Skip Links

Enterprise security testing: What are you missing?

By Aswath Mohan, director of marketing, Spirent Communications, special to Network World
December 12, 2012 09:36 AM ET

Network World - This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

For all the advances in enterprise networking over the years there's been one big step backward: security testing. Relatively few enterprises today conduct regular security tests in-house, relying instead on occasional tests by outside consultants or, more dangerously, just taking vendor claims at face value.

Too often enterprise security testing takes one of two paths, neither satisfactory. Some enterprises buy complex security test tools, along with training, but then the tools gather dust once the trained staff leaves. Or they bring in outside consultants for security audits and penetration tests. While the results can be useful, they offer only a snapshot of the enterprise network at a given point in time. Obviously, both approaches have drawbacks.

ROUNDUP: Worst security snafus of 2012

What's really needed is an understanding that network security is an ongoing process, not a single product or service. Security test tools will continue to be important -- but only if they're actually used. With that in mind, here are some guidelines for assessing in-house security test tools:

* Ease of use and portability. The most common reason security test tools fall into disuse is their inherent complexity. We live in an age where children take to tablet interfaces with no instruction. There's no reason why security test tool interfaces should require a Ph.D. in network forensics to operate. And testers should get the same look and feel, regardless of whether a test is run from a desktop, tablet, smartphone or any other device.

* Meaningful, repeatable results: Test traffic should offer as much realism as possible. For example, tests that simply packet-blast a firewall with stateless small packets aren't very interesting, especially if the firewall's job is to guard against specific types of stateful application-layer attacks.

* DoS/DDoS protection: There are times when packet-blasting at high rates is exactly what's needed, and that's true for denial-of-service testing. Test tools need to have enough horsepower to saturate one or more backbone links with known forms of DoS and DDoS attacks, and they need to do so in a way that offers fine-grained control of key traffic parameters such as attack source addresses.

* Fuzzing. There's a bit of an arms race going on among vendors of signature-based security devices such as intrusion prevention devices (IPSs). One vendor will claim its IPS supports X number of signatures, while another will say its products are better because it has 2X signatures.

Unfortunately, neither vendor can claim totally effective protection because of a basic limitation with the signature-based approach: Signatures match only an exact sequence of bytes or packets. As a result, altering even one bit in a sequence is likely to "blind" a signature. Attackers know this, and make small changes to known vulnerabilities to escape detection. In effect, the attackers are fuzzing exploit traffic by changing parts of a known signature.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News