Network and application layer tests reveal security gaps

Computer Technology Review, August, 2003 by Josh Goldstein

The Slammer worm struck in late January 2003. Exploiting a buffer overflow in Microsoft SQL Server 2000 (a flaw Microsoft had patched six months earlier), it quickly attacked Internet hosts around the world. As it spread, the infected population doubled every 8.5 seconds, and within 10 minutes it had infected more than 90% of vulnerable servers. The worm worked by generating some 55 million scans per second across the Internet, saturating the links and routers in its path. It carried no malicious payload, that is, no code meant to damage individual computers. It didn't need to.

The worm cut off nearly all Internet access in wired South Korea for 8 straight hours. In the U.S., Bank of America ATMs slowed to a crawl, while 911 call centers struggled to operate with slow or frozen emergency data. Thousands of other financial centers and corporations were shut down or severely slowed as the worm spread world-wide; many lost millions of dollars as their networks and applications were loaded beyond their limits.

The effect was a Denial of Service (DoS) attack: a flood of packets that overwhelms network resources and slows down (or takes down) whole systems. Slammer did not even need to aim; the scanning traffic it used to find new victims was itself the flood. A DoS attack may launch from a single source, or from many sources at once, which is called a Distributed DoS (DDoS). (In a nod to '50s horror movies, the compromised hosts that launch a distributed attack are called "zombies.") Worse still, DoS attack tools are publicly available.
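The three patterns just described (a single-source flood, a distributed flood from many zombies, and a scanning worm whose probes are the flood) can be told apart in flow records by fan-in and fan-out. The following is an added example, not code from the article: it classifies a constructed set of flow records. The record layout (source, destination, protocol, destination port, packet count), the thresholds, and the sample addresses are assumptions for illustration, and the scan check is general rather than tied to Slammer's port.

```python
"""Tell single-source floods, distributed floods and scanning worms apart
from flow records.  Added example; the record layout (src, dst, proto,
dport, packets), the thresholds and the sample data are assumptions.
"""
from collections import defaultdict

# Constructed sample flows (not captured traffic). Three things are hidden
# in the background noise: a Slammer-style scanner spraying UDP/1434 at many
# hosts, forty "zombies" converging on one web server, and one host pushing
# a large single-source flood at a DNS server.
SAMPLE_FLOWS = (
    [("192.0.2.10", f"203.0.113.{i}", "udp", 1434, 1) for i in range(1, 61)]
    + [(f"198.51.100.{i}", "10.0.0.5", "tcp", 80, 500) for i in range(1, 41)]
    + [("192.0.2.99", "10.0.0.11", "udp", 53, 5000)]
    + [("10.0.0.7", "10.0.0.5", "tcp", 80, 20),
       ("10.0.0.8", "10.0.0.9", "tcp", 443, 15)]
)


def classify(flows, fanout_threshold=50, zombie_threshold=25,
             flood_packets=1000):
    """Return a list of findings over one observation window.

    ("scan", src, n_destinations, [(proto, dport), ...]): one source talking
        to many destinations, the signature of a scanning worm.
    ("ddos", dst, n_sources, total_packets): many sources converging on one
        destination, the signature of a zombie network.
    ("dos", src, dst, packets): a single source flooding a single target.
    The thresholds are illustrative; tune them per window length and link.
    """
    dst_by_src = defaultdict(set)
    src_by_dst = defaultdict(set)
    packets_to_dst = defaultdict(int)
    packets_per_pair = defaultdict(int)
    for src, dst, proto, dport, pkts in flows:
        dst_by_src[src].add((dst, proto, dport))
        src_by_dst[dst].add(src)
        packets_to_dst[dst] += pkts
        packets_per_pair[(src, dst)] += pkts

    findings = []
    # Fan-out: one source, many distinct destinations.
    for src, targets in sorted(dst_by_src.items()):
        if len(targets) >= fanout_threshold:
            ports = sorted({(proto, dport) for _, proto, dport in targets})
            findings.append(("scan", src, len(targets), ports))
    # Fan-in: many distinct sources, one destination.
    for dst, sources in sorted(src_by_dst.items()):
        if len(sources) >= zombie_threshold:
            findings.append(("ddos", dst, len(sources), packets_to_dst[dst]))
    # Volume on a single source/destination pair.
    for (src, dst), pkts in sorted(packets_per_pair.items()):
        if pkts >= flood_packets:
            findings.append(("dos", src, dst, pkts))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_FLOWS):
        print(finding)
```

In practice the counts are taken per time window (a few seconds of NetFlow or sFlow records), so the thresholds express rates rather than absolute counts, and the fan-out check is the one that fires first for a worm: a single source touching dozens of fresh addresses on one port in a second is abnormal long before the link is saturated.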

Networks can defend against DoS attacks, and against heavy loads that have more innocent causes. Part of a protection strategy is intrusion prevention and tight security, but another important part is load balancing, the ability to shift processing between servers. If some servers buckle under high demand, load balancers transparently shift requests to servers with spare capacity. Load balancing spreads demand, though; it does not add capacity, so a DoS attack large enough to exceed the pool as a whole can overwhelm the load balancers themselves, compromising the network and deeply impacting application service levels.

Of course, DoS worms aren't the only threat to networks; so is legitimate traffic from demanding applications like Web services, VoIP, e-mail and IP-based enterprise applications. The sheer volume of this data strains individual servers and clusters, yet operations demand 24x7 continuous uptime. When an hour of downtime can cost millions of dollars, firms need to be certain their networks can handle the expected load and severe spikes. This is true for corporate users as well as network service providers, including intra-enterprise networks, Application Service Providers (ASPs), Storage Service Providers (SSPs), Managed Service Providers (MSPs), Content Delivery Networks (CDNs) and many others.

So network administrators test for flaws, guard against intrusion and put in load balancers. But how can they be sure they're sufficiently protected without realistically testing their setup? They can't, without running traffic tests, and it is hard to deliberately flood a production network with huge amounts of traffic without risking the very outage the test is meant to prevent. And even if they could, what if they're wrong about the network standing up to the load? Network administrators need testing technologies that can spawn heavy traffic without hurting the network, and that can analyze and report on how that traffic affects the network and its enterprise applications.

Best practices in enterprise load testing include:

* Simulate heavy data traffic and massive network loads, then measure end-to-end performance and scalability of network transactions. Testing applications can create thousands of virtual network clients to emulate loads of up to 10 Gigabits per second. Once the network is fully loaded, administrators can measure end-to-end performance for both the network and its applications. This shows the relative performance and scalability of the network and applications under heavy load, and also shows the impact a new enterprise application will have on the existing network before it goes live.

* Use virtual network clients with high-speed connections to generate millions of Web-page requests, then analyze performance and isolate bottlenecks. This test should stress the entire infrastructure at once, including application-aware switches, server load balancers, intrusion detection systems, firewalls, and Web servers. Administrators can also measure application response times under the load of heavy Web traffic. (Slammer, by contrast, generated a flood of small UDP packets rather than Web requests; what the two have in common is a volume of traffic the whole chain of devices must absorb without falling over.)

* Use virtual private network (VPN) technology to establish and test secure gateways throughout the network. Administrators can generate enterprise application loads over VPN tunnels, then measure the resulting response times and compare them to application service level requirements. Testing technology can set up thousands of tunnels to measure tunnel capacity and establishment rates under heavy load, and can send application-layer traffic over the tunnels to measure data throughput, where the cost of encryption and of tunnel setup shows up as added latency.

* Test for security vulnerabilities by simulating distributed denial-of-service attacks. Since denial of service is a favorite hacker trick, administrators should mount virtual DDoS attacks on firewalls, servers, routers, and switches to test their network for weak points. Schedule such tests in a maintenance window, with written authorization and a way to stop the traffic immediately, because a simulated DDoS that succeeds is a real outage.
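The first two practices above come down to the same harness: spawn many virtual clients, time each request end to end, and compare the latency percentiles and error rate with the service level the application is supposed to meet. The following is an added example, not code from the article or from any testing product. The SLA figures, the `SimulatedTarget` model (a stand-in server whose latency grows with concurrent requests and which refuses requests past a fixed capacity, so the example runs offline) and the `http_get` transport are assumptions for illustration; pointing the same `run_load` function at a real endpoint only requires swapping in a different request function.

```python
"""Virtual-client load test with end-to-end latency and SLA reporting.
Added example, not the article's; the SLA figures, the simulated target and
the urllib transport are assumptions for illustration.
"""
import math
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor


def percentile(samples, pct):
    """Nearest-rank percentile of a non-empty list of samples."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def run_load(request_fn, clients, requests_per_client,
             sla_p95_ms, sla_error_rate):
    """Spawn `clients` virtual clients, each issuing `requests_per_client`
    calls to request_fn() -> bool (True on success), and report end-to-end
    latency percentiles, throughput, error rate and whether the SLA held."""
    results = []
    lock = threading.Lock()

    def virtual_client():
        local = []
        for _ in range(requests_per_client):
            t0 = time.perf_counter()
            try:
                ok = bool(request_fn())
            except Exception:          # timeout, refused connection, reset
                ok = False
            local.append((ok, time.perf_counter() - t0))
        with lock:
            results.extend(local)

    started = time.perf_counter()
    with ThreadPoolExecutor(max_workers=clients) as pool:
        for _ in range(clients):
            pool.submit(virtual_client)
    wall = time.perf_counter() - started

    total = len(results)
    errors = sum(1 for ok, _ in results if not ok)
    latencies_ms = [elapsed * 1000 for ok, elapsed in results if ok]
    report = {
        "requests": total,
        "errors": errors,
        "error_rate": errors / total if total else 1.0,
        "throughput_rps": total / wall if wall > 0 else 0.0,
    }
    for pct in (50, 95, 99):
        report[f"p{pct}_ms"] = percentile(latencies_ms, pct) if latencies_ms else None
    # The SLA is judged on successful requests only; a target that refuses
    # everything has no latency to report and fails on error rate.
    report["sla_met"] = (
        report["p95_ms"] is not None
        and report["p95_ms"] <= sla_p95_ms
        and report["error_rate"] <= sla_error_rate
    )
    return report


def http_get(url, timeout=5.0):
    """Request function for a real target (assumed URL): one GET, success on 2xx."""
    def request():
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    return request


class SimulatedTarget:
    """Stand-in for a server behind a load balancer, so the example runs
    offline: latency grows with in-flight requests, and any request beyond
    `capacity` concurrent ones is refused.  Constructed for the example,
    not a model of any real product."""

    def __init__(self, base_ms=1.0, per_inflight_ms=0.5, capacity=64):
        self.base_ms, self.per_inflight_ms, self.capacity = base_ms, per_inflight_ms, capacity
        self._inflight = 0
        self._lock = threading.Lock()

    def request(self):
        with self._lock:
            self._inflight += 1
            inflight = self._inflight
        try:
            if inflight > self.capacity:
                return False           # refused: the queue is full
            time.sleep((self.base_ms + self.per_inflight_ms * inflight) / 1000)
            return True
        finally:
            with self._lock:
                self._inflight -= 1


if __name__ == "__main__":
    target = SimulatedTarget(base_ms=2.0, per_inflight_ms=1.0, capacity=16)
    for clients in (4, 16, 64):
        rep = run_load(target.request, clients, 20, sla_p95_ms=25.0, sla_error_rate=0.01)
        print(f"{clients:3d} clients: {rep}")
```

Running the stand-alone demo steps the client count up until the simulated target starts refusing, which is the point of the exercise: the report shows the knee where p95 latency crosses the SLA and the error rate climbs, and that knee is the capacity figure to compare against the traffic a worm or a busy day will actually send.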

Content provided in partnership with Thomson Gale