IPS for 10GB

Unanswered Question
Mar 15th, 2010

Hi

I have a customer who wants an IPS that can support a full 10GB throughput. This is to go with a data center that will be Nexus 7000 based with 6500 service switches hung off it. Anyone know of a way of doing this with Cisco kit as I really don't want to have to go with a Juniper IDP 8200.

Thanks

Pat

Panos Kampanakis Tue, 03/16/2010 - 13:22

Cisco's IDS and IDSM blades do not support 10Gbps YET.

The best IDS has about half that speed.

The solution that I could suggest is considering having 2 IDSes in an EtherChannel and having them both inspect traffic.

That could scale well for atomic signatures.

I hope it helps a little.

PK
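The reply above suggests spreading the load across two sensors in an EtherChannel and notes that this scales well for atomic signatures. The check a practitioner would want before relying on that design for stateful signatures is whether the channel's load-balancing hash is direction-symmetric, so that both halves of a conversation reach the same sensor. The following is an added illustration by the editor, not code from this thread or from Cisco, and it does not model any particular switch's algorithm: the sensor count, the two hash functions and the packet sample are all constructed assumptions.

```python
"""
Added example (editor's illustration, not code from the thread or from Cisco):
why splitting a stream across two sensors works for atomic, single-packet
signatures but needs a direction-symmetric hash before stateful signatures
can be trusted. The sensor count, the two hash functions and the traffic
sample below are constructed assumptions.
"""
import ipaddress

# Constructed traffic: each tuple is (src_ip, dst_ip) for one packet.
# Two client/server exchanges, each with packets in both directions.
SAMPLE_PACKETS = [
    ("10.0.0.1", "192.168.1.10"),   # client 1 -> server
    ("192.168.1.10", "10.0.0.1"),   # server -> client 1
    ("10.0.0.1", "192.168.1.10"),
    ("10.0.0.2", "192.168.1.10"),   # client 2 -> server
    ("192.168.1.10", "10.0.0.2"),   # server -> client 2
]


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def hash_src_dst_ip(src: str, dst: str, sensors: int) -> int:
    """Symmetric hash: XOR is commutative, so A->B and B->A land on the
    same sensor. This is the property a stateful signature needs."""
    return (_ip_int(src) ^ _ip_int(dst)) % sensors


def hash_src_ip(src: str, dst: str, sensors: int) -> int:
    """Asymmetric hash on the source address only: each direction of a
    flow is hashed independently and may land on a different sensor."""
    return _ip_int(src) % sensors


def assign_flows(packets, hashfn, sensors: int):
    """Map each bidirectional flow (unordered address pair) to the set of
    sensors that received at least one of its packets."""
    seen = {}
    for src, dst in packets:
        flow = frozenset((src, dst))
        seen.setdefault(flow, set()).add(hashfn(src, dst, sensors))
    return seen


def split_flows(assignment):
    """Flows whose two directions were inspected by different sensors:
    harmless for atomic signatures, a blind spot for stateful ones."""
    return sorted(
        tuple(sorted(flow)) for flow, s in assignment.items() if len(s) > 1
    )


def sensor_load(packets, hashfn, sensors: int):
    """Packets per sensor, to confirm the split actually spreads the load."""
    load = [0] * sensors
    for src, dst in packets:
        load[hashfn(src, dst, sensors)] += 1
    return load


if __name__ == "__main__":
    for name, fn in (("src-dst-ip", hash_src_dst_ip), ("src-ip", hash_src_ip)):
        split = split_flows(assign_flows(SAMPLE_PACKETS, fn, 2))
        print(f"{name:10s} load={sensor_load(SAMPLE_PACKETS, fn, 2)} "
              f"split_flows={split}")
```

With the symmetric hash both exchanges stay on one sensor each and the load is still spread across the pair; with the source-only hash the first exchange is split, so a signature that has to see the request and the reply together would never fire on either sensor.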

Patrick Colbeck Tue, 03/16/2010 - 15:16

Thanks guys. Looks like I will have to go with the Juniper. At least MARS supports the Juniper so it's not a total loss on the Cisco front.

Panos Kampanakis Tue, 03/16/2010 - 17:14

The highest Cisco IDS is the 4570 that can do up to 4Gbps.

ASA with AIP has much less throughput.

Don't even consider an AIP for the throughput you need.

PK

bnidacoc Wed, 03/17/2010 - 12:07


I am interested in this as well.

pkampana, the OP brought up IPS. Is there a distinction among Cisco's products in the context of throughput operating as an IDS vs IPS, in that an IPS actively "denies" attackers/packets/connections which it calculates as harmful (via the Risk Rating formula)? I am not asking about the "Block" actions, only "Deny" actions.

I understand that the message is the AIP sensors cannot perform at the same rates as the appliances.  I would not be surprised at this.

Can one Cisco IPS appliance be inserted into ALL flows of data between ALL logical interfaces of a Cisco ASA, or would a firm need to purchase one Cisco IPS appliance for each logical interface, or would it only be able to operate as an IDS? If this particular design scenario is documented, I'm overlooking it.

Thanks.

Panos Kampanakis Wed, 03/17/2010 - 13:34

The AIP scans packets in the ASA's backplane, so it doesn't have to do with interface pairs.

The throughput it can do is not as high as 10Gbps. Not even close. Check the AIP-SSM model for specs.

I hope it helps.

PK

pjsutton1 Wed, 09/01/2010 - 06:34

We have been using the 4260's and 4270's but are now going to 10gb. Rather than etherchanneling enough 4270's to get to 10gb or waiting on the stability of the new Cisco 10gb sensors getting released soon, our need is now. So after extensive testing we have decided to go with McAfee M8000's where we need the 10GB line speed.
