I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?
Hi Tom,
On Thu, Mar 20, 2008 at 3:34 PM, Tom Yates madlists@teaparty.net wrote:
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
Not all iSCSI implementations support routing of iSCSI PDUs, so take that into account while choosing your IDS solution :)
Greets,
Nils
That's a very bad idea and is pointless. A good security implementation will put stuff like that in more outer layers.
Ask how the IDS devices will handle jumbo frames and ask if they can run at near 1Gb/s line-speeds. That's hard to do.
-----Original Message----- From: Nils Vogels [mailto:bacardicoke@gmail.com] Sent: Thursday, March 20, 2008 12:03 PM To: Tom Yates Cc: toasters@mathworks.com Subject: Re: Performance impact of in-lined firewalls/IDS
Hi Tom,
On Thu, Mar 20, 2008 at 3:34 PM, Tom Yates madlists@teaparty.net wrote:
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
Not all iSCSI implementations support routing of iSCSI PDUs, so take that into account while choosing your IDS solution :)
Greets,
Nils
--
Simple guidelines to happiness: Work like you don't need the money, Love like your heart has never been broken and Dance like no one can see you.
As food for thought.
We recently implemented 8 VMs on ESX 3.0 on NFS on a filer.
Everything was working fine, but we decided to implement a "Storage VLAN" for ISCSI and NFS traffic.
While getting ready to implement this we discovered that the NFS traffic was traveling on our VMOTION network which was firewalled off by a linux based firewall (IPChains, RHEL 3).
What's even more interesting is that this linux based firewall was a VM on another standalone ESX 2.5.4 host running on a PowerEdge 2650 with 4GB RAM with 8 other VMs running.
So the point is - it can work but I doubt it could sustain high throughput.
Jack
Webster, Stetson wrote:
That's a very bad idea and is pointless. A good security implementation will put stuff like that in more outer layers.
Ask how the IDS devices will handle jumbo frames and ask if they can run at near 1Gb/s line-speeds. That's hard to do.
On 20/03/2008 14:34, Tom Yates wrote:
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
That is a very strange setup !
Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?
If the filtering equipment does its job correctly there might be no performance penalty, BUT:
- experience says that this kind of device always has some limits and that the network performance needed for the filer to do its job correctly will probably not be met
- experience says that building a storage network that works well is not an easy task, so putting in filtering equipment is clearly asking for trouble (and not only performance trouble)
- depending on the filtering equipment's capabilities, such a setup might prevent you from using some things like jumbo frames or VLANs.
If you absolutely need to inspect the nfs / cifs traffic for accounting purposes, configure your switch to mirror the netapp's port to another where the ids is plugged in. This way, it cannot interfere with the production traffic.
Regards,
I think this is a very bad idea, do you have any chance of creating a separate VLAN that does not require IDS, make it for iSCSI data only?
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Tom Yates Sent: Thursday, March 20, 2008 10:34 AM To: toasters@mathworks.com Subject: Performance impact of in-lined firewalls/IDS
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?
If the iSCSI traffic is isolated on a VLAN, there is no point in having an IDS presence there when it really should be at the other end of those servers. Arguing a presence there is like arguing to scan SCSI, IDE and SATA traffic next.
Stetson M. Webster Onsite Professional Services Engineer PS - North Amer. - East
NetApp 919.250.0052 Mobile Stetson.Webster@netapp.com www.netapp.com
-----Original Message----- From: Page, Jeremy [mailto:jeremy.page@gilbarco.com] Sent: Thursday, March 20, 2008 12:49 PM To: Tom Yates; toasters@mathworks.com Subject: RE: Performance impact of in-lined firewalls/IDS
I think this is a very bad idea, do you have any chance of creating a separate VLAN that does not require IDS, make it for iSCSI data only?
I would be concerned. You should already have the numbers, really:
1. What is your vendor's max processing throughput? Halve it. They almost certainly use bonded interfaces, and you should at least account for a NIC failure.
2. How many interfaces do you have on your filer? What type of bandwidth are they actually pushing? (ifstat, mrtg, cricket, netflow, etc.) Bump it up by 50%, to account for traffic spikes, unless you do really good trending and are confident in your numbers.
Does #2 - #1 have a remainder? Then you're OK. If not, then you're not.
3. Does your IDS support jumbo frames? Are you using them with your filer? (you probably should be).
if it doesn't, I would say it's a no-go.
hth, Nick
Tom Yates wrote:
I have a bunch of filers that we use from various hosts for CIFS, NFS and iSCSI. Powers That Be are planning to put both a firewall and an adaptive IDS between my filers and my hosts.
Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?
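Nick's three-step sizing rule above, written out as a small check you can run against your own interface counters. This is an added example, not code from the thread or from any vendor: the interface samples are constructed, the sum of in+out per interface is an assumption about how the inline device is rated, and the function names are the example's own.

```python
"""Capacity check for an inline IDS/firewall in front of a filer.

Added example, not code from the thread. It encodes the sizing rule from
the post above: halve the vendor's rated IDS throughput (bonded links, one
NIC failure), measure what the filer interfaces actually push, add 50% for
spikes unless trending is trustworthy, compare, and treat a missing
jumbo-frame capability as a no-go. The counter samples are constructed.
"""
from dataclasses import dataclass, field

# Constructed samples, not real filer statistics:
# (interface, seconds between two counter reads, bytes out, bytes in)
SAMPLES = [
    ("e0a", 10, 812_000_000, 95_000_000),
    ("e0b", 10, 640_000_000, 120_000_000),
    ("e4a", 10, 1_050_000_000, 300_000_000),
]


def mbps(byte_delta: int, seconds: int) -> float:
    """Convert a byte delta over an interval to megabits per second."""
    return byte_delta * 8 / seconds / 1_000_000


def filer_load_mbps(samples) -> float:
    """Aggregate load an inline device would see across all filer interfaces.

    Assumption: the inline device handles both directions, so in + out are
    summed per interface (adjust if the vendor rates each direction alone).
    """
    return sum(mbps(out_b + in_b, secs) for _, secs, out_b, in_b in samples)


@dataclass
class SizingResult:
    usable_ids_mbps: float   # vendor rating after derating for a NIC failure
    required_mbps: float     # measured load plus spike allowance
    headroom_mbps: float     # usable minus required; negative means no-go
    jumbo_ok: bool
    go: bool
    reasons: list = field(default_factory=list)


def size_inline_ids(vendor_rated_mbps: float, samples, filer_uses_jumbo: bool,
                    ids_supports_jumbo: bool, good_trending: bool = False,
                    derate: float = 0.5, spike_factor: float = 1.5) -> SizingResult:
    """Apply the go/no-go rule from the thread to measured filer load."""
    reasons = []

    # Step 1: derate the vendor's maximum so one bonded link can fail.
    usable = vendor_rated_mbps * derate

    # Step 2: measured load, bumped for spikes unless trending is trusted.
    load = filer_load_mbps(samples)
    required = load if good_trending else load * spike_factor

    headroom = usable - required
    if headroom < 0:
        reasons.append(f"IDS short by {-headroom:.1f} Mbps after derating and spike allowance")

    # Step 3: jumbo frames. If the filer uses them, the IDS must pass them.
    jumbo_ok = ids_supports_jumbo or not filer_uses_jumbo
    if not jumbo_ok:
        reasons.append("filer uses jumbo frames but the IDS does not support them")
    if not filer_uses_jumbo:
        reasons.append("note: filer is not using jumbo frames; it probably should be")

    go = headroom >= 0 and jumbo_ok
    return SizingResult(usable, required, headroom, jumbo_ok, go, reasons)


if __name__ == "__main__":
    r = size_inline_ids(10_000, SAMPLES, filer_uses_jumbo=True, ids_supports_jumbo=True)
    print(f"usable={r.usable_ids_mbps:.0f} Mbps required={r.required_mbps:.1f} Mbps "
          f"headroom={r.headroom_mbps:.1f} Mbps go={r.go}")
    for reason in r.reasons:
        print(" -", reason)
```

Feed it two reads of the filer's interface counters taken a known interval apart (or per-interface Mbps from mrtg, in which case drop the conversion). The default derate of 0.5 and spike factor of 1.5 are the thread's rule of thumb; change them only when you have trending data you trust.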
There is a 'correct' way to do this, I have experience in both iSCSI and IDS systems. It's not cheap though.
You need to get a gigabit network tap (see http://www.netoptics.com/products/product_family_details.asp?cid=4&pid=148&Section=products&menuitem=4&tag=NetOptics), which does not introduce latency or a point of failure.
This way the ids/ips device doesn't have to be physically inline to analyze traffic patterns.
Of course you'll need one of these nifty devices for every 2 links you're monitoring... This is much better than span ports in the switch (where you can drop packets at the IDS or in the switch) or an actual inline deployment of IDS (which must, by design, introduce SOME latency, which is bad). My firm does IDS services
-Glenn (the other one)
On Thu, 20 Mar 2008, Tom Yates wrote:
Does anyone have any rough and ready (or indeed, shiny and precise) numbers about what sort of performance impact this can have, recommendations for how to do it properly, or indeed solid data suggesting not to do it at all? Any experience with this?
I'm obliged to the list for all the feedback I received on this question!