
IDS mailing list archives
Re: ASIC Based IPS
From: Barrett G. Lyon <blyon () prolexic com>
Date: Fri, 15 Apr 2005 10:18:55 -0400
Richard,
My team and I have been programming on CloudShield's IDE for a good 6 months now. We have been doing very complicated processes at line-rate and we are able to do nearly anything we can think of with the packet. It's a heavy learning curve with a lot of nuances to pick up, but for the most part -- a good platform. I'm sure the CS guys would thank me for that comment ;)
The 10k foot view of the device: Under the hood they have a bunch of NPs that feed into FPGAs that glue together a lot of ASIC-based tools. So when you code, you can use an ASIC like it is a function in your program. It also has an on-board PC so you can interact with the network with any scripting/code you can think of; it's a lot of fun.
Our (Prolexic's) network takes a pretty heavy load (1-10+ Million PPS) from time to time, and if our network did not perform we would have a customer retention problem -- we built one of the first securenet/IPN (Intrusion Prevention Networks). So when you are making things that are "out of the box", it's hard to buy something that fits perfectly within your specifications.
Along with IPS in general, I think a lot of the devices out there have some pretty good rate-limiting and SYN flood mitigation; however, they all seemed to miscalculate the sheer amount of processing power it takes to do deep packet inspections and protocol verification. Our network is currently representing about 10 Terahertz of processing ability just for the DPI, so hoping a single FPGA-based hardware device will do the trick may be a bad idea. Also, most devices cannot handle out-of-state TCP-based attacks (see: Riverhead), so keep your eyes out on that too.
-Barrett
Barrett G. Lyon
Chief Technology Officer
Prolexic Technologies - The leaders in DDoS Security!