When nothing less than 100% will do ...
Based on over 10 years of experience working with government security agencies, telcos and financial organisations, we recognise that the most important requirement for these organisations is the power to see every packet that traverses their networks – capturing it, analysing it, and, if necessary, archiving it for later deep analysis.
Critical infrastructure monitoring demands absolute, 100% guaranteed packet-capture accuracy. Our customers trust us to monitor their critical networks because we don't miss anything - regardless of speed or interface type.
At the core of an Endace Monitoring and Recording Fabric are right-sized, purpose-built Endace Systems that capture a 100% accurate copy of every packet from the network. All our systems leverage the power of our proprietary DAG® I/O technology.
To help define the absolute standards for mission-critical monitoring, we put our systems, and this technology, to the test.
Independent validation of our claims from NSS Labs
Claiming that you can continuously capture and analyse 100% of packets and proving it are two very different things.
So we set out to really prove that our 10 Gigabit EndaceProbe™ 7000 can analyse 100% of packets for potential security attacks at 10Gb/s without dropping any packets.
We needed our EndaceProbe's performance to be verified by a fully independent third party whose results would be trusted, and whose methodology is sound and is published. So we submitted our EndaceProbe 7000 to NSS Labs for testing. NSS Labs' 'Attack Leakage Test' methodology has been a de facto industry standard for the past decade and NSS Labs has established a worldwide reputation for the objective and scientific nature of its security products testing.
And the results?
As you can see from the graph on the right, the results speak for themselves. At all speeds up to and including 10Gb/s the EndaceProbe 7000 successfully detected the 'beacon attack' at the smallest traffic size (1.7KB) without ever exceeding 50% CPU utilisation. In short, our EndaceProbe 7000 didn't miss a beat - and barely broke a sweat - right up to 10Gb/s.
Vik Phatak, NSS Labs’ chief technology officer, said: “Even under the harshest conditions, at full 10 Gigabit capacity with 1.7KB HTTP response traffic, we could not force the EndaceProbe 7000 to leak attacks. Further, the system correctly identified 100% of our evasion attempts without error. It is one of the few products on the market capable of servicing the high throughput demands of a true 10 Gigabit environment.”
NSS Labs' Attack Leakage Test methodology
In its Attack Leakage test, NSS Labs tests the accuracy of IPS/IDS devices, along with performance under load. Devices are tested against a test traffic load that contains a known number of attack vectors. The load is increased to the point where the device under test starts to miss detection of attack vectors.
Security systems can leak (miss) attacks for two different reasons:
- Lack of detection capability, which results from poor rules or poor deep packet inspection
- System resource limitations such as state table memory, processing power, and network interface limitations.
NSS Labs' Attack Leakage test eliminates the first cause of leakage by testing using a single attack that the system is proven to pick up at low speeds. Packets containing the attack are inserted into a randomly generated stream of HTTP response traffic every second. The system is required to detect the attack on each pass.
NSS Labs then repeats the test, increasing the throughput of the HTTP stream in 1Gb/s increments in order to find the point at which the system stops alerting on the known attack. At this point the system is deemed to have reached its performance limit.
The full, multi-pass test is then repeated using smaller HTTP response traffic (down to 1.7KB) to find out how the increased load affects the system's performance.
In every test the appliance is loaded with a full rule set in order to mimic real-world deployments. In our case we used a full VRT rule set to ensure that the system was properly loaded.
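The scoring logic of a leakage run like the one described above can be sketched as follows. This is an added example, not NSS Labs' or Endace's code: the schedule, the (timestamp, signature ID) alert format and the rule ID are constructed, and it assumes each alert is logged in the same whole second as the beacon that triggered it.

```python
# Added example: score an Attack Leakage style run from IDS alert timestamps.
# The schedule, alert format and signature ID are constructed for illustration.
from collections import namedtuple

Pass = namedtuple("Pass", "gbps start duration")  # one throughput step, in seconds
BEACON_SID = 1000001                              # hypothetical local rule ID

def score_pass(p, alerts, sid=BEACON_SID):
    """Return (expected, detected, leaked) beacons for one pass.

    One beacon is injected per second, so every whole second of the pass must
    contain at least one alert for the beacon rule. Counting distinct seconds
    (not raw alerts) stops duplicate alerts from hiding a missed beacon.
    """
    hit_seconds = {
        int(ts - p.start)
        for ts, alert_sid in alerts
        if alert_sid == sid and p.start <= ts < p.start + p.duration
    }
    return p.duration, len(hit_seconds), p.duration - len(hit_seconds)

def performance_limit(schedule, alerts):
    """Highest throughput reached before the first pass that leaks a beacon.

    Returns (limit, report); limit is None if even the lowest step leaks.
    """
    limit, report, leaking = None, [], False
    for p in sorted(schedule, key=lambda s: s.gbps):
        expected, detected, leaked = score_pass(p, alerts)
        report.append((p.gbps, expected, detected, leaked))
        leaking = leaking or leaked > 0
        if not leaking:
            limit = p.gbps
    return limit, report

# Constructed run: three 5-second passes at 1, 2 and 3 Gb/s.
SCHEDULE = [Pass(1, 0, 5), Pass(2, 10, 5), Pass(3, 20, 5)]
ALERTS = (
    [(t + 0.2, BEACON_SID) for t in range(0, 5)]       # 1 Gb/s: all 5 seen
    + [(t + 0.3, BEACON_SID) for t in range(10, 15)]   # 2 Gb/s: all 5 seen
    + [(12.4, BEACON_SID), (11.5, 2000002)]            # duplicate + unrelated rule
    + [(20.1, BEACON_SID), (20.6, BEACON_SID), (23.2, BEACON_SID)]  # 3 Gb/s: 2 of 5
)

if __name__ == "__main__":
    limit, report = performance_limit(SCHEDULE, ALERTS)
    for gbps, expected, detected, leaked in report:
        print(f"{gbps} Gb/s: {detected}/{expected} beacons detected, {leaked} leaked")
    print("performance limit:", limit, "Gb/s")
```
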
About the system
The exceptionally high performance of the EndaceProbe 7000 is a direct result of Endace’s scalable system architecture - the Endace Platform - which is tightly coupled with Endace’s high-speed, hardware-based DAG I/O technology. Efficient CPU utilisation enables organisations to run larger custom rule sets that deliver higher levels of attack detection and lower levels of false positives, without compromising packet capture accuracy. In situations where a system is being used to monitor operational networks that underpin critical infrastructure, it is vital to have the ability to run comprehensive rule sets that deliver the highest possible level of threat detection and accuracy, as opposed to using a rule set that has been cut down to fit resource constraints.
The system leverages SNORT® IDS (the world’s most widely used open-source network intrusion detection engine). The Snort IDS is part of the Endace Security Manager application included in the Endace Application Suite, which comes with all EndaceProbes.
If you would like a copy of the full report please complete the general enquiry form and we'll send you a download link within 24 hours.
