TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ---------------------------------------------------------------------------- I can't believe they put NT in such shackles for that benchmark. 1) The SUN had dual processors and the NT had 1. Regardless of which processors were more powerful (CISC vs RISC) the simple fact of the matter is that you are dealing with an I/O streaming function that has data flowing thru several interfaces, having multiple processors to handle processing for multiple I/O processing threads is going to run smoother and much more efficiently than running timesliced on a single processor. 2) They used a much older version of NT, 3.51 (albeit stable, the tcp/ip performance is much better in 4.0 and above) 3) They gave NT a pittance of memory, which in all my experience 64 is not enough for much of anything. Yes, it's the same amount that Solaris was allotted, but it is well known that NT is very bad in the memory management/footprint category. I think they should have given it more memory to play with. Once NT gets out of the memory boggle, it runs much smoother. 4) No mention was made as to how the OS was tuned. Did they tune it properly? An out of the box install of NT is NO GOOD. If they just installed NT and fired away, then that is not a good test in my opinion. Did they use a bad release of Intel drivers? The Pro100 cards have had several releases of drivers that did not work well or required tuning to run well on NT. Anyway, I would rather run it on Solaris even so, or just install a PIX instead. ----- Original Message ----- From: <[EMAIL PROTECTED]> Cc: <recipient list not shown: ;> Sent: Monday, November 29, 1999 12:24 PM > <[EMAIL PROTECTED]> > To: > Subject: RE: COMPILED EMAIL: RS-NE for 100M environment > Date: Wed, 24 Nov 1999 23:54:18 -0000 > X-Mailer: Internet Mail Service (5.5.2448.0) > MIME-version: 1.0 > Content-type: text/plain; charset="iso-8859-1" > Sender: [EMAIL PROTECTED] > Precedence: bulk > X-Loop: issforum > > > TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to > [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! > -------------------------------------------------------------------------- -- > > > interesting stuff! > > a couple of thoughts ... > > on the Sun front I've found a reasonable price/performance compromise to be > Ultra 5 (360Mhz ultrasparc II, 256Mb RAM, Quad Fast Ethernet) > > Just to add to the confusion sitting in front of a Firewall facing an E1 up > link a proliant 1850R with 512Mb RAM, PII 300 (I think) and a netelligent > 10/100 card did pretty much the same things. > > Checkpoint did a series of tests (see > http://www.checkpoint.com/products/technology/pdata_sol_nt.html ) mainly > aimed at getting some comparison figures for Firewall-1 purposes. > > This was a high-throughput test, but how reliable is it to extrapolate from > these results to a realsecure environment? has anyone done a similar series > of tests with realsecure? > > regards > > Gavin. > -----Original Message----- > From: Droski, Sheila (ISSTexas) [mailto:[EMAIL PROTECTED]] > Sent: 23 November 1999 23:21 > To: [EMAIL PROTECTED] > Subject: FW: COMPILED EMAIL: RS-NE for 100M environment > > > > TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to > [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any > problems! > -------------------------------------------------------------------------- -- > > Hi all, > I compiled some information below regarding RealSecure engine performance on > busy segments. Since this was a topic recently I thought you might want to > see what some of our internal, technical people have to say...I've deleted > the names to "protect the innocent". > :) > > The only thing I would change is in the first email below where he rates > memory as more important than cache on the card. I'd flip those since once > the card starts dropping packets, it really doesn't matter how much memory > the system has to process the signatures. > sheila > > =================================== > Sheila M. Droski > Technical Product Manager > [EMAIL PROTECTED] > > Internet Security Systems, Inc. > Austin, TX > Direct Dial: (512) 266-9323 > beeper: (888) 431-2052 > http://www.iss.net > > Adaptive Network Security for the Enterprise > =================================== > > one thing I didn't see in the write-ups is buy a NIC with the biggest cache > you can find. The nic itself can improve RS performance on very busy > lans. I/O is far more important than processing speed. I would say, in > this order: > > 1. Memory of the machine > 2. Cache on the NIC > 3. Backplane speed of the machine (100Mhz vs 66Mhz) > 3. CPU Speed / backplane speed > 4. I/O of the disks > > Throughput, throughput throughput. > =================================== > > We were running the RealSecure engine on a Sun Enterprise 250 with 2 > interfaces (one in stealth mode and one for the management) And we did very > well. > > RealSecure kept up on a 100Mbits/s network depending on the load: > > 128Byte packets 30%load OK > 128Byte packets 50%load started losing things, but still detected > certain > attacks. > 128Byte packets 70%load Only detected a couple things. > > 512byte packets 30%load OK > 512byte packets 50%load OK > 512byte packets 70%load OK, we started losing one or two things. > > Technical specs of the machine: > Sun Enterprise 250 > UltraSPARC-2 processor at 248 Mhz > 256 Mbyte Internal memory > 1 fast Ethernet onboard > 1 Quad PCI Ethernet card > > ============================================ > > You need to know the utilization on the network and how large the packets > > are. RealSecure has a tested limit of about 30%-40% utilization of a 100 > > Mb network. Recognize that all network based IDS products have this issue > > and the "tested limit" is very much dependent on a large range of > variables. > > > > The following information came from a real-life installation of > > RealSecure: > > While at an enterprise customer site, ISS tested RealSecure on an > > Enterprise 250 with 256MB of Ram and RealSecure kept up with 50% plus of a > > 100MB Ethernet segment. Not a typical box, but all of the Ultra Machines I > > have seen with at least 256MB of Ram have performed very well. > > > > To determine the performance of the RealSecure Network Engine, it is > > important to look at the following factors (some factors cannot be > > controlled): > > � CPU type and speed > > � Numbers of CPUs > > � Amount of RAM > > � The Policy enforced on RealSecure (signatures and responses that are > > selected) > > � The number of packets on the wire & their size (small packets pummel the > > > card at lower bandwidths) > > � The number of packets that match attack signatures which are enabled in > > RealSecure > > � The bursting amount of the traffic > > > > ISS is in the process of conducting a more sophisticated analysis where we > > vary certain variables discussed above to understand each variable's > impact > > on the performance of RealSecure. ISS is also developing a feature in > > RealSecure where the system will alert the administrator if RealSecure is > > unable to keep up with the current network traffic load. > > > > RealSecure's performance is enhanced by the following factors: > > � Optimizing the filter rules, > > � Moving the response options for user-specified events out of the filter > > module, > > � Speeding up the packet driver, and > > � Modifying the attack recognition logic for constant lookup time for > > signatures and data structures. > > > > ISS has additional performance enhancements underway that are expected to > > increase significantly the performance of the current system. >
