This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
You can't afford to get IPS performance wrong, but testing is problematic. As IPSes move further up the network stack, their performance becomes highly data-dependent. By comparison, it's easy to measure performance for switches, routers and standard firewalls, because metrics such as connection rate, maximum simultaneous connection count and goodput are commonly understood and universally accepted.
The greatest differentiator in performance is not the IPS itself, but how it is configured. The performance of signature-based IPS products varies hugely based on the number of signatures and protocols enabled for detection. For example, an IPS may have hundreds of signatures covering HTTP. If half of those signatures are disabled (perhaps because they are IIS signatures and Apache is being used on your network), performance on HTTP traffic can be affected.
Your traffic may also cause variations. For example, moving files around a network with Windows file sharing might not slow down the IPS very much because there aren't many IPS signatures for Windows file traffic. If you moved the exact same files using HTTP, you would see very different performance characteristics.
IPSes will also behave differently depending on the mix of attack traffic and benign traffic. In our testing, we found that attack traffic has a disproportionate impact on IPS performance compared to "clean" traffic. Even small amounts of attack traffic can impact performance,
If you intend to put an IPS out near the perimeter of your network, you will see more attacks, and thus greater variation in system performance. The worst performance case would be to put an IPS outside the network firewall, fully exposed to the Internet. This provides the curious security staffer with gigabytes of interesting data, but results in slower and generally unpredictable performance because of the variation in type and volume of Internet-sourced attacks.
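The argument above (inspection cost tracks the number of signatures enabled for a protocol, and attack traffic costs more than clean traffic) can be made concrete with a small model. The following is an added example, not code from the article or from any IPS product: it is a toy signature-matching engine with constructed signature names, patterns and cost weights, which counts "work units" per packet so that two configurations or two traffic mixes can be compared before any real benchmark is run.

```python
"""Toy model of a signature-based IPS inspection pipeline.

Constructed example (not a real IPS): a naive matcher counts the work
needed to inspect a traffic mix, so that the effect of (a) which
signatures are enabled and (b) the share of attack traffic can be
compared.  Signature names, patterns and costs are all made up.
"""
from dataclasses import dataclass
from typing import Iterable, List, Dict

@dataclass(frozen=True)
class Signature:
    name: str       # hypothetical name, not a vendor signature id
    protocol: str   # protocol decoder the signature hangs off ("http", "smb")
    pattern: bytes  # constructed marker, not a real exploit string
    platform: str   # software the signature is relevant to ("iis", "apache", "any")

@dataclass(frozen=True)
class Packet:
    protocol: str
    payload: bytes

# Constructed signature set: many HTTP signatures, few for file sharing,
# mirroring the article's point about HTTP versus Windows file traffic.
SIGNATURES: List[Signature] = [
    Signature("http-iis-marker-1", "http", b"MARKER-IIS-1", "iis"),
    Signature("http-iis-marker-2", "http", b"MARKER-IIS-2", "iis"),
    Signature("http-apache-marker", "http", b"MARKER-APACHE", "apache"),
    Signature("http-generic-marker", "http", b"MARKER-HTTP-ANY", "any"),
    Signature("smb-generic-marker", "smb", b"MARKER-SMB-ANY", "any"),
]

# Constructed cost: a match triggers alert logging, blocking state and
# so on, which is far more expensive than one pattern comparison.
ALERT_COST = 20

def enabled_signatures(sigs: Iterable[Signature],
                       disabled_platforms: frozenset = frozenset()) -> List[Signature]:
    """Return the signatures left on after disabling whole platforms
    (e.g. turning off IIS signatures on an Apache-only network)."""
    return [s for s in sigs if s.platform not in disabled_platforms]

def inspect_packet(pkt: Packet, sigs: Iterable[Signature]) -> int:
    """Work units to inspect one packet: one unit per signature that applies
    to the packet's protocol, plus ALERT_COST for every signature that fires."""
    work = 0
    for sig in sigs:
        if sig.protocol != pkt.protocol:
            continue  # the protocol decoder routes the packet only to relevant signatures
        work += 1  # one pattern comparison
        if sig.pattern in pkt.payload:
            work += ALERT_COST
    return work

def cost_of_mix(packets: Iterable[Packet], sigs: Iterable[Signature]) -> int:
    """Total work units for a whole traffic mix under one configuration."""
    sigs = list(sigs)
    return sum(inspect_packet(p, sigs) for p in packets)

def build_mix(protocol: str, n_packets: int, attack_fraction: float) -> List[Packet]:
    """Constructed traffic: the first attack_fraction of packets carry the
    generic marker for that protocol, the rest are clean payloads."""
    benign = {"http": b"GET /index.html HTTP/1.1", "smb": b"SMB file data block"}[protocol]
    marker = {"http": b"MARKER-HTTP-ANY", "smb": b"MARKER-SMB-ANY"}[protocol]
    n_attack = int(n_packets * attack_fraction)
    return ([Packet(protocol, benign + b" " + marker)] * n_attack
            + [Packet(protocol, benign)] * (n_packets - n_attack))

def compare_scenarios() -> Dict[str, int]:
    """Run the three comparisons the article describes and return the costs."""
    all_sigs = enabled_signatures(SIGNATURES)
    no_iis = enabled_signatures(SIGNATURES, frozenset({"iis"}))
    return {
        "http_clean_all_sigs": cost_of_mix(build_mix("http", 100, 0.0), all_sigs),
        "http_clean_iis_off": cost_of_mix(build_mix("http", 100, 0.0), no_iis),
        "smb_clean_all_sigs": cost_of_mix(build_mix("smb", 100, 0.0), all_sigs),
        "http_10pct_attack": cost_of_mix(build_mix("http", 100, 0.10), all_sigs),
    }

if __name__ == "__main__":
    for name, cost in compare_scenarios().items():
        print(f"{name:22s} {cost:5d} work units")
```

With these constructed weights, 100 clean HTTP packets cost 400 units with every signature on and 200 with the IIS signatures off; the same 100 packets sent as file-sharing traffic cost 100, because only one signature applies; and a mix with just 10% attack packets costs 600, half again as much as the clean mix, which is the "disproportionate impact" the article reports. The absolute numbers mean nothing outside the model; the point is that any realistic benchmark has to fix the enabled signature set and the attack share before its throughput figure can be compared with anything.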
This was first published in February 2007