Penetration Testing mailing list archives

Re: [PEN-TEST] Recourse Technologies -- info wanted


From: Peter Van Epp <vanepp () SFU CA>
Date: Tue, 3 Oct 2000 14:02:18 -0700


I've come to believe that this is more of a marketing tactic than an actual
fact.  I can believe that this would be true for an IDS with only a few
signatures enabled, or one doing offline processing, but an IDS that is
doing pattern matches on over 700 signatures in realtime, this is
practically infeasible.  Feel free to prove me wrong, but I've heard from
<snip>

        Or presumably help demonstrate you are likely right. On a PC class
platform (i.e. without interleaved memory) a standard DIMM will do about
600 mbytes per second. NEC VC channel RAM gets that up to around a Gigabyte
per second (i.e. 8 memory cycles available to process a full tilt boogie gig
link). With VC channel ram that leaves you 6 or 7 memory cycles (depending on
single cycle DMA from the card, and a cache system that doesn't need to copy
the word across a kernel boundary in the OS which I find unlikely ...) to do
your processing and run your OS in. If you have a high end Sun, SGI or other
such (very uncheap!) machine you will get somewhat better performance (mostly
due to interleaved RAM and faster busses); you will get a few more cycles but
you will also get a likely impractically large bill ... I expect even on a
high end machine at impractical cost you are looking at a couple of signatures
max (i.e. impractically small in the real world, although we all know marketing
people don't live there ...).
        Does anyone know what machine this performance is supposed to be
achieved on (i.e. a several million dollar SGI origin2000 or a Cray)?
        Gig is going to be exciting (== expensive) to do IDS or firewalls on ...

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
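The memory-cycle budget argued in the post above, written out as a small model so the figures can be re-checked for other link speeds and platforms. This is an added example, not code from the original post or from Recourse Technologies; it assumes the post's figures (about 600 MB/s for a standard DIMM, about 1 GB/s for VC channel RAM, a gigabit link, one cycle for the card's DMA write and one for a kernel-boundary copy) and additionally assumes that a naive per-signature matcher reads every payload byte once per signature, which is the simplest model consistent with the post's reasoning.

```python
"""Back-of-envelope memory-bandwidth budget for an inline IDS.

Added example; the platform numbers below are the ones quoted in the post
(constructed inputs, not measurements) and the cost model is a simplifying
assumption: every byte arriving on the link must be written into memory once
by the card's DMA, optionally copied once across the kernel boundary, and then
read once per signature by a naive per-signature pattern matcher.
"""
from dataclasses import dataclass
from math import floor


@dataclass(frozen=True)
class Platform:
    name: str
    mem_bytes_per_s: float   # sustained memory bandwidth
    dma_cycles: int = 1      # memory cycles per byte spent by the card's DMA write
    copy_cycles: int = 1     # memory cycles per byte spent copying across the kernel boundary
    os_cycles: float = 0.0   # memory cycles per byte reserved for the OS and housekeeping


def cycles_per_byte(mem_bytes_per_s: float, link_bits_per_s: float) -> float:
    """Memory cycles available per byte arriving on a link running flat out.

    A fully loaded 1 Gbit/s link delivers 125 MB/s, so 1 GB/s of memory
    bandwidth gives 8 cycles per byte, matching the post's figure.
    """
    link_bytes_per_s = link_bits_per_s / 8.0
    return mem_bytes_per_s / link_bytes_per_s


def processing_budget(platform: Platform, link_bits_per_s: float) -> float:
    """Cycles per byte left for signature matching after DMA, copy and OS overhead."""
    total = cycles_per_byte(platform.mem_bytes_per_s, link_bits_per_s)
    return total - platform.dma_cycles - platform.copy_cycles - platform.os_cycles


def max_naive_signatures(budget_cycles: float, cycles_per_signature: float = 1.0) -> int:
    """Largest number of signatures a one-pass-per-signature matcher can afford.

    Assumes each signature costs `cycles_per_signature` memory cycles per byte
    (1.0 = one read of every byte per signature). Never negative.
    """
    if budget_cycles <= 0:
        return 0
    return floor(budget_cycles / cycles_per_signature)


def feasible(platform: Platform, link_bits_per_s: float, signatures: int) -> bool:
    """True if `signatures` naive passes fit in the memory budget at this link rate."""
    return max_naive_signatures(processing_budget(platform, link_bits_per_s)) >= signatures


# Constructed platform figures taken from the post's estimates.
STANDARD_DIMM = Platform("PC, standard DIMM", mem_bytes_per_s=600e6)
VC_CHANNEL = Platform("PC, NEC VC channel RAM", mem_bytes_per_s=1e9)
GIGABIT = 1e9  # link rate in bits per second


def budget_report(platforms=(STANDARD_DIMM, VC_CHANNEL), link_bits_per_s=GIGABIT,
                  signatures=700):
    """One row per platform: cycles available, cycles left, naive signature limit."""
    rows = []
    for p in platforms:
        budget = processing_budget(p, link_bits_per_s)
        rows.append({
            "platform": p.name,
            "cycles_per_byte": round(cycles_per_byte(p.mem_bytes_per_s, link_bits_per_s), 2),
            "budget_after_overhead": round(budget, 2),
            "max_naive_signatures": max_naive_signatures(budget),
            "claimed_count_feasible": feasible(p, link_bits_per_s, signatures),
        })
    return rows


if __name__ == "__main__":
    for row in budget_report():
        print(row)
```

Changing `link_bits_per_s` to 100e6 shows why the same argument did not bite at Fast Ethernet speeds: the per-byte budget grows tenfold, and the naive signature count with it. Note that the model deliberately charges the matcher one full memory read per byte per signature; a matcher that examines each byte once for all signatures at once would invalidate that assumption, which is exactly the kind of detail a vendor claim of "700 signatures at gigabit rates" would need to spell out.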
