Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

focus-ids logo IDS mailing list archives

RE: IPS Reliability/Availability
From: j <y8k0vt3p () yahoo com>
Date: Wed, 15 Mar 2006 22:56:33 -0800 (PST)
--- Mike Barkett <mbarkett () nfr com> wrote:

The RISC based solution we are discussing is
markedly different in that it has none of the above, and it relies less on

load

balancing than traditional "sandwich" solutions.


OK. From bird’s-eye view, your solution looks like FWLB in a chassi, but this
forum is probably inappropriate place to discuss specifics of the NFR solution.
 

It's hard to be specific without knowing the details of load balancing.
However, let me try to list a few issues:
- Increased latencies and jitter in case of inline deployment.
- Burst loss. For example, try to do a deep inspection without loss of a >> 

  large TCP window of a single TCP session sent by a server or a test 

   device over a gige interface. 
   What's max burst you can process without loss?
- If traffic from a malicious source is distributed to several CPUs,it 
   will take you much longer or even impossible to detect the attack and 
   start dropping malicious traffic.

 

It's certainly understandable that you'd be skeptical about the numbers
being thrown around.  You're not the only one.  And  it's true that a poorly
Implemented distribution scheme will suffer from the problems you mention.
These are not new concerns, however, and the equipment and software that we
use to tackle the speed problem are specifically designed to handle these
challenges.  As someone said on a previous thread  (or was it this thread?),
let's wait until the third party numbers come out before passing judgment.

.......
Sure, however let’s keep in mind that the third parties don’t test for spike,
burst latencies and jitter in the IDP testing. See:

http://seclists.org/lists/focus-ids/2006/Feb/0018.html

Jack.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]