RE: Performance Testing was RE: Realsecure

From: Reeves, Michael (GEAE, Compaq) (michael.reeves@ae.ge.com)
Date: 10/18/01


Message-ID: <EE5E8E5E3458D311A1410090279279C30AF14532@ev005msxaege.ae.ge.com>
From: "Reeves, Michael (GEAE, Compaq)" <michael.reeves@ae.ge.com>
To: focus-ids@securityfocus.com
Subject: RE: Performance Testing was RE: Realsecure
Date: Thu, 18 Oct 2001 12:54:39 -0400

Eric,

        I agree with you on most things but I want gigabit capabilities.
Creating a quality sensor able to handle gig traffic benefits everyone. Then
when you put it on a slower connection it should be able to handle that with
no problems.

Mike

-----Original Message-----
From: Eric Hacker [mailto:hacker@vudu.net]
Sent: Thursday, October 18, 2001 1:39 AM
To: focus-ids@securityfocus.com
Subject: Performance Testing was RE: Realsecure

I think that real world testing will provide some useful information, but it
is only applicable if the same real world environment is used for testing at
the same time (as Greg's report did). Even then, it won't necessarily
translate to one's own real world environment.

In some respect we've got a sports car that will do 0-60 in under 6 seconds
and tops out at 150. Only I'm trying to drive it on Rte. 128 around Boston
at 8 AM. Or maybe I'm trying to drive it in a rain storm or blizzard. OK, so
where you live it's always a blizzard and there's lots of traffic in your
way, adjust your expectations accordingly. You won't be doing 150.

The most important factors in testing are that it is completely open,
procedurally well documented and hopefully repeatable. The more tests that
are done and shared, the better. The problem is the fine print or even
claims with no support. These are a disservice.

Many folks aren't trying to do gigabit IDS but have other issues. How does
RealSecure compare on a Nokia 650 and a Sun Netra T1? (Hopefully some simple
results coming soon). What about a Windows box with X specs?

What if I want to try running IDS, Firewall and VPN at a small site with
only a T1, but I want it integrated with the solutions I use for the bigger
sites? Is there anything that can handle that load?

Testing performance is also different from testing attack identification
capability. If the IDS can't detect the attack with no background noise,
then performance isn't the issue. I'd really like to see (and do) some
detailed false negative testing for IDS as well.

Oh the things we can think!

Peace,
Eric Hacker, CISSP, GCIA, MCSE, CCSE
Network Security Consultant
Email: hacker@vudu.net
PGP key:
http://keyserver.pgp.com/pks/lookup?op=get&search=hacker@vudu.net
PGP Fingerprint: FADB 793E E98A 97BB 04D6 5973 7864 93A1 222B E0C7

"Long gone are the days when one's surname referred to the role
one had in the community."