Re: performance metrics for IPS systems? (msg#00014, security.ids)

Take a look at our IPS group tests if you are interested in such performance metrics. We go into some detail regarding acceptable latencies of Gigabit devices ("acceptable" obviously depends a lot on whether you intend to deploy them internally or at the network perimeter). The kind of behaviour mentioned below was observed frequently in our tests (i.e. that latency actually gets lower as traffic levels increase... up to a point). Round about 225,000pps is indeed around 1Gbps with a "normal" average packet size - a lot of our "real world" tests are based around these kinds of figures.

Edition 2 is online - Edition 1 can now only be purchased as a PDF for immediate download (or as a CD).

Bob Walder
The NSS Group

On 12/2/05 8:16 pm, "Massimo" <massimo.mail@xxxxxxxx> wrote:

> We did some tests with stress test equipment on the capability to handle
> high traffic load with low latency on some "diffused" IPS.
> I can tell you will have problems with some IPS products with that high
> load of packets. There are also commercial Gigabit IDS that lose traffic
> (doesn't slow, but lose) with that number of packets (225,000 packets/s
> can be close to a full gigabit with real packet size).
>
> I am sorry but I have an NDA on that test and can't give you more detail.
>
> Best Regards,
> Massimo
>
> On 09/01/2005 14.49, Mike Frantzen wrote:
>
>>> I'm planning on demanding that the IPS systems perform at >225,000
>>> packets/second (100% of packets inspected) with <.5ms latency per
>>> packet. Is this reasonable for an IPS?
>>
>> Just be careful how you measure that .5ms latency limit. If you do a
>> single ping without background traffic against an IPS that does
>> interrupt polling then you'll see latency of about 1ms or 10ms
>> (depending on the underlying operating system used). That latency
>> will start to drop once you have over 1000pps and will gradually
>> converge towards zero.
>>
>> I'm not sure which IPS vendors do interrupt polling to gain performance.
>> It wasn't worth it for us.
>>
>>> - What is the acceptable/standard latency per packet for an IPS?
>>
>> Humans begin to notice latency at about the 200ms mark (call it 100ms to
>> account for the return packet). TCP behavior changes at 30-100ms unless
>> the stack does round trip time measurements. Online gamers get cranky
>> at the 80-100ms mark.
>>
>> That being said, you probably won't find an IPS that introduces more than
>> 1ms of latency.
>>
>> .mike
>> frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
>> PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
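A small checker for a requirement of the shape discussed in this thread ("225,000 pps, 100% inspected, under 0.5 ms latency"), added here as an example and not code from the thread, The NSS Group or any vendor. It relates pps to link rate using standard Ethernet framing overhead, and it evaluates latency only from samples taken at the target load, so a single idle-link ping (the measurement artefact Mike describes) cannot decide the result; the rig measurements are constructed.

```python
"""Sanity checks for an IPS requirement of the form
"225,000 pps, 100% inspected, < 0.5 ms latency per packet".
Added example; not from the thread or The NSS Group. Sample measurements are constructed."""
from math import ceil

# Per-frame wire overhead on Ethernet: 7 B preamble + 1 B SFD + 12 B inter-frame gap.
WIRE_OVERHEAD_BYTES = 20


def line_rate_pps(link_bps: float, frame_bytes: int) -> float:
    """Frames per second a link carries at full rate for one frame size
    (frame_bytes includes the 14 B header and 4 B FCS, as on the wire)."""
    return link_bps / (8 * (frame_bytes + WIRE_OVERHEAD_BYTES))


def frame_size_for_pps(link_bps: float, pps: float) -> float:
    """Average frame size (bytes) at which a given pps figure equals full link rate,
    i.e. what "225,000 pps is about 1 Gbps" assumes about the traffic mix."""
    return link_bps / (8 * pps) - WIRE_OVERHEAD_BYTES


def percentile(values, pct: float) -> float:
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    return ordered[max(0, ceil(pct / 100 * len(ordered)) - 1)]


def latency_verdict(samples, target_pps: float, max_latency_ms: float, pct: float = 99):
    """samples: (offered_pps, measured_latency_ms) pairs from the test rig.
    Only measurements taken at or above the target load are used, so an idle-link
    ping (which over-states latency on interrupt-polling devices) cannot decide
    the result either way.  Returns (passed, explanation)."""
    loaded = [lat for pps, lat in samples if pps >= target_pps]
    if not loaded:
        return False, f"no latency sample at >= {target_pps:.0f} pps; idle pings do not count"
    worst = percentile(loaded, pct)
    ok = worst < max_latency_ms
    return ok, f"p{pct:g} latency under load {worst:.3f} ms vs limit {max_latency_ms} ms"


if __name__ == "__main__":
    print(f"1 Gbps @ 64 B frames: {line_rate_pps(1e9, 64):,.0f} pps")
    print(f"225,000 pps at 1 Gbps implies ~{frame_size_for_pps(1e9, 225_000):.0f} B frames")
    # Constructed rig output: one idle ping, then ramped load.
    rig = [(0, 1.0), (1_000, 0.6), (225_000, 0.30), (225_000, 0.35), (250_000, 0.40)]
    print(latency_verdict(rig, 225_000, 0.5))
```

At 64-byte frames the same 1 Gbps link carries about 1.49 million pps, so a "225,000 pps" clause only covers line rate for an average frame around 535 bytes.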