RE: Realsecure

From: Kevin Brown (kbrownfox@home.com)
Date: 10/12/01


From: "Kevin Brown" <kbrownfox@home.com>
To: <bwalder@nss.co.uk>, "'Greg Shipley'" <gshipley@neohapsis.com>, <focus-ids@securityfocus.com>
Subject: RE: Realsecure
Date: Thu, 11 Oct 2001 22:49:46 -0400
Message-ID: <NEBBIFJCILKEKMJKGMFIGEOOCOAA.kbrownfox@home.com>

I agree with Bob. Testing IS a bleepin' nightmare, especially when you only
have a few weeks to test several products. Personally, I'd love to have
each product for several weeks and test under a dozen or more different
scenarios. Unfortunately, vendors aren't willing to pay for this type of
testing :-)

The results of our latest IDS comparison were published in this week's Network
World magazine. You can find the on-line version here.

http://www.nwfusion.com/reviews/2001/1008rev.html

I know this article doesn't contain some of the detail of reviews done in
other mags, but I'd be happy to answer any reasonable requests for more
information regarding the test bed to anyone who is interested. It might
take a day or two to answer any inquiries as I have a few days vacation
coming, but I'll do the best I can.

For background traffic, we chose to use NetIQ's Chariot generating HTTP
Gets. We only used 4 PCs for generating traffic, but each was configured
with 250 IPs to simulate 1000 different nodes on our test network. The "how
we tested" section covers the pps and Mbps.

I think everyone will be surprised by the RealSecure results we saw.
Version 6 moves to a 3-tier architecture, and performance saw a big boost.
Of course, we gave it quite a bit of horsepower. That helps too.

Brownfox

-----Original Message-----
From: Bob Walder [mailto:bwalder@nss.co.uk]
Sent: Thursday, October 11, 2001 7:42 PM
To: 'Greg Shipley'; focus-ids@securityfocus.com
Subject: RE: Realsecure

Ahhhh there's the rub....

IDS' do indeed behave differently depending on the type of traffic you spit
out on the wire - that's why testing these things is a damn nightmare!