HIDS 3.1 Sizing and Tuning Primer
3.0 Sizing and Tuning Recommendations
3.1 Sizing Guidelines
Any HP-UX platform that supports HP-UX 11i v1 or 11i v2 can be used to run HIDS. When
selecting a server platform for HIDS deployments, consider the following system parameters:
• Single vs. Multi-Processor
• Number of CPUs
• Memory
• Disk Capacity
Note: These sizing guidelines apply to servers running the HIDS agent sensor and not the HIDS
System Manager (GUI).
3.1.1 Single vs. Multi-Processor
The component of HIDS that executes the intrusion detection logic is multi-threaded and therefore
benefits from multiple processors. On multi-processor systems, intrusion detection templates can
run concurrently and therefore process events faster, but this benefit must be weighed against
the following:
• More processors allow more applications to produce event loads that the HIDS agent must
consume. The impact of the HIDS agent depends on the system call activity of the
applications producing the load and is therefore highly specific to the server load.
• The benefit of more processors diminishes when the number of processors exceeds the total
number of HIDS agent threads that process event loads. The total number of these HIDS
threads is (T + 2), where T is the number of detection templates running and has a maximum
value of 10 if HIDS is running only one instance of each template type.
3.1.2 Number of CPUs
In the majority of deployments, the performance bottleneck for HIDS is typically the CPU,
primarily because of the idscor process. The idscor process is multi-threaded and can therefore use
more than 100% CPU. HIDS will generally reach the CPU limit before other constraints such as disk
or memory come into play.
The CPU consumption by the HIDS processes is charted against the rate of system call audit records
(events) in Appendix A.
3.1.3 Memory
As the sustained event load on the server increases, more resident memory may be consumed,
especially by the idscor process, which dynamically allocates heap memory to store and
process events. On systems with little memory, or where other applications contend for memory,
virtual memory/disk I/O (i.e., process swapping) can affect performance. An additional 40 to
60 MB of memory is recommended for all of the HIDS agent’s processes.