Hardware vs. Software flow bypass in Suricata – Part 2
In last week’s blog post, we discussed the setup and test parameters that were used to conduct a comprehensive test of the efficacy of hardware flow bypass in comparison to pure software-based Suricata flow bypass.
A mix of Internet traffic was chosen for the experiment because it is readily available and also provides a very real-world example of traffic flows. An identical 18 Gbps of Internet traffic was sent to each system. The traffic mix was the aggregate profile shown in the diagram (the source for this traffic profile is Sandvine Corporation).
Roughly 70% (67.3% to be precise) of the traffic was entertainment, consisting of Netflix, YouTube, iTunes, Hulu, and other similar traffic.
For the purposes of the experiment, this traffic was designated for flow bypass by Suricata, because it comes from well-known sources and is thus not worth inspecting for security purposes. The remaining roughly 30% of traffic was designated as traffic that Suricata should inspect and therefore not bypass. With this benchmark for traffic flow in place, the testing could begin.
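One way to express that designation in Suricata's rule language, as an added example that is not part of the original post and not the authors' actual test configuration: it assumes the bypass decision was keyed on the TLS SNI of the entertainment services named above, and the sids are placeholders.

```suricata
# Added example (not from the original post). Assumption: entertainment
# flows are identified by TLS SNI and handed to flow bypass with the
# "bypass" keyword, so Suricata stops inspecting the rest of the flow.
# Sids 1000001-1000004 are placeholders, not the authors' rules.
pass tls any any -> any any (msg:"BYPASS Netflix";  tls.sni; content:"netflix.com"; nocase; bypass; sid:1000001; rev:1;)
pass tls any any -> any any (msg:"BYPASS YouTube";  tls.sni; content:"youtube.com"; nocase; bypass; sid:1000002; rev:1;)
pass tls any any -> any any (msg:"BYPASS iTunes";   tls.sni; content:"itunes.apple.com"; nocase; bypass; sid:1000003; rev:1;)
pass tls any any -> any any (msg:"BYPASS Hulu";     tls.sni; content:"hulu.com"; nocase; bypass; sid:1000004; rev:1;)
# Everything that does not match above (the remaining ~30%) keeps full
# inspection by the normal rule set; no bypass rule is written for it.
```

Whether a bypassed flow is dropped from inspection in software or offloaded to the capture layer depends on the capture method and its bypass setting in suricata.yaml; a bypass rule with no capture-level support only gives software-side bypass.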
In next week’s blog we will dive into the test results and what they mean. For those who want to read ahead, please reference this technical brief: