Cybersecurity, bandwidth doesn’t mean what you think...

The article critiques the overemphasis on bandwidth in cybersecurity, advocating for metrics like PPS and CPS to assess solutions' effectiveness. NANO Corp. emphasizes real-world performance over marketing claims.

Florian Thebault
March 1, 2024
LinkedIn LogoX logo

TLDR : When it comes to monitoring infrastructure, there comes a point in solution marketing where claims need to be put to the test, when bullshit needs to be called. Throughput handling is one those figures our competition uses that just make our eyes roll up here at NANO Corp. 10/50/100 Gbits/second mean nothing if you don’t look behind the smoke and mirrors. The only question you need to ask is how many packet/session per second the solution actually handle!#

So… what is Network Bandwidth, anyway?

At its core, network bandwidth is the max speed at which data zips through your network, measured in bits per second (bps). Sounds straightforward, right? **But wait**... the saga doesn't stop—or even start—there. To really get a handle on bandwidth, we've got to dive into its role and limitations, especially when we're talking about everyday internet use and, you guessed it, cybersecurity 😉

The real metrics for sizing your solutions

Let's talk numbers and what to look for. At NANO Corp., here are the metrics we take into account when we size a solution for our clients:

-Packets Per Second (PPS): In environments with a high volume of small packets, such as DNS or IoT traffic, PPS is a more relevant measure of the network's load than bandwidth. A security appliance might support (understand : marketingly supported) 10 Gbps but will struggle with a high PPS rate, leading to dropped packets and potential security lapses. You have no further to look than suricata-based rebranded solutions (looking strongly to our french competition here 😆) or household names like Extrahop (that will go no further than 1 million packets per second for 10Gbit/s networks).

- Connections Per Second (CPS): Critical for applications requiring frequent new connections, like found in dynamic environments with frequent session establishments, such as ebank data centers sites during sales events, CPS capability becomes critical. A security solution might advertise adequate bandwidth throughput but falter if it cannot keep up with the high rate of new connections. A problem that is prevalent with nearly all network security solutions.

- Concurrent Connections: This metric indicates the number of active sessions a security appliance can manage simultaneously. Security devices must manage current connections while accommodating new ones, requiring a balance between CPS capacity and the ability to sustain a high number of concurrent connections. This ability is crucial as potential threat trying to flood network security solutions during peak usage (like DDoS), to hide their footprint.- Throughput Needs: Beyond bandwidth, consider the actual data volume your network handles, factoring in both North-South and East-West traffic.

And that’s the only way you’ll actually be able to compare solutions.
Want to deep dive a little? Read on!

Common Misunderstandings…

The North-South vs. East-West Traffic Myth

Like seen previously, security solutions are too often sized based on North-South traffic, which is essentially the data flowing in and out of your network. It's a critical metric, sure, but it's only half the story. Because East-West traffic—the data moving laterally within your network, is often a hotbed for cyber threats lurking unnoticed. Ignoring East-West traffic is like locking your front door but leaving the back door wide open.

For instance, consider an enterprise with a 10 Gbps North-South bandwidth but with internal East-West traffic peaking at 40 Gbps due to high inter-departmental data exchange, cloud services access, and internal applications. Sizing security solutions based solely on external bandwidth ignores the vast majority of internal traffic, potentially leaving critical vulnerabilities unaddressed.

Relying Solely on Bandwidth: A Flawed Strategy

And focusing on bandwidth alone will lead clients to overlook other essential metrics such as packets per second (PPS), connections per second (CPS) or sessions per second, and concurrent connections. For example, a firewall might be rated for 10 Gbps of throughput but only handle 500,000 CPS and 1 million concurrent connections. If your network experiences peaks of 1 million CPS during business operations, this mismatch can lead to dropped connections and compromised security, despite the bandwidth capacity seeming sufficient.

If you’ve read our pieces on the competition rebranding Suricata or Zeek and calling that an NDR, you’ll understand those metrics are crucial. Especially when network solutions start dropping packets, which fucks up connection detection and provoke false positive alerts in cascade.

Add to that the need for Connection data retention for Machine Learning detection, sizing takes a whole different meaning that ‘just bandwidth’. For suricata-based solution, storing logs ends up being ressource-heavy. Especially as logs can take up to 500 bytes each for just one Connection. It will have a dramatic impact on retention for clients with lots of devices that talks all day. A problem

Know your network and thou shall know thyself

Grasping the nature of your network's traffic is crucial. For instance, a high volume of small packets (e.g., IoT device communications) can be more challenging to process than a lower volume of large packets (e.g., video streaming). A network primarily handling small packets needs security solutions optimized for high PPS processing, not just raw bandwidth throughput.

It's clear that a singular focus on bandwidth is insufficient for sizing robust network security solutions. Users and clients should steer away from the simplistic metrics used by IDS/IPS and start recognizing we live in a age when Machine Learning has become paramount and where analysts don’t want too many false positive detections that eats up time they don’t have.

Basically, when security solution providers give you a bandwidth of 10Gbit/s or 40Gbit/s, what you really need to ask them is: “that’s nice, now tell me how many packets, sessions or transaction per second we’re actually talking about?”

… and their impact on cybersecurity

Now, let's pivot to cybersecurity, where the importance of bandwidth is often understated. In our experience, focusing too much on bandwidth can distract from the real cybersecurity issues at hand. Especially when vendors will size their solution on client’s North-South connections only. Something that is reminiscent on a traditional IDS/IPS. Where the goal is to stop a threat before it enters the network.

Diving into the nitty-gritty of how IDS/IPS might miss the mark in today's encryption-heavy IT landscape is a story for another day. Instead, let's spotlight how sizing up an NDR (Network Detection and Response) borrows from IDS/IPS principles but goes into overdrive. Because an NDR doesn't just eyeball North-South traffic; it scrutinizes East-West movement and crunches data for machine learning—topics we'll unwrap later.

In that framework, bandwidth gives a generic overall metric, but a deceiving one. That's why, when we talk about protecting your network, sizing can't just limits its scope to “bandwidth” and hope for the best. It requires a more nuanced approach, looking beyond just the width of the highway to how we're guarding every on-ramp, exit, and vulnerable spot along the way.

So… what does NANO Corp. brings, exactly?

Well, when we talk about bandwidth, at NANO Corp., we mean ‘full linerate’. Imagine : “Full chaotic DDoS mode”. It’s not something you ‘might’ need, but wait until you have a hacker that uses DDoS to flood all your security solution and hide unnoticed in the trafic.

To answer that challenge, we offer a simple way for users and clients to size their solutions the right way :

  • The probes are free and the leanest on the market ⇒ it needs 32 cores and 64GB of RAM for 100Gbit/s network bandwidth (14.000.000 CPS / 148.500.000 PPS) - the solution is, in fact, very scalable you can build it with abaques specifying how many packets/connections per second you want to manage, and then deduce you how many CPU cores / RAM you need.
  • NANO Corp. is about no-BS : you get what you size for. You can have multiple VLANs, MPLS, VxLAN layers, etc… contrary to competitors, we don’t hide counter-performances in our fine-prints (👀 some vendors who don’t really say they can’t manage any significant traffic behind VLAN/VxLAN). Our performances are always given for the worst case scenario, so you can be certain you’ll never miss anything.

Florian Thebault
March 1, 2024
LinkedIn LogoX logo

Ready to unlock
full network visibility?

More blog posts

Go to the blog