Very excellent post for this thread. I too saw the presentation; I had
commented during that speech about my same experiences with RealSecure
matching up with the same one they were experiencing at ConXion. We had the
same setup, same configurations on the SUN systems, and got the same
degradation in speed...
Just my 2 cents..
Loki
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Haugsness, Kyle
Sent: Wednesday, September 06, 2000 8:20 AM
To: 'Sadler, Connie J'; '[EMAIL PROTECTED]'
Subject: RE: Real Secure Intrusion Detection
I'd like to comment on the RealSecure thread. I have previously installed
and run a small RealSecure deployment (5 network sensors, 10 host sensors)
at a previous company. I have no association with any vendor other than
being a customer.
I'm curious to know what size pipes Connie tested against and how the
testing was conducted. For those that did not attend the Black Hat
Briefings this year, there was interesting talk by Mark Kadrich, Director of
Security at Conxion Corp. Conxion is a big ISP with really big pipes (5 x
OC-3 if I remember correctly). He and his group did an extensive performance
test of ISS RealSecure.
He found that RealSecure on a hefty Solaris Sparc machine could only handle
15-20 Mbps of traffic before dropping packets. Most big shops will find
that unacceptable (as mine does). They ended up doing some tricks with load
balancing and multiple network sensors to get more detection, but the ROI
just isn't worth it. You end up spending $100,000 just to monitor a fast
server segment. It is also interesting to note that RealSecure is currently
running faster on NT than Solaris.
So if you need to watch some big pipes, start taking a look at other
products such as Network Flight Recorder (hi Marcus), Network Security
Wizards' Dragon, or even snort.
I won't go into much detail regarding the functionality component that ISS
doesn't provide. I equate RealSecure to being an automatic transmission in
a car. The other systems give you more control. Case in point: have you
ever tried to look at the actual packet after RealSecure made a detect? You
can't. For forensics purposes, this is critical. How about re-assembly of
fragmented IP packets? ISS is only starting to do this. ISS does provide
a lot of great features that make administration and scalability easy. So
your mileage may vary.
For a very good article on IDS, read the Network Computing Article by Greg
Shipley. It's a bit dated, but not much has changed. Available at
http://www.networkcomputing.com/1023/1023f1.html. Also, a presentation by
Ron Gula of Network Security Wizards (also at Black Hat) should get you
concerned about how easy it is to bypass some commercial IDS systems on the
market. You can find his presentation at the bottom of this page:
http://www.securitywizards.com/library.html.
Thoughts? Flames?
-Kyle
-----Original Message-----
From: Sadler, Connie J [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 06, 2000 8:10 AM
To: Mark, Johnston; [EMAIL PROTECTED]
Subject: RE: Real Secure Intrusion Detection
We completed an extensive eval including RealSecure. It is the best for
large pipes, as far as we are concerned - handles large volumes of traffic
well, and in fact, scales better than anything else we tested.
Connie
-----Original Message-----
From: Mark, Johnston [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 06, 2000 6:09 AM
To: [EMAIL PROTECTED]
Subject: Real Secure Intrusion Detection
Hi,
Does anyone have a site with RealSecure Intrusion detection ?
I've just gone to a demo... and well, the product didn't look half bad, but
I'm looking for some first-hand experiences.
Thanks
Mark
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]