RE: Realsecure

From: Bob Walder (bwalder@nss.co.uk)
Date: 10/12/01


From: "Bob Walder" <bwalder@nss.co.uk>
To: "'Greg Shipley'" <gshipley@neohapsis.com>, <focus-ids@securityfocus.com>
Subject: RE: Realsecure
Date: Fri, 12 Oct 2001 00:42:11 +0100
Message-ID: <81530203FD3BD111A02900805FCC0999157799@COMPAQ_NT40>

Ahhhh there's the rub....

IDSs do indeed behave differently depending on the type of traffic you spit
out on the wire - that's why testing these things is a damn nightmare!

The testing we did last year was more concerned with "raw sniffing
capability" - lots of tiny packets. This year we have modified our
methodology to include those wonderful 1514 byte packets that some vendors
like to quote (hmmmm....) and what we like to call our "real world mix" of
packets. The latter is based on samples of "real" network traffic (caveat
emptor.....my "real" traffic might not be the same as your "real"
traffic....). And, of course, we use Smartbits and Adtech boxes to generate
it, so it's not really "real" traffic after all.... but it does provide a
solid, repeatable load against which all products under test can be
compared.

Regards,

Bob Walder

-----Original Message-----
From: Greg Shipley [mailto:gshipley@neohapsis.com]
Sent: 12 October 2001 00:29
To: focus-ids@securityfocus.com
Cc: Bob Walder
Subject: RE: Realsecure

On Wed, 10 Oct 2001, Bob Walder wrote:

> Sorry to nit pick, but in our testing we found that RealSecure cannot handle
> anything like 100Mbps in terms of raw sniffing speed with small packets.

I'd have to agree with Bob on this one - but I'd like to add one caveat:
all 100Mbps traffic is not equal! For example, one could generate 100Mbps
worth of Ethernet traffic by:

(Please note: these are theoretical maxes)
- Using 2 hosts, using frame sizes of 1518 (59,594 fps - max)
- Using 100 hosts, with frame sizes of 64 (148,809 fps - max)
- Using 10000 hosts, with frame sizes of 64 (148,809 fps - max)

...and that's just three of MANY combinations. I assure everyone that
NIDS devices will react quite differently to each of those scenarios. (2
hosts spewing traffic at each other at 59k fps is quite easy, 10000 hosts
at 148k fps...not so easy).

I know many of the long-timers on this list are sick of hearing me get on
my soap-box about these issues, so I'll offer the following for anyone who
wants to expose themselves to my previous rants on using the "100Mbps"
reference:

http://archives.neohapsis.com/archives/sf/ids/2001-q1/0268.html

Let's just leave it at, well, IMO the generic reference to "100Mbps" is
not a good descriptor for real-world traffic.

-------------------------------------------------------------------

Totally switching topics, one point I didn't see anyone mention on the
RealSecure NT vs. Solaris debate is remote management. When we
(Neohapsis) had all of our sensors deployed at a university, we were
managing them over a VPN. When our connections got congested, the NT
boxes were almost impossible to manage remotely. We tried everything from
PCAnywhere to Remote Administrator to VNC - they all stunk when the
congestion hit. By comparison, the UNIX ssh sessions were far easier to
work with - and far more reliable.

So if you have out-of-band access to your sensors, the remote control
issue is moot. However, if you are managing sensors remotely over links
that could get congested, it would be wise to consider that UNIX-based
solutions may bring less headache.

Please note that these management headaches really don't have anything to
do with ISS/RealSecure, more of a problem with remote NT administration in
general.

Hope this helps,

-Greg
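As an added worked example (not part of the original thread, and not code from either poster or from ISS), the calculation behind Greg's point that "all 100Mbps traffic is not equal": converting a nominal link rate into the frame rate a sensor actually has to sustain for a given frame size, a host count, or a constructed traffic mix of the kind Bob describes. It assumes the usual Ethernet per-frame overhead of an 8-byte preamble/SFD and a 12-byte inter-frame gap (the thread does not state its overhead assumptions), and the 7:4:1 mix below is constructed for illustration only.

```python
"""Added example (not from the original thread): turn a nominal link rate
into the frame rates a NIDS sensor must sustain, so that a "100 Mbps"
claim can be compared across frame sizes and traffic mixes.

Assumptions (not stated in the thread): Ethernet overhead of an 8-byte
preamble/SFD and a 12-byte inter-frame gap per frame, and a sample
traffic mix that is constructed for illustration.
"""

LINK_BPS = 100_000_000        # nominal Fast Ethernet rate
PREAMBLE_SFD_BYTES = 8        # 7-byte preamble + 1-byte start-frame delimiter
IFG_BYTES = 12                # minimum inter-frame gap (96 bit times)
WIRE_OVERHEAD = PREAMBLE_SFD_BYTES + IFG_BYTES


def wire_bits(frame_bytes):
    """Bits the link is busy for one frame (frame + preamble/SFD + IFG)."""
    return (frame_bytes + WIRE_OVERHEAD) * 8


def max_frames_per_second(frame_bytes, link_bps=LINK_BPS):
    """Theoretical maximum frame rate if every frame has this size."""
    return link_bps / wire_bits(frame_bytes)


def mix_frames_per_second(mix, link_bps=LINK_BPS):
    """Line-rate frame rate for a mix given as {frame_bytes: weight},
    where the weights are relative frame counts (not byte shares)."""
    total = sum(mix.values())
    avg_bits = sum(w / total * wire_bits(size) for size, w in mix.items())
    return link_bps / avg_bits


def per_host_frames_per_second(frame_bytes, hosts, link_bps=LINK_BPS):
    """Frames each host must emit to fill the link if load is spread evenly."""
    return max_frames_per_second(frame_bytes, link_bps) / hosts


def fraction_of_line_rate(sensor_max_fps, frame_bytes, link_bps=LINK_BPS):
    """Share of the link a sensor limited to sensor_max_fps can inspect when
    all traffic consists of frames of this size (capped at 1.0)."""
    return min(1.0, sensor_max_fps / max_frames_per_second(frame_bytes, link_bps))


# Constructed "real world mix": 7 minimum-size frames, 4 mid-size, 1 full-size
# (the common 7:4:1 IMIX shape expressed as Ethernet frame sizes). Your real
# traffic will differ, as Bob's caveat in the thread says.
SAMPLE_MIX = {64: 7, 594: 4, 1518: 1}

if __name__ == "__main__":
    for size in (64, 512, 1514, 1518):
        print(f"{size:5d}-byte frames: {max_frames_per_second(size):>10,.0f} fps at line rate")
    print(f"sample 7:4:1 mix:  {mix_frames_per_second(SAMPLE_MIX):>10,.0f} fps at line rate")
    for hosts in (2, 100, 10_000):
        rate = per_host_frames_per_second(64, hosts)
        print(f"{hosts:6d} hosts, 64-byte frames: {rate:,.1f} fps per host")
    # A sensor that only just keeps up with "100 Mbps" of 1518-byte frames has
    # a budget of roughly 8,100 fps; with 64-byte frames that same budget
    # inspects only a few percent of the link.
    budget = max_frames_per_second(1518)
    share = fraction_of_line_rate(budget, 64)
    print(f"1518-byte-rated sensor sees {share:.1%} of a 64-byte-frame link")
```

The useful number is the last one: a vendor figure quoted at maximum-size frames translates into a per-second frame budget, and dividing that budget by the minimum-size line rate shows how little of a small-packet link the same sensor can inspect.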


