Determining ideal IPS throughput for new implementation

What's the minimum throughput speed that a new IPS device should be capable of? I've read that at least one device was able to inspect and process traffic at a speed of 72 gigabits per second. Our RFP is officially for 3 to 5 years of use, but, realistically, we'll be aiming to use the hardware until at least the end of the decade.

The minimum IPS throughput depends on a few factors that only you can determine. Not every organization has the same bandwidth considerations, nor is the IPS placed in the same location within the architecture. Knowing your current bandwidth, how much you'll need to scale to meet future bandwidth needs and where you'll place the device on the network will help with scoping the proper model. IPS vendors offer multiple hardware models for different needs, so make sure you get the right fit for both now and the future.

Placement is the first item that you need to be aware of when installing an IPS. Where you deploy the device directly relates to the bandwidth that will be used. It's very common now to see people deploy IPSes behind the firewall and pick up anything that might have made its way through the first layer of defense. You can, of course, install the IPS in front of the firewall, but this will trigger multiple false positives since it will see everything on the Internet. This isn't a bad thing, but it does show you traffic that the firewall might have blocked. It will also require more processing power. Knowing where you want the IPS installed will give you a better idea of the bandwidth that it will need.

Once you know where you'll install the system, take a look at the current bandwidth and make sure that what you're purchasing will scale for the next couple of years. You'll need to get an idea of the current bandwidth traversing the location you want to monitor. Is this going to be on the outside of the network or on the LAN? Run utilization reports on the links to get a better idea of the throughput the IPS will have to inspect. Also, if you can, run reports back as far as possible and identify peak bandwidth consumption to account for future peak times. When an IPS is saturated, it either drops the excess traffic or passes it through unfiltered, and neither outcome is acceptable. Know your traffic patterns and size the device so that it can monitor all of your data.
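A worked sizing calculation for the approach above, as an added example that is not part of the original article: it takes link utilization samples, picks the 95th-percentile peak, grows it over the RFP horizon and selects the smallest capacity tier that still leaves headroom below saturation. The samples, growth rate, headroom factor and capacity tiers are constructed assumptions, not vendor figures.

```python
"""Sizing an IPS appliance from link utilization history.

Added example, not from the original article. The samples and the
capacity tiers are constructed; real link reports and vendor models
replace them in practice.
"""
from math import ceil

# Constructed 5-minute throughput samples (Gbps) on the monitored
# segment, e.g. the link just behind the firewall.
SAMPLES_GBPS = [2.1, 2.4, 3.0, 4.8, 5.2, 9.7, 3.3, 2.9, 6.1, 7.4,
                2.2, 2.0, 3.8, 4.1, 2.6, 5.9, 3.5, 2.8, 4.4, 3.1]

# Constructed appliance tiers (Gbps of inspected throughput).
TIERS_GBPS = [1, 5, 10, 20, 40, 72]


def percentile(samples, pct):
    """Nearest-rank percentile of `samples`; pct in (0, 100]."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def projected_peak(samples, years, growth, headroom=1.25, pct=95):
    """Peak load grown `years` at compound `growth`, times `headroom`.

    The 95th percentile ignores one-off spikes; headroom keeps the box
    below saturation, where it would drop or bypass traffic.
    """
    return percentile(samples, pct) * (1 + growth) ** years * headroom


def choose_tier(required_gbps, tiers=TIERS_GBPS):
    """Smallest tier covering the requirement, or None if none does."""
    for tier in sorted(tiers):
        if tier >= required_gbps:
            return tier
    return None


def size_ips(samples, years, growth, headroom=1.25, pct=95):
    required = projected_peak(samples, years, growth, headroom, pct)
    return {"required_gbps": round(required, 2), "tier_gbps": choose_tier(required)}


if __name__ == "__main__":
    print(size_ips(SAMPLES_GBPS, years=5, growth=0.20))  # 5-year RFP horizon
```

A `tier_gbps` of `None` means no tier on the list covers the projected peak, which is the case where an undersized device would start dropping or bypassing traffic.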

Lastly, just because an IPS can do 72 Gbps doesn't mean that it's better than the 10 Gbps appliance from the same product line; it's really up to your network. Within a product line, the only difference between appliances is the hardware: the detection logic and software are the same, but the hardware capacity is much higher. Determine what you need and don't buy a Cadillac when you can use a Toyota.

This was first published in March 2013

