Does anyone know if Snort or Suricata are capable of handling full 10Gbps? (14,204,545 PPS)
Not Snort/Suricata, but here's how to do 100G with Bro
No clue if a similar method would work for Snort/Suricata
I'd want to be able to deny packets and rate-limit. I don't think BRO is able to do those things.
The idea with Bro is that you do all of that with other hardware.
IDS vs IPS...
It's technically Snort, but Cisco's Firepower 4100 and 9300 series start around 10Gbps and go up to 133Gbps according to their docs.
Architecture of the box doesn’t punt traffic to the snort engine unless you have rules in place.
Not sure if those numbers are with rules enabled or not.
The quality of Firepower (formerly Sourcefire) has taken a dramatic dive since Cisco purchased them. I’ve spent the last four years in various stages of hell because of it.
Do not recommend.
I've worked with both for the last 5 years and I have little to no grief with Firepower and was an early adopter (version 5.3; I agree that 5.3-5.4 kinda sucked). I've run mostly ASA with Firepower services, but switched over to Firepower Threat Defence and am really happy with it. I'm a security over connectivity guy, so I can understand that if you are a connectivity over security guy you could be unhappy :)
Firepower 2100 series is spec'd to do 8+ Gig/s with all the bells and whistles activated. Haven't tested it to verify. But Cisco has a track record of reporting the specs lower than real life experience.
Yes, they have gotten better since the acquisition of Sourcefire, it just took them awhile. Can't wait to see what 6.3 holds for Firepower
At Cisco Live in Barcelona they told me multiple context mode would come in 6.3; that will be awesome for MSPs. I know I've been waiting on that particular feature.
Nah, I'm a security guy.
We've had issues with every single release since Cisco took over. In fact, at one point our office had identified enough bugs that we had more tickets open than any other Cisco Firepower customer.
Hell, we ran on loaner hardware using a previous version for the first 9 months we had the thing while they identified a bug in the version they shipped us.
To be fair, we're sending between 4 and 20Gbps of traffic in both directions, but our hardware stack is supposed to be able to handle that without issue. I don't think it's a hardware problem. The software QA has just been poor since Cisco took over.
Maybe with an FPGA.
By FPGA, do you mean one of those NICs designed specifically for packet capture? Or would you have to get an actual custom built NIC for this?
It's not the NIC that needs to be able to do this, it's the CPU, and I don't think there is much out there that will get you there. I've seen an internet-facing firewall chew up ~80% of 8 cores moving 1.2-1.4Gb/s of internet traffic, and that wasn't even scanning it all.
Actually the NIC can make a huge difference. Just handling that many packets can really stress a system. x86_64 Linux is a general purpose network stack and isn't designed to process packets efficiently at this volume. In fact, it seems to start to come apart around 4Gbps. This is why vendors have FPGA NICs (Napatech/CSPI). You can also use something called a "zero copy" driver like PF_RING ZC, netmap, or Intel DPDK to deal with this. As I understand it, this essentially puts the packet directly into memory without the processor having to copy it twice. This frees up a ton of CPU to do analysis.
It's common for traffic shapers to require DPDK.
These are great papers. Even with the first SEPTUN you can hit 10Gbps on a single NIC.
I am not trying to be off-topic but I feel this is relevant to your question. I have dealt with traffic up to 50gig throughput for monitoring. In our case, we relied heavily on a Gigamon GigaVUE-HC3 to perform deduplication, load balancing, and packet filtering.
When you want to inspect a significant amount of traffic it becomes a matter of scale and managing that traffic intelligently. By cutting down the actual inspection throughput requirements you can save a substantial expense in your security stack. Once you pass the 10gig mark, you will find that the cost per gig for monitoring traffic explodes. By utilizing something like a Gigamon or similar appliance you save the cost of the tool by being able to purchase inspection tools that are considerably less expensive for a smaller amount of throughput. It also opens the door to tools that typically wouldn't be able to handle such a significant amount of traffic.
So the question "can Snort handle 10gig" becomes "can it handle 1gig-5gig" due to the massive reduction in throughput requirements; or, with a similar tool that supports clustering, you can load balance the traffic across multiple links and clusters.
What’s the pricing like for gigavue/secure?
10Gbps snorting is real life; all you need is the PF_RING DAQ.
Is it any good?
Is there anything better?
PF_RING ZC and a qualifying NIC.
OP here. Just to clarify, I want it to act as an IPS, not an IDS. I don't plan on having it run thousands of rules either. Probably a maximum of 25-50.
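A sizing calculation that ties together the PPS figure in the question, the CPU-per-packet point raised above, and the packet-broker fan-out approach, as an added example that is not from the thread; the 8-core/3 GHz box and the 2.5 Gbps per-sensor rating are constructed assumptions, and perfect RSS/zero-copy balancing across cores is assumed.

```python
import math

# Added sizing example (not from the thread). Ethernet puts 20 bytes of
# preamble + inter-frame gap around every frame; the 64-byte minimum frame
# already includes the 4-byte FCS.
WIRE_OVERHEAD_BYTES = 20


def packets_per_second(link_bps: float, frame_bytes: int,
                       overhead: int = WIRE_OVERHEAD_BYTES) -> float:
    """Packets per second a link carries when every frame is frame_bytes long."""
    return link_bps / ((frame_bytes + overhead) * 8)


def cycles_per_packet(pps: float, cores: int, clock_hz: float) -> float:
    """CPU cycles each packet may consume, assuming packets are spread
    perfectly evenly over `cores` by RSS / a zero-copy driver (ideal case)."""
    return cores * clock_hz / pps


def sensors_needed(link_bps: float, per_sensor_bps: float) -> int:
    """How many smaller inspection boxes a packet broker must fan a link out
    to when each box is rated for per_sensor_bps (before dedup/filter savings)."""
    return math.ceil(link_bps / per_sensor_bps)


def budget_report(link_bps: float, cores: int, clock_hz: float) -> dict:
    """Cycle budget per packet for the worst case (minimum frames) and a
    friendlier case (1518-byte frames) on a single box."""
    return {
        label: {
            "pps": round(packets_per_second(link_bps, size)),
            "cycles_per_packet": round(cycles_per_packet(
                packets_per_second(link_bps, size), cores, clock_hz)),
        }
        for label, size in (("min_64B", 64), ("max_1518B", 1518))
    }


if __name__ == "__main__":
    # The question's 14,204,545 PPS is 10 Gbps at 88 bytes per frame on the
    # wire (64 B + 24 B overhead); the usual 84-byte figure gives 14.88 Mpps.
    print(round(packets_per_second(10e9, 64, 24)))  # 14204545
    print(round(packets_per_second(10e9, 64)))      # 14880952
    # Constructed box: 8 cores at 3 GHz (an assumption, not a measured system).
    print(budget_report(10e9, cores=8, clock_hz=3.0e9))
    # Broker splits 10 Gbps across boxes rated for 2.5 Gbps each (assumption).
    print(sensors_needed(10e9, 2.5e9))              # 4
```

The worst-case row is the one that matters for an inline IPS: at minimum frame size a single 10G link leaves roughly 1.6k cycles per packet across 8 cores before any rule matching runs, which is why the thread's advice is to cut the inspected volume with a broker or move packet handling off the kernel stack.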