Hardware vs. Software flow bypass in Suricata – Conclusion
Over the preceding four blog posts we have shown that, without hardware assist, there is little point in using Suricata's flow bypass feature: under load, traffic may still be dropped or otherwise not handled correctly. A dropped packet is never inspected, so this can leave a serious breach undetected, with real consequences for an enterprise, service provider or government agency.
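The failure mode described above is silent: packets dropped by the capture path are simply never seen by the detection engine. One practical check in a software-bypass deployment is to watch Suricata's own counters. The script below is an added example, not code from this blog series or from the Suricata project: it reads eve.json "stats" records (the sample lines here are constructed), turns the cumulative capture and flow_bypassed counters into per-interval deltas, and flags any interval whose kernel drop ratio exceeds a threshold. The field names used (stats.uptime, stats.capture.kernel_packets, stats.capture.kernel_drops, stats.flow_bypassed.local_pkts) are those of Suricata's eve stats output as the author of this example knows it; confirm them against your own build, since names vary with capture method and version.

```python
import json

# Constructed sample: consecutive eve.json records as Suricata writes them when the
# eve-log "stats" type is enabled. Counters are cumulative since process start.
# Field paths are an assumption about recent Suricata releases; check your own output.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2000-01-01T00:00:30.000000+0000", "event_type": "stats",
                "stats": {"uptime": 30,
                          "capture": {"kernel_packets": 1_000_000, "kernel_drops": 0},
                          "flow_bypassed": {"local_pkts": 0, "local_bytes": 0}}}),
    # A non-stats record (constructed alert) that the parser must skip.
    json.dumps({"timestamp": "2000-01-01T00:00:38.000000+0000", "event_type": "alert",
                "alert": {"signature": "constructed non-stats record"}}),
    # Heavy interval: 150k of 2M new packets dropped while bypass was busy.
    json.dumps({"timestamp": "2000-01-01T00:01:00.000000+0000", "event_type": "stats",
                "stats": {"uptime": 60,
                          "capture": {"kernel_packets": 3_000_000, "kernel_drops": 150_000},
                          "flow_bypassed": {"local_pkts": 900_000, "local_bytes": 1_200_000_000}}}),
    # Quiet interval: no new drops.
    json.dumps({"timestamp": "2000-01-01T00:01:30.000000+0000", "event_type": "stats",
                "stats": {"uptime": 90,
                          "capture": {"kernel_packets": 5_000_000, "kernel_drops": 150_000},
                          "flow_bypassed": {"local_pkts": 1_800_000, "local_bytes": 2_400_000_000}}}),
    # Suricata restarted: counters reset, so deltas against the previous record are meaningless.
    json.dumps({"timestamp": "2000-01-01T00:02:00.000000+0000", "event_type": "stats",
                "stats": {"uptime": 10,
                          "capture": {"kernel_packets": 200_000, "kernel_drops": 0},
                          "flow_bypassed": {"local_pkts": 0, "local_bytes": 0}}}),
]


def parse_stats(lines):
    """Extract the counters we care about from each stats record, in file order.

    Non-stats records and unparseable lines are skipped; missing counters read as 0.
    """
    samples = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "stats":
            continue
        stats = rec.get("stats", {})
        capture = stats.get("capture", {})
        bypassed = stats.get("flow_bypassed", {})
        samples.append({
            "uptime": stats.get("uptime", 0),
            "packets": capture.get("kernel_packets", 0),
            "drops": capture.get("kernel_drops", 0),
            "bypassed": bypassed.get("local_pkts", 0),
        })
    return samples


def interval_deltas(samples):
    """Turn cumulative counters into per-interval deltas with a drop ratio.

    A negative delta means the counters were reset (restart); that interval is dropped
    rather than reported as a bogus negative or huge value.
    """
    deltas = []
    for prev, cur in zip(samples, samples[1:]):
        pkts = cur["packets"] - prev["packets"]
        drops = cur["drops"] - prev["drops"]
        byp = cur["bypassed"] - prev["bypassed"]
        if pkts < 0 or drops < 0 or byp < 0:
            continue
        deltas.append({
            "from": prev["uptime"], "to": cur["uptime"],
            "packets": pkts, "drops": drops, "bypassed": byp,
            # Ratio of dropped packets to packets the capture saw in this interval.
            "drop_ratio": (drops / pkts) if pkts else 0.0,
        })
    return deltas


def intervals_over_threshold(lines, max_drop_ratio=0.001):
    """Return the intervals in which traffic was being dropped beyond the tolerated ratio."""
    return [d for d in interval_deltas(parse_stats(lines)) if d["drop_ratio"] > max_drop_ratio]


if __name__ == "__main__":
    for d in interval_deltas(parse_stats(SAMPLE_EVE_LINES)):
        flag = "DROPS" if d["drop_ratio"] > 0.001 else "ok"
        print(f"uptime {d['from']:>4}-{d['to']:<4} packets={d['packets']:>9} "
              f"drops={d['drops']:>7} bypassed={d['bypassed']:>9} "
              f"drop_ratio={d['drop_ratio']:.4f} {flag}")
```

Run it against a real eve.json with `python3 check_drops.py < /var/log/suricata/eve.json` after replacing SAMPLE_EVE_LINES with `sys.stdin`; a non-zero drop ratio coinciding with rising flow_bypassed counters is the signature of the software-bypass problem the series describes, and a sustained one means the sensor is no longer seeing everything it is supposed to inspect.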
This experiment illustrates why repetitive, CPU-intensive tasks such as flow bypass are best offloaded to hardware. The benefits of this approach are: 1) all traffic is processed rather than dropped under load, so security-relevant events are far more likely to be found, and 2) the CPU cycles saved are freed for the security software to perform higher-value work on the same resources.
For more information or to review the overall experiment please read the tech brief below.