It really depends on what you deem a performance hit. Do you mean you are not
capturing the same number of events from the NT Sensor versus the Solaris
sensor? Or do you mean that CPU utilization is high under a large number of
events, therefore the events are not being sent to the console or at all?
/mark
At 04:43 PM 9/11/00 -0400, Carric Dooley wrote:
>The results I have seen put NT ahead of Solaris for performance running the
>RS engine.. way ahead.
>
>
>----- Original Message -----
>From: "Loki" <[EMAIL PROTECTED]>
>To: "Haugsness, Kyle" <[EMAIL PROTECTED]>; "'Sadler, Connie J'"
><[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Friday, September 08, 2000 8:00 PM
>Subject: RE: Real Secure Intrusion Detection
>
>
> > Very excellent post for this thread.. I too saw the presentation, I had
> > commented during that speech about my same experiences with RealSecure
> > matching up with the same one they were experiencing at ConXion. We had the
> > same setup, same configurations on the SUN systems, and got the same
> > degradation in speed...
> >
> > Just my 2 cents..
> >
> > Loki
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Haugsness, Kyle
> > Sent: Wednesday, September 06, 2000 8:20 AM
> > To: 'Sadler, Connie J'; '[EMAIL PROTECTED]'
> > Subject: RE: Real Secure Intrusion Detection
> >
> >
> >
> > I'd like to comment on the RealSecure thread. I have previously installed
> > and run a small RealSecure deployment (5 network sensors, 10 host sensors)
> > at a previous company. I have no association with any vendor other than
> > being a customer.
> >
> > I'm curious to know what size pipes Connie tested against and how the
> > testing was conducted. For those that did not attend the Black Hat
> > Briefings this year, there was an interesting talk by Mark Kadrich, Director of
> > Security at Conxion Corp. Conxion is a big ISP with really big pipes (5 x
> > OC-3 if I remember correctly). He and his group did an extensive performance
> > test of ISS RealSecure.
> >
> > He found that RealSecure on a hefty Solaris Sparc machine could only handle
> > 15-20 Mbps of traffic before dropping packets. Most big shops will find
> > that unacceptable (as mine does). They ended up doing some tricks with load
> > balancing and multiple network sensors to get more detection, but the ROI
> > just isn't worth it. You end up spending $100,000 just to monitor a fast
> > server segment. It is also interesting to note that RealSecure is currently
> > running faster on NT than Solaris.
> >
> > So if you need to watch some big pipes, start taking a look at other
> > products such as Network Flight Recorder (hi Marcus), Network Security
> > Wizards' Dragon, or even snort.
> >
> > I won't go into much detail regarding the functionality component that ISS
> > doesn't provide. I equate RealSecure to being an automatic transmission in
> > a car. The other systems give you more control. Case in point: have you
> > ever tried to look at the actual packet after RealSecure made a detect? You
> > can't. For forensics purposes, this is critical. How about re-assembly of
> > fragmented IP packets? ISS is only starting to do this. ISS does provide
> > a lot of great features that make administration and scalability easy. So
> > your mileage may vary.
> >
> > For a very good article on IDS, read the Network Computing Article by Greg
> > Shipley. It's a bit dated, but not much has changed. Available at
> > http://www.networkcomputing.com/1023/1023f1.html. Also, a presentation by
> > Ron Gula of Network Security Wizards (also at Black Hat) should get you
> > concerned about how easy it is to bypass some commercial IDS systems on the
> > market. You can find his presentation at the bottom of this page:
> > http://www.securitywizards.com/library.html.
> >
> > Thoughts? Flames?
> >
> > -Kyle
> >
> >
> >
> >
> > -----Original Message-----
> > From: Sadler, Connie J [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 06, 2000 8:10 AM
> > To: Mark, Johnston; [EMAIL PROTECTED]
> > Subject: RE: Real Secure Intrusion Detection
> >
> >
> >
> > We completed an extensive eval including RealSecure. It is the best for
> > large pipes, as far as we are concerned - handles large volumes of traffic
> > well, and in fact, scales better than anything else we tested.
> >
> > Connie
> >
> > -----Original Message-----
> > From: Mark, Johnston [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 06, 2000 6:09 AM
> > To: [EMAIL PROTECTED]
> > Subject: Real Secure Intrusion Detection
> >
> >
> > Hi,
> >
> > Does anyone have a site with RealSecure Intrusion detection ?
> > I've just gone to a demo .... and well the product didn't look half bad, but
> > I'm looking for some first hand experiences.
> >
> > Thanks
> > Mark
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]