The results I have seen put NT ahead of Solaris for performance running the
RS engine.. way ahead.
----- Original Message -----
From: "Loki" <[EMAIL PROTECTED]>
To: "Haugsness, Kyle" <[EMAIL PROTECTED]>; "'Sadler, Connie J'"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, September 08, 2000 8:00 PM
Subject: RE: Real Secure Intrusion Detection
> Very excellent post for this thread.. I too saw the presentation, I had
> commented during that speech about my same experiences with RealSecure
> matching up with the same one they were experiencing at ConXion. We had the
> same setup, same configurations on the SUN systems, and got the same
> degradation in speed...
>
> Just my 2 cents..
>
> Loki
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Haugsness, Kyle
> Sent: Wednesday, September 06, 2000 8:20 AM
> To: 'Sadler, Connie J'; '[EMAIL PROTECTED]'
> Subject: RE: Real Secure Intrusion Detection
>
>
>
> I'd like to comment on the RealSecure thread. I have previously installed
> and run a small RealSecure deployment (5 network sensors, 10 host sensors)
> at a previous company. I have no association with any vendor other than
> being a customer.
>
> I'm curious to know what size pipes Connie tested against and how the
> testing was conducted. For those that did not attend the Black Hat
> Briefings this year, there was an interesting talk by Mark Kadrich, Director of
> Security at Conxion Corp. Conxion is a big ISP with really big pipes (5 x
> OC-3 if I remember correctly). He and his group did an extensive performance
> test of ISS RealSecure.
>
> He found that RealSecure on a hefty Solaris Sparc machine could only handle
> 15-20 Mbps of traffic before dropping packets. Most big shops will find
> that unacceptable (as mine does). They ended up doing some tricks with load
> balancing and multiple network sensors to get more detection, but the ROI
> just isn't worth it. You end up spending $100,000 just to monitor a fast
> server segment. It is also interesting to note that RealSecure is currently
> running faster on NT than Solaris.
>
> So if you need to watch some big pipes, start taking a look at other
> products such as Network Flight Recorder (hi Marcus), Network Security
> Wizards' Dragon, or even snort.
>
> I won't go into much detail regarding the functionality component that ISS
> doesn't provide. I equate RealSecure to being an automatic transmission in
> a car. The other systems give you more control. Case in point: have you
> ever tried to look at the actual packet after RealSecure made a detect? You
> can't. For forensics purposes, this is critical. How about re-assembly of
> fragmented IP packets? ISS is only starting to do this. ISS does provide
> a lot of great features that make administration and scalability easy. So
> your mileage may vary.
>
> For a very good article on IDS, read the Network Computing Article by Greg
> Shipley. It's a bit dated, but not much has changed. Available at
> http://www.networkcomputing.com/1023/1023f1.html. Also, a presentation by
> Ron Gula of Network Security Wizards (also at Black Hat) should get you
> concerned about how easy it is to bypass some commercial IDS systems on the
> market. You can find his presentation at the bottom of this page:
> http://www.securitywizards.com/library.html.
>
> Thoughts? Flames?
>
> -Kyle
>
>
>
>
> -----Original Message-----
> From: Sadler, Connie J [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 06, 2000 8:10 AM
> To: Mark, Johnston; [EMAIL PROTECTED]
> Subject: RE: Real Secure Intrusion Detection
>
>
>
> We completed an extensive eval including RealSecure. It is the best for
> large pipes, as far as we are concerned - handles large volumes of traffic
> well, and in fact, scales better than anything else we tested.
>
> Connie
>
> -----Original Message-----
> From: Mark, Johnston [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 06, 2000 6:09 AM
> To: [EMAIL PROTECTED]
> Subject: Real Secure Intrusion Detection
>
>
> Hi,
>
> Does anyone have a site with RealSecure Intrusion detection ?
> I've just gone to a demo .... and well the product didn't look half bad, but
> I'm looking for some first hand experiences.
>
> Thanks
> Mark
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]