HP Host Intrusion Detection System (HIDS) Sizing and Tuning Recommendations, Sizing Guidelines

Page 6

3.0Sizing and Tuning Recommendations

3.1Sizing Guidelines

Any HP-UX platform that supports HP-UX 11iv1 or 11iv2 can be utilized to run HIDS. When selecting a server platform for HIDS deployments, consider the following system parameters:

Single vs Multi-Processor

Number of CPUs

Memory

Disk Capacity

Note: These sizing guidelines apply to servers running the HIDS agent sensor and not the HIDS System Manager (GUI).

3.1.1 Single vs. Multi-Processor

The component of HIDS that executes the intrusion detection logic is multi-threaded and therefore benefits from multiple processors. The benefit on multiple processor systems of allowing intrusion detection templates to run concurrently and therefore process events faster must be tempered with the following:

More processors allows more applications to produce event loads that need to be consumed by the HIDS agent. The impact of the HIDS agent depends on the system call activity of the applications producing the load and therefore is highly server load specific.

The benefit of more processors diminishes when the number of processors exceeds the total number of HIDS agent threads that process event loads. The total number of these HIDS threads is (T + 2), where T is the number of detection templates running and has a maximum value of 10 if HIDS is running only one instance of each template type.

3.1.2 Number of CPUs

For the majority of deployments, the performance bottleneck for HIDS will typically occur at CPU, primarily from the idscor process. The idscor process is multi-threaded and can therefore utilize over 100% CPU. HIDS will generally reach the CPU limit before other constraints such as disk or memory are realized.

The CPU consumption by the HIDS processes is charted against the rate of system call audit records (events) in Appendix A.

3.1.3 Memory

As the sustained event load on the server is increased, a greater amount of resident memory may be consumed, especially by the idscor process that dynamically allocates heap memory to store and process events. On systems with a low amount of memory, or with memory contention with other applications, virtual memory/disk I/O (i.e., process swapping) can affect the performance in these circumstances. An additional 40 to 60 MB of memory is recommended for all of the HIDS agent’s processes.

HP Company Internal

Page 6 of 20

Page 5 Page 7
Image 6
Page 5 Page 7
Contents HP Company Internal Legal Notices Contents Intended Audience Product IdentificationPurpose of Document GlossarySizing and Tuning Overview Product OverviewHP-UX Hids Deployments Sizing and Tuning Recommendations Sizing GuidelinesTuning Considerations Disk CapacityKernel Tuning System performance over security Executablestack Reference Documents/ Web sites Appendix a CPU Consumption CPU Consumption on PA Processors Way PAEvent/sec CPU Consumption on Itanium Processors Way IAWay IA Appendix B Resident Memory Consumption Memory Consumption on PA ProcessorsResident Memory KB Memory Consumption on Itanium Processors Way IA
Related manuals
Manual 55 pages 31.55 Kb Manual 270 pages 6.58 Kb
Top Page Image Contents