Hello Mr. Glass,
Are you running 10Gbps to each host? Where are your
choke points? If you have so many choke points that
acquisition cost is too great, (more and more common
these days) consider falling back to the host. More
and more these days, I find it best to shift from HIPS
to NIPS. High bandwidth utilization environments are
often good HIPS candidates.
Another option, and one that many organizations are
beginning to favor, is to forget the current,
"fashionable" notions of IPS and return to basics --
to focus more closely on vunerability and information
management. I believe that if you have a
comprehensive, continuous and meaningful flow of
information about the environment and an effective
vulnerability remediation program, the need for IPS
appliances and agents (band-aids) can be reduced
dramatically.
P
--- Jonathan Glass <jonathan.glass@gmail.com> wrote:
Well, as a greedy IPS reseller, what would you
recommend to handle 4
10Gig connections for real-time IPS/IDS protection?
That's where we
are, and we're having trouble finding ANY vendor who
can come close to
keeping up with us. Frankly, we find that we're
about 18-24 months
ahead of any vendors, and are wondering whether
there's any benefit to a
true IPS, or if we should stick to netflow analysis
and deep-packet IDS
(when capable of keeping up), and write scripts to
block attacks. Your
thoughts?
Jonathan Glass
InfoSecEngineer III
Georgia Institute of Technology
Andrew Plato wrote:
DISCLAIMER: I am a greedy IPS reseller. ;-)
Lots of IPSs can handle 1GB.
TippingPoint 1200, 2400, or 5000 (5GB!)
ISS G1000, G2000
FortiGate 1000 or better
Juniper
Etc.
Lots of them fail at 1GB because that's a
buttload-O-packets to handle.
Especially if they're little UDP packets. The thing
is, they can say
they're rated to 1GB because they can,
theoretically handle 1GB. But,
the only way to get there is with a paltry policy
set that only checks a
few things.
If you need raw ungodly performance, you might want
to stick to the
ASIC-based IPSs. They tend to be faster and have a
much lower latency.
This would be TippingPoint and Fortigate. I don't
think McAfee uses
ASICs, but I don't know. ISS, Juniper, Symantec,
Cisco, etc. are all
software running on some OS.
ASICs also have the added benefit that they are
more secure as an
appliance. Its almost totally impossible to crack
an ASIC-based system.
The OS-based IPSs usually run on-top of some
hardened Linux or BSD
kernel. Which means, its possible (although
unlikely) that a root
exploit to the Linux kernel could turn your
security appliance into an
insecurity appliance.
___________________________________
Andrew Plato, CISSP
President/Principal Consultant
Anitian Enterprise Security
-----Original Message-----
From: Randall Jarrell [mailto:rgj@msn.com]
Sent: Thursday, May 19, 2005 8:28 AM
To: focus-ids@securityfocus.com
Subject: IDS\IPS that can handle one Gig
Greetings,
We are currently evaluating IDS\IPS vendors. We
have tried two vendors,
whom I will not name unless you ask me, that have
made claims that they
can handle a Gig of through put but actually start
to fail around the
300-500MB range.
Could anyone share a success story of a vendor they
are using that is
handling this type of traffic?
Thanks in advance,
-RGJ
...
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
