There's a persistent conflict with hardware and software gigabit-speed intrusion detection systems (IDSs): they can't slog through IP traffic quickly enough to provide protection on networks running at gigabit speed. So are these IDS vendors really delivering at the gigabit level?
The heart of the issue is packet processing. IDSs running at extremely high speeds tend to drop packets once they reach maximum processing capacity, and any attack carried in a dropped packet goes unseen. As a result, your system is vulnerable to attacks. But speed is important, because the faster your IDS can thoroughly monitor network traffic, the safer your system will be.
Several vendors at N+I say their products are capable of preventing intrusions at gigabit and, in some cases, multi-gigabit speeds. IntruVert will be pushing the envelope this summer when it releases its IntruShield 4000 sensor appliance, which is capable of real-time detection at up to two gigabits. IntruVert VP of Marketing Raj Dhingra says the appliance's speed is ten times the packet-processing capability of today's high-speed firewalls, and believes that few vendors actually hit gigabit speed with their IDS products.
Others beg to differ on that last point. Though not a hardware appliance, Recourse Technologies' latest version of its Manhunt software provides multi-gigabit traffic monitoring. Product Manager Bryan Cameron says Manhunt 2.1 meets its gigabit goal because it combines flow-based processing with analysis to identify malicious traffic within specific states in a protocol. Cameron also points out that lab testing company Miercom has reported that Manhunt detected 100 percent of the vulnerabilities in tests on a gigabit network.
Georgia-based Lancope also touts the flow-based architecture in its StealthWatch IDS appliance, which has been available since last August. Director of Channel Sales Dan Tomassi says that in order to get a complete picture of what's happening on an IP-based data network, StealthWatch partitions the individual data packets into groups, or "flows," that represent communication transactions between two hosts associated with a single "service." (A service is something such as an e-mail program that would access a mail server.) By not having to search through strings of signature data for every packet, StealthWatch's engine can analyze network traffic at bandwidths of up to one gigabit.
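To make the flow-based idea concrete, here is an added example (not code from the article, nor from Lancope, Recourse or IntruVert) that groups packet records into bidirectional flows keyed by client host, server host, protocol and service port, then derives a per-client statistic from the flow table without ever inspecting payload. The packet records are constructed for the example, and the rule that the lower-numbered port is the service port is an assumption of this example, not something the article states.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    length: int


@dataclass
class Flow:
    """One communication transaction between two hosts for a single service."""
    client: str
    server: str
    proto: str
    service_port: int
    packets: int = 0
    bytes_c2s: int = 0   # bytes client -> server
    bytes_s2c: int = 0   # bytes server -> client
    first_ts: float = 0.0
    last_ts: float = 0.0


FlowKey = Tuple[str, str, str, int]  # (client, server, proto, service_port)


def flow_key(pkt: Packet) -> Tuple[FlowKey, bool]:
    """Map a packet to its bidirectional flow key.

    Assumption (this example's heuristic, not the article's): the lower-numbered
    port is the service port and the host listening on it is the server.
    Returns (key, is_client_to_server).
    """
    if pkt.dport <= pkt.sport:
        return (pkt.src, pkt.dst, pkt.proto, pkt.dport), True
    return (pkt.dst, pkt.src, pkt.proto, pkt.sport), False


def build_flows(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Aggregate packets into flows; both directions land in the same Flow."""
    flows: Dict[FlowKey, Flow] = {}
    for pkt in packets:
        key, c2s = flow_key(pkt)
        flow = flows.get(key)
        if flow is None:
            flow = Flow(client=key[0], server=key[1], proto=key[2],
                        service_port=key[3], first_ts=pkt.ts, last_ts=pkt.ts)
            flows[key] = flow
        flow.packets += 1
        flow.last_ts = max(flow.last_ts, pkt.ts)
        if c2s:
            flow.bytes_c2s += pkt.length
        else:
            flow.bytes_s2c += pkt.length
    return flows


def services_per_client(flows: Dict[FlowKey, Flow]) -> Dict[str, int]:
    """Distinct (server, proto, port) services each client touched.

    This is computed from the flow table alone: a whole-network view that needs
    no per-packet signature search, which is the point of the flow-based design.
    """
    seen = defaultdict(set)
    for f in flows.values():
        seen[f.client].add((f.server, f.proto, f.service_port))
    return {client: len(services) for client, services in seen.items()}


# Constructed sample traffic: one SMTP exchange and two short web transactions.
SAMPLE_PACKETS = [
    Packet(1.0, "10.0.0.5", "10.0.0.10", "tcp", 40000, 25, 60),
    Packet(1.1, "10.0.0.10", "10.0.0.5", "tcp", 25, 40000, 80),
    Packet(1.2, "10.0.0.5", "10.0.0.10", "tcp", 40000, 25, 500),
    Packet(2.0, "10.0.0.6", "10.0.0.10", "tcp", 51000, 80, 120),
    Packet(2.1, "10.0.0.10", "10.0.0.6", "tcp", 80, 51000, 1400),
    Packet(2.5, "10.0.0.6", "10.0.0.10", "tcp", 51001, 443, 100),
]


if __name__ == "__main__":
    table = build_flows(SAMPLE_PACKETS)
    for key, f in table.items():
        print(key, f.packets, "pkts", f.bytes_c2s, "c2s", f.bytes_s2c, "s2c")
    print(services_per_client(table))
```

Because the key ignores the client's ephemeral port, repeated connections from one host to the same service merge into a single flow record, matching the article's description of a flow as a host pair plus a service; per-connection keys would need the client port added to the tuple.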
You can expect vendors to continue duking it out in the high-speed IDS product category. And they'll continue to refine the technology to develop even better ways of keeping your network traffic safe. But IDSs are still relatively young, and new attack methods are cropping up all the time. It may take a while before high-speed monitoring and coverage of those new attacks can be reconciled reliably and flawlessly in an enterprise environment.