Cisco Support Community

New Member

What is performance impact when running Intrusion Detection

We have C2620s running IDS on two interfaces concurrently (a 10BaseT and a 100BaseT Ethernet interface). What I am wondering is: what is the performance impact likely to be, as the C2620 is towards the lower end of the power/PPS scale?

I understand there is no 'hard' answer for this, but I would like a 'feel' for the sort of performance impact IDS will impose on the router.

Also, does IDS inspect EVERY packet on each enabled interface, or a 'few' packets in EVERY session flow? My reading indicates it is EVERY packet which is why I am a little concerned that the people who put this design/config together haven't considered possible performance/memory impact issues on the (smallish) C2620 router when under load.

Additional info: the routers are also running inbound CBAC inspection and ACLs on two interfaces. At present the routers are not pumping much traffic; however, with a 10M uplink to the network it won't be long before the users realise that they have bandwidth and try to use it.

thanks tony

5 REPLIES
Cisco Employee

Re: What is performance impact when running Intrusion Detection

The performance impact of intrusion detection depends on the number of signatures enabled, the level of traffic on the router, the router platform, and other individual features enabled on the router such as encryption, source route bridging, and so on. Because this router is being used as a security device, no packet will be allowed to bypass the security mechanisms. The IDS process in the Cisco IOS Firewall router sits directly in the packet path and thus will search each packet for signature matches. In some cases, the entire packet will need to be searched, and state information and even application state and awareness must be maintained by the router.

With CBAC, ACLs and IDS, I would say you are maxing out. You might want to consider distributing the IDS functionality elsewhere. Why don't you consider a standalone hardware IDS device like Cisco IDS, or even Snort on a Unix box? You will not only relieve the router but also gain heaps of other features like shunning and TCP reset, plus far more signatures than on the router.

(Note: IDS on a router only inspects for 51 of the most common attack signatures; you cannot add any string/custom signatures either.)

HTH

R/Yusuf

New Member

Re: What is performance impact when running Intrusion Detection

R/Yusuf,

thanks for your response. I've read the first para of your reply on CCO, in fact this is what made me start to consider/worry about the actual design/perf etc.

As for your second paragraph, where you state "you might want to consider distributing the IDS...", this is the crux of my whole question, i.e. at what stage do you consider distributing the IDS to a hardware box? Obviously the 2600s will run IDS and CBAC etc.; however, at what point do you say "no, that's too much load/performance impact, I'll need a hardware IDS module"?

I've actually been considering a design change where, as you say, we move the IDS to a gruntier/hardware box; however, without understanding the impact IDS has on the 2600s I have no facts to support the plan. I'm sure the Cisco dev engineers, when building the IOS IDS code, must have performed some sort of load/performance testing on the IDS functionality. All I'm after is a guide to the sort of level of traffic/load the 2600 can handle before dying an unnatural death.

Thanks again for your reply. I'd appreciate any more info you may be able to dig up.

rgds tonyb

Cisco Employee

Re: What is performance impact when running Intrusion Detection

Tony,

Once again, I do not have any statistical info to support a verdict. You might be right, there has to be some stress figures which have been tested as far as performance is concerned, unfortunately, I do not have them.

The best I can suggest is that you contact your Cisco sales rep, your Cisco SE or your account team; they could dig out some figures and reports for you.

my 2 cents.

R/Yusuf

New Member

Re: What is performance impact when running Intrusion Detection

R/Yusuf,

thanks for trying anyway. I've actually tried my local SE contacts and also a couple of my 'informal' Cisco contacts who were also unable to help.

Maybe you could shoot my question on to the IDS dev team or product manager, or at least forward me their email address(es) so I can take it up directly with the gurus. If you don't want to broadcast these details you can reply directly to me at: Tony.Budge@eddept.wa.edu.au

Thanks again, tony

Cisco Employee

Re: What is performance impact when running Intrusion Detection

Tony, you may want to open a TAC case if you wish to pursue this with the developers. There is no email address(es) I can provide you with; the best way to contact the devs is through the TAC.

R/Yusuf
