Re: ASIC-based vs. Software-based Security Platform

[Mark Teicher <mht3 () earthlink net>]

At 09:17 PM 8/26/2003, Ron Gula wrote:

At 05:29 PM 8/26/2003 -0400, Klaus, Chris (ISSAtlanta) wrote:
> Several security companies have been touting that ASIC (Application 
> Specific Integrated Circuit) hardware-based appliances are the future of 
> network security. I put together a whitepaper that compares ASIC-based and 
> software-based security platforms, especially as they relate to IDS and 
> the future direction of IDS. The security whitepaper is available at:
>
>   http://www.issadvisor.com/viewtopic.php?t=368
>
> Like to get feedback and comments on the whitepaper.



[*] Security Convergence

When I worked for Enterasys, we had customers who would
have died for a device that did IDS, VPN, firewall, SSL
acceleration, virus, VOIP, conent filtering etc. all in
one box at a cheap price. The closest thing I've seen
to this is Fortinet. I can't say it's NIDS is as good
as Snort, ISS or whatever, but I can say if I had to
deploy several hundred of these things all over the
world, I'd rather go with one device than deploy several
hundred of each type of network device.

<mht> I evaluated the Fortinet appliance, it has a little piece of 
everything, nice UI, but not great content filtering or logging, The IDS 
signatures are not the greatest and not easily configurable.
It can be overwhelmed with logging and thus rendered unusable.  It is a 
nice NextGen Netscreen 5 appliance.  I would write more, but I don't want 
the listeners who work for Fortinet to perk up and start taking what I 
write seriously.



For big gateways, I want a sophisticated firewall and
IDS watching over things, but most people don't have the
resources to take that same technology and deploy it
throughout their infrastructure.

<mht> Do you mean an In-line IDS on both the external perimeter and 
internal perimeter.  The Intruvert IDS box has 3 ports to monitor such a 
configuration.

[*] Application Proxies

I agree with you that many folks are tired of slow firewalls
with application proxies, but I don't agree that this has
to be done in software. There are plenty of hardware based
app proxies being sold right now.


<mht> Plenty of hardware based apps proxies being sold, but not the 
greatest in handling SAP applications or Java based applications, if you 
let 80 through, you basically bypass everything anyways..


[*] Security Blades

I agree it's easier to re-deploy software than to re-deploy
new ASICs, however, there is a LOT of resistance to put anything
with a hard drive, fan or other moving part into an important
router or switch. I really don't want my routers running SQL,
Apache, IIS, etc.

<mht> Cisco tried this with the 6501 and still couldn't keep up with the 
competition, to much overhead in processing frames, not enough on the 
coalescining(sp?) side of the product.  It kept on logging similiar attacks 
as unique attacks and flooded the boxes with logs..


[*] Foundation Engine

Yep. If someone takes firewall code, and bolts on some pattern
matching, they don't have an enterprise-class IDS. On the other
hand, I like that my $35 Dlink WAP will do content filtering
and alert me for basic port scans. If someone does design a
security platform from scratch though and they use ASICs, they
can get around a lot of these issues.

<mht> Of course, you mean GOOD firewall code, and Enterprise ready 
appliances, which of course is another category in itself.


[*] Security Flaws

You are right that both ASIC based and software based solutions
can have security flaws, but its much more likely that a software
solution which relies on SQL, IIS, Apache, etc. will get hit than
an ASIC with some sort of proprietary management scheme. I think
the ASIC vendors (Intruvert, Fortinet, etc.) have a valid point
when they claim that most IDS boxes are typically some of the
*worse* maintained security devices on the network.

<mht> VxWorks is a good base to start with, but one still has to figure out 
how to upgrade the firmware without introducing new flaws, as I just had 
the same conversation with NAI a few weeks ago regarding how they introduce 
firmware upgrades to a box not connected to the Internet. Their assumption 
is that the box has a direct connection out.

[*] Performance

I have a hard time with some of your arguments, mostly because
I think that performance has nothing to do with the relevancy of
ASICs vs. software. If you put software on fast chips, it may
run faster.

<mht> Performance is all in the design, if you design and code correctly, 
performance is eliminated from the equation, but everyone claims 
performance numbers from outside vendors, and that is a whole other argument

Of course in any particular test, with any particular build,
some NIDS will see things, and some NIDS wont. To pick that
NetScreen was dropping some packets, and that ISS was working
well at 1 G/b is misleading. I've spent a lot of time with
different NIDS since I left Enterasys, and all of these guys
do things very different and have many different strengths and
weaknesses. Each NIDS engineering team always feels that the
test didn't show their best features and performance.

<mht>I agree, each NIDS has its strenghs and weaknesses, using a layered 
approach in a security architecture is the only way to find out.

One thing I do belive though is that the race to get to 1 Gb
performance for a NIDS was the wrong race. The industry should
have been building integrated and cheap T1, DSL and T3 devices.

<mht> What about OC-12, or OC-48.. ??


[*] Manufacturing Costs

I strongly disagree here. If this were the case, all of the
routers and switches would be running on NT dell servers.

<mht>I agree with Chris, is that manufacturing costs do matter, remember 
WatchGuard.. ??



-----

Good paper. Obviously I disagree with some of what you say, but
I think that anyone participating in the buying cycle of an
ASIC based vs. software based NIDS or integrated security device
should read it.

<mht>It is an GOOD paper, it needs some work on delivering the punch and 
driving the outlined points home to a decision maker/purchaser.. :)



Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com



































































---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the worldÂ's premier 
technical IT security event. Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.
Symanetc is the Diamond sponsor. Early-bird registration ends September 6 
Visit: www.blackhat.com
---------------------------------------------------------------------------




---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------