IDS: RE: RE: IPS Reliability/Availability

From: Mike Barkett <mbarkett_at_nfr.com>
Date: Sun, 12 Mar 2006 13:12:11 -0500

> -----Original Message-----
> From: y8k0vt3p_at_yahoo.com [mailto:y8k0vt3p_at_yahoo.com]
> Sent: Friday, March 10, 2006 2:42 AM
> To: focus-ids_at_securityfocus.com
> Subject: Re: RE: IPS Reliability/Availability
>
> > The primary "con" is that it's a fairly new approach, and therefore it's
> > difficult to get people on the bandwagon.
> > - it's hard to convince people that this solution is actually as
> > fast (or faster) than an ASIC solution for the same price. ASICs have
> > been around a long time, and people have a kind of warm fuzzy from that
> > older technology.
>
> I'm wondering why CPU cluster technology that you are deploying is
> considered new in comparison to ASIC/FPGA/NP technology.

Primarily because it is newer than those technologies. Can you offer any
examples in which this approach was applied to bundled network security
point solutions prior to the advent of ASICs?

But to your point... you're right that the concepts are similar in that, at
some point, you ultimately reduce the problem to processors processing data.
However, the RISC based solution removes "forklift upgrade" from the user's
vocabulary.

> Obviously, "software + CPU cluster" technology has some attractive
> properties.
> However, it also has several nasty properties, especially in the IDS
> space. In addition, the problems get nastier as you add more CPUs to the
> cluster, so there is a limit to how many CPUs you can put in a cluster.
> For starters, if your load balancing scheme is based on TCP/UDP port
> numbers, you'll have a hard time detecting even a simple port scan.
>
> - Jack

This might be partially true if the load balancing assumption were correct,
but at least in the one implementation (NFR) with which I am familiar, it is
not. Can you enumerate some of the inherent "nasty properties" to which you
allude?

-MAB
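Jack's port-scan objection is easy to check with a small simulation. The following is an added example (not from this thread, and not NFR's or any vendor's code): a cluster of independent sensors each running a per-source distinct-port threshold detector, fed once through a load balancer keyed on destination port and once keyed on source address. The sensor count, threshold and addresses are constructed values chosen for illustration.

```python
# Added illustration of the load-balancing argument in the thread above.
# Each sensor keeps its own state; nothing is shared between sensors.
import zlib
from collections import defaultdict
from typing import Callable, List, Set, Tuple

Packet = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


def hash_by_port(pkt: Packet, n_sensors: int) -> int:
    """The criticised scheme: spread packets by TCP/UDP destination port."""
    return pkt[2] % n_sensors


def hash_by_src(pkt: Packet, n_sensors: int) -> int:
    """Alternative: key on source address so one host's packets stay on one sensor."""
    return zlib.crc32(pkt[0].encode()) % n_sensors


def scanners_detected(packets: List[Packet],
                      key: Callable[[Packet, int], int],
                      n_sensors: int,
                      threshold: int = 20) -> Set[str]:
    """Per-sensor detector: flag a source that ONE sensor sees touching
    at least `threshold` distinct destination ports."""
    seen = [defaultdict(set) for _ in range(n_sensors)]
    for pkt in packets:
        seen[key(pkt, n_sensors)][pkt[0]].add(pkt[2])
    flagged: Set[str] = set()
    for table in seen:
        for src, ports in table.items():
            if len(ports) >= threshold:
                flagged.add(src)
    return flagged


def max_ports_on_one_sensor(packets: List[Packet],
                            key: Callable[[Packet, int], int],
                            n_sensors: int, src: str) -> int:
    """How much of one source's scan the busiest single sensor actually sees."""
    counts = [set() for _ in range(n_sensors)]
    for pkt in packets:
        if pkt[0] == src:
            counts[key(pkt, n_sensors)].add(pkt[2])
    return max(len(c) for c in counts)


# Constructed traffic: a 100-port sweep from one host plus benign web noise.
SCANNER = "198.51.100.7"
SCAN: List[Packet] = [(SCANNER, "192.0.2.10", p) for p in range(1, 101)]
NOISE: List[Packet] = [("203.0.113.5", "192.0.2.10", 80)] * 50
TRAFFIC: List[Packet] = SCAN + NOISE
```

With eight sensors, port-keyed balancing leaves each sensor seeing at most 13 of the 100 probed ports, under the threshold, while source-keyed balancing delivers the whole sweep to one sensor and the scan is flagged; growing the cluster only makes the port-keyed case worse.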

Received on Mar 14 2006