Hardware vs. Software flow bypass in Suricata – Part 4
In last week’s blog post, we showed clearly that Suricata’s software bypass was overwhelmed by our mix of Internet traffic; the end result was a large percentage (about 45%) of dropped traffic. Dropped traffic is problematic for any application, but for security software it is the kiss of death. If you don’t process all traffic, how do you know that the traffic you dropped isn’t the traffic carrying the security threat that is bringing down your network? The answer is, of course, that you don’t know, and this is simply unacceptable. It is for this reason that you need some hardware assist to make sure you process every last packet.
In case you weren’t convinced by last week’s results, here is another view of the situation. The accompanying graphic shows CPU load for both test scenarios. For SW bypass (orange) you can see that the CPU is pegged at 100% utilization right away; this is why so much traffic is dropped: all CPU resources are exhausted. HW bypass, on the other hand, reaches a maximum CPU utilization of around 75%. This is important for at least two reasons: 1) the CPU is never overloaded, so no security-relevant traffic is ever dropped, and 2) there is spare CPU capacity remaining that can be used for other critical tasks.