Re: Realsecure

From: virtualphil (
Date: 10/12/01

Message-ID: <013301c1533b$88560840$>
From: "virtualphil" <>
To: <>, "Kevin Brown" <>, <>, "'Greg Shipley'" <>, <>
Subject: Re: Realsecure
Date: Fri, 12 Oct 2001 11:32:44 -0500


You might want to take a look at the link for the actual testing, it's a
real eye opener.

I feel that their comparison matrix and weighting is flawed, but their
testing is valid and allows people to not have to repeat this testing.

This link talks about
the tests and the total number of attacks detected. Why aren't these
findings used in the matrix to determine overall product grading
specifically? It is an IDS and I would think the NUMBER OF ATTACKS DETECTED
would be an important criteria and should have a separate line item and
weight that is at least equal to if not higher than performance which IMHO
should only have been dropping packets and not throughput and attack

Another flaw in their methodology is that they weight IDS performance equal
to installation and management. Using their methodology a product that
installs easy and is easy to manage can miss twice as many attacks but the
overall score could be even. For an IDS I do not believe that should be

Form the link above:
1) Cisco only identified 21 out of 27 (77.7%) with NO LOAD, ISS and Dragon
24 of 27 (88%) with no load. This in itself should have lowered cisco below
ISS but it did not.
2) With 90MB load ISS identified 17 of 27, cisco was 19 of 27 and Dragon
was 24 of 27. This should have lowered both ISS and cisco, but it did not.

From these numbers you need to look at your network and traffic to determine
which product would best suit your needs. What would you do on a 1000MB
network based off these numbers?

Phil Kramer, SANS GSEC
Systems Solutions Technologies, LLC
Phone: 615-646-5766