RE: Realsecure

From: Greg Shipley (gshipley@neohapsis.com)
Date: 10/12/01


Date: Thu, 11 Oct 2001 18:28:48 -0500 (CDT)
From: Greg Shipley <gshipley@neohapsis.com>
To: <focus-ids@securityfocus.com>
Subject: RE: Realsecure
Message-ID: <Pine.LNX.4.33.0110111740230.26530-100000@7of9.neohapsis.com>


On Wed, 10 Oct 2001, Bob Walder wrote:

> Sorry to nit pick, but in our testing we found that RealSecure cannot handle
> anything like 100Mbps in terms of raw sniffing speed with small packets.

I'd have to agree with Bob on this one - but I'd like to add one caveat:
all 100Mbps traffic is not equal! For example, one could generate 100Mbps
worth of Ethernet traffic by:

(Please note: these are theoretical maxes)
- Using 2 hosts, using frame sizes of 1518 (59,594 fps - max)
- Using 100 hosts, with frame sizes of 64 (148,809 fps - max)
- Using 10000 hosts, with frame sizes of 64 (148,809 fps - max)

...and that's just three of MANY combinations. I assure everyone that
NIDS devices will react quite differently to each of those scenarios. (2
hosts spewing traffic at each other at 59k fps is quite easy, 10000 hosts
at 148k fps...not so easy).

I know many of the long-timers on this list are sick of hearing me get on
my soap-box about these issues, so I'll offer the following for anyone who
wants to expose themselves to my previous rants on using the "100Mbps"
reference:

http://archives.neohapsis.com/archives/sf/ids/2001-q1/0268.html

Let's just leave it at, well, IMO the generic reference to "100Mbps" is
not a good descriptor for real-world traffic.

-------------------------------------------------------------------

Totally switching topics, one point I didn't see anyone mention on the
RealSecure NT vs. Solaris debate is remote management. When we
(Neohapsis) had all of our sensors deployed at a university, we were
managing them over a VPN. When our connections got congested, the NT
boxes were almost impossible to manage remotely. We tried everything from
PCAnywhere to Remote Administrator to VNC - they all stunk when the
congestion hit. By comparison, the UNIX ssh sessions were far easier to
work with - and far more reliable.

So if you have out-of-band access to your sensors, the remote control
issue is moot. However, if you are managing sensors remotely over links
that could get congested, it would be wise to consider that UNIX-based
solutions may bring less headache.

Please note that these management headaches really don't have anything to
do with ISS/RealSecure, more of a problem with remote NT administration in
general.

Hope this helps,

-Greg
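An added example, not from Greg's post or from ISS, that turns the frame-size arithmetic above into code: it computes the line-rate frame count for a given frame size using the standard 20 bytes of preamble/SFD and inter-frame-gap overhead (which reproduces the 148,809 fps figure for 64-byte frames) and checks a traffic shape against a sensor's rated frames-per-second figure. The `Scenario`, `describe` and `exceeds_sensor` names and the sensor rating used are assumptions.

```python
# Added example; not part of the original post or of any RealSecure tooling.
# Theoretical maximum frames per second on an Ethernet link for a given
# frame size. Each frame also occupies an 8-byte preamble/SFD and a
# 12-byte inter-frame gap on the wire, so 20 bytes of overhead per frame.
from dataclasses import dataclass

PREAMBLE_SFD_BYTES = 8
IFG_BYTES = 12
WIRE_OVERHEAD_BYTES = PREAMBLE_SFD_BYTES + IFG_BYTES  # 20 bytes per frame


def max_fps(link_bps: int, frame_bytes: int) -> float:
    """Line-rate frame count per second for frames of frame_bytes (FCS included)."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_frame


@dataclass(frozen=True)
class Scenario:
    """One way of filling a link: how many hosts and which frame size."""
    hosts: int
    frame_bytes: int


def describe(link_bps: int, s: Scenario) -> dict:
    """Break a bare '100Mbps' figure into the numbers a NIDS actually sees."""
    return {
        "hosts": s.hosts,
        "frame_bytes": s.frame_bytes,
        "fps": int(max_fps(link_bps, s.frame_bytes)),
        # Assumption: every host is active, so the sensor must keep state for
        # at least this many endpoints; real flow tables are larger.
        "min_tracked_endpoints": s.hosts,
    }


def exceeds_sensor(link_bps: int, s: Scenario, rated_fps: int) -> bool:
    """True when line-rate traffic of this shape outruns a sensor's rated fps."""
    return max_fps(link_bps, s.frame_bytes) > rated_fps


if __name__ == "__main__":
    LINK = 100_000_000  # 100 Mbps
    RATED_FPS = 100_000  # constructed sensor rating, not a vendor figure
    for sc in (Scenario(2, 1518), Scenario(100, 64), Scenario(10_000, 64)):
        print(describe(LINK, sc), "saturates sensor:", exceeds_sensor(LINK, sc, RATED_FPS))
```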


