Evaluating Network and Security Devices

DESCRIPTION

Capabilities presentation covering use case scenarios for evaluating DPI, network and security devices.

TRANSCRIPT
Evaluating Network and Security Devices
Escalating Network Mayhem
The Industry's Answer

Network Devices
• Routers/Switches – Stateless – Layer 2-3 traffic
• Load Balancers – Content-aware – Layer 2-4 traffic
• Application Delivery Controllers – Content-aware – Layer 2-7 traffic

Application Servers
• Application Servers – Multiple applications – Single server
• Dedicated Application Servers – Single server per application – Distributed network
• Virtualized Systems – Multiple servers – Single application – Network-aware
• Unified Computing/Cloud Computing – Unified Multi-Purpose Systems
The Crucial Role of Deep Packet Inspection (DPI)
• Visibility and control through inspection of packet data
– Beyond header and basic packet filtering
– Inspection of Layer 4-7 payload
– Content across packets and flows
• Enabling technology for critical initiatives
– Security: IDS/IPS, DoS
– Data Loss Prevention
– Rate Shaping (QoS) & SLAs (monetization)
– Lawful Intercept
– Copyright Enforcement
Validating DPI Capabilities is Challenging
• Static content is necessary but insufficient
– Protocol changes between applications
– Changes affect data rates
– Security attacks are dynamic by nature
– Security attacks are intentionally evasive
• Traditional techniques present challenges
– Ever-changing real exploits and targets
– Large labs, massive hardware, and expensive software to scale to today's performance requirements
– Debunking the value of PCAPs
– Designed for shells, not testing
5 Essentials for Validating DPI-Enabled Products
1. Realism: Blended application traffic combined with live obfuscated attacks
2. Future-proof: The most current application protocols (P2P, Mail Services, Voice/Video, etc.) and all known security vulnerabilities
3. High performance: Line-rate traffic generation to validate DPI
4. High capacity: Millions of concurrent TCP sessions to emulate millions of users
5. Unified: Integrated performance and security testing in a flexible system.
Real Application Traffic Matters

[Chart: Performance (Megabits) plotted against Traffic Mix]
Comprehensive Resiliency Testing
Resiliency Testing Architecture™
Application Protocols and Security Coverage
• 100+ stateful application protocols (as of December 15, 2009)
– Encrypted BitTorrent, eDonkey, Chinese P2P applications
– IBM DB2, Oracle, Microsoft SQL, MySQL, Postgres
– FIX, VMware VMotion, Microsoft CIFS/SMB, MAPI, RADIUS, Voice, Video
• API for accelerating proprietary application traffic
• API for writing and simulating custom security attacks
• 4,300+ live security strikes (as of December 15, 2009)
– 100% Microsoft Tuesday coverage in 24 hours
– Ability to simulate complex attacks such as Botnet and DDoS attacks
– 80+ evasion techniques such as stream segmentation, packet fragmentation, URL obfuscation
– SYN Flood attacks with up to 1 million connections per second
• Data leak protection and anomaly detection testing
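The "static content is insufficient" point and the evasion techniques listed above (stream segmentation, URL obfuscation) come down to one engineering requirement for a DPI engine: it must match on the reassembled, canonicalized stream, not on individual packets. The following is an added illustration, not BreakingPoint code: a toy inspector with a TCP reassembler and URI normalizer, compared against a per-packet string matcher on the same constructed traffic. The policy signature (a BitTorrent HTTP tracker announce) and the sample requests are constructed for the example.

```python
"""Toy DPI inspector (added illustration, not BreakingPoint code): reassembles a
TCP stream and normalizes request URIs before signature matching, so that
stream segmentation and URL obfuscation do not hide a policy match."""
import re
from urllib.parse import unquote

# Constructed Layer 7 policy signature: a BitTorrent HTTP tracker announce.
SIGNATURES = {"bittorrent-tracker-announce": "/announce?info_hash="}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]$")


def normalize_uri(uri: str) -> str:
    """Canonicalize a request URI: bounded repeated percent-decoding (defeats
    double encoding), case folding, and collapsing '/./' and '//' path noise."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    uri = uri.lower()
    uri = re.sub(r"/\./", "/", uri)
    uri = re.sub(r"/{2,}", "/", uri)
    return uri


class TcpStreamReassembler:
    """Reassembles in-order payload from (seq, payload) segments; stops at a gap
    and discards bytes already delivered (retransmissions and overlaps)."""

    def __init__(self, isn: int = 0):
        self.isn = isn
        self.segments = {}

    def add(self, seq: int, payload: bytes) -> None:
        self.segments[seq] = payload

    def contiguous(self) -> bytes:
        out = bytearray()
        expected = self.isn
        for seq in sorted(self.segments):
            payload = self.segments[seq]
            if seq > expected:
                break  # hole in the stream; wait for the missing segment
            if seq + len(payload) <= expected:
                continue  # entirely old data
            out += payload[expected - seq:]
            expected = seq + len(payload)
        return bytes(out)


def naive_packet_match(segments):
    """Per-packet matcher: looks for the raw signature inside each payload."""
    hits = set()
    for _, payload in segments:
        text = payload.decode("latin-1")
        hits.update(name for name, sig in SIGNATURES.items() if sig in text)
    return hits


def stream_inspect(segments, isn=0):
    """Stream-aware matcher: reassemble, parse request lines, normalize, match."""
    reasm = TcpStreamReassembler(isn)
    for seq, payload in segments:
        reasm.add(seq, payload)
    hits = set()
    for line in reasm.contiguous().decode("latin-1").split("\r\n"):
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        uri = normalize_uri(m.group(2))
        hits.update(name for name, sig in SIGNATURES.items() if sig in uri)
    return hits


# Constructed sample traffic.
PLAIN = b"GET /announce?info_hash=%AB%CD&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
# Same request with a percent-encoded 'a' in the path ...
OBFUSCATED = b"GET /%41nnounce?info_hash=%AB%CD&port=6881 HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
# ... delivered in two out-of-order segments plus a retransmission of the first.
EVASIVE_SEGMENTS = [(8, OBFUSCATED[8:]), (0, OBFUSCATED[:8]), (0, OBFUSCATED[:8])]
PLAIN_SEGMENTS = [(0, PLAIN)]

if __name__ == "__main__":
    print("plain   naive:", naive_packet_match(PLAIN_SEGMENTS), "stream:", stream_inspect(PLAIN_SEGMENTS))
    print("evasive naive:", naive_packet_match(EVASIVE_SEGMENTS), "stream:", stream_inspect(EVASIVE_SEGMENTS))
```

Run it and the per-packet matcher flags the plain request but returns nothing for the segmented, percent-encoded one, while the stream inspector flags both. A real test of a DPI device sends exactly this kind of pair and checks that the verdict is the same for both; the reassembler here is deliberately simple (first-writer wins on overlap), and overlap policy is itself one of the conditions worth varying during evaluation.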
There's An App for That….

Chat: AOL IM V4 and V6, IRC, Jabber, QQ IM, Windows Live Messenger, Yahoo! Messenger
Authentication: RADIUS Accounting, RADIUS Access
Databases: IBM DB2, Informix, Microsoft SQL, MySQL, Oracle, Postgres, Sybase
Data Transfer: FTP, Gopher, HTTP, NNTP, RSync, TFTP
Data Transfer / File Sharing: IPP, NetBIOS, RPC NFS, SMB/CIFS
Email: IMAP4 (IMAPv4 Advanced), POP3 (POP3 Advanced), SMTP
Financial: FIX, FIXT
Games: World of Warcraft
Remote Access: RLogin, Telnet
Secure Data Transfer: HTTPS, SSH
Network/System Admin: DNS, Ident, Finger, LDAP, NTP, RPC Bind, RPC Mount, SNMP, Sun RPC, Syslog, Time
Testing & Measurement: Chargen, Daytime, Discard, Echo, OWAMP Control, OWAMP Test, QOTD, TWAMP Control, TWAMP Test
Social Networking
Enterprise Applications: DCE/RPC Endpoint Mapper, DCE/RPC Exchange Directory, DCE/RPC MAPI Exchange
Voice/Media: H.225.0, H.245, H.323, RTP, RTSP (Advanced), SIP, STUN
Telephony: MM1
Peer-to-Peer: Encrypted BitTorrent, BitTorrent, eDonkey, Gnutella, PPLive, QQLive
Distributed Computing: Citrix, DCE/RPC, VMware VMotion
Use Case: Server Load Testing
• Generates a mix of stateful application traffic at line-rate speed
• Validates performance/effectiveness under extreme load conditions
• Validates the integrity of server transactions
[Diagram: high-performance client simulation with 4,200+ live security attacks, passing through firewall, router, IPS, load balancer, switch and SSL accelerator to the application server]
Use Case: Intrusion Prevention Systems
[Diagram: blended application traffic (e.g. eDonkey, AIM) + live security strikes, in both directions through the Intrusion Prevention System]

• Performance under load and under attack
• Detection capabilities under load and under attack
• Performance of the protocol decoding engines
• Session ramp
• Accuracy of protocol decoding engines under a variety of conditions
• Loop complicated traffic continuously to test for memory leaks
Use Case: High Performance Firewalls

• Performance with blended application traffic under maximum load conditions
– Max HTTP transactions/second
– Max SQL queries/second
– Max concurrent TCP connections
– Max HTTP bandwidth and max SQL bandwidth
• Performance with security attacks under maximum load conditions
– Max HTTP attacks/second
– Max SQL attacks/second
• Behavior under load, under attack, and at failure
• IP, UDP, TCP fuzzing
• Test with RFC 2544
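The firewall metrics above (max HTTP transactions/second, max concurrent TCP connections) and the IPS use case's "session ramp" are the same measurement loop: bring N sessions up, hold them all open, drive keep-alive transactions through them, and record rates. As an added sketch of that loop (not BreakingPoint's tooling, and nowhere near line rate), the harness below runs against an in-process stand-in HTTP responder on the loopback interface so it executes offline; in a real evaluation the device under test sits between the client and server halves. The stand-in server, its fixed response, and the session counts are all constructed for the example.

```python
"""Load harness sketch (added illustration, not BreakingPoint tooling):
ramps N concurrent keep-alive sessions against an in-process stand-in
server, then measures HTTP transactions/second and peak concurrency."""
import asyncio
import time

REQUEST = b"GET / HTTP/1.1\r\nHost: dut\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: keep-alive\r\n\r\nok"


async def _read_headers(reader):
    """Consume header lines up to the blank line; return False on EOF."""
    while True:
        line = await reader.readline()
        if line == b"":
            return False
        if line in (b"\r\n", b"\n"):
            return True


class StandInServer:
    """Minimal HTTP/1.1 keep-alive responder standing in for the device under
    test. It counts live sessions so the harness knows when the ramp is complete."""

    def __init__(self, expected_sessions, ramp_done):
        self.expected = expected_sessions
        self.ramp_done = ramp_done
        self.active = 0
        self.peak_active = 0
        self.served = 0

    async def handle(self, reader, writer):
        self.active += 1
        self.peak_active = max(self.peak_active, self.active)
        if self.active == self.expected:
            self.ramp_done.set()  # every session is up: clients may start sending
        try:
            while await reader.readline() != b"":  # request line; b"" means EOF
                if not await _read_headers(reader):
                    break
                self.served += 1
                writer.write(RESPONSE)
                await writer.drain()
        finally:
            self.active -= 1
            writer.close()
            try:
                await writer.wait_closed()
            except OSError:
                pass


async def _client(port, ramp_done, requests_per_conn):
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    await ramp_done.wait()  # hold the session open until the whole ramp is up
    ok = 0
    for _ in range(requests_per_conn):
        writer.write(REQUEST)
        await writer.drain()
        status = await reader.readline()
        if not await _read_headers(reader):
            break
        await reader.readexactly(2)  # body, per Content-Length: 2
        ok += status.startswith(b"HTTP/1.1 200")
    writer.close()
    await writer.wait_closed()
    return ok


async def _run(concurrency, requests_per_conn):
    ramp_done = asyncio.Event()
    server = StandInServer(concurrency, ramp_done)
    srv = await asyncio.start_server(server.handle, "127.0.0.1", 0)
    port = srv.sockets[0].getsockname()[1]
    t0 = time.perf_counter()
    tasks = [asyncio.create_task(_client(port, ramp_done, requests_per_conn))
             for _ in range(concurrency)]
    await asyncio.wait_for(ramp_done.wait(), timeout=10)
    ramp_seconds = time.perf_counter() - t0
    results = await asyncio.wait_for(asyncio.gather(*tasks), timeout=30)
    elapsed = time.perf_counter() - t0
    srv.close()
    await srv.wait_closed()
    total_ok = sum(results)
    return {
        "sessions": concurrency,
        "peak_concurrent": server.peak_active,
        "served_by_dut": server.served,
        "ramp_sessions_per_s": concurrency / max(ramp_seconds, 1e-9),
        "transactions_ok": total_ok,
        "transactions_per_s": total_ok / max(elapsed, 1e-9),
    }


def measure(concurrency=20, requests_per_conn=10):
    """Run one load pass and return the metrics dict."""
    return asyncio.run(_run(concurrency, requests_per_conn))


if __name__ == "__main__":
    for k, v in measure().items():
        print(f"{k:>22}: {v:.1f}" if isinstance(v, float) else f"{k:>22}: {v}")
```

The two numbers a tester actually cares about are the ones that disagree when a device is saturated: `transactions_ok` counted by the client versus `served_by_dut` counted behind the device, and `peak_concurrent` versus the number of sessions requested. Raising `concurrency` until those pairs diverge, or until the ramp times out, is the "max concurrent TCP connections" measurement in miniature.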
[Diagram: Zones A–D, each running client and server simulation, connected over 10 Gigabit Ethernet through the firewall; blended application traffic (e.g. BitTorrent, FTP, HTTP, SMTP) + live security strikes in both directions]
Use Case: Web Application Firewalls
Web Application Firewall
[Diagram: client simulation and server simulation exchanging HTTP/HTTPS/SQL through the Web Application Firewall; blended application traffic (e.g. MySQL, Oracle, HTTP) + live security strikes in both directions]

• Performance with blended application traffic under maximum load conditions
• Performance with live security attacks under maximum load conditions
• Detection and blocking capabilities under load and under attack
• Maximum load capacity with blended application traffic
• Stability and reliability under extended attack
• Functionality under extended attack
Use Case: WAN Optimization Appliances
• Performance and functionality under maximum load and under attack
• Disk subsystem functionality with randomly generated realistic traffic
• Workload capacity with user-specified compression variables
• Performance with a mix of new and cached data

[Diagram: blended application traffic (CIFS/SMB, MS Exchange) + live security strikes in both directions through the WAN Optimization Appliances]
Use Case: Server Load Balancer

• Performance and functionality under maximum load and under attack
• Bandwidth constraints
• HTTP caching performance
• Ability to process malformed packets or errors
• Test with RFCs 793, 1945, 2616, 2818, and 3501

[Diagram: blended application traffic + live security strikes + application fuzzing in both directions through the Server Load Balancer / Application Delivery Controller]
BreakingPoint Comprehensive Testing