Re: ISS Site Protector WAN Performance Issues

From: Alexander Delarge (alex_at_nowhere.com)
Date: 05/31/03 

Date: Sat, 31 May 2003 06:01:09 GMT

"SJ" <sjnospam@yahoo.com> wrote

> I do not think 150kbps is a lot every 2 minutes. 4x150 is, especially
> on a 512 kbs link. Cutting down on the sensors is an option, with
> redesign of Internet accessible dmz's and screened subnets. These are
> only monitoring at the most 6mb links to the internet.
> Even if we were monitoring gb links, the only traffic that should be
> significant should be event traffic and I would buy your argument.

Yes, but this also depends on how many events you see. 10 events an hour
wouldn't produce very much traffic, but 10,000 per hour would.

> However, this is not related to events/second but to Site Protector
> sensor polling for status information.

You can configure the polling rates in SP. I forget exactly where its done,
but you can change all the polling rates.

> Is it really too much to ask of a multiple tier solution to function
> as a multiple tier solution and reduce bandwidth utilization? Even if
> I could make a case for a full T-1 to the sites, 600 to 700 kbps every
> 2 minutes for a solid 40 seconds is unacceptable.

4 100Mbps sensors being remotely managed over a 512Kbps link is a lot to ask
for. The ideal solution would be to move your SP database/event collector to
the remote site, then terminal service or VNC to a box at the remote site
and run the console there. IDSs are not firewalls or SNMP devices. They have
a lot more data to handle.

> Maybe I am being unreasonable in my expectations, but this behaviour
> is not acceptable in an Enterprise Application.

Your architecture is the problem. You have a weakness in your architecture
and want SP to compensate for that. I have 2 sensors and a SP along with
300+ desktops. Never had any comm problems. But, then everthing is over 100
mbps copper.

Ask the same issue at the ISS forum:
https://atla-mm1.iss.net/mailman/listinfo/issforum See what they say.

Alex