IPS & Speed Tests

Activating any scanning or filtering function in a Firewall/UTM will affect the performance of the network. Of the security features available in a security device, the Intrusion Prevention System (IPS) is known to have the greatest impact on network performance (throughput).

When running a Speedtest or Movistar Speed Test under the conditions described below, the impact on performance can be much greater than expected.

  1. We have IPS activated
  2. We use a high-speed network, such as an Internet connection via Fiber, Gigabit or Gigabit LAN
  3. One or more connections share the same source IP and destination IP (this point is very relevant in terms of IPS performance)

This result comes from how the IPS process handles traffic and from the constraints of the test; it does not reflect the effective throughput of the network.

The IPS scanning engine can initiate multiple processes in multiple CPU cores; however, only one process is used for each IP source and destination pair. As the speed of the connection increases, the demand for system resources also increases to process the increased packet flow.

On a high-speed connection, there will come a point where the available network bandwidth is greater than the speed at which the IPS process can scan the traffic, which causes the CPU core executing the process to reach 100%. There are no exact figures for this impact because it depends on the UTM model and what else the system is doing at that moment.

Whenever new connections originate from a different source or are directed to a different destination, they go through a new IPS process on a separate CPU core. A simultaneous connection therefore has its speed limited only when its CPU core reaches 100% or when the available network bandwidth has become saturated.

In real terms, this means that the actual impact on network performance will not be as dramatic as the speed test results show, and end users will not notice any impact on network performance unless they transfer very big files. Yuuuge files.
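A small model of the behaviour described above, added here as an illustration and not taken from the vendor or the original post. The per-core scan rate, core count, link speed, round-robin placement of pairs on cores and the IP addresses are all constructed assumptions.

```python
from collections import defaultdict

def ips_throughput(flows, cores, core_scan_mbps, link_mbps):
    """Per-pair throughput (Mbps) when every (src, dst) IP pair is scanned
    by a single IPS process running on a single CPU core."""
    # All connections sharing source and destination IP collapse into one pair.
    pairs = sorted(set(flows))
    # Assumption: distinct pairs are spread round-robin over the cores.
    per_core = defaultdict(list)
    for i, pair in enumerate(pairs):
        per_core[i % cores].append(pair)
    # A pair's ceiling is its share of the scan rate of the core it landed on.
    caps = {p: core_scan_mbps / len(m) for m in per_core.values() for p in m}
    # Max-min fair split of the link: the tightest caps are satisfied first,
    # and the bandwidth they leave unused goes to the remaining pairs.
    alloc, remaining = {}, float(link_mbps)
    todo = sorted(caps, key=caps.get)
    while todo:
        fair = remaining / len(todo)
        pair = todo.pop(0)
        alloc[pair] = min(caps[pair], fair)
        remaining -= alloc[pair]
    return alloc

def total_mbps(flows, cores=4, core_scan_mbps=300, link_mbps=1000):
    # Defaults are constructed figures, not measurements of any UTM model.
    return sum(ips_throughput(flows, cores, core_scan_mbps, link_mbps).values())

# Constructed sample traffic (documentation address ranges).
# Speed test: 8 parallel connections, all between the same two IP addresses.
SPEEDTEST = [("192.0.2.10", "198.51.100.5")] * 8
# Ordinary use: four clients talking to four different servers.
OFFICE = [(f"192.0.2.{i}", f"203.0.113.{i}") for i in range(1, 5)]

if __name__ == "__main__":
    print("speed test:", total_mbps(SPEEDTEST), "Mbps")  # one core is the limit
    print("office mix:", total_mbps(OFFICE), "Mbps")     # the link is the limit
```

With these figures the speed test is capped by one core's scan rate no matter how many parallel connections it opens, while the mixed traffic fills the link.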

https://community.sophos.com/kb/en-us/119464

Copyright 2017, TresW