Re: ASIC-based vs. Software-based Security Platform

[Shaiful <shaifuljahari () yahoo com>]

Hi guys,

Can we have the best of both worlds?

With the emergence of network processors and the FPGA
like devices that you can buy off-the-shelf, I think
it is a very promising direction.

Pls refer to the following links:

Intel's Network Processor IXP family: 
http://www.intel.com/design/network/products/npfamily/

Altera's Nios development kit 
http://www.altera.com/products/devkits/altera/kit-nios.html

Tarari's content inspections processor
http://www.tarari.com/index2.html

Regards,
Shaiful

--- Ron Gula <rgula () tenablesecurity com> wrote:
> At 05:29 PM 8/26/2003 -0400, Klaus, Chris
> (ISSAtlanta) wrote:
> > Several security companies have been touting that
> ASIC (Application 
> > Specific Integrated Circuit) hardware-based
> appliances are the future of 
> > network security.  I put together a whitepaper that
> compares ASIC-based 
> > and software-based security platforms, especially
> as they relate to IDS 
> > and the future direction of IDS.  The security
> whitepaper is available at:
> >    http://www.issadvisor.com/viewtopic.php?t=368
> >
> > Like to get feedback and comments on the
> whitepaper.
>
> I think you make some good points, but are being
> biased.
> (apologies up front for the long email)
>
> [*] Adaptive Security
>
> I agree it is easier to distribute a complete
> software
> re-write than a complete ASIC redesign. However, on
> the
> commercial side, a complete rewrite often implies a
> re-purchase of the commercial product. ASIC systems
> are
> not all hard-coded in silicon either. They tend to
> take
> APIs (such as pattern matching) and accelerate them
> in
> chips.
>
> [*] Security Platform
>
> I like the option of running my NIDS at the host or
> on
> the network, but if its the same technology, then I
> think
> it is overkill. I really like the idea of running
> different
> IDS technologies at the host and the network and
> think
> that running two different technologies offers good
> defense
> in depth.
>
> [*] Vulnerability Detection
>
> Most of the VA/IDS correlation I've been looking at
> does
> seem to occur in software either on the IDS sensor
> or
> on some back-end system. I'm not convinced there is
> enough
> info in the packet stream to do VA/IDS reliably
> without
> an active scan though and would claim this is not as
> serious of a problem.
>
> [*] Security Convergence
>
> When I worked for Enterasys, we had customers who
> would
> have died for a device that did IDS, VPN, firewall,
> SSL
> acceleration, virus, VOIP, conent filtering etc. all
> in
> one box at a cheap  price. The closest thing I've
> seen
> to this is Fortinet. I can't say it's NIDS is as
> good
> as Snort, ISS or whatever, but I can say if I had to
> deploy several hundred of these things all over the
> world, I'd rather go with one device than deploy
> several
> hundred of each type of network  device.
>
> For big gateways, I want a sophisticated firewall
> and
> IDS watching over things, but most people don't have
> the
> resources to take that same technology and deploy it
> throughout their infrastructure.
>
> [*] Application Proxies
>
> I agree with you that many folks are tired of slow
> firewalls
> with application proxies, but I don't agree that
> this has
> to be done in software. There are plenty of hardware
> based
> app proxies being sold right now.
>
> [*] Security Blades
>
> I agree it's easier to re-deploy software than to
> re-deploy
> new ASICs, however, there is a LOT of resistance to
> put anything
> with a hard drive, fan or other moving part into an
> important
> router or switch. I really don't want my routers
> running SQL,
> Apache, IIS, etc.
>
> [*] Foundation Engine
>
> Yep. If someone takes firewall code, and bolts on
> some pattern
> matching, they don't have an enterprise-class IDS.
> On the other
> hand, I like that my $35 Dlink WAP will do content
> filtering
> and alert me for basic port scans. If someone does
> design a
> security platform from scratch though and they use
> ASICs, they
> can get around a lot of these issues.
>
> [*] Security Flaws
>
> You are right that both ASIC based and software
> based solutions
> can have security flaws, but its much more likely
> that a software
> solution which relies on SQL, IIS, Apache, etc. will
> get hit than
> an ASIC with some sort of proprietary management
> scheme. I think
> the ASIC vendors (Intruvert, Fortinet, etc.) have a
> valid point
> when they claim that most IDS boxes are typically
> some of the
> *worse* maintained security devices on the network.
>
> [*] Performance
>
> I have a hard time with some of your arguments,
> mostly because
> I think that performance has nothing to do with the
> relevancy of
> ASICs vs. software. If you put software on fast
> chips, it may
> run faster.
>
> Of course in any particular test, with any
> particular build,
> some NIDS will see things, and some NIDS wont. To
> pick that
> NetScreen was dropping some packets, and that ISS
> was working
> well at 1 G/b is misleading. I've spent a lot of
> time with
> different NIDS since I left Enterasys, and all of
> these guys
> do things very different and have many different
> strengths and
> weaknesses. Each NIDS engineering team always feels
> that the
> test didn't show their best features and
> performance.
>
> One thing I do belive though is that the race to get
> to 1 Gb
> performance for a NIDS was the wrong race. The
> industry should
> have been building integrated and cheap T1, DSL and
> T3 devices.
>
> [*] Manufacturing Costs
>
> I strongly disagree here. If this were the case, all
> of the
> routers and switches would be running on NT dell
> servers.
>
> -----
>
> Good paper. Obviously I disagree with some of what
> you say, but
> I think that anyone participating in the buying
> cycle of an
> ASIC based vs. software based NIDS or integrated
> security device
> should read it.
>
> Ron Gula, CTO
> Tenable Network Security
> http://www.tenablesecurity.com
=== message truncated ===


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, 
VA; the world’s premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symanetc is the Diamond sponsor.  Early-bird registration ends September 6 Visit: www.blackhat.com
---------------------------------------------------------------------------