|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Palmer, Paul (ISSAtlanta) (PPalmer
iss.net)Date: Mon Sep 10 2001 - 15:50:19 CDT
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomoiss.net Contact issforum-owneriss.net for help with any problems!
----------------------------------------------------------------------------
Cameron,
There are very significant bandwidth limitations with the packet drivers
that ship with Solaris. IMHO, 40Mb/sec is on the upper limit of what they
support (and leaves very little CPU resources remaining for any real work).
We at ISS are aware of Casper Dik's work. Unfortunately, his drivers are not
directly supported by Sun even in Solaris 2.8. They are available only as an
"experimental" patch. They also have an interface that is inconsistent with
the legacy interface. We have successfully integrated RealSecure with
Casper's drivers in a lab environment to monitor full 100Mb/sec bandwidth.
However, before we integrate this support into a shipping product we must
resolve the very significant support issues.
Paul
-----Original Message-----
From: Humphries, Cameron [mailto:Cameron.Humphriesisecure.com.au]
Sent: Sunday, September 09, 2001 8:25 PM
To: 'Yong, David '; 'BartholomewBJstate.gov '; 'issforumiss.net '
Subject: RE: RealSecure only sees 40% of the traffic?
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomoiss.net Contact issforum-owneriss.net for help with any
problems!
----------------------------------------------------------------------------
Hi David
What version of Solaris are you running? There are performance related
problems with respect to trying to get a Solaris box to monitor a 100Mb
network. Yes you have a 100Mb capable card but in practice that only means
it can negotiate with your properly with your switch. The real problem is
ripping a frame off the qfe card and into memory efficiently and then
processing it quickly.
Solaris 2.6 would have no hope. I played with it using NFR a couple of
years ago now with an Ultra 5 (not exactly a race horse) on a network that
was peaking at around 6Mb/s and had some packet loss. I spoke to Casper Dik
(Sun Eng from Holland) as he had written some improved (i.e. far more
efficient) streams drivers for Sol 2.6 and Sol 7 that he was hoping might
have been included in the Sol 7 code base. I am fairly sure that they
weren't so I don't have any expectation that Sol 7 is any more capable in
this regard (the code might still be around).
If you examine network throughput tests such as those you can do with
"netperf" you will certainly find that a pair of Suns with qfe cards will be
capable of moving traffic at something like 92Mb/s but in all these tests
there is no processing of data by the receiver and that is where the
difference lies.
I'll try to find some more concrete stuff for you rather than my gossip and
innuendo :-)
-Cameron
Cameron Humphries
Enterprise IT Security Engineer
iSecure
(a division of SecureNet Ltd)
+61 2 6268 9222
-----Original Message-----
From: Yong, David
To: BartholomewBJstate.gov; issforumiss.net
Sent: 9/7/2001 8:17 AM
Subject: RE: RealSecure only sees 40% of the traffic?
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message
to
majordomoiss.net Contact issforum-owneriss.net for help with any
problems!
------------------------------------------------------------------------
----Sorry, somehow I think people took this statement:
> 5) Is this pertaining to NT as well as Solaris? I have Sun boxes.
And thought that I meant I was using NT boxes as monitors, but could move it to Sun equipment. That is NOT the case. I am running Ultra 60's with qfe cards. Since it's a fast ethernet card, I would only expect it to keep up with 100mbs of traffic. However, I am not sure that this is the case. I do not know how much of the traffic I am seeing is coming through.
Basically my question boils down to this: Theoretically, if I have a fast ethernet card, and the traffic that is going by it is less than 100mbs, will my console get all the messages that it should? Now of all the pieces between there, the card to the network sensor engine, the sensor engine to the event collector, and from the event collector to the console, which one is only getting 40% done? And is there at least some kind of counter to see how many packets are dropped? Where did this 40% come from and is it accurate?
NT doesn't come into play until after the packets are processed, and it's packet capturing engine is terrible, so I wouldn't ever use it for a sensor.
-----Original Message----- From: Bartholomew, Brian J [mailto:BartholomewBJ
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to majordomo
David, My experience...I have seen that on an NT box, Real Secure can only handle 40-50% of your bandwidth before it starts dropping packets. I don't know if this is what you're looking for, but that's all I can say for sure.
Brian J. Bartholomew U.S. Dept of State, Bureau of Diplomatic Security Computer Incident Response Team (202)663-2304
> -----Original Message----- > From: Yong, David [SMTP:David.Yong
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]