Ixia models attacks on your systems so you can test your defenses

How well have you built your IT security defenses? Can your system withstand an attack? The worst time to answer these questions is during an actual attack. Ixia helps you model a variety of attack scenarios so you can test your defenses before they are needed for real.

We can all take a lesson from NASA. When the space agency is planning an extravehicular activity (EVA) on any of its missions, the astronauts and support engineers practice the entire activity here on Earth. Numerous hours of practice allow the team to work out any kinks and prepare for unplanned scenarios. Being well trained and well prepared vastly increases the likelihood of mission success.

Let's take this lesson into the enterprise. As networks grow more complex and security threats more sophisticated, organizations need to test their defense strategies and learn what works well and what doesn't. This helps organizations gain confidence and reduce their risk as they move these defenses into a production environment.

Consider today's trend of increased distributed denial of service (DDoS) attacks. Practically every organization with a Web presence is at risk of this kind of attack. Organizations must ask themselves: Can our security infrastructure withstand a sustained DDoS attack? When we are under an attack, what is the impact to legitimate users? What level of customer and business operations can we maintain while subjected to different kinds of attacks? If we are experiencing a DDoS attack, can we detect a simultaneous intrusion attempt?

The worst time to answer these questions is during an actual attack.

Ixia helps organizations get the answers by enabling them to model a range of attack or configuration scenarios in a safe environment. Ixia's network security products are chassis-based devices that the IT team can use to model the life cycle of DDoS attack scenarios; rigorously evaluate firewalls, routers and IPSs; or model the effects of configuration changes on any Web-facing device.

Ixia works with three types of customers. Security equipment manufacturers test their own products' strengths and capabilities by pounding them with Ixia's attack models. Service providers use Ixia devices to model various types of attacks on their environment to understand how to detect and block the attacks. And the third customer segment, enterprise organizations (including government agencies), benefits from the knowledge gleaned from the equipment vendors and the service providers as well as from Ixia's own in-house research team.

Here are just a few use cases for enterprise security modeling using Ixia devices.

One company with a high-profile Web presence wanted to test its DDoS mitigation capabilities. The company set up an Ixia chassis to emulate a million zombie PCs in a botnet and to listen to a live Internet Relay Chat (IRC) server. They set up an IRC server that sent commands over an SSL channel to the million simulated bots, including which machine to attack and which URLs to use. The Ixia chassis was able to attack that site with a 30GB SYN flood attack.

The scenario shows that not everything has to be contained within the Ixia chassis; the simulated bots can interact with real external servers, whether DNS servers, Web servers, IRC servers, etc. This entire model allowed the company to see how well its security defenses could both detect the command-and-control (C&C) traffic and handle the high-scale attack.

In another case, a company incorporated the Ixia solution into its change management process, running it before making any configuration changes to its firewalls, switches and IPS. The company has a standardized set of tests that it runs on the Ixia device, and it has developed a scoring system for the tests. For example, it makes sure that the system performance metrics don't change by more than 3%, and it makes sure that everything it considers important to block is still being blocked by the preconfigured system. It tests standalone devices in isolation as well as the system as a whole. Because it has a cascade of an IPS, then a firewall, then a router, it also tests these devices as a single unit, on the reasoning that interactions among those devices can go unnoticed when each is tested only in isolation.

In any scenario, the organization defines what a transaction is; for example, grabbing an object off a Web page, or conducting a complete banking transaction. The company can establish a baseline of 'x' number of users making real transactions, and what the transaction latency is for those users. Then the organization can ramp up its simulated attack: start with a DDoS flood at a low rate and then perhaps add some application-layer attacks. It can look at the throughput for the valid application traffic at different points through the test and also at the transaction latency, which is a good indicator of user experience.

Ixia has a library of thousands of types of attacks that an organization can send to their systems to see what percentage of the attacks are stopped, and what types are blocked and how they are blocked. This kind of information is very valuable for understanding vulnerabilities and finding ways to plug the holes before a real attack causes havoc.
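The change-management gate (metrics must not move by more than 3%, and everything on the must-block list must still be blocked), the ramped attack measured against a transaction-latency baseline, and the percentage-blocked figure described above can all be expressed as a small scoring script. The following is an added, constructed example and is not Ixia's software or any customer's actual scoring system; the test runs, attack names, metric values and the 25% under-attack latency tolerance are all assumptions made up for illustration.

```python
"""Hypothetical scoring gate for security-stack change management.

Constructed example modelled on the process described in the article; it is not
Ixia's code or a real customer's system. It takes metrics and block results from
a baseline test run and a candidate run (after a configuration change), flags any
metric that regresses by more than 3%, flags any required block that is missing,
and walks a ramped attack series to find the first stage that degrades user
experience beyond a chosen tolerance. All sample data is constructed inline.
"""
from dataclasses import dataclass

MAX_REGRESSION = 0.03          # 3% tolerance, the figure quoted in the article
ATTACK_LATENCY_TOLERANCE = 0.25  # assumption: 25% extra latency allowed under attack

# Direction of "worse" for each metric: throughput/TPS falling is a regression,
# latency rising is a regression.
HIGHER_IS_BETTER = {
    "throughput_mbps": True,
    "transactions_per_sec": True,
    "transaction_latency_ms": False,
}


@dataclass
class TestRun:
    metrics: dict          # metric name -> measured value
    block_results: dict    # attack name -> True if the security stack blocked it


def metric_regression(name, baseline, candidate):
    """Fractional regression of a metric relative to baseline (positive = worse)."""
    if baseline == 0:
        raise ValueError(f"baseline for {name} is zero; cannot compute regression")
    change = (candidate - baseline) / baseline
    return -change if HIGHER_IS_BETTER[name] else change


def score_change(baseline, candidate, must_block, tolerance=MAX_REGRESSION):
    """Gate a configuration change: return (passed, list_of_findings)."""
    findings = []
    for name, base_val in baseline.metrics.items():
        cand_val = candidate.metrics.get(name)
        if cand_val is None:
            findings.append(f"missing metric in candidate run: {name}")
            continue
        reg = metric_regression(name, base_val, cand_val)
        if reg > tolerance:
            findings.append(f"{name} regressed {reg:.1%} ({base_val} -> {cand_val})")
    for attack in must_block:
        if not candidate.block_results.get(attack, False):
            findings.append(f"required block missing: {attack}")
    return (len(findings) == 0, findings)


def block_rate(run):
    """Fraction of the attack library that was blocked in this run."""
    if not run.block_results:
        return 0.0
    return sum(1 for blocked in run.block_results.values() if blocked) / len(run.block_results)


def first_breaking_stage(baseline_latency_ms, ramp, tolerance=ATTACK_LATENCY_TOLERANCE):
    """Walk a ramped attack series [(stage_label, latency_ms), ...] in order and
    return the first stage whose transaction latency exceeds the tolerance, or None."""
    for label, latency in ramp:
        if metric_regression("transaction_latency_ms", baseline_latency_ms, latency) > tolerance:
            return label
    return None


# --- constructed sample data (not real measurements) ---------------------------
MUST_BLOCK = ["syn_flood", "http_flood", "sqli_probe"]

BASELINE = TestRun(
    metrics={"throughput_mbps": 9400.0, "transactions_per_sec": 1200.0,
             "transaction_latency_ms": 48.0},
    block_results={"syn_flood": True, "http_flood": True, "sqli_probe": True,
                   "dns_amplification": True},
)

# Small drift in every metric, everything still blocked: should pass the gate.
CANDIDATE_OK = TestRun(
    metrics={"throughput_mbps": 9300.0, "transactions_per_sec": 1180.0,
             "transaction_latency_ms": 49.0},
    block_results=dict(BASELINE.block_results),
)

# Throughput and latency regress past 3%, and one required block is lost.
CANDIDATE_BAD = TestRun(
    metrics={"throughput_mbps": 9000.0, "transactions_per_sec": 1200.0,
             "transaction_latency_ms": 55.0},
    block_results={"syn_flood": True, "http_flood": False, "sqli_probe": True,
                   "dns_amplification": True},
)

# Ramped attack: low-rate flood first, then heavier, then application-layer on top.
RAMP = [("ddos_low_rate", 48.5), ("ddos_mid_rate", 49.2),
        ("ddos_high_rate", 61.0), ("ddos_high_rate+app_layer", 140.0)]

if __name__ == "__main__":
    for label, cand in (("ok", CANDIDATE_OK), ("bad", CANDIDATE_BAD)):
        passed, findings = score_change(BASELINE, cand, MUST_BLOCK)
        print(f"{label}: passed={passed} block_rate={block_rate(cand):.0%}")
        for f in findings:
            print("  -", f)
    print("first breaking stage:", first_breaking_stage(48.0, RAMP))
```

The gate reports every failing condition rather than stopping at the first one, so an operator sees the whole picture of a bad change in a single run; the ramp walker stops at the first failing stage because the point there is to find the attack level at which user experience starts to suffer.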

Linda Musthaler is a Principal Analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.
