ips test methodology
IPS test methodology provides step-by-step directions on how to properly test IPS devices with real-world network traffic.
www.breakingpoint.com © 2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. All other trademarks are the property of their respective owners.
Rethink Intrusion Prevention System Testing
A methodology to measure the performance, security, and stability of intrusion prevention systems (IPS) under real-world conditions
Table of Contents
Introduction
Baseline Application Performance: Maximum Connections
Baseline Application Performance: Throughput
Baseline Attack Mitigation: SYN Flood
Baseline Attack Mitigation: Malicious Traffic
Application Traffic with SYN Flood
Application Traffic with Malicious Traffic
Application Traffic with Malicious Traffic and SYN Flood
Jumbo Frames
IP, UDP and TCP Fuzzing
Protocol Fuzzing
Evasion Techniques
Negative Testing
About BreakingPoint
Introduction
With more and more corporate data being placed on corporate networks, it is vitally important to protect that data from malicious activities.
An Intrusion Prevention System (IPS) is designed to detect malicious activities and drop or sanitize the packets while allowing legitimate
traffic to access the corporate network. Thoroughly testing IPS devices is essential to ensuring that they work properly. If the IPS device is
not working properly, malicious traffic containing viruses, worms and backdoors can easily gain access to the corporate network and cause
a great deal of problems, potentially bringing down the network.
Performing a series of measurements using the BreakingPoint Storm CTM on the IPS will help determine the actual performance, security
and stability of the IPS under real-world conditions. For instance, the IPS device might be able to detect and mitigate malicious activity
when network traffic is light. However, when network traffic becomes heavy, the IPS device might detect significantly less malicious activity.
Using the BreakingPoint Storm CTM, you can expose previously impossible-to-detect vulnerabilities in your IPS before they are exploited to
compromise your customer data, corporate assets, brand reputation and even national security.
The test environment should emulate the actual deployment environment as closely as possible. Directly connected devices such as routers,
switches and firewalls will have an effect on packet loss, latency and data integrity. The number of advertised host IP and MAC addresses,
VLAN Tagging, and NAT will also affect the performance of an IPS.
If it is not feasible to fully recreate the deployment environment, the BreakingPoint Storm CTM should be connected directly to the IPS.
All IPS devices and builds being evaluated must use the same test environment to ensure consistent results.
Baseline Application Performance: Maximum Connections
Determine the number of connections per second that the IPS is able to handle. This will validate the performance of the IPS when
sending only good traffic with an “Allow All” policy. The TCP setup time will be analyzed to determine how a greater number of TCP
connections per second affect the time it takes to establish the TCP connection.
Baseline Application Performance: Throughput
Determine the throughput that the IPS is able to handle. This will validate the throughput performance the IPS is able to handle when
sending only good traffic with an “Allow All” policy. The overall throughput that the IPS is able to support will be determined.
Baseline Attack Mitigation Traffic: SYN Flood
Determine a baseline measurement for how the IPS performs when handling a SYN flood. Once a baseline has been established, it will
be compared with the results from the tests that blend both application and malicious traffic. The number of attempted sessions for the
SYN flood will be determined as well as the number of attempted sessions for the SYN flood that were blocked by the IPS.
Baseline Attack Mitigation Traffic: Malicious Traffic
Determine the ability of the IPS to remain stable while vulnerabilities, worms and backdoors are transmitted through it. To
perform this test, the BreakingPoint Storm CTM will be configured to use an Attack Series that includes high-risk vulnerabilities, worms and
backdoors. IPS devices have functionality that may block some of the attacks. The number of attacks blocked by the IPS will be determined
as well as the number of attacks that were able to pass through the IPS.
Application Traffic with SYN Flood
Determine a baseline measurement for how the IPS performs when handling a malicious SYN flood. Once a baseline has been
established, it will be compared with the results from the tests that blend both application and malicious traffic. The number of attempted
sessions for the SYN flood will be determined as well as the number of attempted sessions for the SYN flood that were blocked by the IPS.
Application Traffic with Malicious Traffic
Determine the ability of the IPS to remain stable while vulnerabilities, worms and backdoors are transmitted through it. To
perform this test, the BreakingPoint Storm CTM will be configured to use an Attack Series that includes high-risk vulnerabilities, worms and
backdoors.
Application Traffic with Malicious Traffic and SYN Flood
This test determines the ability of the IPS to handle application traffic, a SYN flood and malicious traffic. The results will be compared
to both the Throughput Test and the SYN Flood Test. Again, the IPS’s ability to detect and mitigate a SYN flood will be determined. Also, the
effect of the malicious traffic on the application traffic’s throughput, latency, time-to-open, and time-to-close will be analyzed. Finally, the
IPS’s ability to detect and mitigate the same number of attacks as in the previous Security tests will be tested.
Jumbo Frames
This test uses the Throughput test, except the Maximum Segment Size (MSS) parameter will be increased. The maximum
transmission unit (MTU) size of the port will be verified and increased if needed. This test will determine if the IPS was able to perform
better, worse or the same when handling jumbo frames. These results will be compared to those from the Throughput Test.
IP, UDP and TCP Fuzzing
The BreakingPoint Storm CTM will be configured to use the Stack Scrambler component. This test component has the ability to
send malformed IP, UDP, TCP and Ethernet packets to the IPS. The fuzzing technique will modify parts of the packet, such as checksums
and protocol options, to generate the corrupted data. The IPS’s ability to handle malformed packets will be determined. Take notice if
the IPS crashes during the test, as this is the most important sign that the IPS is not able to appropriately handle the malformed packets.
Also, analyze the effects the malformed packets had on the application traffic and determine if the IPS’s attack detection and mitigation
capabilities were affected.
Protocol Fuzzing
This test will utilize the Security test component. This time the Security test component will fuzz application layer frames. The IPS’s ability
to handle malformed application layer frames will be determined.
Evasion Techniques
The Application Traffic with Malicious Traffic test will be used as a starting point for this test. The Security test component will have
changes made to its configuration. These changes will configure different evasion techniques that might create false negatives.
Negative Testing
The Maximum Connections test will be used as a starting point. Changes will then be made to a Super Flow. This Super Flow will then be
sent through the IPS. It will be determined how well the IPS unit was able to handle the negative testing.
Baseline Application Performance: Maximum Connections
RFC:
• RFC 793 – Transmission Control Protocol
Overview:
The specifications from the IPS data sheet will be used to determine if the IPS meets or exceeds the stated capacity. To determine the
capabilities, a Session Sender test component will be used to push the IPS beyond its stated supported limits.
Objective:
To evaluate the IPS’s ability to create and maintain sessions.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, type your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Control Center > Network Neighborhood.
5. Under the Network Neighborhoods heading, click the Create a new network neighborhood button.
6. In the Give the new network neighborhood a name box, enter IPS Tests as the name and click OK.
7. Notice four Interface tabs are available for configuration. Only two are required for the tests. The first interface tab should be selected; click the X to delete this interface. When prompted about removing the interface, click Yes. The remaining interfaces will be renamed. Repeat this process until only two interfaces are left.
8. With Interface 1 selected, configure the Network IP Address, Netmask, Gateway IP Address, Router IP Address, the Minimum IP Address, and the Maximum IP Address. Click Apply Changes.
9. Select the Interface 2 tab. Configure the Network IP Address, Netmask and the Gateway IP Address. Using the Type drop-down menu, select Host. Finally, the Minimum IP Address and the Maximum IP Address can be configured. Click Apply Changes, then click Save Network.
10. Now that the Network Neighborhood has been created, the test can be configured. Select Test > New Test.
11. Under the Test Quick Steps, click Select the DUT/Network.
12. In the Choose a device under test and network neighborhood window, under the Device Under Test(s) section, verify BreakingPoint Default is selected. Under Network Neighborhood(s), verify that the newly created one is selected. Click Accept.
13. When prompted about switching Network Neighborhoods because the current setup contains more interfaces, click Yes.
14. Under Test Quick Steps, click Add a Test Component.
15. In the Select a component type window, click Session Sender (L4).
16. Under the Information tab, enter a name of Maximum Connections and click Apply Changes.
17. Select the Interfaces tab. Verify that only Interface 1 Client and Interface 2 Server are enabled.
18. Select the Parameters tab. Several parameters will be changed in this section. The first parameter that needs to be changed is the TCP Session Duration (segments), to a value of 4. Click Apply Changes.
19. Under the Data Rate section, change Minimum data rate to 90% of the total bandwidth possible, and click Apply Changes.
20. Next, under the Session Ramp Distribution tab, several parameters will be changed. First, using the Ramp Up Behavior drop-down menu, select Full Open + Data + Close. Next, change Ramp Up Seconds to 30 and change Steady-State Seconds to 120. Finally, change Ramp Down Duration to 30 and click Apply Changes. Scrolling may be required in order to change some of the parameters.
21. The last parameters that need to be changed are in the Session Configuration section. The Maximum Simultaneous Sessions should be changed to 33% of the IPS’s stated maximum. The Maximum Sessions Per Second should be changed to 200% of the IPS’s ability. Click Apply Changes.
22. If desired, enter a description for the test under the Test Information section.
23. Verify that the Test Status has a green checkmark. If it does not have a green checkmark, click Test Status and make the required changes.
24. Before running the test, the test component needs to be saved as a preset. This will allow for quicker and easier configuration later. Right-click on the test component and select Save Component As Preset.
25. When prompted for a name to save the preset as, enter IPS Maximum Connections and click Save.
26. Under Test Quick Steps, click Save and Run.
27. When prompted for a name to save the test as, enter IPS Maximum Connections and click Save.
The Summary tab initially will be displayed. A great amount of information is seen on this screen from the TCP Connection Rate to the
Cumulative TCP Connections to the Bandwidth being used.
28. Select the TCP tab. This will display the TCP Connections per Second and allow the ability to determine the current number of Attempted and Successful TCP Connection Rate. Using this view, determine the maximum number of new sessions per second open during the ramp-up phase, the maximum maintained during the steady-state phase and the maximum opened during the steady-state phase.
29. Once the test completes, a window will appear, stating the test passed. Click Close to continue.
30. Next, select the View the report button.
31. Expand the Test Results for Maximum Connections folder, and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.
32. Next, select TCP Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.
33. Select TCP Close Time. The shorter the TCP Close Time, the better, as the DUT is able to close out the current connection quickly and free resources to be able to open a new connection.
34. Select Frame Latency. The shorter the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.
Other tests can also be performed. The following are some examples that can be run:
• Vary the TCP Segment size.
• Change the Distribution type to random.
• Change the TCP Session Duration (segments).
• Increase the test time for a longer test.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
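The TCP tab and report views above (attempted versus successful connection rate, TCP setup time) can be cross-checked from a packet capture taken on the client-side port. The following is an added example, not part of the BreakingPoint methodology or product: it assumes setup time runs from the first client SYN to the client's handshake-completing ACK, and the capture records, function names and degradation thresholds are constructed for illustration.

```python
from collections import defaultdict

US = 1_000_000  # timestamps are integer microseconds to avoid float rounding


def sample_capture():
    """Constructed client-side capture: (timestamp_us, flow_id, flags).

    Flags: "S" = SYN, "SA" = SYN-ACK, "A" = handshake-completing ACK.
    The offered rate doubles every second, as in a ramp-up phase.
    """
    packets, flow = [], 0
    # (second, connections attempted, setup time in us, SYNs left unanswered)
    plan = [(0, 2, 400, 0), (1, 4, 500, 0), (2, 8, 2400, 2)]
    for sec, attempts, setup_us, unanswered in plan:
        for i in range(attempts):
            flow += 1
            t0 = sec * US + i * 1000
            packets.append((t0, flow, "S"))
            if i >= attempts - unanswered:
                # Unanswered SYN, retransmitted once by the client stack.
                packets.append((t0 + 300_000, flow, "S"))
                continue
            packets.append((t0 + setup_us // 2, flow, "SA"))
            packets.append((t0 + setup_us, flow, "A"))
    return packets


def handshakes(packets):
    """Return {flow_id: (first_syn_ts, setup_us or None if never completed)}."""
    first_syn, synack_seen, setup = {}, set(), {}
    for ts, flow, flags in sorted(packets, key=lambda p: p[0]):
        if flags == "S":
            first_syn.setdefault(flow, ts)  # a retransmit is not a new attempt
        elif flags == "SA" and flow in first_syn:
            synack_seen.add(flow)
        elif flags == "A" and flow in synack_seen and flow not in setup:
            setup[flow] = ts - first_syn[flow]
    return {f: (ts, setup.get(f)) for f, ts in first_syn.items()}


def per_second(packets):
    """Attempted and successful connections plus mean setup time, per second."""
    buckets = defaultdict(lambda: {"attempted": 0, "setup": []})
    for syn_ts, setup_us in handshakes(packets).values():
        bucket = buckets[syn_ts // US]
        bucket["attempted"] += 1
        if setup_us is not None:
            bucket["setup"].append(setup_us)
    rows = []
    for sec in sorted(buckets):
        b = buckets[sec]
        done = len(b["setup"])
        rows.append({
            "second": sec,
            "attempted": b["attempted"],
            "successful": done,
            "mean_setup_us": sum(b["setup"]) / done if done else None,
        })
    return rows


def first_degraded(rows, setup_factor=3.0, min_success=0.99):
    """First second in which connections fail or setup time exceeds
    setup_factor times the lightest-load baseline (assumed thresholds)."""
    baseline = next((r["mean_setup_us"] for r in rows if r["mean_setup_us"]), None)
    for r in rows:
        success = r["successful"] / r["attempted"]
        slow = (r["mean_setup_us"] is None or
                (baseline is not None and r["mean_setup_us"] > setup_factor * baseline))
        if success < min_success or slow:
            return r
    return None


if __name__ == "__main__":
    rows = per_second(sample_capture())
    for row in rows:
        print(row)
    print("first degraded second:", first_degraded(rows))
```

The attempted rate in the row before the first degraded one is the highest connections-per-second figure the device sustained in this capture, which is the number to compare against the data sheet.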
Baseline Application Performance: Throughput
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
A similar test setup as the previous one will be used. An Application Simulator test component will be used to generate, at maximum, 33% of the effective session capacity of the IPS as determined in the previous test, while trying to maximize throughput.
Objective:
To evaluate the IPS’s ability to forward a wide variety of application traffic and the overall rate that it is able to do so.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter in your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Test > New Test.
5. Under Test Quick Steps, click Select the DUT/Network.
6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.
7. When prompted that the current test setup contains more interfaces, click Yes.
8. Under Test Quick Steps, click Add a Test Component.
9. In the Select a component type window, click Application Simulator (L7).
10. Under the Information tab, enter a name of Maximum Throughput and click Apply Changes.
11. Select the Interfaces tab. Verify that Interface 1 Client is enabled and Interface 2 Server is enabled.
12. Select the Presets tab and select Enterprise Apps. Once completed, click Apply Changes.
13. Select the Parameters tab. Several parameters will need to be changed. The first parameter that needs to be changed is in the Data Rate section. Change the Minimum data rate to 90% of the total available bandwidth, and click Apply Changes.
14. Next, under the Session Ramp Distribution section, several parameters will be changed. First, using the Ramp Up Behavior drop-down menu, select Full Open + Data + Close. Next, change Ramp Up Seconds to 30 and change Steady-state Seconds to 120. Finally, change Ramp Down Duration to 30 and click Apply Changes. Scrolling may be required to change some of the parameters.
15. The next parameters that need to be changed are in the Session Configuration section. Change Maximum Simultaneous Sessions to 33% of the session capacity of the DUT. Also, change the Maximum Sessions Per Second to 25% of the ability of the DUT.
16. If desired, enter a description for the test under the Test Information section.
17. Verify that the Test Status has a green checkmark. If it does not have a green checkmark, click Test Status and make the required changes.
18. Before running the test, the test component needs to be saved as a preset. This will allow for quicker and easier configuration later. Right-click on the test component, and select Save Component As Preset.
19. Enter IPS Maximum Throughput as the name, and click Save.
20. Under Test Quick Steps, click Save and Run.
21. When prompted to save the test, enter a name of IPS Maximum Throughput and click Save.
22. The Summary tab will initially be displayed. A great amount of information is seen on this screen: TCP Connection Rate, Cumulative TCP Connections and Interface Bandwidth.
23. Select the TCP tab. This will display the TCP Connections per Second and allow the ability to determine the Attempted TCP Connection Rate and Successful TCP Connection Rate.
24. Select the Application tab. Detailed results about each protocol may be viewed. Use the drop-down menus to select different applications.
25. Once the test completes, a window will appear, stating the test passed. Click Close.
26. Next, select the View the report button.
27. Expand the Test Results for Maximum Throughput folder, and select Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.
28. Next, select Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.
29. Select TCP Close Time. The shorter the TCP close time, the better, as the DUT is able to close out the current connection quickly and free resources to be able to open a new connection.
30. Select Frame Latency. The shorter the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.
31. Select Transmitted Frame Size. This provides a breakdown of frame sizes that were transmitted.
32. Next, expand the Detail folder and also expand the App Concurrent Flows: by protocol folder. Select the first item, App Concurrent Flows: protocol aol, and determine how the different protocols were handled. View the entire list.
33. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine how all the protocols were handled by the DUT.
34. Select Frame Data Rate and determine the maximum throughput the DUT was able to handle.
Other variations of this test can be run. The following are a few examples:
• Increase both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10%, until 80% has been reached.
• Use different presets, such as the Service Provider App or a custom application profile.
• Increase the duration of the test time.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
Baseline Attack Mitigation: SYN Flood
RFC:
• RFC 793 – Transmission Control Protocol
• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations
Overview:
A SYN flood occurs when a client starts a TCP connection but never sends the ACK that completes it, and keeps trying to initiate new TCP connections. This is harmful
to an IPS, as it has to allocate resources to each TCP connection request. The IPS likely has the ability to detect and prevent the SYN flood. A
Session Sender test component will be used to create a SYN flood to attack the IPS.
Objective:
To evaluate the IPS’s ability to detect and mitigate a SYN flood.
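The two counts this test is after, the SYN flood sessions attempted and the ones the IPS blocked, can also be derived by comparing captures from the client-side and server-side ports. The following is an added example, not part of the BreakingPoint methodology or product; the record layout, function names, sample addresses and the 50% mitigation threshold are constructed assumptions, and it assumes the IPS does not NAT or rewrite sequence numbers on the SYNs it forwards.

```python
from collections import Counter


def sample_captures():
    """Constructed SYN records from both tester ports (documentation IPs).

    client_side: SYNs offered to the IPS on Interface 1.
    server_side: SYNs that came out of the IPS on Interface 2.
    """
    client_side, server_side = [], []
    forwarded_per_second = {0: 5, 1: 2, 2: 0}  # mitigation ramps in
    for sec in range(3):
        for i in range(5):
            n = sec * 5 + i
            syn = {"ts": sec + i * 0.1, "src": f"198.51.100.{i + 1}",
                   "sport": 40000 + n, "dst": "203.0.113.10", "dport": 80,
                   "seq": 1000 + n}
            client_side.append(syn)
            if i < forwarded_per_second[sec]:
                server_side.append(dict(syn, ts=syn["ts"] + 0.0002))
    # A retransmitted SYN (same 4-tuple and ISN) must not count twice.
    client_side.append(dict(client_side[-1], ts=2.9))
    return client_side, server_side


def syn_key(pkt):
    """Identify one connection attempt by 4-tuple plus initial sequence number."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])


def flood_accounting(client_side, server_side, mitigated_ratio=0.5):
    """Count attempted, passed and blocked SYN sessions, per second and in total.

    A SYN seen on the client side but never on the server side is counted as
    blocked. That also covers a SYN proxy, which answers the SYN itself and
    forwards nothing until the handshake completes.
    """
    forwarded = {syn_key(p) for p in server_side}
    first_seen = {}
    for p in sorted(client_side, key=lambda p: p["ts"]):
        first_seen.setdefault(syn_key(p), p["ts"])

    attempted, blocked = Counter(), Counter()
    for key, ts in first_seen.items():
        sec = int(ts)
        attempted[sec] += 1
        if key not in forwarded:
            blocked[sec] += 1

    per_second = [(s, attempted[s], blocked[s]) for s in sorted(attempted)]
    # First second in which at least mitigated_ratio of the SYNs were dropped.
    mitigation_started = next(
        (s for s, a, b in per_second if b / a >= mitigated_ratio), None)
    total, total_blocked = sum(attempted.values()), sum(blocked.values())
    return {
        "attempted": total,
        "blocked": total_blocked,
        "passed": total - total_blocked,
        "per_second": per_second,
        "mitigation_started_s": mitigation_started,
    }


if __name__ == "__main__":
    print(flood_accounting(*sample_captures()))
```

The gap between the start of the flood and mitigation_started_s is the window in which the protected servers absorb the flood themselves, so it is worth recording alongside the blocked total.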
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter in your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Test > New Test.
5. Under Test Quick Steps, click Select the DUT/Network.
6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.
7. When prompted that the current test setup contains more interfaces, click Yes.
8. Under Test Quick Steps, click Add a Test Component.
9. In the Select a component type window, click Session Sender (L4).
10. The Information tab should already be selected. Change the name of the test component to SYN Flood and click Apply Changes.
11. Select the Parameters tab. Several parameters will be changed in this section. The first change is to set TCP Sessions Duration (segments) to 0. Click Apply Changes once completed.
12. In the Data Rate section, change the Minimum data rate to 10% of overall bandwidth, and click Apply Changes.
13. Next, in the Session Ramp Distribution section, use the Ramp Up Behavior drop-down menu and select SYN Only. Change Ramp Up Seconds to 120, Steady-State Seconds to 0 and Ramp Down Seconds to 0. Scrolling down will be required to update some of the parameters. Click Apply Changes once complete.
14. Finally, in the Session Configuration section, verify Maximum Simultaneous Sessions is set to 1,000,000. Change Maximum Sessions Per Second to 45,000. Click Apply Changes once completed.
15. If desired, change the test Description under the Test Information section.
16. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.
17. Before running the test, the test component needs to be saved as a preset for use in later tests (saving as a preset allows for quicker and easier configuration). Right-click on the test component, and select Save Component As Preset.
18. When prompted for a name to save the preset as, type IPS SYN Flood and click Save.
19. Finally, under Test Quick Steps, click Save and Run.
20. When prompted to save the test, type IPS SYN Flood as a name.
21. Under the Summary tab it is possible to determine how the IPS is handling the SYN Flood attack. Under TCP Connection Rate under Client, there should be a value only for Attempted. For Cumulative TCP Connections, a value should be present only for Client Attempted. The Bandwidth for Rx should be very low, if not 0.
22. Select the TCP tab. No Successful connections should be present; this is another way of verifying that the IPS is successfully handling the SYN Flood attack.
23. When the test finishes, a new window will appear, stating the test failed. This is expected, as no connections were successfully made. Click Close.
24. Click the View the Report button.
25. Expand the Test Results for SYN Flood folder and select TCP Summary. Verify that Client attempted has a value and that both Client established and Server established are 0. This means that the IPS was able to successfully handle the SYN Flood.
Other test variations can also be run. The following are a couple of variations:
• Increase the test length for a longer SYN attack.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
Baseline Attack Mitigation: Malicious Traffic
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
It is important to evaluate how malicious traffic will affect the performance of an IPS. A Security test component will be used in this test.
Five default attack series are available to use, but during this test only Security Level 1 will be used. Security Level 1 includes high-risk
vulnerabilities in services often exposed to the Internet.
Objective:
To evaluate the IPS’s ability to detect and mitigate vulnerabilities, worms and backdoors.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Test > New Test.
5. Under Test Quick Steps, click Select the DUT/Network.
6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.
7. When prompted that the current test setup contains more interfaces, click Yes.
8. Under Test Quick Steps, click Add a Test Component.
9. In the Select a component type window, select the Security test component.
10. Under the Information tab, enter the name Malicious Traffic and click Apply Changes.
11. Select the Interfaces tab and verify Interface 1 Client is enabled and Interface 2 Server is enabled.
12. Select the Presets tab, and select Security Level 1. Click Apply Changes.
13. Select the Parameters tab. The defaults are all okay; if repeatable strikes are required, change the Random Seed to a value higher than 0.
14. If desired, change the test Description under the Test Information section.
15. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.
16. Before running the test, the test component needs to be saved as a preset for use in later tests (saving as a preset allows for quicker and easier configuration). Right-click on the test component, and select Save Component As Preset.
17. When prompted for a name to save the preset as, type IPS Malicious Traffic and click Save.
18. Finally, under Test Quick Steps, click Save and Run.
19. When prompted to save the test, type IPS Malicious Traffic as a name.
20. Select the Attacks tab. This provides a view that shows the number of blocked attacks and the number of attacks that have been allowed to pass through the DUT.
21. When the test completes, a window will appear, stating that malicious traffic was able to pass through the DUT. Click Close.
22. When the test completes, click the View the report button.
23. Expand the Test Results for Malicious Traffic folder and select Strike Results. Determine the number of strikes that were allowed to pass through the DUT and the number that were blocked.
Other variations of this test can be performed. Below is a list of some of the other tests:
• Increase the test length for a longer malicious traffic attack.
• Change the Security Level.
• Use different presets, such as the Service Provider App or a custom application profile.
• Use a different random seed.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
Application Traffic with SYN Flood
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations
Overview:
Since tests for application performance and a SYN Flood have already been configured and saved as presets, they will be used in this test.
Two test components will be used during this test, an Application Simulator and a Session Sender component.
Objective:
To combine application traffic with SYN flood traffic and compare the results against the results from the Throughput Test and the SYN
Flood Test.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. Before continuing with configuration of the test, click Save As.
6. When prompted for a name to save the test as, type App Traff with SYN Flood and click Save.
7. Under the Test Quick Steps, click Add a Test Component.
8. In the Select a component type window, select the Session Sender (L4).
9. The Information tab should be selected. Type the name SYN Flood and click Apply Changes.
10. Select the Presets tab, and select the IPS SYN Flood preset. Click Apply Changes once complete.
11. If desired, change the test Description under the Test Information section.
12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.
13. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop down menus to display results from
different protocols.
14. Once the test completes, a new window will appear, stating that the test failed. This is expected, as the IPS should be blocking a majority of the protocols being transmitted. Click Close to continue.
15. Select the View the report button. This will open more detailed results in a Web browser.
16. To determine the ability of the IPS to handle a SYN flood while also processing legit traffic, expand Test Results for SYN Flood and select TCP Summary. Verify that no client was able to establish a connection and that no servers established connections either. Once done viewing these results, for easier navigation minimize Test Results for SYN Flood.
17. Expand Test Results for Maximum Throughput and select TCP Setup Time. Again, the quicker the setup times, the better, as the IPS is able to react and respond to the incoming request. Determine the effect the SYN flood had on the TCP setup time of the application traffic.
18. Select TCP Response Time. Just as with TCP Setup Time, the quicker the response times, the better. Determine the effect the SYN flood had on the TCP response time of the application traffic.
19. Next, select TCP Close Time. The quicker the IPS is able to close the TCP connection, the quicker it frees up those resources and can use them to start a new connection. Determine the effect the SYN flood had on the TCP close time of the application traffic.
20. Select Frame Latency, and determine how the SYN flood affects the latency of the application traffic.
21. Expand the Detail folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
22. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
23. Compare all the results collected from the current test with the baseline tests to determine any differences.
24. If any test variations were run with either the Baseline Application Performance: Throughput or the Baseline Attack Mitigation: SYN Flood tests, make sure to run those variations on this test too.
Application Traffic with Malicious Traffic
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
Since tests for application performance and malicious traffic have already been configured and saved as presets, they will be used in this
test. Two test components will be used during this test, an Application Simulator and a Security component.
Objective:
To combine application traffic with malicious traffic and compare the results with the results from the security test.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. Before continuing with configuration of the test, click Save Test As.
6. When prompted for a name to save the test as, type App Traff Malicious Traffic and click Save.
7. Under the Test Quick Steps, click Add a Test Component.
8. In the Select a component type window, select the Security test component.
9. The Information tab should be selected. Type Malicious Traffic for the name, and click Apply Changes.
10. Select the Presets tab. Select IPS Malicious Traffic, and click Apply Changes.
11. If desired, enter a test Description under the Test Information section.
12. Verify that Test Status has a green checkmark next to it. If it does not have a green checkmark, click Test Status and make the required changes.
13. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and the overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from
different protocols.
14. Select the Attacks tab. This will provide real-time information about how the IPS is performing with the malicious traffic. As can be seen in the image below, some attacks have been allowed.
15. When the test completes, a window will appear saying the test failed. Click Close.
16. Select the View the report button. This will open up more detailed results in the browser.
17. Expand the Test results for Malicious Traffic folder and select Strike Results. Determine how well the DUT was able to handle the different strikes and maintain blocking them while still transmitting regular traffic. Once completed, collapse Test results for Malicious Traffic.
18. Expand the Test Results for Generic Traffic folder, and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time.
19. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker.
20. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to quickly free those resources.
21. Select Frame Latency, and determine the effect malicious traffic had on the overall latency.
22. Next, expand the Details folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
23. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
24. Finally, select Frame Data Rate, and determine how the malicious traffic affects the data rate.
25. Compare all the results collected from the current test with the baseline tests to determine any differences.
26. If any test variations were run with either the Baseline Application Performance Test: Throughput or the Baseline Attack Mitigation: SYN Flood, make sure to run those variations on this test too.
Application Traffic with Malicious Traffic and SYN Flood
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations
Overview:
Since tests for application performance, malicious traffic and a SYN Flood have already been configured and saved as presets, they will be
used in this test. Three test components will be used during this test, an Application Simulator, a Security component and a Session Sender
component. This test will determine the ability of the IPS to handle malicious traffic while also having to deal with a SYN Flood and allowing
good traffic to pass through.
Objective:
To send a blend of application traffic with a SYN Flood and malicious traffic to the IPS and to compare the results of this test against the
results of the baseline tests.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > App Traff with Malicious Traffic.
5. Before continuing with configuration of the test, click Save Test As.
6. When prompted for a name to save the test as, type App Traff with Malicious Traffic and SYN Flood and click Save.
7. Under the Test Quick Steps, click Add a Test Component.
8. In the Select a component type window, select the Session Sender (L4) test component.
9. The Information tab should be selected. Type SYN Flood as the name and click Apply Changes.
10. Select the Presets tab. Locate IPS SYN Flood in the list, and click Apply Changes.
11. With the addition of the Session Sender test component, the interfaces have become oversubscribed. Select the Maximum Throughput test component, and then select the Parameters tab. Change the Minimum data rate to 85% of the total available bandwidth, and click Apply Changes.
12. Verify that the Test Status has a green checkmark. If not, click on Test Status and make the required changes.
13. If desired, edit the test Description under the Test Information section.
14. Under the Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from
different protocols.
15. Select the Attacks tab. This provides a real-time look into how the IPS is performing with the malicious traffic. As can be seen from the image below, some of the attacks are being allowed to pass through the IPS.
16. Once the test completes, a new window will appear, stating the test criteria failed. Click Close to continue.
17. Click the View the report button. This will open detailed results in a browser window.
18. Expand Test Results for SYN Flood and select TCP Summary. Verify that no TCP connections were established. Collapse Test Results for SYN Flood once completed.
19. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the IPS was able to block and not allow different strikes to pass through. Again, collapse Test Results for Malicious Traffic once completed.
20. Expand Test Results for Maximum Throughput and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time. The TCP setup time has been affected and has increased.
21. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker. Again, the TCP response time has increased.
22. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources. The TCP close time has also increased compared to the baseline tests.
23. Select Frame Latency and determine the effect malicious traffic and the SYN flood had on the overall latency.
24. Next, expand the Details folder. Also, expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
25. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
26. Finally, select Frame Data Rate and determine how the malicious traffic and SYN Flood affected the data rate.
27. Compare all the results collected from the current test with the baseline tests to determine any differences.
28. If any test variations were run with either the Baseline Application Performance Test: Throughput, the Baseline Attack Mitigation: Malicious Traffic or Baseline Attack Mitigation: SYN Flood, make sure to run those variations on this test too.
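The report checks used in the SYN Flood, Malicious Traffic and blended tests above (TCP Summary counters, Strike Results, and the comparison of TCP timings, latency and data rate against the baselines) can be scripted once the values are copied out of the reports. The following is an added example, not part of the original methodology or of BreakingPoint's software; the dictionary keys, strike names, sample numbers and the 10% tolerance are constructed assumptions.

```python
"""Score a blended IPS run against its baselines.

Keys, strike names and numbers are constructed for illustration; they are not
a BreakingPoint report or export format.
"""
from typing import Dict, List, Optional, Tuple

# Timing and latency metrics get worse as they grow; data rate as it shrinks.
HIGHER_IS_WORSE = {"tcp_setup_us", "tcp_response_us", "tcp_close_us", "frame_latency_us"}
LOWER_IS_WORSE = {"frame_data_rate_mbps"}

# Constructed values standing in for numbers read off the reports.
BASELINE = {"tcp_setup_us": 400, "tcp_response_us": 1000, "tcp_close_us": 500,
            "frame_latency_us": 80, "frame_data_rate_mbps": 900}
BLENDED = {"tcp_setup_us": 600, "tcp_response_us": 1050, "tcp_close_us": 700,
           "frame_latency_us": 84, "frame_data_rate_mbps": 765}
SYN_TCP_SUMMARY = {"client_attempted": 2700000, "client_established": 0,
                   "server_established": 0}
STRIKE_RESULTS = [("constructed-strike-1", "blocked"), ("constructed-strike-2", "blocked"),
                  ("constructed-strike-3", "allowed"), ("constructed-strike-4", "blocked")]


def syn_flood_verdict(tcp_summary: Dict[str, int]) -> Tuple[str, List[str]]:
    """TCP Summary check: attempts must be present and nothing established."""
    attempted = tcp_summary.get("client_attempted", 0)
    if attempted <= 0:
        # With no attempts recorded, zero established sessions proves nothing.
        return "invalid", ["client_attempted is 0, so the run shows no flood traffic"]
    reasons = []
    for side in ("client_established", "server_established"):
        count = tcp_summary.get(side, 0)
        if count:
            reasons.append(f"{side} = {count}")
    return ("leaked" if reasons else "mitigated"), reasons


def strike_verdict(strikes: List[Tuple[str, str]]) -> Dict[str, object]:
    """Summarise Strike Results rows of (strike name, 'blocked' or 'allowed')."""
    allowed = [name for name, outcome in strikes if outcome == "allowed"]
    blocked = sum(1 for _, outcome in strikes if outcome == "blocked")
    total = len(strikes)
    rate = round(100.0 * blocked / total, 1) if total else 0.0
    return {"total": total, "blocked": blocked, "allowed": allowed,
            "unclassified": total - blocked - len(allowed), "block_rate_pct": rate}


def compare_to_baseline(baseline: Dict[str, float], blended: Dict[str, float],
                        tolerance_pct: float = 10.0
                        ) -> Dict[str, Tuple[Optional[float], bool]]:
    """Return {metric: (percent change, regressed)} for metrics in both runs."""
    result = {}
    for metric in sorted(set(baseline) & set(blended)):
        base, current = baseline[metric], blended[metric]
        if base == 0:
            # Percent change is undefined; flag any non-zero value for review.
            result[metric] = (None, current != 0)
            continue
        pct = round(100.0 * (current - base) / base, 1)
        if metric in HIGHER_IS_WORSE:
            regressed = pct > tolerance_pct
        elif metric in LOWER_IS_WORSE:
            regressed = pct < -tolerance_pct
        else:
            regressed = abs(pct) > tolerance_pct
        result[metric] = (pct, regressed)
    return result


if __name__ == "__main__":
    print("SYN flood:", syn_flood_verdict(SYN_TCP_SUMMARY))
    print("Strikes:  ", strike_verdict(STRIKE_RESULTS))
    for name, (pct, bad) in compare_to_baseline(BASELINE, BLENDED).items():
        print(f"{name:22s} {pct:+.1f}% {'REGRESSED' if bad else 'ok'}")
```

Treat an "invalid" SYN flood verdict as a test-bed problem to fix before reading anything into the other numbers.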
Jumbo Frames
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
• RFC 894 – A Standard for the Transmission of IP Datagrams over Ethernet
Overview:
The Throughput test will be used as a starting point in this test. Once the test is opened, the Maximum Segment size will be changed to
4,000 to send jumbo frames.
Objective:
To analyze how the IPS handles jumbo frames.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. Before continuing with configuration of the test, click Save Test As.
6. When prompted for a name to save the test as, type IPS Jumbo Frames.
7. Select the Parameters tab and under the TCP Configuration section, change the Maximum Segment Size (MSS) to a value greater than 1500 but less than 9142. In this example, a 4000-byte packet was used. Once the changes have been completed, click Apply Changes.
8. Next, select Control Center > Device Status.
9. When prompted about saving the test due to changes, click Yes.
10. Right-click on a reserved port, and select Configure Port.
11. Verify that the MTU is large enough, and click Close. If needed, increase the MTU size, and click Apply. Repeat this process for the other reserved port too.
12. To return to the test configuration, select Test > Open Recent Tests > IPS Jumbo Frames.
13. Under the Test Information section, edit the test Description.
14. Verify that the Test Status has a green checkmark. If it does not contain a green checkmark, click Test Status and make the required changes.
15. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
16. Once the test completes, a new window will appear stating that the test either passed or failed. Click Close to continue.
17. Click the View the report button. This will open a Web page containing more detailed results.
18. Expand the Test Results for Maximum Throughput folder, and select App Bytes Transmitted. This will display a byte count that each protocol transmitted.
19. Expand the Details folder, and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly handle the requests and continue operating as expected.
20. Select TCP Response Time. Again, the shorter the TCP response time, the better, as the DUT is able to quickly respond to requests and continue operating.
21. Expand the Detail folder. Select the Frame Data Rate, and determine the maximum transmit and receive rate using the graph and the table.
22. To determine how each protocol was handled by the IPS, five different results will be viewed. Under the Detail folder, expand and analyze the results of the following: App Concurrent Flows: by protocol, App Throughput: by protocol, App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol.
23. Using the results from the current test and the results from the Throughput test, determine if the IPS performed better, worse or the same when handling jumbo frames. Other test variations can also be run. The following are some test variation examples:
• Test several different sizes of jumbo frames, specifically making sure to test the 9,000-byte frame.
• Increase the test duration.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
IP, UDP and TCP Fuzzing
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
The Throughput test will be used as a starting point and a Stack Scrambler component will be used too. The Stack Scrambler tests the
integrity of different protocols by sending malformed IP, UDP, TCP and Ethernet packets to the IPS. The fuzzing technique will modify only a
single part of the packet to generate corrupt data.
Objective:
To send fuzzed traffic through the IPS and determine how it affects the IPS and other protocols.
Setup:
1. Open your favorite Web browser, and connect to the BreakingPoint Storm CTM. Once the page has loaded, click Start BreakingPoint Systems Control Center.
2. Log in to the BreakingPoint Storm CTM by entering your Login ID and Password. Once done, click Login.
3. Once logged in, reserve the required ports to run the test.
4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. In the lower left, click Save Test As.
6. A dialog box will appear asking for a name to save the test as. Type IPS Fuzzing and click Save.
7. Under the Test Quick Steps, click Add a Test Component.
8. From the Select a component type, choose the Stack Scrambler (Fuzzer) component.
9. Under the Information tab, change the name to IPS Fuzzer and click Apply Changes.
10. Select the Interfaces tab. Verify that only the Interface 1 Client and Interface 2 Server are enabled.
11. Select the Parameters tab. Define the percentages of traffic that will have malformed IP version, bad TCP options, Bad Urgent Pointer and Bad IP Checksums. After each one, make sure to click Apply Changes.
12. If fuzzing through a stateful device such as an IPS unit, it is important that you set the Establish TCP Sessions parameter to true. Otherwise, malformed TCP packets will be dropped.
13. With the addition of the Stack Scrambler, the interfaces have become oversubscribed. Select the Maximum Throughput test component, and then select the Parameters tab. Change the Minimum data rate parameter in the Data Rate section to 85% of the total available bandwidth, and click Apply Changes.
14. Before running the test, the test component needs to be saved as a preset for use in later tests. Saving as a preset allows for quicker and easier configuration. Right-click on the test component, and select Save Component As Preset.
15. When prompted for a name to save the preset as, type IPS Fuzzer and click Save.
16. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.
17. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
18. When the test completes, a window will appear stating that the test failed. Click Close.
19. Next, click the View the report button. This will open detailed results in a new browser window.
20. Expand Test Results for Maximum Throughput and then expand the Details folder. Select the Frame Data Rate. Determine how the fuzzing affected the overall data frame rate.
21. Next, expand the App Throughput: by protocol folder and select the first item, App Throughput: protocol aol. Determine the Application data transmit and receive rate for each of the listed protocols.
22. Repeat the above process with the App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol.
23. With the recently collected data, determine if the malformed packets had any effect on the application traffic. Also, determine if the malformed packets caused any issues with the IPS, such as a crash.
24. If any variations were performed with the Baseline Application Performance Test: Throughput, make sure to repeat those variations with this test.
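The four malformations named in step 11 (IP version, TCP options, urgent pointer, IP checksum) can be pictured from the receiving side. The following is an added example, not BreakingPoint code: it builds one constructed IPv4/TCP SYN, changes a single field at a time as the Overview describes, and runs the header checks a stateful device would apply. All function names, offsets chosen for mutation and finding labels are assumptions of this example; how the Stack Scrambler actually encodes each malformation is not stated in this document.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet() -> bytes:
    """Constructed sample: IPv4 + TCP SYN carrying one MSS option.
    Addresses are documentation ranges; the TCP checksum is left at 0
    because this example only validates the fields named in step 11."""
    options = b"\x02\x04\x05\xb4"                      # kind=2 (MSS), len=4, 1460
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      6 << 4, 0x02, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + tcp

def mutate(pkt: bytes, field: str) -> bytes:
    """Change exactly one part of the packet (hypothetical mutation choices)."""
    b = bytearray(pkt)
    if field == "ip_version":
        b[0] = (6 << 4) | (b[0] & 0x0F)                # claim version 6, keep IHL
        b[10:12] = b"\x00\x00"                         # refresh checksum so only
        b[10:12] = struct.pack("!H", inet_checksum(bytes(b[:20])))  # version is wrong
    elif field == "ip_checksum":
        b[10] ^= 0xFF                                  # corrupt stored checksum
    elif field == "urgent_pointer":
        b[38:40] = struct.pack("!H", 0x1234)           # nonzero while URG is clear
    elif field == "tcp_options":
        b[41] = 0                                      # option length below minimum
    else:
        raise ValueError("unknown field: " + field)
    return bytes(b)

def walk_options(opts: bytes) -> list:
    """Walk the TCP option list; any impossible length is a finding."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # End of Option List
            break
        if kind == 1:                                  # No-Operation, 1 byte
            i += 1
            continue
        if i + 1 >= len(opts):
            return ["bad TCP options"]
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return ["bad TCP options"]
        i += length
    return []

def check_packet(pkt: bytes) -> list:
    """Return the header anomalies found; an empty list means none."""
    if len(pkt) < 20:
        return ["truncated IP header"]
    findings = []
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        findings.append("bad IP version")
    if ihl < 20 or len(pkt) < ihl + 20:
        return findings + ["truncated headers"]
    if inet_checksum(pkt[:ihl]) != 0:                  # valid header sums to zero
        findings.append("bad IP checksum")
    tcp = pkt[ihl:]
    data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
    urgent = struct.unpack("!H", tcp[18:20])[0]
    if urgent and not flags & 0x20:                    # pointer set, URG flag clear
        findings.append("bad urgent pointer")
    if data_off < 20 or data_off > len(tcp):
        findings.append("bad TCP options")
    else:
        findings.extend(walk_options(tcp[20:data_off]))
    return findings

def classify_all() -> dict:
    """Run every single-field mutation through the checks."""
    base = build_packet()
    fields = ("ip_version", "ip_checksum", "urgent_pointer", "tcp_options")
    return {f: check_packet(mutate(base, f)) for f in fields}

if __name__ == "__main__":
    print("baseline:", check_packet(build_packet()))
    for name, result in classify_all().items():
        print(name, "->", result)
```

Each mutation trips exactly one check, which is the behavior to look for when reading the IPS's own drop counters against the percentages configured in step 11.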
Protocol Fuzzing
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
The Application Traffic with Malicious Traffic and SYN Flood test will be used as a starting point, with the addition of the Security
component. The Security component will be used to fuzz the application level frames. This will determine if the IPS is able to handle fuzzed
application level frames and handle both malicious traffic and a SYN flood.
Objective:
To send fuzzed traffic at the application level through the IPS and determine how it affects the IPS and other protocols.
Setup:
1. Open your favorite Web browser, and connect to the BreakingPoint Storm CTM. Once the page has loaded, click Start BreakingPoint Systems Control Center.
2. Log in to the BreakingPoint Storm CTM by entering your Login ID and Password. Once done, click Login.
3. Reserve the required ports to run the test.
4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. In the lower left, click Save Test As.
6. A dialog box will appear, asking for a name to save the test as. Type Protocol Fuzzing and click Save.
7. Under the Test Quick Steps, click Add a Test Component.
8. From the Select a component type, select the Security component.
9. The Information tab should already be selected. Type the name Protocol Fuzzer and click Apply Changes.
10. Select the Parameters tab and set the Attack Series to BreakingPoint Protocol Fuzzers. Click Apply Changes once completed.
11. If desired, change the test Description under Test Information.
12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.
13. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from
different protocols.
14. When the test completes, a window will appear stating the test failed. Click Close.
15. Next, click the View the report button. This will open detailed results in a new browser window.
16. Expand Test Results for Protocol Fuzzer and select Strike Results. Determine the number of strikes blocked. For more details about the strike detection, expand the Detail folder and view the different results.
17. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the IPS was able to block and not allow different strikes to pass through. Again, collapse Test Results for Malicious Traffic once completed.
18. Expand Test Results for Maximum Throughput and select TCP Setup Time. The quicker an IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time. The TCP setup time has been affected and has increased.
19. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker. Again, the TCP response time has increased.
20. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources. The TCP close time has also increased compared to the baseline tests.
21. Select Frame Latency and determine the effect malicious traffic and the SYN flood had on the overall latency.
22. Next, expand the Details folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
23. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
24. Finally, select Frame Data Rate and determine how the malicious traffic and SYN Flood affects the data rate.
25. Compare all the results collected from the current test with the baseline tests to determine any differences.
26. If any variations were performed with the Application Traffic with Malicious Traffic and SYN Flood test, make sure to repeat those variations with this test.
Evasion Techniques
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
The Application Traffic with Malicious Traffic test will be used as a starting point in this test. The Security test component will have changes
made to parameters in the Override tab. These changes will configure evasion techniques that will attempt to be transmitted through the
IPS.
Objective:
To add evasion techniques to disguise the attacks so that they can pass through the IPS undetected.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter in your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > App Traff Malicious Traffic.
5. Before continuing with configuration of the test, click Save Test As.
6. When prompted for a name to save the test as, type IPS Evasion.
7. Select the Malicious Traffic test component and the Overrides tab. Different parameters can be changed in this section, depending on the evasion techniques desired. Change the necessary parameters, and click Apply Changes.
8. If desired, edit the test Description under Test Information.
9. Verify that Test Status has a green checkmark. If it does not, click Test Status and make the required changes.
10. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from
different protocols.
11. Select the Attacks tab. This will provide real-time information about how the IPS is performing with the malicious traffic. As the image below shows, some attacks have been allowed.
12. When the test completes, a window will appear, saying the test failed. Click Close.
13. Select View the report button. This will open up more detailed results in the browser.
14. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the DUT was able to handle the different strikes and maintain blocking them while still transmitting regular traffic. Once completed, collapse Test Results for Malicious Traffic.
15. Expand Test Results for Maximum Throughput, and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time.
16. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker.
17. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources.
18. Select Frame Latency, and determine the effect malicious traffic had on the overall latency.
19. Next, expand the Details folder and the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
20. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
21. Finally, select Frame Data Rate and determine how the malicious traffic affects the data rate.
22. With all the results collected from the current test, compare them with the baseline tests to determine any differences.
23. If any variations were performed with the Application Traffic with Malicious Traffic test, make sure to repeat those variations with this test.
Negative Testing
RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
Overview:
The Throughput test will be used as a starting point. One of the default provided Super Flows will be changed in the Application Manager.
The actions of the Super Flow either will be rearranged and/or have parameters changed. This newly created Super Flow will then be added
to a new Application Profile and then be transmitted through the IPS.
Objective:
Send a mix of negative traffic through the IPS and see how it is handled.
Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter in your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. Before continuing with configuration of the test, click Save Test As.
6. When prompted for a name to save the test as, type IPS Negative Testing.
7. Select Managers > Application Manager.
8. Select the Super Flows tab, and then locate BreakingPoint HTTP Text. Click Save As to create a copy of this Super Flow.
9. When prompted for a name to save the Super Flow as, type IPS HTTP Negative Test and click OK.
10. Under the Define Actions section, modify any of the actions by changing the action parameters or rearranging them. Click Save Super Flow once completed. In this example, the actions were rearranged.
11. Select the App Profiles tab, and click the Create new application profile button.
12. When prompted for a new name, type IPS Negative Test.
13. Locate the newly created Super Flow, and click the Add the Super Flow to the profile button. Click Save App Profile once completed.
14. Click the Return to previous screen button.
15. Select the Parameters tab, and locate the Application Profile parameter. Use the drop-down menu to select the newly created application profile.
16. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary
tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from
different protocols.
17. When the test completes, a window will appear. Click Close.
18. Next, click the View the report button. This will open detailed results in a new browser window.
19. Expand the Test Results for Maximum Throughput folder and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.
20. Next, select TCP Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.
21. Select TCP Close Time. The shorter the TCP close time, the better, as the DUT is able to close out the current connection quickly and free resources to open a new connection.
22. Select Frame Latency. The smaller the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.
23. Select Transmitted Frame Size. This provides a breakdown of frame sizes that were transmitted.
24. Next, expand the Details folder. Also, expand the App Throughput: by protocol folder. Select the second item, App Throughput: protocol httpadv, and determine how the different protocol was handled.
25. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine how all the httpadv was handled by the DUT.
26. Select Frame Data Rate, and determine the maximum throughput the DUT was able to handle.
If any variations were performed with the Baseline Application Performance: Throughput test, make sure to repeat those
variations with this test.
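The results read in steps 19 to 26 are easiest to judge when set against the same results from the Baseline Application Performance: Throughput run. The sketch below is an added example, not part of the BreakingPoint methodology or product: the metric keys, the 10% tolerance and the sample numbers are constructed, and the values are assumed to have been copied by hand from the two reports in matching units.

```python
# Direction of "better" for each result inspected in the steps above:
# times and latency should be as low as possible, frame data rate as high
# as possible. Key names are hypothetical labels, not report field names.
LOWER_IS_BETTER = {
    "tcp_setup_time": True,
    "tcp_response_time": True,
    "tcp_close_time": True,
    "frame_latency": True,
    "frame_data_rate": False,
}

def compare_runs(baseline, current, tolerance=0.10):
    """Return {metric: (worsening, verdict)} for every known metric.

    worsening is the relative change, signed so that a positive value
    always means the DUT did worse than in the baseline run.
    """
    results = {}
    for metric, lower_better in LOWER_IS_BETTER.items():
        base, cur = baseline.get(metric), current.get(metric)
        if base is None or cur is None:
            results[metric] = (None, "missing")      # not recorded in one run
            continue
        if base == 0:
            results[metric] = (None, "no-baseline")  # relative change undefined
            continue
        change = (cur - base) / base
        worsening = change if lower_better else -change
        verdict = "regressed" if worsening > tolerance else "ok"
        results[metric] = (round(worsening, 3), verdict)
    return results

def regressions(baseline, current, tolerance=0.10):
    """Sorted names of metrics that got worse by more than the tolerance."""
    compared = compare_runs(baseline, current, tolerance)
    return sorted(m for m, (_, v) in compared.items() if v == "regressed")

# Constructed sample values (not measurements from any real device).
BASELINE = {"tcp_setup_time": 0.50, "tcp_response_time": 1.20,
            "tcp_close_time": 0.40, "frame_latency": 80.0,
            "frame_data_rate": 940.0}
UNDER_TEST = {"tcp_setup_time": 0.52, "tcp_response_time": 1.80,
              "tcp_close_time": 0.40, "frame_data_rate": 700.0}

if __name__ == "__main__":
    for name, (delta, verdict) in compare_runs(BASELINE, UNDER_TEST).items():
        print(f"{name:20s} {delta!s:>8} {verdict}")
```

A metric missing from one run is reported as such rather than silently skipped, so an incomplete transcription of a report does not read as a clean result.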
About BreakingPoint
BreakingPoint pioneered the first and only Cyber Tomography Machine
(CTM) to expose previously impossible-to-detect stress fractures within
cyber infrastructure components before they are exploited to compromise
customer data, corporate assets, brand reputation and even national security.
BreakingPoint products are the standard by which the world’s governments,
enterprises, and service providers optimize the resiliency of their cyber
infrastructures. For more information, visit www.breakingpoint.com.
BreakingPoint Storm CTM
BreakingPoint has pioneered Cyber Tomography with the introduction of
the BreakingPoint Storm CTM, enabling users to see for the first time the
virtual stress fractures lurking within their cyber infrastructure through the
simulation of crippling attacks, high-stress traffic load and millions of users.
BreakingPoint Storm CTM is a three-slot chassis that provides the equivalent
performance and simulation of racks and racks of servers, including:
• 40 Gigabits per second of blended stateful application traffic
• 30 million concurrent TCP sessions
• 1.5 million TCP sessions per second
• 600,000+ complete TCP sessions per second
• 80,000+ SSL sessions per second
• 100+ stateful applications
• 4,500+ live security strikes
BreakingPoint Resources
Hardening cyber infrastructure is not easy work, but nothing that is this
important has ever been easy. Enterprises, service providers, government
agencies and equipment vendors are under pressure to establish a cyber
infrastructure that can not only repel attack but is resilient to application
sprawl and maximum load. BreakingPoint’s Cyber Tomography Machine
(CTM) provides the technology and solutions that allow these organizations
to create a hardened and resilient cyber infrastructure. BreakingPoint also
provides the very latest industry resources to make this process that much
easier, including Resiliency Methodologies, How-to Guides, white papers,
webcasts, and a newsletter. To learn more, visit
www.breakingpoint.com/resources.
BreakingPoint Labs Community
Join discussions on the latest developments in hardening cyber
infrastructure. BreakingPoint Labs brings together a diverse community of
people leveraging the most current insight to harden cyber infrastructure to
withstand crippling attack and high-stress application load.
Visit www.breakingpointlabs.com.
Contact BreakingPoint
Learn more about BreakingPoint
products and services by contacting a
representative in your area.
1.866.352.6691 U.S. Toll Free
www.breakingpoint.com
BreakingPoint Global Headquarters
3900 North Capital of Texas Highway
Austin, TX 78746
email: [email protected]
tel: 512.821.6000
toll-free: 866.352.6691
BreakingPoint EMEA Sales Office
Paris, France
email: [email protected]
tel: + 33 6 08 40 43 93
BreakingPoint APAC Sales Office
Suite 2901, Building #5, Wanda Plaza
No. 93 Jianguo Road
Chaoyang District, Beijing, 100022, China
email: [email protected]
tel: + 86 10 5960 3162