Intrusion Detection Systems mailing list archives

Re: BlackICE IDS


From: robert_david_graham () yahoo com (Robert Graham)
Date: Sat, 4 Dec 1999 07:39:37 -0800 (PST)



Hhhmm. The old WinNT vs. UNIX religious debate again.

If the task isn't OS-bound, then the underlying OS just doesn't make a
difference. (Just as the disk-drive subsystem doesn't make a bit of difference
if you aren't saving to disk, or the video doesn't make a difference if you
aren't writing to the screen). For an example, go to www.spec.org and check out
the Intel SE440BX 450-MHz SPECint95 results that Intel runs on both WinNT and
UnixWare; both platforms give identical results because SPECmark isn't OS-bound
(the C runtime libraries make more of a difference than the OS).

In my tests that captured+analyzed 148,800 frames/second, I ran on a
dual-Celeron 450-MHz system. I used a utility from MS to force processor
affinity: capture ran on one CPU, analysis on the other. The CPU doing the
packet capture (which is OS-bound) took about 50% utilization, whereas
the CPU doing the IDS packet analysis took up about 90% of its CPU. The
analysis does not interact with the operating system at all. Moving to a faster
OS might help the packet capture, but it isn't the bottleneck.

The test I ran used carefully chosen frames from real-world tracefiles with
constantly varying IP addresses. I chose packets designed to test the major
code paths in the sensor, such as TCP stream reassembly, connection-table
management, etc. By matching up the counters, I confirmed that it captured and
analyzed every one of the hundreds of millions of packets I generated. In all
honesty, your mileage will vary wildly. Some protocols take 10 times longer to
decode than others; BlackICE is optimized for the most common ones, though.

It's interesting to note that if you transmit 148,800 at a generic WinNT box,
you'll notice that it takes roughly 50% of a 450-MHz CPU to receive and discard
the frames. You can run the tests yourself with a packet generator overriding
the MAC address. This indicates to me that our capture driver adds very little
overhead on top of the default WinNT behavior, and that capture is almost
totally OS-bound. We tried a number of different cards (3Com, Intel, DEC 21140,
RealTek) and they all are pretty close in performance. But as I said, the
bottleneck is analysis, which isn't OS-bound.

Regards,
Rob.

--- John S Flowers <jflowers () hiverworld com> wrote:
---
[This is a resend (from before 4PM PDT today).  The first message was
rejected.  My apologies if you receive two copies of this message.]

First of all -- I haven't properly introduced myself to the list.  My
name is John S Flowers and I'm the founder and CTO (head geek) for a
small security company called Hiverworld.  We're located in Berkeley, CA
and we're the producers of a couple of pretty cool technologies that
perform real-time network security assurance and risk management
[imagine a version of ISS or CyberCop on steroids -- with 10x the number
of vulnerabilities and customizable options].

We've been primarily privately held, with only a few Fortune 500 clients
funding our efforts, but we're beginning to take our technology public. 
You can even search our vulnerability database on our website [we have
more than 1,000 public vulnerabilities listed].

Anyway, enough about me.  On to the post.

Am I reading this quote [below] correctly?  148,000 packets per second. 
That can't be right.  We're talking about a Windows NT product that
requires the underlying hardware and software to be available enough
(processing-wise) for the IDS to perform properly.

Most IDSs, even dedicated to the task of performing IDS, with a lot of
power and RAM, still can't perform this many operations.  I mean, if the
NFR IDA can't do 140k packets a second, how do you expect some Windows
system to perform?

Oh, yeah.  You wanted advice.  "Unless you have 1,000 senior technical
security people on your staff to manage the software, buy a Network
IDS."  ;)

P.S. Hey Ranum, speaking of cooking results.  Damn.  This *must* be a
misprint of the Network ICE claim of performance.

-- 
John S Flowers                   <jflowers () hiverworld com>
Chief Technology Officer         http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment

"Riley, Steven" wrote:

---------------------------------------------------------------------------
Have any of you guys come across BlackICE or NetworkICE. Has anyone
evaluated it? What do you think of it? This is what one of my colleagues
has told me:

<QUOTE>blackice runs at 148,000 packets per second, checks all 7 layers of
the stack and rates each attack on a scale of 1 to 100 so that only attacks
it considers serious are alerted on</QUOTE>

What questions would you ask? Could anyone validate or invalidate these
claims?

Any advice would be greatly appreciated...

Steve.




=====
Robert Graham
"Anxiously awaiting the millennium so I can start programming
dates with 2-digits again."
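The counter-matching check Rob describes in his message above (generator count against capture count against analysis count, with capture and analysis pinned to separate CPUs), as an added example that is not code from the original thread or from Network ICE. The counter dump format, the stage names, the linear-scaling headroom estimate and the numbers in the constructed samples are assumptions made for this illustration, not figures from the thread.

```python
"""Counter reconciliation for an IDS throughput test.

Added example, not BlackICE / Network ICE code. It models the check described
in the thread: a generator offers a known number of frames, the capture driver
(the OS-bound stage) counts what it delivered, the analysis engine (the
CPU-bound stage) counts what it fully decoded, and the three counters are
matched stage by stage to locate any loss. The snapshot format, counter names
and the numbers in the constructed samples are assumptions for this example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Snapshot:
    generated: int      # frames the packet generator emitted
    captured: int       # frames the capture driver handed to the sensor
    analyzed: int       # frames the analysis engine fully decoded
    seconds: float      # wall-clock length of the run


@dataclass(frozen=True)
class Reconciliation:
    lossless: bool
    capture_loss: int       # generated - captured: dropped before the sensor saw them
    analysis_loss: int      # captured - analyzed: seen but not decoded in time
    offered_rate: float     # frames/s the generator offered
    analyzed_rate: float    # frames/s the engine actually kept up with


# Constructed 'name: value' dump format; a real sensor's stats output will differ.
_COUNTER_RE = re.compile(r"^\s*(generated|captured|analyzed|seconds)\s*[:=]\s*([0-9.]+)\s*$")


def parse_snapshot(text: str) -> Snapshot:
    """Parse a counter dump (constructed format) into a Snapshot."""
    found = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    missing = {"generated", "captured", "analyzed", "seconds"} - found.keys()
    if missing:
        raise ValueError(f"counter dump is missing: {sorted(missing)}")
    return Snapshot(
        generated=int(found["generated"]),
        captured=int(found["captured"]),
        analyzed=int(found["analyzed"]),
        seconds=float(found["seconds"]),
    )


def reconcile(s: Snapshot) -> Reconciliation:
    """Match the counters stage by stage and report where frames went missing."""
    # A later stage can never have seen more frames than the one before it;
    # if it has, a counter wrapped or was reset mid-run and the run is invalid.
    if s.captured > s.generated or s.analyzed > s.captured:
        raise ValueError("inconsistent counters: a later stage exceeds an earlier one")
    if s.seconds <= 0:
        raise ValueError("run length must be positive")
    capture_loss = s.generated - s.captured
    analysis_loss = s.captured - s.analyzed
    return Reconciliation(
        lossless=(capture_loss == 0 and analysis_loss == 0),
        capture_loss=capture_loss,
        analysis_loss=analysis_loss,
        offered_rate=s.generated / s.seconds,
        analyzed_rate=s.analyzed / s.seconds,
    )


def bottleneck(rate: float, utilization: dict) -> tuple:
    """Name the stage closest to saturation and the rate at which it would hit 100%.

    utilization maps stage name -> fraction of its own CPU used at the given
    rate (each stage pinned to its own processor, as in the post). Assumes the
    per-frame cost scales linearly with rate, which is only a first-order estimate.
    """
    stage, util = max(utilization.items(), key=lambda kv: kv[1])
    if not 0 < util <= 1:
        raise ValueError("utilization must be a fraction in (0, 1]")
    return stage, rate / util


# Constructed samples: a 1000-second run at 148,800 frames/s.
LOSSLESS_DUMP = """
generated: 148800000
captured:  148800000
analyzed:  148800000
seconds:   1000
"""

LOSSY_DUMP = """
generated: 148800000
captured:  148799000
analyzed:  148700000
seconds:   1000
"""

if __name__ == "__main__":
    for name, dump in (("lossless", LOSSLESS_DUMP), ("lossy", LOSSY_DUMP)):
        r = reconcile(parse_snapshot(dump))
        print(f"{name}: lossless={r.lossless} capture_loss={r.capture_loss} "
              f"analysis_loss={r.analysis_loss} analyzed_rate={r.analyzed_rate:.0f}/s")
    stage, limit = bottleneck(148_800, {"capture": 0.50, "analysis": 0.90})
    print(f"bottleneck stage: {stage}, saturates near {limit:.0f} frames/s")
```

The two loss figures answer different questions: capture loss points at the OS and driver path, analysis loss at the decode engine, which is why the post pins the two stages to separate CPUs before reading the numbers. The headroom estimate only says which stage saturates first; it is not a measurement of what the box would sustain at a higher rate.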


