Note: Since the writing of the document we have found that the performance of the sensor is worse when only one side of the connections is seen. The sensor attempts to keep state but is unable to because no data is seen from the server. So when seeing both sides of the connection, the sensor may be able to keep up with 120 Mbps, give or take. But it cannot necessarily see 120 Mbps of traffic going in one direction.
Why? Generally, fewer connections are required to fill 120 Mbps where both sides are monitored than to fill 120 Mbps where only one side is monitored. Usually web requests are fairly small while web replies are fairly large. So if you remove the web replies, it takes many more web requests (5-10 times as many in some cases) to fill the bandwidth back up to 120 Mbps. The sensor cannot keep up with that many web requests. Your performance is therefore likely to be much less than 100 Mbps if the majority of the traffic is small web requests. This is mainly because of the many stream states it has to track and the amount of regular expression checking, since most of our sigs are for web servers.
When deploying, pay special attention to the 993 sigs. They will tell you when the IDSM has been saturated with packets and you have to filter down what you send to it.