Cisco 2811 and Intrusion Prevention Service

  • Thread starter Deleted member 174149

Deleted member 174149

I haven't really deployed IPS in any kind of business environment before, just controlled testing environments for my Cisco Academy curriculum.

A client has asked me to implement this service if possible. I'm familiar with the setup process and, as I said, I've done this in test environments before, but after setting up and turning on the service I found it knocks a full 3-4 Mbps off their internet connection speeds.

I was a little astounded by this. Of course, I expected a performance hit because it'll inspect every packet, but even so, using the 128MB .sdf file, 4 Mbps seems like a heck of a big performance hit for a signature inspection engine on a Cisco 2811.

Should I have expected this? Is there something I can do to mitigate the performance hit?

Thanks in advance.
 

jlazzaro

What type of WAN circuit, and what else is this router doing? QoS, ACLs, CBAC, etc.? I haven't had the need to run IPS on an ISR, but that figure sounds about right...
 

Tarrant64

Do you have the option of running it in different modes? I know there are different kinds of setups you can do. One where you inspect every packet before anything gets through. There is also a mode (perhaps called "passive", I think) where it captures a decent amount of packets before they go through and looks for any signs of an attack and THEN takes action (or rather notifies you of the problem). This helps reduce the impact on overall network performance.

I may be thinking more towards Intrusion 'Detection' Systems though (IDS). I really need to find my class notes... I have a ton of stuff on security.
 

Deleted member 174149

Originally posted by: jlazzaro
What type of WAN circuit, and what else is this router doing? QoS, ACLs, CBAC, etc.? I haven't had the need to run IPS on an ISR, but that figure sounds about right...

It's a 10 Mbps symmetrical fiber connection.

The router isn't doing much - the firewall is inspecting packets, but that is partly why I find this confusing. With a bare router configuration - nothing but an IP address on the interface and a default route - I get about 10.8-11.3 Mbps both directions. With the firewall inspecting packets, I get about 10.6-11.1 Mbps. Then, when I turn on IPS, it plummets to 6.5-7 Mbps.

Tarrant, I'm not aware of multiple ways to configure IPS - my notes on the subject don't reveal anything like that (though for IDS you can do that). IPS can't work like that because it's actually standing between the sender and the receiver.

Still, though, I'm surprised at knocking 40% of the bandwidth off.
 

Deleted member 174149

Ahh, never mind, I'm an idiot. I went and reviewed my configuration a little more carefully (for about the tenth time; amazing what stands out when you take a break for a couple of hours) and I was inspecting both inbound and outbound. Switching it to simple inbound gives me far more normal bandwidth numbers.
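For readers who want to see what the fix above looks like in IOS IPS (SDF-based) configuration, here is an added example; it is not the poster's configuration. The rule name IOSIPS, the signature file path flash:128MB.sdf and the WAN interface FastEthernet0/0 are assumptions.

```cisco
! Added example, not from the thread. Assumed: rule name IOSIPS,
! signature file flash:128MB.sdf, WAN-facing interface FastEthernet0/0.
ip ips sdf location flash:128MB.sdf
ip ips notify log
ip ips name IOSIPS
!
! Heavy variant (what the poster had): every packet through the WAN
! interface is run against the signature set twice, once on entry and
! once on exit, which roughly doubles the inspection load.
interface FastEthernet0/0
 ip ips IOSIPS in
 ip ips IOSIPS out
!
! Lighter variant (what the poster switched to): inspect only traffic
! arriving from the Internet on the WAN interface.
interface FastEthernet0/0
 no ip ips IOSIPS out
 ip ips IOSIPS in
!
! Verify which interfaces and directions the rule is bound to.
! show ip ips interfaces
! show ip ips configuration
```

Keep in mind that inbound-only on the WAN side means traffic leaving the LAN is no longer checked against the signature set, so a compromised internal host would only be caught by the reply traffic; `show ip ips interfaces` confirms the directions actually applied.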