Re: ASIC-based vs. Software-based Security Platform

[Ron Gula <rgula () tenablesecurity com>]

At 05:29 PM 8/26/2003 -0400, Klaus, Chris (ISSAtlanta) wrote:
> Several security companies have been touting that ASIC (Application 
> Specific Integrated Circuit) hardware-based appliances are the future of 
> network security.  I put together a whitepaper that compares ASIC-based 
> and software-based security platforms, especially as they relate to IDS 
> and the future direction of IDS.  The security whitepaper is available at:
>
>    http://www.issadvisor.com/viewtopic.php?t=368
>
> Like to get feedback and comments on the whitepaper.

I think you make some good points, but are being biased.
(apologies up front for the long email)

[*] Adaptive Security

I agree it is easier to distribute a complete software
re-write than a complete ASIC redesign. However, on the
commercial side, a complete rewrite often implies a
re-purchase of the commercial product. ASIC systems are
not all hard-coded in silicon either. They tend to take
APIs (such as pattern matching) and accelerate them in
chips.

[*] Security Platform

I like the option of running my NIDS at the host or on
the network, but if its the same technology, then I think
it is overkill. I really like the idea of running different
IDS technologies at the host and the network and think
that running two different technologies offers good defense
in depth.

[*] Vulnerability Detection

Most of the VA/IDS correlation I've been looking at does
seem to occur in software either on the IDS sensor or
on some back-end system. I'm not convinced there is enough
info in the packet stream to do VA/IDS reliably without
an active scan though and would claim this is not as
serious of a problem.

[*] Security Convergence

When I worked for Enterasys, we had customers who would
have died for a device that did IDS, VPN, firewall, SSL
acceleration, virus, VOIP, conent filtering etc. all in
one box at a cheap  price. The closest thing I've seen
to this is Fortinet. I can't say it's NIDS is as good
as Snort, ISS or whatever, but I can say if I had to
deploy several hundred of these things all over the
world, I'd rather go with one device than deploy several
hundred of each type of network  device.

For big gateways, I want a sophisticated firewall and
IDS watching over things, but most people don't have the
resources to take that same technology and deploy it
throughout their infrastructure.

[*] Application Proxies

I agree with you that many folks are tired of slow firewalls
with application proxies, but I don't agree that this has
to be done in software. There are plenty of hardware based
app proxies being sold right now.

[*] Security Blades

I agree it's easier to re-deploy software than to re-deploy
new ASICs, however, there is a LOT of resistance to put anything
with a hard drive, fan or other moving part into an important
router or switch. I really don't want my routers running SQL,
Apache, IIS, etc.

[*] Foundation Engine

Yep. If someone takes firewall code, and bolts on some pattern
matching, they don't have an enterprise-class IDS. On the other
hand, I like that my $35 Dlink WAP will do content filtering
and alert me for basic port scans. If someone does design a
security platform from scratch though and they use ASICs, they
can get around a lot of these issues.

[*] Security Flaws

You are right that both ASIC based and software based solutions
can have security flaws, but its much more likely that a software
solution which relies on SQL, IIS, Apache, etc. will get hit than
an ASIC with some sort of proprietary management scheme. I think
the ASIC vendors (Intruvert, Fortinet, etc.) have a valid point
when they claim that most IDS boxes are typically some of the
*worse* maintained security devices on the network.

[*] Performance

I have a hard time with some of your arguments, mostly because
I think that performance has nothing to do with the relevancy of
ASICs vs. software. If you put software on fast chips, it may
run faster.

Of course in any particular test, with any particular build,
some NIDS will see things, and some NIDS wont. To pick that
NetScreen was dropping some packets, and that ISS was working
well at 1 G/b is misleading. I've spent a lot of time with
different NIDS since I left Enterasys, and all of these guys
do things very different and have many different strengths and
weaknesses. Each NIDS engineering team always feels that the
test didn't show their best features and performance.

One thing I do belive though is that the race to get to 1 Gb
performance for a NIDS was the wrong race. The industry should
have been building integrated and cheap T1, DSL and T3 devices.

[*] Manufacturing Costs

I strongly disagree here. If this were the case, all of the
routers and switches would be running on NT dell servers.

-----

Good paper. Obviously I disagree with some of what you say, but
I think that anyone participating in the buying cycle of an
ASIC based vs. software based NIDS or integrated security device
should read it.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com



































































---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world’s premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------