, 30 May 2005 10:33:15 +0530 
Adding to this conversation one relevant point would be, Policies which
are pushed on the sensor makes big difference in the performance of the
box. 

E.g.: If Fragmentation and reassembly turned off it can be observed that
box performs better as it does not need to take care of tiny fragmented
packets (In real life having such policies doesn't make any sense).

Over all One should know the Claimed performance figures with avg packet
size ,What type of traffic was used for achieving that particular
performance figure ,What kind of policies were pushed on the sensor.
This can really help to know how a particular IPS can fit in your
network environment.


My 2 cents
Cheers
Prashant 


-----Original Message-----
From: THolman@toplayer.com [mailto:THolman@toplayer.com] 
Sent: Thursday, May 26, 2005 2:17 PM
To: focus-ids@securityfocus.com
Subject: RE: IDS\IPS that can handle one Gig

Hi Randall,

Throughput is unimportant when it comes to choosing an IDS/IPS, and to
be
honest, a bit of a bun fight when you place two vendors side by side and
start scouring their datasheets for practical information.

What is important, however, is the number of packets per second the
device
can process, the maximum number of connections that such a device keeps
state for, and last but not least, the latency that such a device will
introduce into your network if placed inline.

The smaller the packets used in a test, the smaller the performance in
terms
of megabits.  The larger the packets, the bigger the performance in
terms of
megabits.  Unreliable, and totally abused by most vendors on their
datasheets.  It's quite easy to say 'we support 1000 Mbps', only to say
in
small print the average packet size is 595 bytes.  You only need to
search
Google for '1000 Mbps 595 bytes' and you'll soon find out what I mean..
;)

The vendor in question, although claiming Gigabit performance, can only
setup TCP connections at a rate of 5,000 per second - if you do the
math,
you'll soon find out that this represents less that TEN MEGABITS per
second
in 'throughput' terms.

Is it ethical to claim Gigabit performance, only for the potential end
user
to run a number of tests with small packets sizes and find out this is
not
the case?

The moral of the plot is to never trust a datasheet - either thoroughly
test
the products before purchase, or look toward an independent testing
house,
such as NSS (www.nss.co.uk), whom have the resources and experience to
regularly generate test results that count.

At TopLayer, we regularly deploy into Gigabit environments, and
encourage
the customer to test (using Smartbits, Ixia or Spirent) for piece of
mind.
Rest assured, each time they do this, we pass with flying colours, and
this
is what makes us one of the top market leaders in Gigabit IPS solutions.

Regards,

Tim


-----Original Message-----
From: Randall Jarrell [mailto:rgj@msn.com] 
Sent: 19 May 2005 16:28
To: focus-ids@securityfocus.com
Subject: IDS\IPS that can handle one Gig

Greetings,

We are currently evaluating IDS\IPS vendors. We have tried two vendors,
whom
I will not name unless you ask me, that have made claims that they can
handle a Gig of through put but actually start to fail around the
300-500MB
range.

Could anyone share a success story of a vendor they are using that is
handling this type of traffic?

Thanks in advance,

-RGJ

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--

------------------------------------------------------------------------
--
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------
--


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS\IPS that can handle one Gig, Jonathan Glass
Previous by Thread:  RE: IDS\IPS that can handle one Gig, THolman
Next by Thread:  RE: SIM Tools, and endpoint security., THolman
Indexes:  [Date] [Thread] [Top] [All Lists]