
Deep Packet Inspection Test Methodology

Nov 07, 2014


www.breakingpoint.com © 2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. All other trademarks are the property of their respective owners.

Rethink Deep Packet Inspection (DPI) Testing

Rethink Deep Packet Inspection Testing

A Methodology to measure the performance, security, and stability of deep packet inspection (DPI) devices under realistic conditions

Table of Contents

Introduction
Maximum Performance
Maximum Performance Using Jumbo Frames
Maximum TCP Connection Rate
Maximum Concurrent TCP Connections
Strike Mitigation
Strikes Blocking with IP Fragmentation
SYN Flood
Inappropriate Content Filtering
Spam Email Blocking
Suspicious Content Detection
Webmail Phrase Detection
About BreakingPoint

Introduction

Deep Packet Inspection (DPI) functionality enables network devices such as content-aware switches and routers, next generation firewalls, intrusion prevention systems (IPS), and application delivery controllers to inspect and take action based on the content and context of packets as they travel across the network. DPI functionality goes well beyond the protocol header into data protocol structures and the actual payload of the message. This allows DPI-capable devices to identify and classify traffic, providing a granular level of packet inspection to help mitigate buffer overflow attacks, Denial of Service (DoS) attacks, intrusions, worms and even spam. DPI technology also enables solutions such as metering to ensure quality of service, lawful intercept of information and data leak prevention.

DPI has become a mainstream technology and something that businesses and individuals traversing networks come across, albeit unintentionally, every day. One of the more high-profile uses of DPI involves service providers who leverage DPI to ensure quality of service to customers in the face of an explosion of peer-to-peer (P2P) traffic. Using DPI technology, service providers better manage bandwidth in real time, allowing for non-essential services such as P2P file sharing applications while giving priority to essential services during peak times.

Since DPI plays such an important role in providing increased network security, tiered Internet services and data loss prevention, the ability to test DPI functionality is critical. The following BreakingPoint Deep Packet Inspection Resiliency Methodology demonstrates how to create realistic global network simulations in order to properly verify the DPI capabilities of your device.

Performing this series of tests using the BreakingPoint Storm CTM™ on a DPI device will help determine the device’s actual abilities under different circumstances. For example, the DPI device may perform as expected under a light traffic load but, when under a higher load, perform at a fraction of its stated ability. Performing these tests will help you better understand the impact of different scenarios and the reasons behind the results.

Realism is key in network simulation; therefore, we recommend that the test environment emulate the deployment environment as closely as possible. Directly connected devices such as routers, switches and firewalls impact packet loss, latency and data integrity. Additionally, the number of advertised host IP and MAC addresses, VLAN tagging and NAT can also affect the performance of the DPI device.

If it is not feasible to recreate the deployment environment, we recommend connecting the BreakingPoint Storm CTM directly to the device under test (DUT). Regardless of how your deployment environment is set up, be certain that all DPI devices and builds that are under evaluation use the same test environment to ensure consistent results.

Recommended tests included in the methodology:

Maximum Performance
This test will validate the throughput performance the DPI device is able to handle when it does not have to inspect each packet’s content. The overall throughput that the DPI device is able to support will be determined.

Maximum Performance Using Jumbo Frames
This test will validate the throughput performance the DPI device is able to handle when it does not have to inspect the contents of each jumbo frame. The overall throughput that the DPI device is able to support will be determined.

Maximum TCP Connection Rate
This test will validate DPI device performance by using only good traffic without requiring the DPI device to inspect each packet. Various TCP metrics will be analyzed to determine how a greater number of TCP connections per second affects the time it takes to establish a new TCP connection.

Maximum Concurrent TCP Connections
This test will validate the DPI device performance by using only good traffic and without requiring the DPI device to inspect each packet. Various TCP metrics will be analyzed to determine how a greater number of TCP connections affects the time it takes to establish a new TCP connection.

Strike Mitigation
This test validates the ability of the DPI device to remain stable while vulnerabilities, worms and backdoors are transmitted. To perform this test, an Attack Series will be used that includes high-risk vulnerabilities, worms and backdoors. The number of attacks blocked by the DPI device will be determined as well as the number of attacks that were successfully able to pass through.

Strike Blocking with IP Fragmentation
This test is identical to the “Strike Mitigation” test, except that IP fragmentation will be utilized as an evasion technique.

SYN Flood
This test determines how the DPI device performs when subjected to a SYN flood. The device should be able to detect and block the SYN flood.

Inappropriate Content Filtering
This will test the DPI unit’s ability to recognize and block any session that contains inappropriate material. A major part of DPI functionality is the ability to filter content that is either harmful or not supposed to be on the network. The ability to filter out packets that contain blacklisted words is a major part of DPI.

Spam Email Blocking
This test will determine the DPI device’s ability to recognize and block spam emails. With the growing amount of spam email on today’s networks, it is important to limit the number of spam emails that are able to reach an inbox. Another part of DPI is the ability to recognize and block spam emails.

Suspicious Content Detection
This test will help determine the DPI device’s ability to recognize, record and audit any suspicious content seen. Not all content is harmful to the network, but some could be suspicious in its contents.

Webmail Phrase Detection
This test will determine the DPI device’s ability to inspect and record any Webmail emails that have either keywords or a key phrase in the message. With more and more people using Web-based email products, it is important to be able to inspect the contents of the emails being sent because they could contain information that should not be made public.

Maximum Performance

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

• RFC 2068 – Hypertext Transfer Protocol

Overview:

This test will use the Application Simulator test component and make use of a Max Bandwidth preset. The preset uses the BreakingPoint Bandwidth Application Profile that attempts to achieve the maximum transmission rate using both HTTP and P2P traffic.

Objective:

Test the maximum bandwidth in terms of Mbps (Megabits per second) that the DUT can pass through using real application traffic.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Control Center > Network Neighborhood.

5. Under the Network Neighborhoods heading, click the Create a new network neighborhood button.

6. In the Give the new network neighborhood a name box, enter DPI Tests as the name. Click OK.

7. Four interface tabs are available for configuration. Only two are required for the tests. Click the X to delete Interface 1. When prompted about removing the interface, click Yes. The remaining interfaces will be renamed. Repeat this process until only two interfaces remain.

8. With Interface 1 selected, configure the Network IP Address, Netmask, Gateway IP Address, Router IP Address, Minimum IP Address and Maximum IP Address. Click Apply Changes.

9. Select the Interface 2 tab. Configure the Network IP Address, Netmask and Gateway IP Address. Using the Type drop-down menu, select Host. Configure the Minimum IP Address and the Maximum IP Address. Click Apply Changes and then click Save Network.

10. Now that the Network Neighborhood has been created, you can configure the test. Select Test > New Test.

11. Click Select the DUT/Network under the Test Quick Steps menu.

12. In the Choose a device under test and network neighborhood window, under the Device Under Test(s) section, verify that BreakingPoint Default is selected, and that under Network Neighborhood(s), the newly created one is selected. Click Accept.

13. When prompted about switching Network Neighborhoods because the new test setup has fewer interfaces, click Yes.

14. Select Add a Test Component from the Test Quick Steps menu.

15. Select Application Simulator (L7) from the Select a component type window.

16. The Information tab should already be selected. Enter Max Bandwidth as the name and click Apply Changes.

17. Select the Interfaces tab. Verify that Interface 1 Client and Interface 2 Server are enabled.

18. Select the Presets tab and choose the 1Gbps Max Bandwidth option. Click Apply Changes.

19. Select the Parameters tab. Make any required changes to the parameters to match your device’s ability. For example, the Minimum data rate might need to be changed. If any changes are made, make sure to click Apply Changes.

20. Click Edit Description to edit the test description in the Test Information section.

21. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.

22. In the Test Quick Steps menu, click Save and Run.

23. When prompted to Save Test As, enter DPI Max Bandwidth as the name and click Save.

24. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP, and Ethernet statistics in a tabular form.

25. Select the TCP tab. This tab displays the number of both attempted and successful TCP connections.

26. When the test is completed, a window appears stating that the test passed. Click Close.

27. Click the View the report button. This provides more detailed results in your browser.

28. Expand the Test Results for Max Bandwidth section. Next, expand the Details folder. Select the Frame Data Rate result view. Using the chart and the graph, determine the maximum bandwidth the DUT is able to handle.

Variations of this test that can be run include:

• Step both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10% until 80% has been reached.

• Use different presets, such as the Service Provider App or a custom application profile.

• Increase the duration of the test time.

Maximum Performance Using Jumbo Frames

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

• RFC 894 – A Standard for the Transmission of IP Datagrams over Ethernet

• RFC 2068 – Hypertext Transfer Protocol

Overview:

This test will use the Application Simulator test component and make use of a Max Bandwidth preset. The preset uses the BreakingPoint Bandwidth Application Profile that attempts to achieve the maximum transmission rate using both HTTP and P2P traffic.

Objective:

Test the maximum bandwidth in terms of Mbps (Megabits per second) that the DUT can pass through using real state data and jumbo frames.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Test > Open Recent > DPI Max Bandwidth.

5. Click Save Test As.

6. When prompted to Save Test As, enter DPI Performance Jumbo Frames as the name. Click Save.

7. Select the Parameters tab. Locate the TCP Configuration Maximum Segment Size parameter and enter a value of 4096. Click Apply Changes.

8. If desired, edit the test description in the Test Information section.

9. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.

10. Under the Test Quick Steps menu, click Save and Run.

11. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP, and Ethernet statistics in a tabular form.

12. Select the TCP tab. This will display the number of both attempted and successful TCP connections.

13. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.

14. Click the View the report button. This will open up more detailed results in your browser.

15. Expand Test Results for Max Bandwidth and then expand the Detail folder. Select the Frame Data Rate result view. Using the chart and the graph, determine the maximum bandwidth the DUT is able to handle.

Variations of this test that can be run include:

• Step both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10% until 80% has been reached.

• Use different presets, such as the Service Provider App or a custom application profile.

• Increase the duration of the test time.

Maximum TCP Connection Rate

RFC:

• RFC 793 – Transmission Control Protocol

Overview:

This test will utilize an Application Simulator. The Application Simulator will be configured with the Service Provider Apps preset. The Service Provider Apps preset contains HTTP, different Mail protocols, P2P and FTP traffic. This test will determine the maximum TCP connections per second using a stepping technique and values that match the DUT’s (Device Under Test) ability.

Objective:

Test the maximum peak rate of new connections that the DUT can handle using real stateful application traffic.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under the Test Quick Steps menu, click Select the DUT/Network.

6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Under the Test Quick Steps menu, click Add a Test Component.

9. Select Application Simulator (L7) from the Select a component type window.

10. The Information tab should already be selected. Enter Max TCP Connection Rate as the name and click Apply Changes.

11. Select the Presets tab. Select Service Provider Apps as the component preset and click Apply Changes.

12. Select the Parameters tab. Several different parameters will be changed in this section. Change these parameters to match your DUT’s ability. First, change the Minimum data rate to 100% of the DUT’s ability. Click Apply.

13. Next, change the Ramp Up Seconds in the Session Ramp Distribution section to 25 and click Apply.

14. In the Ramp Up Profile, several parameters will be changed. You may need to scroll in order to change each one of them. First, use the Ramp Up Profile Type drop-down menu and select Stair Step. For the Minimum Connection Rate, enter a value that is 10% of the DUT’s stated maximum connection rate. Enter the DUT’s stated maximum connection rate for the Maximum Connection Rate. Again, enter 10% of the DUT’s stated maximum connection rate for the Increment N connections per second parameter, and a value of 1 for Every N seconds. Once completed, click Apply Changes.

15. In the Session Configuration section, enter 7500000 as the Maximum Simultaneous Sessions and the DUT’s stated maximum connection rate in the Maximum Sessions Per Second. Click Apply Changes.

16. If desired, edit the test Description in the Test Information section.

17. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.

18. Under the Test Quick Steps menu, click Save and Run.

19. When prompted for a name to Save Test As, enter DPI Max TCP Rate and click Save.

20. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP, and Ethernet statistics in a tabular form.

21. Select the TCP tab. This will display the number of both attempted and successful TCP connections.

22. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.

23. When the test is completed, click the View the report button.

24. Expand the Test Results for Maximum TCP Connection Rate folder and select TCP Setup Time. Because shorter TCP setup times allow the DUT to respond quickly and handle incoming connection requests, they are preferable to longer TCP setup times.

25. Next, select TCP Response Time. Because shorter response times allow the DUT to respond quickly to requests and continue normal operation, they are preferable to longer response times.

26. Select Frame Latency Summary. Smaller frame latency measurements mean the frames are arriving quickly without much delay through the device.

27. Expand the Detail folder. Select TCP Connection Rate from the list of available results. Using the graph and the table, determine the maximum TCP connection rate the DUT is able to handle.

Other tests can also be performed. The following are some examples that can be run:

• Vary the TCP Segment size.

• Change the Distribution type to random.

• Change the TCP Session Duration (segments).

• Increase the test time for a longer test.
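
The following Python is an added example, not part of the BreakingPoint methodology or product. It lays out the offered load that the Stair Step settings in steps 13 to 15 describe and reads the highest sustained connection rate from per-level results, which is the judgement step 27 asks for. The stated maximum of 50,000 connections per second, the attempted/established pairs, the 2% tolerance, and the assumption that the rate starts at the minimum and rises by one increment after each interval are all constructed for illustration.

```python
from collections import defaultdict

RAMP_UP_SECONDS = 25                   # step 13: Ramp Up Seconds
MAX_SIMULTANEOUS_SESSIONS = 7_500_000  # step 15: Maximum Simultaneous Sessions


def stair_step_schedule(stated_max_cps, pct=10, every_n_seconds=1,
                        ramp_up_seconds=RAMP_UP_SECONDS):
    """Offered connections per second for each second of the ramp (step 14).

    Assumption: the rate starts at the minimum (pct% of the stated maximum)
    and rises by one increment (also pct%) after every `every_n_seconds`,
    capped at the stated maximum. The page does not spell out the timing.
    """
    if stated_max_cps <= 0 or not 0 < pct <= 100 or every_n_seconds < 1:
        raise ValueError("rate, percentage and interval must be positive")
    step = stated_max_cps * pct // 100   # used as both minimum and increment
    if step == 0:
        raise ValueError("stated maximum too small for the chosen percentage")
    return [min(step + step * (s // every_n_seconds), stated_max_cps)
            for s in range(ramp_up_seconds)]


def sessions_opened(schedule):
    """Connections attempted over the ramp (one schedule entry per second).

    This is also the most sessions that could be open at once if none
    closed, so it can be compared with the simultaneous-session limit.
    """
    return sum(schedule)


def max_sustained_rate(samples, tolerance=0.02):
    """Highest offered rate the DUT kept up with.

    `samples` holds (attempted_cps, established_cps) pairs read from the
    report. A level counts as sustained only if every sample at that level
    is within `tolerance` of the attempted rate and every lower level was
    sustained too, so a lucky reading above the knee is not counted.
    Returns 0 when even the lowest level was not sustained.
    """
    by_level = defaultdict(list)
    for attempted, established in samples:
        if attempted > 0:
            by_level[attempted].append(established)
    sustained = 0
    for level in sorted(by_level):
        if min(by_level[level]) < level * (1 - tolerance):
            break
        sustained = level
    return sustained


# Constructed sample results for a device whose stated maximum is 50,000
# connections per second but which levels off near 36,000.
SAMPLES = [
    (5_000, 5_000), (10_000, 9_998), (15_000, 15_000), (20_000, 19_990),
    (25_000, 24_960), (30_000, 29_900), (35_000, 34_500), (40_000, 36_100),
    (45_000, 36_050), (50_000, 35_900), (50_000, 36_010),
]

if __name__ == "__main__":
    schedule = stair_step_schedule(50_000)
    opened = sessions_opened(schedule)
    print("offered load per second:", schedule)
    print("connections attempted during ramp:", opened)
    if opened > MAX_SIMULTANEOUS_SESSIONS:
        print("session limit could cap the ramp before the DUT does")
    print("highest sustained rate:", max_sustained_rate(SAMPLES))
```

With these figures the ramp reaches the stated maximum at the tenth second and holds it for the rest of the 25-second ramp, and the attempted total stays well under the 7,500,000 session limit, so a shortfall in established connections points at the DUT rather than at the test configuration.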

Maximum Concurrent TCP Connections

RFC:

• RFC 793 – Transmission Control Protocol

Overview:

This test is very similar to the previous test configuration, though a calculated Ramp Up Profile will be used. Also, the results from the Maximum TCP Connection Rate test will be used in the Maximum Sessions Per Second parameter.

Objective:

Test the maximum number of established TCP connections the DUT could hold using real stateful application traffic.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > Open Recent > DPI Max TCP Rate.


5. Click Save Test As.

6. When prompted for a name to save the test as, enter Max Concurrent TCP Connections and click Save.

7. Under the Information tab, change the name to Max TCP Connections and click Apply Changes.


8. Select the Parameters tab. Several parameters will be changed in this section. First, using the Ramp Up Profile Type drop-down menu, change the value to Calculated in the Ramp Up Profile section. Click Apply Changes.

9. Next, in the Session Configuration section, change the Maximum Simultaneous Sessions to the maximum the DUT is expected to be able to reach. Also, change the Maximum Sessions Per Second to the rate determined by the DPI Max TCP Rate test. Click Apply Changes.

10. The next parameter to be changed is the Ramp Up Seconds in the Session Ramp Distribution section. This is a calculated value. Take the Maximum Simultaneous Sessions / Maximum Sessions Per Second (always round to the higher second). Click Apply Changes.


11. If desired, edit the test description in the Test Information section.

12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.

13. Under the Test Quick Steps menu, click Save and Run.


14. The Summary tab will initially be displayed once the test starts. The Summary tab displays multiple application, TCP and Ethernet statistics in a tabular form.

15. Select the TCP tab. This will display the number of both attempted and successful TCP connections.


16. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.

17. When the test is completed, click the View the report button.

18. Expand the Test Results for Max TCP Connections folder and select TCP Setup Time. Because short TCP setup times allow the DUT to quickly react and handle the incoming connection requests better than longer TCP setup times, they are preferred.


19. Next, select TCP Response Time. Shorter response times allow the DUT to respond quickly to requests and continue normal operation.

20. Select Frame Latency Summary. Short frame latency measurements indicate that the frames are arriving quickly without much delay through the device.


21. Expand the Detail folder. Select TCP Concurrent Connections from the list. Using the table and the graph, determine the maximum number of concurrent TCP connections that the DUT is able to handle.

Other tests can also be performed. The following are some examples that can be run:

• Vary the TCP Segment size.

• Change the Distribution type to random.

• Change the TCP Session Duration (segments).

• Increase the test time for a longer test.


Strike Mitigation

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

It is important to evaluate how malicious traffic will affect the performance of the DUT. A Security test component will be used in this test. Five default attack series are available to use, but during this test only Security Level 1 will be used. Security Level 1 includes high-risk vulnerabilities in services often exposed to the Internet.

Objective:

Test the DUT’s ability to recognize and block malicious traffic.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under the Test Quick Steps menu, click Select the DUT/Network.


6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Next, under the Test Quick Steps menu, click Add a Test Component.


9. Select the Security component from the Select a component type window.

10. Under the Information tab, enter Strike Detection as the name and click Apply Changes.

11. Select the Presets tab and then select Security Level 1. Click Apply Changes.


12. If desired, edit the test description under the Test Information section.

13. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the required changes.

14. Under the Test Quick Steps menu, click Save and Run.

15. When prompted, enter DPI Strike Detection as a name and click Save.


16. Once the test starts to run, select the Attacks tab. This will display information about how many attacks could be blocked and how many were actually able to pass through the DUT.

17. When the test is completed, a window will appear stating that the test failed because malicious traffic was able to pass through the DUT. Click Close.


18. Click the View the report button to view detailed results in a browser window.

19. Expand Test Results for Strike Detection and select Strike Results. Determine the number of strikes that were successfully blocked and the number that could be transmitted through the DUT.

Variations of this test that can be run include:

• Increase the test length for a longer Malicious Traffic Attack.

• Change the Security Level.

• Use a different random seed.


Strikes Blocking with IP Fragmentation

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

This closely resembles the Strike Blocking test, except the IP packets will be fragmented to determine how the DUT handles malicious traffic that is arriving in fragmented packets.

Objective:

Test the DUT’s ability to recognize and block malicious traffic with fragmentation on IP packets.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > Open Recent Tests > DPI Strike Detection.

5. Click Save Test As.


6. Enter DPI Strike Detection Fragmentation as the name and click Save.

7. Select the Overrides tab. In the IP section, locate MaxFragSize and enter a value less than 46. Click Apply Changes.

8. If desired, edit the test Description under the Test Information section.

9. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.


10. Under the Test Quick Steps menu, click Save and Run.

11. Once the test starts to run, select the Attacks tab. This will display the number of attacks that were successfully blocked and the number of attacks that were able to successfully pass through the DUT.


12. Once the test is completed, a window will appear stating that the test failed because malicious traffic was able to pass through the DUT. Click Close.

13. Click the View the report button. A window with detailed results will open.

14. Expand Test Results for Strike Detection and select Strike Results. Determine the number of strikes that were blocked and the number of strikes that were able to pass through the DUT. Using the results from the previous test, determine if fragmentation made any difference.


Variations of this test that can be run include:

• Increase the test length for a longer Malicious Traffic Attack.

• Change the Security Level.

• Use a different random seed.
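Whether fragmentation changes the result in step 14 depends on whether the DUT reassembles fragments before matching. The following added example (not part of the BreakingPoint methodology or product) fragments a constructed IPv4 datagram carrying a benign marker at 40 bytes, one value below 46, and compares a per-packet matcher with a reassembling inspector. The marker, the addresses, and the reading of the fragment size as IP payload bytes per fragment are assumptions.

```python
import random
import struct

# Constructed, benign marker standing in for the byte pattern of a strike.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def build_ipv4(src, dst, ident, proto, data, offset_units=0, more=False):
    """Build one IPv4 packet; the header checksum is left at 0 (unused here)."""
    flags_frag = (0x2000 if more else 0) | offset_units
    return struct.pack(IP_HDR, 0x45, 0, 20 + len(data), ident,
                       flags_frag, 64, proto, 0, src, dst) + data


def fragment(src, dst, ident, proto, payload, max_frag_size):
    """Split payload into fragments of at most max_frag_size payload bytes."""
    step = max_frag_size - max_frag_size % 8  # offsets count 8-byte units
    if step <= 0:
        raise ValueError("fragment size must be at least 8 bytes")
    return [build_ipv4(src, dst, ident, proto, payload[off:off + step],
                       off // 8, off + step < len(payload))
            for off in range(0, len(payload), step)]


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto),
            "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000),
            "data": pkt[ihl:total_len]}


def inspect_per_packet(packets):
    """Match each packet in isolation, as a non-reassembling device would."""
    return any(SIGNATURE in parse_ipv4(p)["data"] for p in packets)


def _reassemble(state):
    """Return the full payload once the last fragment and all gaps are in."""
    if state["total"] is None:
        return None
    out = bytearray()
    for off in sorted(state["parts"]):
        if off > len(out):
            return None  # hole: an earlier fragment is still missing
        part = state["parts"][off]
        # Overlaps: higher offset wins here. Real stacks differ, and an
        # inspector has to mirror the policy of the host it protects.
        out[off:off + len(part)] = part
    return bytes(out) if len(out) >= state["total"] else None


def inspect_reassembled(packets):
    """Buffer fragments per (src, dst, id, proto), then match the payload."""
    buffers = {}
    for p in packets:
        f = parse_ipv4(p)
        state = buffers.setdefault(f["key"], {"parts": {}, "total": None})
        state["parts"][f["offset"]] = f["data"]
        if not f["more"]:
            state["total"] = f["offset"] + len(f["data"])
        data = _reassemble(state)
        if data is not None:
            del buffers[f["key"]]
            if SIGNATURE in data:
                return True
    return False


def demo():
    src, dst = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])  # TEST-NET-1
    payload = b"A" * 30 + SIGNATURE + b"B" * 30  # marker straddles byte 40
    proto = 253  # protocol number reserved for experimentation
    whole = [build_ipv4(src, dst, 1, proto, payload)]
    frags = fragment(src, dst, 2, proto, payload, 40)
    random.Random(7).shuffle(frags)  # fragments may arrive out of order
    return {"fragments": len(frags),
            "whole_per_packet": inspect_per_packet(whole),
            "fragmented_per_packet": inspect_per_packet(frags),
            "fragmented_reassembled": inspect_reassembled(frags)}


if __name__ == "__main__":
    print(demo())
```

A DUT that behaves like `inspect_per_packet` would block fewer strikes in this test than in the unfragmented one, which is the difference step 14 asks you to look for.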


SYN Flood

RFC:

• RFC 793 – Transmission Control Protocol

• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview:

A SYN Flood is when a client starts a TCP connection but never sends an ACK and keeps trying to initiate a TCP connection. This can be harmful to a DPI device, as it has to provide resources to the TCP connection requests. The DPI device likely has the ability to detect and mitigate the SYN Flood. A Session Sender test component will be used to create a SYN Flood.

Objective:

Test the ability of the DUT to recognize and block SYN Flood attacks.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under the Test Quick Steps section, click Select the DUT/Network.


6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Under the Test Quick Steps section, click Add a Test Component.


9. Select Session Sender (L4) from the Select a component type window.

10. Under the Information tab, change the name to SYN Flood and click Apply Changes.

11. Select the Presets tab and locate the 1Gbps SYN Flood. Click Apply Changes.


12. Select the Parameters tab. Several changes will be made in this section. The first one, if needed, is to change the Minimum data rate to what is supported by the DUT. Click Apply Changes once completed.

13. Next, two parameters in the Session Configuration section need to be changed. The first one is the Maximum Simultaneous Sessions. This needs to be set to the connection rate supported by the DUT (this is the result from the Maximum Concurrent TCP Connections test). The second parameter that needs to be changed is Maximum Sessions Per Second (this is the result from the Maximum TCP Connection Rate test). Click Apply Changes.

14. If desired, edit the test description under the Test Information section.


15. Verify that the Test Status has a green checkmark next to it. If it does not, click Test Status and make the required changes.

16. Under the Test Quick Steps menu, click Save and Run.

17. When prompted for a name to save the test as, enter DPI SYN Flood Detection and click Save.


18. The Summary tab will automatically be displayed when the test starts. This tab displays a great deal of information about TCP. As can be seen in the TCP Connection Rate section, the SYN flood is trying to establish a connection but the connection is not actually created.

19. Select the TCP tab. This will display information about the number of TCP Connections per Second. Again, clients are attempting to connect but are not actually successful.


20. Once the test is completed, a window will appear stating that the test passed. Click Close.

21. Click the View the report button. This will open a new browser window with detailed results.

22. Expand Test Results for SYN Flood and select TCP Summary. Verify that there are no Client established or Server established values.

Other test variations can be run. One variation is to increase the test length for a longer SYN Attack.
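The half-open state described in the overview, and the zero established count checked in step 22, can be modeled as follows. This is an added example, not BreakingPoint code: a bounded tracker of client SYNs run over two constructed traces. The event tuple format, backlog size, timeout, and alert thresholds are assumptions chosen for illustration.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Bounded table of client SYNs awaiting the handshake-completing ACK."""

    def __init__(self, backlog=64, timeout=1.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = OrderedDict()  # 4-tuple -> time the SYN was seen
        self.stats = {"syn": 0, "established": 0, "expired": 0, "dropped": 0}

    def _reap(self, now):
        # Entries are in arrival order, so stop at the first fresh one.
        while self.half_open:
            key, seen = next(iter(self.half_open.items()))
            if now - seen < self.timeout:
                break
            del self.half_open[key]
            self.stats["expired"] += 1

    def observe(self, ts, src, sport, dst, dport, flags):
        """Feed one client-to-server segment; flags is "S" (SYN) or "A" (ACK)."""
        self._reap(ts)
        key = (src, sport, dst, dport)
        if flags == "S":
            if key in self.half_open:
                return  # retransmitted SYN, already tracked
            self.stats["syn"] += 1
            if len(self.half_open) >= self.backlog:
                self.stats["dropped"] += 1  # table full: no room for state
            else:
                self.half_open[key] = ts
        elif flags == "A" and self.half_open.pop(key, None) is not None:
            self.stats["established"] += 1

    def finish(self, now):
        self._reap(now)
        return dict(self.stats)


def looks_like_syn_flood(stats, min_syn=100, ratio=0.9):
    """Flag a trace in which nearly every SYN expired or was dropped."""
    failed = stats["expired"] + stats["dropped"]
    return stats["syn"] >= min_syn and failed / stats["syn"] >= ratio


SERVER = ("203.0.113.5", 80)  # documentation address, constructed


def baseline_trace():
    """Constructed: five clients that complete the handshake after 50 ms."""
    events = []
    for i in range(5):
        conn = ("192.0.2.%d" % (10 + i), 40000 + i) + SERVER
        events.append((0.1 * i, *conn, "S"))
        events.append((0.1 * i + 0.05, *conn, "A"))
    return sorted(events, key=lambda e: e[0])


def flood_trace():
    """Constructed: 500 SYNs that are never ACKed, plus one real client."""
    events = [(10 + 0.001 * i, "198.51.100.%d" % (i % 250 + 1), 1024 + i,
               *SERVER, "S") for i in range(500)]
    legit = ("192.0.2.99", 41000) + SERVER
    events += [(10.3, *legit, "S"), (10.35, *legit, "A")]
    return sorted(events, key=lambda e: e[0])


def run(events, end):
    tracker = HalfOpenTracker()
    for event in events:
        tracker.observe(*event)
    return tracker.finish(end)


if __name__ == "__main__":
    for name, trace, end in (("baseline", baseline_trace(), 5.0),
                             ("flood", flood_trace(), 12.0)):
        stats = run(trace, end)
        print(name, stats, "flood" if looks_like_syn_flood(stats) else "ok")
```

In the flood trace the real client's SYN is dropped because the table is already full, which is the resource cost the overview refers to.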


Inappropriate Content Filtering

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

It is important to determine and evaluate how the DUT is able to handle inappropriate content. Also, it is important to determine how the DUT’s performance is affected while having to perform content filtering. A new Super Flow will be created that will contain some type of inappropriate content. This Super Flow will then be added to an Application Profile. The BreakingPoint Application Simulator test component will be used to transmit the newly created application profile.

Objective:

Test the ability of the DUT to recognize and block sessions containing inappropriate material.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.


5. Select the Super Flows tab and locate the BreakingPoint HTTP Text from the list. Click Save As.

6. When prompted for a name, enter HTTP Inappropriate and click Ok.


7. In the Define Actions section, locate the Server: Response 200 (OK) action. Click the Edit the selected action parameter button.

8. Enable the String for response data section and enter the inappropriate terms or phrases in the String for response data field.

9. Select Save Super Flow.


10. Select the App Profiles tab and click the Create a new application profile button.

11. When prompted for a name, enter DPI HTTP Inappropriate and click OK.


12. Locate the newly created Super Flow in the list of Available Super Flows. Click the Add the super flow to the profile button.

13. Locate the BreakingPoint HTTP Text Super Flow and click the Add the Super Flow to the profile button.

14. Verify that both Super Flows have a weight of 100 and click Save App Profile.


15. Select Test > New Test.

16. Under the Test Quick Steps section, click Select the DUT/Network.

17. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.


18. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

19. Under the Test Quick Steps menu, click Add a Test Component.

20. Select Application Simulator (L7) from the Select a component type window.


21. The Information tab should already be selected. Enter Inappropriate Content for the name and click Apply Changes.

22. Select the Parameters tab. Several parameters in this section will need to be changed. First verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

23. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI HTTP Inappropriate application profile and click Apply Changes.


24. If desired, in the Test Information section, edit the test description.

25. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed changes.

26. Under the Test Quick Steps menu, click Save and Run.

27. Enter DPI Inappropriate Content when prompted for a name. Click Save.


28. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

29. Select the Application tab. This will display real-time information about the application flows that are being transmitted.


30. When the test is completed, a window will appear stating that the test failed. Click Close.

31. Select the View the report button. This will open a more detailed result view in a browser window.


32. Expand Test Results for Inappropriate Content and select App Summary. This will provide a great deal of information about all of the applications, from bytes transmitted to bytes received to details about failures. Since half of the content should be blocked because it is inappropriate, the Application attempted value should be about twice the value of the Application successes.

33. Log in to the DUT, and view the different counters to determine if the DUT was successfully blocking the inappropriate content.

Variations of this test that can be run include:

• Increase the test length for a longer run time.

• Try different inappropriate key words.

• Try a larger number of inappropriate key words.


Spam Email Blocking

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

It is important to determine and evaluate how the DUT is able to handle spam email. Also, it is important to determine how the DUT’s performance is affected while having to block spam email. A new Super Flow will be created that will contain a spam email. This Super Flow will then be added to an application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the DUT’s ability to block spam email.

Objective:

Test the ability of the DUT to recognize and block sessions containing spam email.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.


5. Select the Super Flows tab and locate the BreakingPoint SMTP Email from the list. Click Save As.

6. When prompted, enter DPI SMTP Spam as the name and click Ok.


7. In the Step 3 – Define Actions section, locate Client: Send Email. Click the Edit the selected action parameter button.

8. Enter an email address in the Protocol FROM Username field. Enter a different email address in the Protocol RCPT Username field. Next, scroll down and locate the Subject field. Enter Receive 15% off Gold Watches as the Subject. Finally, enable the Attachment Data field and click Import Attachment Data. You can upload the content into the Web browser that launches.

9. Click the Choose File button to browse your file system to locate spam email text.

10. Once the spam email has been located in your file system, click Upload.

11. Wait until the file is uploaded successfully, then close the browser window.

12. Using the Attachment Data drop-down menu, select the newly uploaded file and click Apply Changes.

13. Click Save Super Flow.

14. Select the App Profiles tab and click the Create a new application profile button.

15. When prompted, enter DPI Spam Email Content as a name and click Ok.

16. From the Available Super Flows list, locate the newly created Super Flow and click the Add the Super Flow to the profile button.

17. Again, from the Available Super Flows list, locate the BreakingPoint SMTP Email Super Flow and click the Add the Super Flow to the profile button.

18. Verify that each Super Flow has a weight of 100 and click Save App Profile.

19. Select Test > New Test.

20. Under the Test Quick Steps menu, click Select the DUT/Network.

21. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

22. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

23. Under the Test Quick Steps menu, click Add a Test Component.

24. Select Application Simulator (L7) from the Select a component type window.

25. The Information tab should already be selected. Enter Spam Email Content for the name and click Apply Changes.

26. Select the Parameters tab. Several parameters in this section will need to be changed. First verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

27. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Spam Email Content application profile and click Apply Changes.

28. If desired, in the Test Information section, edit the test description.

29. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed changes.

30. Under the Test Quick Steps section, click Save and Run.

31. Enter DPI Spam Email when prompted for a name. Click Save.

32. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

33. Select the Application tab. This will display real-time information about the application flows that are being transmitted.

34. When the test is completed, a window will appear stating that the test failed. Click Close.

35. Select the View the report button. This will open a more detailed result view in a browser window.

36. Expand Test Results for Spam Email Content and select App Summary. This will provide a great deal of information about all of the applications including bytes transmitted, bytes received and details about failures. Since half of the content should be blocked because it is inappropriate, the Application attempted value should be about twice the value of the Application successes.

37. Log in to the DUT and view the different counters to determine if the DUT was successfully blocking the SPAM email.

Variations of this test that can be run include:

• Increase the test length for a longer run time.

• Try different spam emails.

• Try a larger number of spam emails to determine if all are blocked.

Suspicious Content Detection

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

It is important to determine and evaluate how the DUT is able to handle the detection of suspicious content. Also, it is important to determine how the DUT’s performance is affected while having to handle suspicious content detection. A new Super Flow will be created that will use a database protocol to simulate a credit card request by querying the database. This Super Flow will then be added to an application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the DUT’s ability to detect suspicious content.

Objective:

Test the ability of the DUT to record and audit suspicious content.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.

5. Select the Super Flows tab and locate BreakingPoint DB2 Database from the list. Click Save As.

6. When prompted for a name, enter DPI DB Credit and click OK.

7. Make sure the second item is selected under the Define Flows section and also select the Client: SQL Query in the Define Actions section. Click the Edit the select actions parameters button.

8. In the SQL Query field, enter a specific query that will be tracked by the DUT. The query content should be defined according to the DUT’s policy and detection model. A good example to use is: “SELECT * from credit_card_table”. Click Apply Changes.

9. Click Save Super Flow.

10. Select the App Profiles tab and click the Create a new application profile button.

11. When prompted, enter DPI Suspicious as the name and click OK.

12. Locate the newly created Super Flow in the Available Super Flows list and click the Add the Super Flow to the profile button.

13. Next, locate the BreakingPoint DB2 Database Super Flow in the Available Super Flows list and click the Add the Super Flow to the profile button.

14. Verify that both Super Flows have a weight of 100 and click Save App Profile.

15. Select Test > New Test.

16. Under the Test Quick Steps section, click Select the DUT/Network.

17. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

18. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

19. Under the Test Quick Steps menu, click Add a Test Component.

20. Select Application Simulator (L7) from the Select a component type window.

21. The Information tab should already be selected. Enter Suspicious Content for the name and click Apply Changes.

22. Select the Parameters tab. Some parameters in this section will need to be changed. First, verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

23. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Suspicious application profile and click Apply Changes.

24. If desired, in the Test Information section, edit the test description.

25. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed changes.

26. Under the Test Quick Steps menu, click Save and Run.

27. Enter DPI Suspicious Content when prompted for a name. Click Save.

28. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

29. Select the Application tab. This will display real-time information about the application flows that are being transmitted.

30. When the test finishes, a window will appear stating that the test failed. Click Close.

31. Select the View the report button. This will open a more detailed result view in a browser window.

32. Expand Test Results for Suspicious Content and select App Summary. This will provide a great deal of information about all the applications from bytes transmitted to bytes received to details about failures. Since half of the content should be blocked because it is inappropriate, the Application attempted value should be about twice the value of the Application successes.

33. Log in to the DUT and view the different counters to determine if the DUT was successfully blocking the suspicious content.

Variations of this test that can be run include:

• Increase the test length for a longer run time.

• Try different suspicious elements (i.e., different protocols).

• Try a larger number of suspicious elements.
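The query entered in step 8 only exercises the DUT if the DUT's policy actually matches it, so it helps to check the planned query variants against the intended policy before a run. The following is an added example, not part of the original methodology and not BreakingPoint or DUT code: it compares a literal signature with a normalizing audit match. The table set, the function names and every sample query except the one from step 8 are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Only credit_card_table comes from the methodology's example query; treat the
# set as whatever tables the DUT's audit policy lists (assumption).
SENSITIVE_TABLES = frozenset({"credit_card_table"})
LITERAL_SIGNATURE = "SELECT * from credit_card_table"  # query text from step 8

# One left-to-right pass, so "--" or "/*" inside a string literal is not
# mistaken for the start of a comment.
_SCRUB = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')   # string literal; a doubled quote is an escape
  | /\*.*?\*/                    # block comment
  | --[^\n]*                     # line comment
    """,
    re.S | re.X,
)
_IDENT = re.compile(r"[a-z_][a-z0-9_$]*")


class Finding(NamedTuple):
    verb: str      # first keyword of the statement, e.g. "select"
    tables: tuple  # sensitive tables the statement references


def normalize(sql: str) -> str:
    """Drop comments, blank out string literals, fold case and whitespace."""
    scrubbed = _SCRUB.sub(lambda m: "''" if m.group("string") else " ", sql)
    return " ".join(scrubbed.split()).lower()


def audit_query(sql: str) -> Optional[Finding]:
    """Return a Finding if the statement references a sensitive table."""
    tokens = _IDENT.findall(normalize(sql))
    hits = tuple(sorted(SENSITIVE_TABLES.intersection(tokens)))
    if not tokens or not hits:
        return None
    return Finding(verb=tokens[0], tables=hits)


# Constructed sample queries: (label, SQL text, should the policy record it?)
SAMPLES = [
    ("page example", "SELECT * from credit_card_table", True),
    ("case and spacing", "select  *\n FROM   Credit_Card_Table", True),
    ("schema-qualified, column list",
     "SELECT pan, expiry FROM billing.CREDIT_CARD_TABLE WHERE id = 7", True),
    ("control: name only in a comment",
     "SELECT 1 FROM sysibm.sysdummy1 -- credit_card_table", False),
    ("control: query text stored as data",
     "INSERT INTO notes VALUES ('SELECT * from credit_card_table')", False),
]


def coverage(samples=SAMPLES):
    """Compare the literal signature with the normalizing audit per sample."""
    return [
        {
            "label": label,
            "expected": expected,
            "literal": LITERAL_SIGNATURE in sql,
            "normalized": audit_query(sql) is not None,
        }
        for label, sql, expected in samples
    ]


if __name__ == "__main__":
    for row in coverage():
        print(row)
```

Rows where `literal` differs from `expected` are the cases to load into the SQL Query field when trying different suspicious elements, with the DUT's counters checked against the `expected` column afterwards.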

Webmail Phrase Detection

RFC:

• RFC 793 – Transmission Control Protocol

• RFC 2616 – Hypertext Transfer Protocol

Overview:

It is important to determine if the DUT is able to record and audit keywords or key phrases. This is important because Webmail is becoming more popular and company information that is not public could possibly be transmitted via Webmail. A new Super Flow will be created that is a Webmail service. The Super Flow’s length will be configured and several words will be added to the body of the email. This newly created Super Flow will be added to an application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the DUT’s ability.

Objective:

Test the ability of the DUT to record and audit keywords or word phrases.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.

5. Select the Super Flows tab and then locate BreakingPoint Webmail. Click Save As.

6. When prompted, enter DPI Webmail as a name and click Ok.

7. As we wish only to use a single Webmail server, click Manage Hosts.

8. Select one of the servers, and click the Delete the selected host button.

9. When prompted about being sure you want to delete the selected host, click Yes.

10. Repeat the previous two steps with another one of the Webmail servers. Once completed, only one Webmail server should remain. Click Close.

11. Under Step 3 – Define Actions, select Client: Send Message and click the Edit the selected action parameters button.

12. In the Send Message window, several parameters will need to be changed. If desired, it is possible to change the language by enabling the Language checkbox and using the drop-down menu to select a different language. Next, enable Message Wordcount Min and set a value of 100. Also, enable Message Wordcount Max and set this to a value of 1000. The message will contain a random message between 100 and 1000 words. Several items are already in the Keyword List field. Change these values to match keywords configured on the DUT. Finally, enable Random Attachment? and set the value to False. Click Apply Changes.

13. Once completed with editing the Send Message action, click Save Super Flow.

14. Next, select the App Profiles tab and click the Create a new application profile button.

15. When prompted for an app profile name, enter DPI Webmail and click OK.

16. In the Available Super Flows list, locate the newly created DPI Webmail Super Flow and click the Add Super Flow to the profile button.

17. Next, locate the BreakingPoint Webmail Super Flow and click the Add Super Flow to the profile button again.

18. Verify that both have a Weight of 100 and click Save App Profile.

19. Select Test > New Test.

20. Under the Test Quick Steps menu, click Select the DUT/Network.

21. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

22. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

23. Under the Test Quick Steps menu, click Add a Test Component.

24. Select Application Simulator (L7) from the Select a component type window.

25. The Information tab should already be selected. Enter Webmail for the name and click Apply Changes.

26. Select the Parameters tab. Some parameters in this section will need to be changed. First verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

27. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Webmail application profile and click Apply Changes.

28. If desired, in the Test Information section, edit the test description.

29. Verify that the Test Status has a green checkmark next to it. If it does not, click Test Status and make the needed changes.

30. Under the Test Quick Steps menu, click Save and Run.

31. Enter DPI Webmail when prompted for a name to save the test. Click Save.

32. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

33. Select the Application tab. This will display real-time information about the application flows that are being transmitted.

34. When the test finishes, a window will appear stating that the test passed. Click Close.

35. Select the View the report button. This will open a more detailed result view in a browser window.

36. Expand Test Results for Webmail and select Application Summary. This will provide a great deal of information about all the applications from bytes transmitted to bytes received to details about failures.

37. Log in to the DUT and view the different counters to determine if the DUT was successfully auditing the keywords and/or phrases.

Variations of this test that can be run include:

• Increase the test length for a longer run time.

• Try different Webmail clients/servers.
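To judge the DUT's counters in the last step, it helps to know how many keyword hits a correct audit should record for a given message. The following is an added example, not part of the original methodology and not BreakingPoint code: it builds a constructed Webmail-style HTTP POST with a random body in the 100 to 1000 word range and counts keyword and phrase hits after decoding the form body. The keyword list, filler words, host, path, form field names and the form-urlencoded body format are all assumptions; the page does not describe the Webmail Super Flow's wire format.

```python
import random
import re
from urllib.parse import parse_qs, urlencode

# Assumption: keywords and phrases configured on the DUT (constructed values).
KEYWORDS = ["confidential", "project aurora", "merger"]
# Constructed filler vocabulary; deliberately contains none of the keywords.
FILLER = "status update for the weekly team meeting notes and lunch plans".split()


def build_body(keywords, min_words=100, max_words=1000, seed=1):
    """Random filler of min..max words with each keyword inserted once."""
    rng = random.Random(seed)
    words = [rng.choice(FILLER) for _ in range(rng.randint(min_words, max_words))]
    for kw in keywords:
        # A multi-word phrase is inserted as one element so it stays contiguous.
        words.insert(rng.randrange(len(words) + 1), kw)
    return " ".join(words)


def build_request(body_text, to="someone@example.com"):
    """Constructed HTTP/1.1 POST carrying the message as a urlencoded form."""
    form = urlencode({"to": to, "subject": "status", "body": body_text})
    return (
        "POST /mail/send HTTP/1.1\r\n"
        "Host: webmail.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(form)}\r\n\r\n{form}"
    ).encode("ascii")


def phrase_pattern(phrase):
    """Whole-word, case-insensitive match; any whitespace run between words."""
    parts = [re.escape(word) for word in phrase.split()]
    return re.compile(r"\b" + r"\s+".join(parts) + r"\b", re.I)


def count_phrases(text, keywords):
    """Map each keyword that occurs in text to its number of occurrences."""
    hits = {}
    for kw in keywords:
        n = len(phrase_pattern(kw).findall(text))
        if n:
            hits[kw] = n
    return hits


def audit_request(raw, keywords=KEYWORDS):
    """Decode a urlencoded POST body and count keyword hits in its fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return {}
    fields = parse_qs(body.decode("ascii", "replace"))
    text = " ".join(value for values in fields.values() for value in values)
    return count_phrases(text, keywords)


if __name__ == "__main__":
    request = build_request(build_body(KEYWORDS))
    print("expected audit hits:", audit_request(request))
    # On the wire the phrase is encoded, so a raw byte comparison misses it.
    print("raw bytes contain phrase:", b"project aurora" in request)
```

The raw-byte comparison at the end shows why the expected count has to be taken on the decoded body: in this encoding the space inside a phrase travels as `+`.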

About BreakingPoint

BreakingPoint pioneered the first and only Cyber Tomography Machine (CTM) to expose previously impossible-to-detect stress fractures within cyber infrastructure components before they are exploited to compromise customer data, corporate assets, brand reputation and even national security. BreakingPoint products are the standard by which the world’s governments, enterprises, and service providers optimize the resiliency of their cyber infrastructures. For more information, visit www.breakingpoint.com.

BreakingPoint Storm CTM

BreakingPoint has pioneered Cyber Tomography with the introduction of the BreakingPoint Storm CTM, enabling users to see for the first time the virtual stress fractures lurking within their cyber infrastructure through the simulation of crippling attacks, high-stress traffic load and millions of users. BreakingPoint Storm CTM is a three-slot chassis that provides the equivalent performance and simulation of racks and racks of servers, including:

• 40 Gigabits per second of blended stateful application traffic

• 30 million concurrent TCP sessions

• 1.5 million TCP sessions per second

• 600,000+ complete TCP sessions per second

• 80,000+ SSL sessions per second

• 100+ stateful applications

• 4,500+ live security strikes

BreakingPoint Resources

Hardening cyber infrastructure is not easy work, but nothing that is this important has ever been easy. Enterprises, service providers, government agencies and equipment vendors are under pressure to establish a cyber infrastructure that can not only repel attack but is resilient to application sprawl and maximum load. BreakingPoint’s Cyber Tomography Machine (CTM) provides the technology and solutions that allow these organizations to create a hardened and resilient cyber infrastructure. BreakingPoint also provides the very latest industry resources to make this process that much easier, including Resiliency Methodologies, How-to Guides, white papers, webcasts, and a newsletter. To learn more, visit www.breakingpoint.com/resources.

BreakingPoint Labs Community

Join discussions on the latest developments in hardening cyber infrastructure. BreakingPoint Labs brings together a diverse community of people leveraging the most current insight to harden cyber infrastructure to withstand crippling attack and high-stress application load. Visit www.breakingpointlabs.com.
