IDS mailing list archives
Re: ASIC-based vs. Software-based Security Platform
From: Ron Gula <rgula () tenablesecurity com>
Date: Tue, 26 Aug 2003 23:17:15 -0400
At 05:29 PM 8/26/2003 -0400, Klaus, Chris (ISSAtlanta) wrote:
Several security companies have been touting that ASIC (Application Specific Integrated Circuit) hardware-based appliances are the future of network security. I put together a whitepaper that compares ASIC-based and software-based security platforms, especially as they relate to IDS and the future direction of IDS. The security whitepaper is available at: http://www.issadvisor.com/viewtopic.php?t=368 I'd like to get feedback and comments on the whitepaper.
I think you make some good points, but are being biased. (Apologies up front for the long email.)

[*] Adaptive Security
I agree it is easier to distribute a complete software re-write than a complete ASIC redesign. However, on the commercial side, a complete rewrite often implies a re-purchase of the commercial product. ASIC systems are not all hard-coded in silicon either. They tend to take APIs (such as pattern matching) and accelerate them in chips.

[*] Security Platform
I like the option of running my NIDS at the host or on the network, but if it's the same technology, then I think it is overkill. I really like the idea of running different IDS technologies at the host and the network and think that running two different technologies offers good defense in depth.

[*] Vulnerability Detection
Most of the VA/IDS correlation I've been looking at does seem to occur in software, either on the IDS sensor or on some back-end system. I'm not convinced there is enough info in the packet stream to do VA/IDS reliably without an active scan, though, and would claim this is not as serious of a problem.

[*] Security Convergence
When I worked for Enterasys, we had customers who would have died for a device that did IDS, VPN, firewall, SSL acceleration, virus, VoIP, content filtering, etc. all in one box at a cheap price. The closest thing I've seen to this is Fortinet. I can't say its NIDS is as good as Snort, ISS or whatever, but I can say if I had to deploy several hundred of these things all over the world, I'd rather go with one device than deploy several hundred of each type of network device. For big gateways, I want a sophisticated firewall and IDS watching over things, but most people don't have the resources to take that same technology and deploy it throughout their infrastructure.

[*] Application Proxies
I agree with you that many folks are tired of slow firewalls with application proxies, but I don't agree that this has to be done in software. There are plenty of hardware-based app proxies being sold right now.

[*] Security Blades
I agree it's easier to re-deploy software than to re-deploy new ASICs; however, there is a LOT of resistance to putting anything with a hard drive, fan or other moving part into an important router or switch. I really don't want my routers running SQL, Apache, IIS, etc.

[*] Foundation Engine
Yep. If someone takes firewall code and bolts on some pattern matching, they don't have an enterprise-class IDS. On the other hand, I like that my $35 Dlink WAP will do content filtering and alert me for basic port scans. If someone does design a security platform from scratch, though, and they use ASICs, they can get around a lot of these issues.

[*] Security Flaws
You are right that both ASIC-based and software-based solutions can have security flaws, but it's much more likely that a software solution which relies on SQL, IIS, Apache, etc. will get hit than an ASIC with some sort of proprietary management scheme. I think the ASIC vendors (Intruvert, Fortinet, etc.) have a valid point when they claim that most IDS boxes are typically some of the *worst* maintained security devices on the network.

[*] Performance
I have a hard time with some of your arguments, mostly because I think that performance has nothing to do with the relevancy of ASICs vs. software. If you put software on fast chips, it may run faster. Of course in any particular test, with any particular build, some NIDS will see things, and some NIDS won't. To pick that NetScreen was dropping some packets, and that ISS was working well at 1 Gb, is misleading. I've spent a lot of time with different NIDS since I left Enterasys, and all of these guys do things very differently and have many different strengths and weaknesses. Each NIDS engineering team always feels that the test didn't show their best features and performance. One thing I do believe, though, is that the race to get to 1 Gb performance for a NIDS was the wrong race. The industry should have been building integrated and cheap T1, DSL and T3 devices.

[*] Manufacturing Costs
I strongly disagree here. If this were the case, all of the routers and switches would be running on NT Dell servers.

-----

Good paper. Obviously I disagree with some of what you say, but I think that anyone participating in the buying cycle of an ASIC-based vs. software-based NIDS or integrated security device should read it.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com