(no subject)
ISSTexas (SDroski iss.net)
23 Nov 1999 15:33:02 -0000
issforum iss.net
Cc: RS-Tech <rs-tech iss.net>
Subject: RE: Real Secure
Date: Fri, 19 Nov 1999 15:53:41 -0500
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomo iss.net Contact issforum-owner iss.net for help with any problems!
----------------------------------------------------------------------------
Hi Dave,
Hopefully this will make all the "out of office" and other annoying replies
worth it.
I don't have any specific numbers to give you right now, but I can give you
some general guidance. I agree with you that it is probably not necessary to
deal with the upkeep of a Unix system in your situation. If you have an all
NT environment and you are working with 10Mbps or less of bandwidth, either
the NT or the Solaris engine should be just fine. Just make sure your engine
has plenty of memory with a good processor and you'll be great. The more
memory, the better since much of the signature analysis is memory intensive
more than it is processor intensive.
Once you go to a 100Mbps link, things get a little less even. Our tentative
findings are that NDIS seems to be somewhat of a bottleneck at higher
speeds. That is why the Solaris engine is often better on a 100Mbps link
with very high SUSTAINED utilization. On the other hand, once you reach the
point where the card/driver gets overloaded to the point that it starts
dropping packets it *seems* that NT (NDIS) recovers better than Solaris. NT
will probably start dropping packets at lower sustained utilization rates
than Solaris, but once the cards start dropping packets, NT may drop 100
packets while Solaris may drop 10,000 packets before it recovers. Keep in
mind that these are very tentative and general results at this point.
Obviously, this is just one of the many possible bottlenecks that can occur
for this type of system, but I think it's the most relevant to your
question.
I'm sure the next question is...what is "high"...30%, 50%, 80% of a 100Mbps
link? I don't have an answer for you on that right now. We have three
engineering teams at ISS, including my team, doing extensive testing in this
area now. Our goal is to improve performance where we have control and to
determine where things "break" and what is causing the break point where we
don't have control. I anticipate that some of these findings will be made
available to customers and some will be used internally for development
only. Keep in touch with your local Systems Engineer and I'm sure they'll be
happy to pass on whatever we pass on to them after the 1st of the year.
Hope this helps at least a little,
sheila
===================================
Sheila M. Droski
Technical Product Manager
sdroski iss.net
Internet Security Systems, Inc.
Austin, TX
Direct Dial: (512) 266-9323
http://www.iss.net
Adaptive Network Security for the Enterprise
===================================
-----Original Message-----
From: Dave Harrison [mailto:DHarrison Dial.Pipex.com]
Sent: Wednesday, November 17, 1999 4:23 AM
To: issforum iss.net
Subject: Real Secure
Hi all,
Does anyone have any performance figures of Real Secure on both Unix and NT
platforms? I'm being told that I have to deploy RS on Sun as it "performs
better than NT". Given that it's monitoring a 2Mbps link (E1 if you're
European, T1 if not) I can't see why I need to deploy a single Unix box in
an otherwise NT only environment. I happily accept that Sun/Unix combo
gives better performance than NT; however, it would be useful to know where
NT's ceiling is, e.g. is it happy monitoring a 100Mbps Ethernet without any
delay or missed packets?
Thanks in advance.
Dave Harrison
btw the last time I posted to this forum I had "sorry I'm out of the office"
messages for weeks afterwards together with one or two hate mails saying
"I've asked you dozens of times, stop f*$kin sending me emails" or words to
that effect. I hope this isn't going to happen again :)
This archive was generated by hypermail 2.0b3 on Tue Nov 23 1999 - 12:19:51 CST