Cisco IPS 4520 Sensor White Paper
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 2 of 5
Throughput
As mentioned earlier, few metrics in the IT industry are as consistently abused as system throughput. In response
to this problem, computer system users, database users, and network users have attempted to create standards
that provide common points of reference. For computing platforms, MIPS/MOPS/GIPS were introduced. For
databases, Transaction Processing Council (TPC) standards are prevalent. For networks, RFC 2544 has also been
suggested. The challenge with these reasonable attempts at commonality is that they rarely represent the
deployment environment in which the system will actually operate.
Despite the aforementioned attempts at commonality, security vendors remain highly diverse in their definitions of
performance. The following sections discuss the approaches used in the industry.
Pure Network Throughput
Some vendors report performance numbers without any inspection activity. This measurement has potential value
for network planning purposes, should the device experience a significant failure. Vendors generally avoid any
specificity in describing this value, with the general assumption that it is essentially a wire equivalent through the
device.
Even vendors that report pure network values can use multiple forms to describe their throughput. For example,
one intrusion prevention system (IPS) security vendor uses a single protocol, User Datagram Protocol (UDP), and a
single packet size of 1512 bytes. Another pure-play IPS vendor simply runs traffic in “wire mode” until packets are lost.
Single Traffic Standard
IPS vendors can be descriptive or opaque in describing their performance values. However, most will not describe
the basis for their performance claims. Descriptive performance standards are available, but few IPS vendors are
willing to expose their methods.
Of the major IPS vendors, few describe their performance values. The majority simply report a value without any
explanation of their methodology. Further, these vendors typically make no attempt to qualify the likely deployment
scenario for their performance benchmarks.
Third-party testing houses may or may not conduct multiple performance tests, but their results point to a single
throughput value. For the most part, the traffic mixes, rate of traffic change, packet sizes, and protocol mixes
are not described; thus, potential users are left wondering.
Not all vendors limit themselves to hidden performance benchmarks. For example, Cisco has evolved its
performance metrics over the past year. Until recently, the performance measure was an Internet-edge scenario
based on HTTP with varied return packet sizes, referred to as Transactional and Media-Rich. Since that time,
Cisco’s IPSs publish either an average or a range of numbers representing multiple performance tests based
on third-party testing tools.
Deployment-Centric
Almost all IPS vendors keep their performance metrics vague and undefined. Only a handful will attempt to
describe their methodology. And only one will incorporate multiple deployment scenarios.
Cisco recognizes the challenge that hidden performance metrics have imposed on customer deployments. This is
why we have turned to publicly available third-party testing tools and deployment-specific tests.