Network Security Focus-IDS

RE: IDS\IPS that can handle one Gig

Subject: RE: IDS\IPS that can handle one Gig
Date: Tue, 7 Jun 2005 09:19:19 -0700
Oh boy another long reply... ;)

1) Gigabit performance is irrelevant; it's the packets per second that
count. Vendors cheat and claim 1Gb performance based on large packet sizes
(not real world), or just add up the sizes of all their interfaces.

I agree; however, you would hope the PPS rates match the throughput of the gigabit circuit. 64-byte packets should be in the 2.2 million PPS range for a GigE. If my carrier can provide that PPS rate, I should be able to process at that rate. Maybe the top rating of an IPS should be limited to the lowest PPS situation it can process? If the hardware can do a 1.2 million SYN/sec rate, then it should only be rated at around 500 Mbps and not a full GigE? However, some devices may be great at some mitigation and bad at others; does that mean we should state that the device is only X at an X PPS rate? I think the consumers of IPS devices expect that all mitigation/processing is at the PPS line rate of the circuit, so this is where IPS vendors can get in trouble with marketing and overstating what it is they are doing.



2) In PC architecture, the PCI bus is the bottleneck, not the processor.

It's not just PC vs. network hardware; this is a cultural shift in security we are talking about...


In the last 3 years there has been a major shift from doing security as an application to security as a network device. This change is due to performance and general integration of security with the network. The major problem with this change is that traditionally the network guys were not security guys and the security guys were not network guys - it is pretty apparent when you compare a security conference to a networking conference, or a security device GUI to a network device CLI... or a PC to a network appliance. Ideologically, network guys connect and security guys restrict - strange combination.

The other problem is that security devices now have to talk network jive more like a router/switch should. Doing OSPF with something like a chokepoint, or trying to incorporate a PC with single power supplies and things like hard drives (that Mr. Holman pointed out) that have the potential to take down the network, is a very terrifying idea to a network guy, but maybe an okay idea for a security guy. With networks and attacks in the wild pushing traffic levels over the 4 gig (7+ million PPS) mark, squishing data over a PCI/PCI-X bus is also something of a bad idea (issue #2 in Mr. Holman's email).

So, the race is on: the people with PC architecture software are trying to become network-based security devices, and the network device world is trying to become security devices. When there is a race, things get sloppy, so we are seeing a lot of products that have features that don't work or features that are just there to be there. So, when someone is saying you have to compromise a security function for the health of the network or for performance, sometimes that is just fine, because that function may not have been doing anything anyway.

The way I see it (to rip off Richard Stiennon), firewalls are dead... It's easy to set up a line-speed ACL that acts like a firewall and have an application security device like an IPS behind that ACL. The new model is not having a single firewall but having something of a security-based network, where each part of the network is doing as it should be doing, its job... rather than everything. No single point of security, no single point of security to fail, no single vendor to fail -- every part of the network working together to perform security operations. Active redundancy in the network and the security is a neat idea, and devices like IPS will help people achieve that.

With the intrusion prevention network/secure net (whatever you call it), only using part of a device's functionality may be absolutely fine. The traditional Swiss army knife firewall is a thing of the past - with a Swiss army knife, using each knife tool all at once may be the wrong way to go. You also don't cut down a tree with the small Swiss army knife saw; you use a chain saw. You don't buy the Swiss army knife over the chain saw because it's got everything; you buy what's good for the job.

Oh, and don't play with chain saws in the data center, that's a bad idea too. :)



-Barrett
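As an added example, not part of Barrett's message or the thread: a small Python calculator for the rating scheme the message proposes, rating a device at the lowest-throughput traffic profile it can process rather than at the line rate of its interfaces. It assumes standard Ethernet wire overhead (8-byte preamble/SFD plus 12-byte inter-frame gap, 20 bytes per frame), so its line-rate figures differ from the message's rough 2.2 million PPS; the traffic profiles are constructed, with the SYN rate taken from the message.

```python
# Constructed example: turn packets-per-second (PPS) capacity into an honest
# throughput rating for a 1 Gb/s link. Assumes standard Ethernet framing
# overhead on the wire: 8-byte preamble/SFD + 12-byte inter-frame gap.

LINK_BPS = 1_000_000_000          # GigE line rate in bits per second
WIRE_OVERHEAD_BYTES = 20          # preamble + SFD + inter-frame gap per frame


def line_rate_pps(frame_bytes: int, link_bps: int = LINK_BPS) -> float:
    """Maximum frames per second the link can carry at a given frame size."""
    bits_on_wire = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_on_wire


def effective_bps(pps: float, frame_bytes: int) -> float:
    """Wire throughput (bits/s) sustained when processing `pps` frames of this size."""
    return pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8


def honest_rating(profiles: dict, link_bps: int = LINK_BPS) -> tuple:
    """Rate the device at its weakest traffic profile.

    profiles maps a label -> (frame_bytes, pps the device sustains). A device
    cannot process more frames than the link delivers, so device PPS is capped
    at the line-rate PPS for that frame size. Returns (label, rated_bps).
    """
    worst = None
    for label, (frame_bytes, device_pps) in profiles.items():
        capped = min(device_pps, line_rate_pps(frame_bytes, link_bps))
        bps = effective_bps(capped, frame_bytes)
        if worst is None or bps < worst[1]:
            worst = (label, bps)
    return worst


# Constructed profiles; the 64-byte SYN figure is the 1.2 million/sec from the message.
SAMPLE_PROFILES = {
    "syn_flood_64B": (64, 1_200_000),
    "http_mix_512B": (512, 400_000),
    "bulk_1518B": (1518, 90_000),
}

if __name__ == "__main__":
    print(f"GigE line rate at 64-byte frames: {line_rate_pps(64):,.0f} pps")
    label, bps = honest_rating(SAMPLE_PROFILES)
    print(f"Honest rating: {bps / 1e6:,.0f} Mb/s, limited by {label}")
```

The device in the sample handles full line rate for the larger frames but only 1.2 million 64-byte frames per second, so its honest rating is set by the SYN-flood profile, well below the marketed gigabit.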



