Testing can tighten your security: identify vulnerabilities before they are exploited through analysis done in lab simulations
Communications News, Dec, 2005 by Joe Tomasello
In today's risk-filled online environment, testing network security solutions is essential. When your network is always on and globally accessible, how can you be sure that you are adequately protected?
Even if your security systems are kept current with relevant patches, the threat level remains high. Zero-day attacks are becoming the norm, and the window of vulnerability is hard to keep closed. The way to stay ahead of vulnerabilities is to identify them before they are exploited, and the best way to do this is by testing your security infrastructure with a realistic mixture of both good and hostile network traffic.
A perimeter defense using stateful firewalls no longer offers adequate protection against the frequency and complexity of modern-day threats. Recent threats have taken the form of exploits that appear to be legitimate business applications, generating traffic that can bypass traditional firewalls. Nimda and Code Red are prime examples of exploits using the HTTP protocol to create havoc.
A new generation of network security products is being used to address these potent challenges. Devices such as application-aware firewalls, intrusion detection and prevention systems (IPS), and deep-packet inspection engines combined with perimeter firewalls are now being used to deliver a layered network security strategy. The challenge becomes how to test a strategy that is designed to allow good traffic in and keep malicious traffic out.
In order to create a comprehensive testing strategy, you need to be able to generate test traffic in the lab environment that simulates not only normal, positive IP traffic, but also negative traffic that contains malicious threats to the network. In the real world, your network is exposed to both positive traffic, such as e-commerce, e-mail, and file transfers, as well as negative traffic, such as viruses, worms and other types of malware.
Until now, this diverse range of traffic has been difficult to simulate in the lab environment, forcing companies to deploy hardware or software without pre-testing the solution. Known in the industry as "plug and pray," this approach is fraught with peril. The battle against hostile traffic cannot be won simply by relying on manufacturer's specifications. IT professionals need a solution that enables them to benchmark performance thresholds and quantify the security capabilities of their networks.
Creating a comprehensive security testing program involves two key factors:
* how the network behaves under heavy loads; and
* how the network behaves when it is under attack.
In order to quantify network security and evaluate end-to-end network performance, both of these factors should be assessed. The more realistically the production environment can be emulated in a controlled lab setting, the more meaningful the test results will be. Testing should be conducted both at the device level and system level, and any device that is inline to the data flow should be tested. This includes application-aware firewalls, IPS systems, deep-packet inspection systems and security systems designed to protect against distributed denial-of-service (DDOS) attacks.
STRESS TESTING NECESSARY
Simply testing the network throughput and measuring system latency is not enough. Testing with actual application traffic is the only way to accurately assess the performance impact your security systems have on the network. Latency-sensitive applications such as voice over IP can be seriously impacted as network loading increases up to and beyond calculated thresholds.
By stress-testing the network with a highly realistic stream of application traffic, precise thresholds where network performance starts to be impacted can be established. These thresholds include connections per second, transactions per second, available bandwidth and accuracy of threat detection.
At the same time performance begins to decline, certain security vulnerabilities become apparent as the network elements start to overload. These vulnerabilities are only detectable under heavy network loading, underscoring the need for stress-testing the network. Creating a comprehensive security strategy requires testing of both individual devices and the overall system's ability to accurately detect malware, as well as the performance impact that occurs while malicious traffic is mitigated and stopped.
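As an added illustration (not part of the original article), the sketch below shows one way to turn lab stress-test results into the thresholds described above. The record layout, the pass/fail limits and the sample figures are all assumptions constructed for the example, not measurements from any product.

```python
from dataclasses import dataclass

@dataclass
class LoadStep:
    cps: int            # offered connections per second at this step
    latency_ms: float   # median latency of legitimate transactions
    good_sent: int      # legitimate transactions offered
    good_passed: int    # legitimate transactions that completed
    bad_sent: int       # hostile flows offered
    bad_blocked: int    # hostile flows the device stopped

# Constructed sample results for one inline device (not real measurements).
RESULTS = [
    LoadStep(1000, 2.1, 50000, 50000, 500, 500),
    LoadStep(2000, 2.3, 50000, 50000, 500, 500),
    LoadStep(4000, 2.9, 50000, 49990, 500, 499),
    LoadStep(6000, 3.9, 50000, 49960, 500, 489),
    LoadStep(8000, 11.5, 50000, 47100, 500, 452),
]

def thresholds(steps, max_latency_factor=2.0, min_detect=0.99, min_pass=0.999):
    """Return (highest load passing every check, first failing load per check).

    The limits are assumed acceptance criteria: latency may grow to
    max_latency_factor times the lightest-load baseline, and the detection
    and good-traffic ratios must stay at or above their minimums.
    """
    if not steps:
        raise ValueError("no load steps supplied")
    steps = sorted(steps, key=lambda s: s.cps)
    baseline = steps[0].latency_ms
    first_fail = {"latency": None, "detection": None, "good_traffic": None}
    safe_cps = None
    for s in steps:
        checks = {
            "latency": s.latency_ms <= baseline * max_latency_factor,
            "detection": s.bad_blocked / s.bad_sent >= min_detect,
            "good_traffic": s.good_passed / s.good_sent >= min_pass,
        }
        for name, ok in checks.items():
            if not ok and first_fail[name] is None:
                first_fail[name] = s.cps
        # A step counts as safe only if nothing has failed at or below it.
        if all(v is None for v in first_fail.values()):
            safe_cps = s.cps
    return safe_cps, first_fail

if __name__ == "__main__":
    print(thresholds(RESULTS))
```

In this constructed data set the detection ratio drops below its limit at 6,000 connections per second while latency and good-traffic delivery still pass, which is why each criterion is tracked separately rather than relying on throughput figures alone.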
Confronting malicious traffic in the lab environment is far more desirable than coping with it after it has entered your production network. Most perimeter devices can protect against DDOS attacks, but the current generation of threats is penetrating network security by attaching themselves to legitimate business applications.
One way to safeguard against this threat is lab-based testing of hostile traffic's effect on the network. That is why immediate access to a current, frequently updated knowledge base of archived threats can be important in securing the enterprise.
In the continuing chess game between IT professionals and hostile entities, new malware outbreaks can occur at any time. Companies are fighting back by downloading threat signatures on a zero-day basis. This allows in-house testing to begin almost as soon as the outbreak occurs, mitigating the risks of network downtime or a serious security breach.




