RE: Realsecure

From: Bob Walder (bwalder@nss.co.uk)
Date: 10/14/01


From: "Bob Walder" <bwalder@nss.co.uk>
To: "'malj31'" <malj31@dial.pipex.com>, <focus-ids@securityfocus.com>
Subject: RE: Realsecure
Date: Sun, 14 Oct 2001 10:31:09 +0100
Message-ID: <81530203FD3BD111A02900805FCC09991577B6@COMPAQ_NT40>

Yes, it is true that we charge vendors for testing. There was an interesting
exchange between Greg Shipley and Rick Williams (I think it was) recently
that covered a lot of the pros and cons of charging vs free testing, so I
won't go over old ground.

Suffice it to say that we do not accept advertising or any other form of
sponsorship in any way, so we do need to make some money somewhere along the
line. NSS actually started life as "Network Subscription Service", where we
used to test for free and sell the reports on a subscription basis to large
corporate clients. We changed the model two years ago now to charge vendors
and give the reports away, and the response to that approach has largely
been very positive, both from vendors (who now see circulation of the
reports numbering tens of thousands instead of a few hundred) and end users
(who no longer have to pay for the information).

I would stress that every vendor pays the same amount, and since we accept
no other advertising or sponsorship this allows us to remain completely
vendor neutral. Our reports are always as independent as it is possible to
make them - without that, they are useless. We stand by our record of
reporting warts and all, no matter who is paying - you only have to read
some of our previous reports (check out what we had to say about IBM's PKI
solution in our PKI report).

As to our opinion on vendors who decline to pay - if they decline to pay,
they do not get tested. Therefore we would never offer an opinion - good or
bad - on a vendor or product we had not tested.

Our ONLY exception to the payment rule to date has been this year when we
have tested Snort 1.8.1 - clearly no one was going to pay for this one (!)
but we felt we had to include it in the report to put the freeware IDS into
context. As it happens, we found it to be an excellent product (you will
have to wait until the new report is published next month to see just how
good it was).

As far as my opinion of RealSecure is concerned, note that I was talking
about the tests we performed last year, when ISS DID participate in the
report. I also mention that NetworkICE (now ISS) was an excellent performer,
and I believe that when the two technologies are merged ISS will have a
product to shout about. As far as ISS' reluctance to participate in the
current round of testing using the current version of RealSecure, I imply
nothing. As I said - read into it what you will.

I stand by our results of last year that indicated RealSecure was a poor
performer on heavily loaded networks, and look forward to testing the
product again when the BlackICE engine is integrated fully.

I hope that clarifies things.

Regards,

Bob Walder

The NSS Group
England

Internet: http://www.nss.co.uk


-----Original Message-----
From: malj31 [mailto:malj31@dial.pipex.com]
Sent: 13 October 2001 11:19
To: focus-ids@securityfocus.com
Subject: Re: Realsecure

Is it true that in order for an IDS system to be included in your testing
that you charge the company? If so does this not affect your opinion if the
company declines to pay?

----- Original Message -----
From: "Bob Walder" <bwalder@nss.co.uk>
To: <focus-ids@securityfocus.com>
Sent: Wednesday, October 10, 2001 6:29 PM
Subject: RE: Realsecure

> Sorry to nit pick, but in our testing we found that RealSecure cannot handle
> anything like 100Mbps in terms of raw sniffing speed with small packets.
>
> We are re-doing our testing this year with additional participants and
> including a "real world" packet mix to try and give people an idea of how
> these things will perform in a "real" network (how long is a piece of
> string....). Unfortunately, ISS has declined to participate - read into that
> what you will!
>
> Of course, one of the best performing products we found last year was
> NetworkICE, so it will be interesting to see what happens when ISS manages
> to incorporate the BlackICE sniffing engine into its NIDS product -
> hopefully they will feel a bit more confident about participating in tests
> at that point....
>
> For now, if performance is an issue, best avoid RealSecure.
>
> Regards,
>
> Bob Walder
> Director
>
> The NSS Group
> England
>
> E-Mail: bwalder@nss.co.uk
> Internet: http://www.nss.co.uk
>
> -----Original Message-----
> From: Jeroen Wortelboer [mailto:jwortel@carotechnology.com]
> Sent: 10 October 2001 08:00
> To: yh lee; focus-ids@securityfocus.com
> Subject: Re: Realsecure
>
>
> For me it's always more a matter of what kind of staff you have walking
> around. If you have Unix people and a nice budget, go for the Unix
> option. If not, the NT option will do fine.
>
> In my experience, the Unix option performs a bit better because most
> unix boxes and os-es handle task switches better (faster).
> I am not sure but I believe the windows version still uses a method of
> capturing frames one by one so that every frame needs a task switch.
>
> I talked to them briefly some time ago about using a bucket system for
> the windows sensors (even got a working driver for it) but never heard
> from it again. Perhaps it's already in there....
>
> Is speed really an issue in your case? In most cases the ISP is the
> bottleneck of the overall system. Realsecure can handle speeds up to
> 100Mbps so you must have a nice uplink ;-)
> Perhaps you can use a span-port-switch-trick so that you only see the
> incoming traffic from your ISP but not the other frames on your DMZ. (if
> you want that of course) A packet filter in the policy can also help a
> lot in gaining speed.
>
> Jeroen
>
>
> > hi
> >
> > is it better to run Realsecure Network sensor on Windows NT
> > or SUn solaris in terms of performance ??
> >
> > what are the pros and cons of running on NT??
> >
> > thanks
> >
> > ekim
> >
>
>


