Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high bandwidth servers.

Article:TECH162135  |  Created: 2011-06-13  |  Updated: 2013-09-13  |  Article URL http://www.symantec.com/docs/TECH162135
Article Type
Technical Solution


Subject

Issue



The Intrusion Prevention System (IPS) engine introduces an additive impact on CPU usage, network latency, and memory usage for each TCP/UDP stream it processes. On high availability/high bandwidth servers, this increase can cause high CPU usage, network resource outages, and OS hangs/crashes due to exhaustion of kernel memory.


Cause



Nonpaged Pool memory utilization:

The IPS drivers utilize a maximum of approximately 100 MB of Nonpaged Pool memory to store data about the active TCP/UDP network streams flowing into and out of a computer. This data is integral to the process of the IDS engine utilized by IPS.

 

CPU and Network Bandwidth utilization:

The IPS engine introduces cumulative CPU and network latency based on the number of TCP streams open. This is most noticeable on high bandwidth servers with a high sustained rate of TCP/UDP streams. The more TCP/UDP streams, the more IDS engine memory usage and CPU processing time will affect the performance of the network connection(s).


Solution



IPS may cause problems on servers with any of the following:

  • Average total CPU usage of greater than 35%
  • Average sustained TCP and UDP network throughput of 300 Mbps or more
  • Teamed/Bonded Network Interface Cards (NICs)

Doing so can result in lowered network service response times, network outages, and in extreme cases, Operating System crashes. If a server meets one or more of these criteria, Symantec recommends testing the SEP client on a server in a lab environment that can simulate peak production demands on the system in order to determine whether using IPS is feasible.

 

The following features utilize the IPS drivers:

  • Intrusion Prevention
  • Advanced Download Protection
  • SONAR

Supplemental Materials

SourceETrack
Value2377374



Article URL http://www.symantec.com/docs/TECH162135


Terms of use for this information are found in Legal Notices