Factors Affecting Network IPS Throughput

by Jack Walsh & David Koconis, ICSA Labs

Introduction
Following the successful completion of network IPS testing, ICSA Labs publishes the throughput that a device was able to sustain. When reflecting upon these reported throughput numbers, end users may question any differences between what ICSA Labs reports and what the vendor claims in its datasheet for the same product. Because there is likely to be a disparity between published throughputs for the same device, end users might be interested to learn what factors can affect the throughput achieved by a network IPS.

This white paper begins by isolating many of the factors that impact throughout. Additionally the paper explains what some vendors do to attempt to increase the throughput of their network IPS devices. The white paper concludes by explaining why there are differences between the throughput reported following ICSA Labs network IPS testing and the throughput published in vendor datasheets and what comparisons, if any, can be made between the two sources of throughput data.

The Applied Policy
Imagine a testing lab with two network IPS devices. Both devices are made by the same network IPS vendor. In fact both are the same model. One is configured to pass all traffic without any inspection. The other enables all possible server-side, client-side, evasion, DoS, and any other kind of vulnerability coverage protections. You can probably guess that the first device, which is simply configured to behave like a switch, is most likely to perform better. Even if the first device had half of all protection mechanisms enabled, it is still more likely to perform better.

The thought experiment above reveals that, for most network IPS devices, the policy being enforced – or the collective set of enabled protection mechanisms including any logging and alerting – impacts the maximum throughput the device can achieve. It’s also important to note that each individual vulnerability coverage protection mechanism is likely to require differing amounts of processing. For example, suppose the devices mentioned above have two completely different sets of 50 unique vulnerability coverage protections enabled. Chances are that the throughput for each device will differ even with the same mix of traffic.

Download the entire white paper below.

AttachmentSize
factorsaffectingnipsthroughput.pdf49.16 KB