Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



IDS: Re: challenges in capturing Gigabit ethernet

Re: challenges in capturing Gigabit ethernet

From: Securesolutions <securesolutions_at_gmail.com>
Date: Fri, 30 Dec 2005 12:53:54 -0000

Hello

If you are using an offline IDSor other advanced analysis application that
requires all packets of sessions go to the same device because they reqiire
the full session to report on the session such as an IDS and that IDS cannot
accept at Gig rates or cannot write to the HDD at this rate then you need to
aggregate the traffic on a stateful balancer and then have these sessions
balanced across the number of sensors required to cover the traffic input,
We have used the IDS-LB from Toplayer Networks for this for a number of
projects now.
It comes at a price however but if the requirement for gathering stateful
information and monitoring all packets at GIG rates is essential then it is
definetely worth the outlay if a single server cannot handle the load,

Regarding inline IPS quoting several GIG raw throughput beware,
Raw throughput is a good metric for a router but not if you need to do
stateful connection setups & deep inspection of packets which is a
requirement for Firewalls and IPS,
I believe most IPS devices tested for raw throughput will not have this
traffic passed through inspection engines or it will be clean and not
require detailed analysis and does not reflect a real world environment
In my opinion the numbers that are important for these devices are
connection setups/sec Deep inspection throughput and latency.

/Mick

----- Original Message -----
From: "Mike" <mike_at_jeke.fdns.net>
To: <focus-ids_at_securityfocus.com>
Sent: Wednesday, December 28, 2005 5:42 PM
Subject: Re: challenges in capturing Gigabit ethernet

> just to wrap some numbers around that, the worst case scenario for packets
> per second on gigabit ethernet is around 3 million for a full-duplex link
> (2,976,190 per second to be exact).
> it is difficult to just get those packets to your application, much less
> inspect all of them for attacks.
>
> efficent algorithms are essential, you need to very quickly catagorize a
> packet early on in the inspection so that you only do the necissary deep
> analysis. (a over-simplified example would be that you catagorize by ports
> so that you are not looking for IIS exploits in a SMTP session)
>
>
> Mike
>
>
> On Wed, 28 Dec 2005, Sanjay Rawat wrote:
>
>> Its not only installing GB NIC. An IDS/IPS must be capable of processing
>> the packet at that speed. For this purpose, it makes use of HW
>> accelerators, efficient algorithms and data structures.
>> I hope you have some idea now.
>> regards
>> -Sanjay
>>
>> At 01:28 PM 12/23/2005, Siddharth Phadnis wrote:
>> >Hi All,
>> >
>> >Vendors have long been talking about gigabit ethernet capabilities of
>> >their IDS/IPS. It got me thinking that is it just a simple matter of
>> >installing a gigabit ethernet card in the appliance and capturing the
>> >packets or is there any specialized hardware which is required.
>> >
>> >In effect, what all challenges are involved in capturing packets off a
>> >gigabit ethernet network so that packets do not drop. Does it just
>> >involve the hardware or are there some considerations in software too?
>> >
>> >Regards,
>> >Siddharth
>> >
>> >
>>
>> Sanjay Rawat
>> Senior Software Engineer
>> INTOTO Software (India) Private Limited
>> Uma Plaza, Above HSBC Bank, Nagarjuna Hills
>> PunjaGutta,Hyderabad 500082 | India
>> Office: + 91 40 23358927/28 Extn 422
>> Website : www.intoto.com
>> Homepage: http://sanjay-rawat.tripod.com
>>
>>
>>
>>
>>
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
>> to learn more.
>> ------------------------------------------------------------------------
>>
>>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Received on Jan 02 2006

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos