2. Why Validate IPS Resiliency?
Product comparison: objective, realistic yet repeatable, qualitative, deterministic.
Understand the impact of upgrades: impact on performance, impact on security, impact on other devices.
Understand the impact of various loads (high data rate, high session setup rate, high concurrent session level) on the various functions of the device.
3. Why Care About “Difficult Conditions”?
What is your load? Peak load is your MOST important load; figure it out and test with it.
The network is ever changing: YouTube was introduced 3 years ago and now makes up 28% of Internet traffic (T-Mobile). The average HTTP transaction went from 450 bytes to more than a megabyte. New applications are introduced EVERY day.
It is dangerous out there: thousands of vulnerabilities and strikes, with MORE introduced each day.
Traditional tools are insufficient: hard to use, not powerful enough, non-realistic traffic, and rarely up to date.
4. How to Validate IPS Resiliency
Static content is necessary but insufficient: not just HTTP, but Flash over HTTP; not just SMTP, but IMAP, POP3, Gmail and Hotmail.
Use the worst-case scenario for sessions: find out the maximum number of sessions ever seen and double it.
Run every Microsoft attack from the last 3 years: you are using mostly Microsoft, so are you sure every server is patched? Your IPS should block 100% of the attacks.
Run every security strike you can get your hands on: the more the better. Keep up to date on the latest strikes.
Simulate evasions, obfuscation, DDoS, botnets…
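The sizing rule on this slide (find the historical peak and double it) and the "peak load" point on slide 3, worked through as an added example that is not part of the deck: a sweep line over constructed connection records gives peak concurrent sessions and peak session setup rate, and the test targets are derived from them. The records, the one-second bucket for setup rate, and applying the doubling factor to setup rate as well are this example's assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed (start, end) connection records in ISO-8601, standing in for the
# session log or flow export you would pull from your own network. Not real data.
SAMPLE_SESSIONS = [
    ("2010-05-01T09:00:00", "2010-05-01T09:00:30"),
    ("2010-05-01T09:00:10", "2010-05-01T09:00:40"),
    ("2010-05-01T09:00:10", "2010-05-01T09:00:15"),
    ("2010-05-01T09:00:10", "2010-05-01T09:00:12"),
    ("2010-05-01T09:00:20", "2010-05-01T09:00:50"),
    ("2010-05-01T09:00:25", "2010-05-01T09:00:35"),
    ("2010-05-01T09:00:30", "2010-05-01T09:01:00"),  # starts as the first one ends
]
FMT = "%Y-%m-%dT%H:%M:%S"

def parse_sessions(records):
    return [(datetime.strptime(s, FMT), datetime.strptime(e, FMT)) for s, e in records]

def peak_concurrent_sessions(sessions):
    """Sweep line over start/end events; the running maximum is the historical
    peak. End events (kind 0) sort before start events (kind 1) at the same
    instant, so a session ending exactly when another begins is not double counted."""
    events = []
    for start, end in sessions:
        events.append((start, 1))
        events.append((end, 0))
    events.sort()
    current = peak = 0
    for _, kind in events:
        if kind == 1:
            current += 1
            peak = max(peak, current)
        else:
            current -= 1
    return peak

def peak_setup_rate(sessions):
    """Most new sessions opened within any single one-second bucket."""
    starts = Counter(start.replace(microsecond=0) for start, _ in sessions)
    return max(starts.values()) if starts else 0

def sizing_targets(sessions, factor=2):
    """Slide 4's rule: observed peak times two. Using the same factor for the
    setup rate is this example's assumption, not the slide's."""
    return {
        "concurrent_sessions": factor * peak_concurrent_sessions(sessions),
        "setup_rate_per_s": factor * peak_setup_rate(sessions),
    }
```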
5. BreakingPoint IPS Validation
Realism: blended application traffic combined with live obfuscated attacks.
Future-proof: the most current application protocols (P2P, mail services, voice/video, etc.) and all known security vulnerabilities.
Performance: line-rate traffic generation.
Capacity: millions of concurrent TCP sessions.
Ease of use: all-in-one automated system, built-in traffic profiles, scalable and flexible.
6. BreakingPoint Systems
Download the IPS Test Methodology: http://www.breakingpointsystems.com/resources/testmethodologies
Join the conversation: www.breakingpointlabs.com
Request a demonstration: http://www.breakingpointsystems.com/demo
Editor's Notes
It’s no secret that product capabilities and performance numbers are promoted using best-case traffic conditions, conditions rarely seen in the real world. Yet IPS device performance and capabilities will vary widely based on the traffic encountered in your network. Deploying a new or updated IPS without validating it for resiliency is a surefire way to introduce vulnerabilities into your hardened critical infrastructure.
There are several reasons for validating Intrusion Prevention Systems using BreakingPoint. The first is to perform an “apples to apples” comparison between several devices to find the one that best meets the requirements of a particular application. The data derived from any test must be objective, realistic and repeatable, qualitative, and deterministic. PRNG plays a critical role in ensuring accurate results from product bakeoffs because it allows buyers to level the playing field with randomly generated yet repeatable traffic. But this is only part of the value of PRNG. It also eliminates the possibility that devices under test can be programmed to recognize and react to codes embedded in test traffic. An example of this is traditional testing products that brand their exploits with trademarks or other recognizable content. Vendors can easily exploit this by programming their products to recognize the branding and trigger filters, passing product validation with ease. While it may appear that these products are working as promised, this is no indication that the equipment is capable of recognizing and filtering real security attacks in a production network. It is an artificial technique used to demonstrate capabilities that provides a false sense of security. Second, there is resiliency testing to validate devices before deploying them into hardened IT infrastructures.
Organizations should look for the appropriate resiliency score when purchasing, or validate resiliency by conducting realistic and thorough product evaluations, to mitigate the risk of changes to networks, improve performance and security coverage, and reduce costs. The third purpose of testing is to understand the impact an upgrade will have on an IPS already deployed in the network. Updates are notorious for changing the performance characteristics of a device: it is possible that an improvement in security detection will affect the throughput or latency of a device. Finally, it is important to understand the impact of various loads (e.g., high data rate, high session setup rate, and high concurrent session level) on the various functions of the device. Most interesting would probably be the impact on the accuracy of attack detection (both false positives and false negatives). Management interface responsiveness, reporting, and other functions may be impacted as well. In each instance, realistic network traffic simulation at increasingly high performance levels is key to validating today’s IPSs before deploying them into hardened infrastructures.
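The “randomly generated yet repeatable” traffic the notes describe, as an added illustration that is not BreakingPoint's code: a seeded PRNG drives the application mix and per-session content, so the same seed replays identically against each device in a bakeoff, while a different seed yields a different but statistically similar mix with no fixed marker for a device under test to latch onto. The protocol shares and size ranges are constructed assumptions, not a vendor's traffic profile.

```python
import hashlib
import random

# Constructed application mix: protocol -> (share of sessions, (min, max) bytes).
# Shares and sizes are illustrative assumptions only.
APP_MIX = {
    "http": (0.50, (450, 1_200_000)),
    "smtp": (0.15, (2_000, 50_000)),
    "imap": (0.10, (1_000, 30_000)),
    "pop3": (0.10, (1_000, 30_000)),
    "p2p":  (0.15, (10_000, 500_000)),
}

def generate_profile(seed, n_sessions):
    """Draw n_sessions (id, protocol, size, content) tuples from a PRNG seeded
    with `seed`. Same seed and count -> the identical list on every run; a new
    seed -> a different mix drawn from the same distribution."""
    rng = random.Random(seed)
    protos = list(APP_MIX)
    weights = [APP_MIX[p][0] for p in protos]
    sessions = []
    for sid in range(n_sessions):
        proto = rng.choices(protos, weights=weights)[0]
        lo, hi = APP_MIX[proto][1]
        size = rng.randint(lo, hi)
        # Per-session random content sample; nothing constant across sessions.
        content = rng.getrandbits(128).to_bytes(16, "big")
        sessions.append((sid, proto, size, content))
    return sessions

def profile_digest(sessions):
    """Hash the whole session list so two runs can be compared with one value."""
    h = hashlib.sha256()
    for sid, proto, size, content in sessions:
        h.update(f"{sid}:{proto}:{size}:".encode())
        h.update(content)
    return h.hexdigest()

def protocol_shares(sessions):
    """Observed share per protocol, to check the generated mix against APP_MIX."""
    counts = {}
    for _, proto, _, _ in sessions:
        counts[proto] = counts.get(proto, 0) + 1
    return {p: counts.get(p, 0) / len(sessions) for p in APP_MIX}
```

Record the seed alongside each test report; replaying it is what makes a result on one device directly comparable with the same run on another.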
In reality, difficult conditions are simply the traffic your IPS is going to see on a daily basis. If not today, certainly tomorrow.
Static content is necessary but insufficient:
Protocol changes between applications
Changes affect data rates
Security attacks are dynamic by nature
Security attacks are intentionally evasive – many Intrusion Prevention Systems (IPS) cannot detect evasions
Traditional techniques present challenges:
Ever-changing real exploits and targets
Large labs, massive hardware, and expensive software to scale to today’s performance requirements
PCAPs and synthetic traffic are not effective
Designed for shells, not testing