Subject: Re: Gigabit IDS solutions
From: Robert Graham (robert_david_grahamYAHOO.COM)
Date: Tue Nov 14 2000 - 19:45:59 CST


There has been a lot of discussion about "bits/second". This is an extremely
INACCURATE way of measuring an IDS.

It is like going to the store and asking the clerk for the price of 2 liters of
Pepsi. The clerk quotes a price for a 2-liter bottle. Then you bring six
individual cans to the counter (roughly 2.1 liters total) and find that the
price is a lot more than originally quoted by the clerk.

Networks are the same way. Processing 100-mbps of traffic using a few large
packets is a lot "cheaper" than processing 100-mbps of traffic using a lot of
small packets. IDS vendors historically have claimed that they supported
100-mbps networks on the assumption the customer was using 1500-byte packets.
Customers would then see their purchases fail because in the real world, the
average size of a packet is about 200-bytes. This means that if an IDS cannot
achieve a packet rate of 55,000 packets/second, then it cannot truly keep up
with 100-mbps in the real world.

Therefore, when purchasing an IDS, first put a sniffer on your real live
network and measure the average packet rate. Then ask the vendor the packet
rate they can support. If they support terabits/second but can't match your
packet rate, the IDS still just won't work.

This is important because for all the IDSs I've looked at, the packet-rate has
been the most severe bottleneck. Most still cannot handle the 55,000
packets/second needed to support 100-mbps networks with a 200-byte average
packet size.

=====
Robert Graham
Personal: http://www.robertgraham.com Work: CTO Network ICE

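The sizing arithmetic and the "measure your own packet rate" step from the post, as an added example that is not part of Graham's message: a small Python script that converts link speed to packets/second for a given average frame size (counting the Ethernet preamble, FCS and inter-frame gap, which is what brings 100 Mbps at 200-byte frames down from 62,500 to roughly 55,800 pps) and that reads a classic libpcap capture to report the observed packet rate and average frame size. The capture bytes are constructed inline for the demonstration; in practice you would feed it a file written by tcpdump on the monitored segment. Overhead constants, function names and the pcap-parsing helper are this example's own assumptions.

```python
"""Packet-rate sizing for an IDS.

Added example, not from the original post. The pcap below is constructed
in code so the script runs offline; replace it with a real tcpdump file.
"""
import struct
from typing import Dict, List, Tuple

# Bytes the wire spends on each Ethernet frame beyond the frame itself:
# 7-byte preamble + 1-byte SFD, 4-byte FCS, 12-byte inter-frame gap.
# (Assumed standard Ethernet values.)
ETH_OVERHEAD_BYTES = 8 + 4 + 12


def pps_for_link(link_bps: float, avg_frame_bytes: float,
                 include_overhead: bool = True) -> float:
    """Packets/second a link of link_bps carries when every frame is avg_frame_bytes."""
    wire_bytes = avg_frame_bytes + (ETH_OVERHEAD_BYTES if include_overhead else 0)
    return link_bps / (wire_bytes * 8)


def parse_pcap(data: bytes) -> List[Tuple[int, int]]:
    """Return (timestamp_us, wire_length) per record of a classic libpcap file.

    Uses orig_len (length on the wire), not incl_len, so a snaplen-clipped
    capture still yields the true frame sizes.
    """
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"          # written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # written big-endian
    else:
        raise ValueError("not a classic microsecond libpcap file")
    records = []
    off = 24                  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated record")
        records.append((ts_sec * 1_000_000 + ts_usec, orig_len))
        off += incl_len       # skip captured bytes; only headers matter here
    return records


def measure(records: List[Tuple[int, int]]) -> Dict[str, float]:
    """Observed packet rate, average frame size and the bit rates they imply."""
    n = len(records)
    if n < 2:
        raise ValueError("need at least two packets to measure a rate")
    dur_us = records[-1][0] - records[0][0]
    if dur_us <= 0:
        raise ValueError("timestamps do not advance")
    avg_bytes = sum(length for _, length in records) / n
    pps = (n - 1) * 1_000_000 / dur_us      # n packets span n-1 intervals
    return {
        "packets": n,
        "avg_frame_bytes": avg_bytes,
        "pps": pps,
        "payload_bps": avg_bytes * 8 * pps,                        # what a bits/second spec counts
        "wire_bps": (avg_bytes + ETH_OVERHEAD_BYTES) * 8 * pps,    # what the wire actually carries
    }


def build_sample_pcap(count: int = 1000, interval_us: int = 1000,
                      sizes: Tuple[int, ...] = (64, 336), snaplen: int = 96) -> bytes:
    """Constructed capture: 1000 frames, one per millisecond, alternating 64/336 bytes (avg 200)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]  # DLT_EN10MB
    for i in range(count):
        wire_len = sizes[i % len(sizes)]
        incl_len = min(wire_len, snaplen)     # emulate tcpdump's snaplen clipping
        ts = i * interval_us
        out.append(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, incl_len, wire_len))
        out.append(b"\x00" * incl_len)
    return b"".join(out)


def required_pps(stats: Dict[str, float], link_bps: float) -> float:
    """Packet rate an IDS must sustain to keep up with link_bps at the measured frame size."""
    return pps_for_link(link_bps, stats["avg_frame_bytes"])


if __name__ == "__main__":
    stats = measure(parse_pcap(build_sample_pcap()))
    print("observed: %.0f pps, avg frame %.0f bytes (%.2f Mbps payload)"
          % (stats["pps"], stats["avg_frame_bytes"], stats["payload_bps"] / 1e6))
    for link in (100e6, 1e9):
        print("at %.0f Mbps with that frame size the IDS must handle %.0f pps"
              % (link / 1e6, required_pps(stats, link)))
    print("vendor assumption of 1500-byte frames at 100 Mbps: %.0f pps"
          % pps_for_link(100e6, 1500))
```

Compare the `required_pps` figure for your own capture with the packet rate the vendor will commit to in writing; a bits/second figure derived from 1500-byte frames is eight to ten times lower than what a 200-byte average demands.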