IDS Test Results

This section concentrates purely on the results of the Network IDS tests, since we found that all the Host IDS products performed well, with an acceptable impact on the host on which they were installed, and generated acceptable amounts of traffic between agent and console.

Note that not all the products in this report were re-tested for Edition 2, and thus slightly different methodologies were used for the two sets of products. The common baseline comparison between the two is to be found in Attack Detection Performance Under Load: 64 byte packets; the methodology for this particular test was consistent across both reports.

During testing we noticed significant problems under Red Hat Linux (both 6.2 and 7.1) when using 3Com 3C905 network cards, where the driver appeared to be overwhelmed at 100 per cent network loads, thus preventing the IDS sensor from detecting attacks. This effect was not limited to any one IDS product, and even occurred when using tcpdump with the interface in promiscuous mode. There is clearly a problem somewhere in the chain of network card - driver - packet capture library, which we were unable to resolve in the time available to us. For now, therefore, we could not recommend this combination of OS and network card as a platform for any IDS system.

We tested various network card and chip set variations during the course of this testing project using three different software-only IDS products. We found that the Intel Pro/100+ offered the most stable operation and highest levels of performance in promiscuous mode, and this has become our "standard" NIC for use in IDS sensors. Note that it is important to use the Intel-provided driver under Red Hat Linux for optimum results. We found that the default Intel 10/100 driver under FreeBSD, however, provided excellent performance.
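The capture-chain problem described above can be checked for on a Linux sensor before trusting it under load. The following is an added example, not part of the original report: it assumes an isolated test segment, a load generator that reports how many packets it sent, `/proc/net/dev` snapshots taken before and after the run, and the counters tcpdump prints on exit. The interface name and all sample numbers are constructed.

```python
import re

# Constructed sample inputs for an isolated test segment (not data from the report).
PROC_HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast"
    "|bytes    packets errs drop fifo colls carrier compressed\n"
)
BEFORE = PROC_HEADER + "  eth1:   640000   10000    0      0     0 0 0 0 0 0 0 0 0 0 0 0\n"
AFTER = PROC_HEADER + "  eth1: 51840000  810000    0 150000 50000 0 0 0 0 0 0 0 0 0 0 0\n"
TCPDUMP_SUMMARY = (
    "700000 packets captured\n"
    "800000 packets received by filter\n"
    "100000 packets dropped by kernel\n"
)

def rx_counters(proc_net_dev, iface):
    """Return receive-side counters for iface from /proc/net/dev text."""
    for line in proc_net_dev.splitlines():
        name, sep, rest = line.partition(":")
        if sep and name.strip() == iface:
            f = rest.split()
            return {"packets": int(f[1]), "errs": int(f[2]),
                    "drop": int(f[3]), "fifo": int(f[4])}
    raise ValueError(f"interface {iface!r} not found")

def tcpdump_counters(summary):
    """Parse the counters tcpdump prints when it exits."""
    pat = r"^(\d+) packets (captured|received by filter|dropped by kernel)"
    return {label: int(n) for n, label in re.findall(pat, summary, re.M)}

def locate_loss(sent, before, after, summary, iface):
    """Attribute missed packets to a stage of the capture chain."""
    b, a = rx_counters(before, iface), rx_counters(after, iface)
    nic = {k: a[k] - b[k] for k in ("errs", "drop", "fifo")}
    cap = tcpdump_counters(summary)
    suspects = []
    if any(nic.values()):                    # loss counted by the NIC or driver
        suspects.append("nic/driver")
    if cap.get("dropped by kernel", 0):      # loss in the OS capture buffer
        suspects.append("packet capture buffer")
    missed = round(1 - cap["captured"] / sent, 3)
    return {"nic": nic, "capture": cap, "missed_fraction": missed,
            "suspects": suspects}

if __name__ == "__main__":
    print(locate_loss(1_000_000, BEFORE, AFTER, TCPDUMP_SUMMARY, "eth1"))
```

A non-zero `missed_fraction` with an empty `suspects` list means packets vanished without any counter recording them, which is itself a reason to distrust that NIC and driver combination as a sensor platform.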