Subject: Re: Gigabit IDS solutions
From: Robert Graham (robert_david_graham at YAHOO.COM)
Date: Tue Nov 14 2000 - 19:26:02 CST
- Next message: Robert Graham: "Re: Gigabit IDS solutions"
- Previous message: Jacob Martinson: "Re: Gigabit IDS solutions"
- Maybe in reply to: Daryl: "Gigabit IDS solutions"
- Next in thread: Keiji Takeda: "Re: Gigabit IDS solutions"
- Next in thread: Robert Graham: "Re: Gigabit IDS solutions"
- Maybe reply: Robert Graham: "Re: Gigabit IDS solutions"
- Reply: Keiji Takeda: "Re: Gigabit IDS solutions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
There has been some discussion of testing of gigabit solutions, mostly focused
on "rates". If you want a truly exact measurement, you should focus on exact
"counts" coming out of the IDS. The problem is that "rate" measurements are
highly prone to error.
For this reason, Network ICE doesn't have a "drop" counter (well, we do, but we
don't really expose it). We have found that we can't get reliable data out of
it (adapters often drop packets without telling us). Instead, the IDS provides
a total count of the number of packets it has processed.
For example, we use a SmartBits traffic generator to transmit 200,000,000 (two
hundred million) packets at a certain rate. We reset the counters on BlackICE
Sentry, then start the test. At the end of the test, Sentry reports that it
successfully processed 200,000,004 packets (SmartBits also reported
transmitting 4 more packets than I asked for -- I don't know why, but the IDS
confirmed the number).
In order to find the limits on packets/second and bits/second, we keep doing
the test with ever-increasing rates until the results reported by the IDS no
longer match the numbers reported by the traffic generator. The fault may be in
the cable, the adapter's chipset, the driver, or the IDS itself. The key point,
however, is to ask the IDS at the very end of the chain how many packets it
processed. If you are missing any packets, then you start debugging the other
components.
One of the problems in this mess is trying to get solid traffic generators;
most cannot get close to gigabit speeds. We've found that 100-mbps generators
attached to a switch are often a good way to test an IDS: the switch takes care
of the collisions. This is usually adequate up to 500-mbps without losing
packets. This is why generators like SmartBits can be valuable: they don't
generate good traffic, but at least they are very precise.
Therefore, when Network ICE quotes numbers, they are the results of transmitting
packets over an extended period of time at a certain rate where both the IDS
and the transmitters agree upon the number of packets that went across the
wire. This means that the IDS and transmitters must agree exactly after
billions of packets have been generated; if there is even one packet in
disagreement, then we lower the number until they match.
=====
Robert Graham
Personal: http://www.robertgraham.com Work: CTO Network ICE
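As an added illustration of the count-based method described in the message above (this is example code, not code from the original post or from Network ICE), the following Python simulation ramps the offered packet rate and treats a run as passing only when the generator's transmit count and the IDS's processed count agree exactly, then bisects between the last passing and first failing rate to pin down the limit. The pipeline model, its capacities and the packet counts are constructed for the example; the names `SimulatedPipeline`, `find_max_lossless_rate` and `is_lossless` are my own. The model's adapter discards packets above its capacity without telling the IDS, which reproduces the post's reason for distrusting an IDS-side "drop" counter: that counter reads zero even when packets went missing.

```python
from dataclasses import dataclass


@dataclass
class SimulatedPipeline:
    """Constructed stand-in for generator -> cable/adapter/driver -> IDS.

    Each stage silently discards packets once the offered rate exceeds its
    capacity. The adapter never reports its own losses to the IDS, which is
    exactly why an IDS-side "drop" counter cannot be trusted on its own.
    """
    adapter_capacity_pps: int   # assumed adapter/driver limit (constructed)
    ids_capacity_pps: int       # assumed IDS engine limit (constructed)

    def run(self, rate_pps: int, packets: int) -> dict:
        """Offer `packets` at `rate_pps`; return the counters each side reports."""
        delivered = packets
        if rate_pps > self.adapter_capacity_pps:
            # Silent loss before the IDS ever sees the packet.
            delivered = packets * self.adapter_capacity_pps // rate_pps
        processed = delivered
        if rate_pps > self.ids_capacity_pps:
            processed = delivered * self.ids_capacity_pps // rate_pps
        return {
            "transmitted": packets,                     # generator's count
            "processed": processed,                     # IDS total processed count
            "ids_drop_counter": delivered - processed,  # only drops the IDS can see
        }


def is_lossless(result: dict) -> bool:
    """Pass criterion from the post: generator and IDS counts agree exactly."""
    return result["transmitted"] == result["processed"]


def find_max_lossless_rate(run, packets, start_pps, step_pps, max_pps):
    """Ramp the rate in fixed steps until the counts disagree, then bisect
    between the last matching rate and the first mismatching one.

    Returns the highest rate (pps) at which every transmitted packet was
    counted by the IDS, or None if even `start_pps` loses packets.
    """
    last_good, first_bad = None, None
    rate = start_pps
    while rate <= max_pps:
        if is_lossless(run(rate, packets)):
            last_good = rate
            rate += step_pps
        else:
            first_bad = rate
            break
    if last_good is None:
        return None
    if first_bad is None:
        return last_good  # never hit the limit within max_pps
    lo, hi = last_good, first_bad
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_lossless(run(mid, packets)):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    # Constructed scenario: adapter tops out below the IDS engine, so the
    # bottleneck is invisible to the IDS's own drop counter.
    pipe = SimulatedPipeline(adapter_capacity_pps=450_000, ids_capacity_pps=600_000)
    limit = find_max_lossless_rate(pipe.run, 200_000_000, 100_000, 100_000, 2_000_000)
    print("max lossless rate:", limit, "pps")
    over = pipe.run(500_000, 200_000_000)
    print("at 500k pps:", over)  # counts disagree, yet ids_drop_counter == 0
```

The ramp-then-bisect search keeps the number of long runs small, which matters when each run is hundreds of millions of packets; the final answer is still the strict criterion from the post, an exact match between what was sent and what the IDS counted.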