RE: Realsecure
From: Bob Walder (bwalder@nss.co.uk)
Date: 10/10/01
From: "Bob Walder" <bwalder@nss.co.uk>
To: <focus-ids@securityfocus.com>
Subject: RE: Realsecure
Date: Wed, 10 Oct 2001 18:29:51 +0100
Message-ID: <81530203FD3BD111A02900805FCC099915777E@COMPAQ_NT40>
Sorry to nit pick, but in our testing we found that RealSecure cannot handle
anything like 100Mbps in terms of raw sniffing speed with small packets.
We are re-doing our testing this year with additional participants and
including a "real world" packet mix to try and give people an idea of how
these things will perform in a "real" network (how long is a piece of
string....). Unfortunately, ISS has declined to participate - read into that
what you will!
Of course, one of the best performing products we found last year was
NetworkICE, so it will be interesting to see what happens when ISS manages
to incorporate the BlackICE sniffing engine into its NIDS product -
hopefully they will feel a bit more confident about participating in tests
at that point....
For now, if performance is an issue, best avoid RealSecure.
Regards,
Bob Walder
Director
The NSS Group
England
E-Mail: bwalder@nss.co.uk
Internet: http://www.nss.co.uk
-----Original Message-----
From: Jeroen Wortelboer [mailto:jwortel@carotechnology.com]
Sent: 10 October 2001 08:00
To: yh lee; focus-ids@securityfocus.com
Subject: Re: Realsecure
For me it's always more a matter of what kind of staff you have walking
around. If you have Unix people and a nice budget, go for the Unix
option. If not, the NT option will do fine.
In my experience, the Unix option performs a bit better because most
Unix boxes and OSes handle task switches better (faster).
I am not sure but I believe the Windows version still uses a method of
capturing frames one by one so that every frame needs a task switch.
I talked to them briefly some time ago about using a bucket system for
the Windows sensors (even got a working driver for it) but never heard
from it again. Perhaps it's already in there....
Is speed really an issue in your case? In most cases the ISP is the
bottleneck of the overall system. Realsecure can handle speeds up to
100Mbps so you must have a nice uplink ;-)
Perhaps you can use a span-port-switch-trick so that you only see the
incoming traffic from your ISP but not the other frames on your DMZ (if
you want that, of course). A packet filter in the policy can also help a
lot in gaining speed.
Jeroen
> hi
>
> is it better to run Realsecure Network sensor on Windows NT
> or Sun Solaris in terms of performance ??
>
> what are the pros and cons of running on NT??
>
> thanks
>
> ekim