RE: Realsecure

From: Peters, Michael D. (Michael.Peters@acbl.net)
Date: 10/11/01


Message-ID: <961762B3A2CED411BA0F0000E866BBF568961C@dopey.acbl.net>
From: "Peters, Michael D." <Michael.Peters@acbl.net>
To: 'Jeroen Wortelboer' <jwortel@carotechnology.com>, yh lee <micklee74@hotmail.com>, focus-ids@securityfocus.com
Subject: RE: Realsecure
Date: Thu, 11 Oct 2001 07:38:31 -0400

Initially when I took on the Firewall here, they had an NT install. It
required a weekly reboot to start. The average client connection speed was
about 35kbps. I migrated to an X86 Solaris 7 32 bit system and it was 9
months since the last reboot. The client connections went to about 153kbps.
I am eagerly waiting for my new dual processor E220 to arrive so I can build
a 64 bit Solaris 8 system. NT will drop a lot of normal traffic during a
rule base compile whereas Solaris only seems to drop the NAT translations
carried on SecureClient/Remote connections.

For what it's worth,

Michael D. Peters
Senior Network Security Engineer
Lazarus Alliance Inc.
PO Box 91052
Louisville, Kentucky 40291
502-767-3448

-----Original Message-----
From: Jeroen Wortelboer [mailto:jwortel@carotechnology.com]
Sent: Wednesday, October 10, 2001 3:00 AM
To: yh lee; focus-ids@securityfocus.com
Subject: Re: Realsecure

For me it's always more a matter of what kind of staff you have walking
around. If you have Unix people and a nice budget, go for the Unix
option. If not, the NT option will do fine.

In my experience, the Unix option performs a bit better because most
Unix boxes and OSes handle task switches better (faster).
I am not sure but I believe the Windows version still uses a method of
capturing frames one by one so that every frame needs a task switch.

I talked to them briefly some time ago about using a bucket system for
the Windows sensors (even got a working driver for it) but never heard
from it again. Perhaps it's already in there....

Is speed really an issue in your case? In most cases the ISP is the
bottleneck of the overall system. Realsecure can handle speeds up to
100Mbps so you must have a nice uplink ;-)
Perhaps you can use a span-port-switch-trick so that you only see the
incoming traffic from your ISP but not the other frames on your DMZ. (if
you want that of course) A packet filter in the policy can also help a
lot in gaining speed.

Jeroen

> hi
>
> is it better to run Realsecure Network sensor on Windows NT
> or Sun Solaris in terms of performance ??
>
> what are the pros and cons of running on NT??
>
> thanks
>
> ekim
>


