Dennis Cox, CTO – BreakingPoint
Title: Insiders View: Network Security Devices
Quick reminder: BreakingPoint is where HD Moore resides.
Let me see if I can get Dennis’s history right: Used to be with Cisco, then at some point ended up at Intruvert, and now BreakingPoint. Right or wrong, the dude is smart, this presentation was honest, and he almost speaks as fast as HD. Must be that overclocking of the grey matter.
The summary of this talk comes down to the topic of facts versus “facts*”.
Similar to Renaud’s talk today, this covers much of the same ground. Vendors, and I am not talking about just security vendors, have always stretched the facts. They get caught in an argument where they claim that their competitors are doing it so they have to do it too. Again, the reason why it is so out of whack is because the consumer is not educated enough to know any better.
He pointed out that there are some useful questions to ask.
Mechanical design? It could be just a Dell server.
Who runs their Hardware Team? No one?
What do they have running in Silicon? Nothing?
Vendors OEM a lot of components and these components have upper boundaries that are just impossible to overcome. When you know the real facts of these components, you do the math, and the throughput number you come up with is significantly lower than what the vendor has claimed, beware!
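As an added illustration of “doing the math” (this is not code from the talk or from BreakingPoint), the script below takes constructed component figures for a commodity dual-NIC box, works out the tightest ceiling on forwarded throughput at a given frame size, and checks a claimed figure against it. The board numbers are invented for the example; the only figure taken from this page is the 4.4 Gbps claim used as the value to test.

```python
"""Added example: sanity-check a vendor throughput claim against the hard
ceilings of the off-the-shelf parts inside the box.  All component figures
below are constructed, not measurements of any product named on the page."""
from dataclasses import dataclass

ETHERNET_OVERHEAD = 20   # preamble (8) + inter-frame gap (12), bytes per frame


@dataclass
class BoardSpec:
    nic_count: int           # ports on the OEM NIC(s)
    nic_gbps: float          # line rate per port
    bus_gbps: float          # host bus bandwidth (PCI/PCI-X/PCIe)
    memcpy_gbps: float       # sustainable memory-copy bandwidth
    copies_per_packet: int   # copies each packet makes on its way through
    max_pps: float           # packets/s the driver + inspection path can sustain


def ceilings_gbps(spec: BoardSpec, frame_bytes: int) -> dict:
    """Per-component ceilings on forwarded throughput at one frame size."""
    payload_frac = frame_bytes / (frame_bytes + ETHERNET_OVERHEAD)
    return {
        # every port can only receive at line rate, minus framing overhead
        "wire": spec.nic_count * spec.nic_gbps * payload_frac,
        # each forwarded byte crosses the bus twice: NIC -> RAM -> NIC
        "bus": spec.bus_gbps / 2,
        # each extra copy burns memory bandwidth
        "memcpy": spec.memcpy_gbps / spec.copies_per_packet,
        # small frames turn a packets-per-second limit into a very low bit rate
        "pps": spec.max_pps * frame_bytes * 8 / 1e9,
    }


def check_claim(spec: BoardSpec, claimed_gbps: float, frame_bytes: int) -> dict:
    """Compare a marketing number with the tightest component ceiling."""
    limits = ceilings_gbps(spec, frame_bytes)
    bottleneck = min(limits, key=limits.get)
    ceiling = limits[bottleneck]
    return {"frame_bytes": frame_bytes, "ceiling_gbps": round(ceiling, 3),
            "bottleneck": bottleneck, "credible": claimed_gbps <= ceiling}


# Constructed spec: dual-port gigabit NIC on a commodity server board.
SAMPLE_BOARD = BoardSpec(nic_count=2, nic_gbps=1.0, bus_gbps=8.5,
                         memcpy_gbps=12.0, copies_per_packet=2, max_pps=600_000)

if __name__ == "__main__":
    for size in (64, 512, 1518):   # RFC 2544 style frame sizes
        print(check_claim(SAMPLE_BOARD, claimed_gbps=4.4, frame_bytes=size))
```

Run it with the vendor's own claimed frame size as well as 64-byte frames; a claim that only holds at the largest frame size is the usual “fact*”.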
TIP: If you find A0 as the prefix on any silicon on the board, beware, because it is fresh off the press and full of defects that are not yet known.
His Analysis:
He gave an example of the G1000 ISS Appliance:
G1000 has two Ethernet cards of known origin and is a repackaged Dell.
ISS has no hardware team, and the numbers they claim for throughput don’t match up to what you would get out of a common Dell box. These are his claims, but it is hard to argue given the evidence.
He gave a detailed Netscreen IPS example and the figures were pathetic. How can these marketing claims be so far off from what can be derived via a scientific method? Are consumers that misinformed?
He then gave a TopLayer IPS example.
They claim 4.4 Gbps of raw firewall throughput…
By this time you can guess what his findings were.
He gave some very wise words that could have only come from someone experienced in the science of building network devices:
Somewhere in every device, the box trusts the packet in some way. Find that location and abuse it. Find out which process trusts you, then lie?
My Final Comments
-------------------
Well, I guess for human and machine alike, what does not kill you makes you stronger!
Back in the day when nCircle had a Traffic Monitor, in our research and design we were educated on the limitations of these off-the-shelf cards: driver design, memory copy tricks, deadlocks, livelocks, bus limits, all that good stuff. In fact, some of the best work in this area of off-the-shelf limitations and design was in an MIT project called The Click Modular Router.
Brilliant work! http://pdos.csail.mit.edu/click/
It all comes down to ‘Buyer Beware!’ Know what you want and don’t be afraid to test for what you want.
BreakingPoint is just oozing with talent. I can’t wait to see more from that company.
--tk