Best Practices for the Intrusion Prevention System component of Symantec Endpoint Protection on high-availability/high-bandwidth servers.
Article: TECH162135 | Created: 2011-06-13 | Updated: 2013-03-13 | Article URL: http://www.symantec.com/docs/TECH162135
Problem
The Intrusion Prevention System (IPS) engine introduces an additive impact on CPU usage, network latency, and memory usage for each TCP/UDP stream it processes. On high availability/high bandwidth servers, this increase can cause high CPU usage, network resource outages, and OS hangs/crashes due to exhaustion of kernel memory.
Cause
Non Paged Pool memory utilization:
The IPS drivers utilize a maximum of approximately 100 MB of Non Paged Pool memory to store data about the active TCP/UDP network streams flowing into and out of a computer. This data is integral to the process of the IDS engine utilized by IPS.
CPU and Network Bandwidth utilization:
The IPS engine introduces cumulative CPU and network latency based on the number of TCP streams open. This is most noticeable on high bandwidth servers with a high sustained rate of TCP/UDP streams. The more TCP/UDP streams, the more IDS engine memory usage and CPU processing time will affect the performance of the network connection(s).
Solution
Utilizing IPS is not recommended on servers with any of the following:
- Average total CPU usage of greater than 35%
- Average sustained TCP and UDP network throughput of 300 Mbps or more
- Teamed/Bonded Network Interface Cards (NICs)
Doing so can result in slower network service response times, network outages, and, in extreme cases, operating system crashes.
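One way to check a Windows server against the three criteria above before enabling IPS. This is an added example, not Symantec's code; the sampling window, the English counter names, and the use of total interface traffic as a stand-in for TCP/UDP throughput are assumptions.

```powershell
# Added example. Thresholds come from the article; everything else is an assumption.
$CpuLimitPercent = 35   # article: average total CPU usage greater than 35%
$NetLimitMbps    = 300  # article: sustained TCP/UDP throughput of 300 Mbps or more
$IntervalSec     = 5    # assumption: seconds between samples
$SampleCount     = 60   # assumption: 60 samples = 5 minutes; run during normal peak load

# Assumption: English counter names. 'Bytes Total/sec' counts all traffic on every
# interface instance, so the result is an upper bound for TCP+UDP throughput.
$counters = '\Processor(_Total)\% Processor Time', '\Network Interface(*)\Bytes Total/sec'
$sets = Get-Counter -Counter $counters -SampleInterval $IntervalSec -MaxSamples $SampleCount

$cpu = @(); $mbps = @()
foreach ($set in $sets) {
    $cpu += ($set.CounterSamples |
        Where-Object { $_.Path -like '*\processor(_total)\*' }).CookedValue
    # Sum every interface instance for this sample, then convert bytes/s to Mbit/s.
    $bytes = ($set.CounterSamples |
        Where-Object { $_.Path -like '*\network interface(*' } |
        Measure-Object -Property CookedValue -Sum).Sum
    $mbps += $bytes * 8 / 1e6
}
$avgCpu  = ($cpu  | Measure-Object -Average).Average
$avgMbps = ($mbps | Measure-Object -Average).Average

# Native Windows NIC teaming (LBFO, Windows Server 2012 and later). Vendor teaming
# software is not visible here and has to be checked in the vendor's own tool.
$teams = @()
if (Get-Command Get-NetLbfoTeam -ErrorAction SilentlyContinue) {
    $teams = @(Get-NetLbfoTeam -ErrorAction SilentlyContinue)
}

$reasons = @()
if ($avgCpu -gt $CpuLimitPercent) {
    $reasons += ('average CPU {0:N1}% exceeds {1}%' -f $avgCpu, $CpuLimitPercent)
}
if ($avgMbps -ge $NetLimitMbps) {
    $reasons += ('average throughput {0:N0} Mbps is at or above {1} Mbps' -f $avgMbps, $NetLimitMbps)
}
if ($teams.Count -gt 0) {
    $reasons += ('teamed NICs present: ' + ($teams.Name -join ', '))
}

if ($reasons.Count -gt 0) {
    Write-Output 'IPS not recommended on this server:'
    $reasons | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output 'None of the three criteria matched during the sampling window.'
}
```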
| Source | ETrack |
| Value | 2377374 |