Rethink Intrusion Prevention System Testing: A Methodology to measure the performance, security, and stability of intrusion prevention systems (IPS) under real-world conditions

www.breakingpoint.com © 2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. All other trademarks are the property of their respective owners.

IPS Test Methodology

May 13, 2015

Technology

Ixia

IPS test methodology provides step-by-step directions on how to properly test IPS devices with real-world network traffic.

Table of Contents

• Introduction
• Baseline Application Performance: Maximum Connections
• Baseline Application Performance: Throughput
• Baseline Attack Mitigation: SYN Flood
• Baseline Attack Mitigation: Malicious Traffic
• Application Traffic with SYN Flood
• Application Traffic with Malicious Traffic
• Application Traffic with Malicious Traffic and SYN Flood
• Jumbo Frames
• IP, UDP and TCP Fuzzing
• Protocol Fuzzing
• Evasion Techniques
• Negative Testing
• About BreakingPoint

Introduction

With more and more corporate data being placed on corporate networks, it is vitally important to protect that data from malicious activities. An Intrusion Prevention System (IPS) is designed to detect malicious activities and drop or sanitize the packets while allowing legitimate traffic to access the corporate network. Thoroughly testing IPS devices is essential to ensuring that they work properly. If the IPS device is not working properly, malicious traffic containing viruses, worms and backdoors can easily gain access to the corporate network and cause a great deal of problems, potentially bringing down the network.

Performing a series of measurements using the BreakingPoint Storm CTM on the IPS will help determine the actual performance, security and stability of the IPS under real-world conditions. For instance, the IPS device might be able to detect and mitigate malicious activity when network traffic is light. However, when network traffic becomes heavy, the IPS device might detect significantly less malicious activity. Using the BreakingPoint Storm CTM you can expose previously impossible-to-detect vulnerabilities in your IPS before they are exploited to compromise your customer data, corporate assets, brand reputation and even national security.

The test environment should emulate the actual deployment environment as closely as possible. Directly connected devices such as routers, switches and firewalls will have an effect on packet loss, latency and data integrity. The number of advertised host IP and MAC addresses, VLAN tagging, and NAT will also affect the performance of an IPS.

If it is not feasible to fully recreate the deployment environment, the BreakingPoint Storm CTM should be connected directly to the IPS.

All IPS devices and builds being evaluated must use the same test environment to ensure consistent results.

Baseline Application Performance: Maximum Connections

Determine the number of connections per second that the IPS is able to handle. This will validate the performance of the IPS when sending only good traffic with an “Allow All” policy. The TCP setup time will be analyzed to determine how a greater number of TCP connections per second affect the time it takes to establish the TCP connection.

Baseline Application Performance: Throughput

Determine the throughput that the IPS is able to handle. This will validate the throughput performance the IPS is able to handle when sending only good traffic with an “Allow All” policy. The overall throughput that the IPS is able to support will be determined.

Baseline Attack Mitigation Traffic: SYN Flood

Determine a baseline measurement for how the IPS performs when handling a SYN flood. Once a baseline has been established, it will be compared with the results from the tests that blend both application and malicious traffic. The number of attempted sessions for the SYN flood will be determined as well as the number of attempted sessions for the SYN flood that were blocked by the IPS.

Baseline Attack Mitigation Traffic: Malicious Traffic

Determine the ability of the IPS to remain stable while vulnerabilities, worms and backdoors are transmitted through it. To perform this test, the BreakingPoint Storm CTM will be configured to use an Attack Series that includes high-risk vulnerabilities, worms and backdoors. IPS devices have functionality that may block some of the attacks. The number of attacks blocked by the IPS will be determined as well as the number of attacks that were able to pass through the IPS.

Application Traffic with SYN Flood

Determine a baseline measurement for how the IPS performs when handling a malicious SYN flood. Once a baseline has been established, it will be compared with the results from the tests that blend both application and malicious traffic. The number of attempted sessions for the SYN flood will be determined as well as the number of attempted sessions for the SYN flood that were blocked by the IPS.

Application Traffic with Malicious Traffic

Determine the ability of the IPS to remain stable while vulnerabilities, worms and backdoors are transmitted through it. To perform this test, the BreakingPoint Storm CTM will be configured to use an Attack Series that includes high-risk vulnerabilities, worms and backdoors.

Application Traffic with Malicious Traffic and SYN Flood

This test determines the ability of the IPS to handle application traffic, a SYN flood and malicious traffic. The results will be compared to both the Throughput Test and the SYN Flood Test. Again, the IPS’s ability to detect and mitigate a SYN flood will be determined. Also, the effect of the malicious traffic on the application traffic’s throughput, latency, time-to-open, and time-to-close will be analyzed. Finally, the IPS’s ability to detect and mitigate the same number of attacks as in the previous Security tests will be tested.

Jumbo Frames

This test uses the Throughput test, except the Maximum Segment Size (MSS) parameter will be increased. The maximum transmission unit (MTU) size of the port will be verified and increased if needed. This test will determine if the IPS was able to perform better, worse or the same when handling jumbo frames. These results will be compared to those from the Throughput Test.

IP, UDP and TCP Fuzzing

The BreakingPoint Storm CTM will be configured to use the Stack Scrambler component. This test component has the ability to send malformed IP, UDP, TCP and Ethernet packets to the IPS. The fuzzing technique will modify parts of the packet, such as checksums and protocol options, to generate the corrupted data. The IPS’s ability to handle malformed packets will be determined. Take notice if the IPS crashes during the test, as this is the most important sign that the IPS is not able to appropriately handle the malformed packets. Also, analyze the effects the malformed packets had on the application traffic and determine if the IPS’s attack detection and mitigation capabilities were affected.

Protocol Fuzzing

This test will utilize the Security test component. This time the Security test component will fuzz application layer frames. The IPS’s ability to handle malformed application layer frames will be determined.

Evasion Techniques

The Application Traffic with Malicious Traffic test will be used as a starting point for this test. The Security test component will have changes made to its configuration. These changes will configure different evasion techniques that might create false negatives.

Negative Testing

The Maximum Connections test will be used as a starting point. Changes will then be made to a Super Flow. This Super Flow will then be sent through the IPS. It will be determined how well the IPS unit was able to handle the negative testing.

Baseline Application Performance: Maximum Connections

RFC:

• RFC 793 – Transmission Control Protocol

Overview:

The specifications from the IPS data sheet will be used to determine if the IPS meets or exceeds the stated capacity. To determine the capabilities, a Session Sender test component will be used to push the IPS beyond its stated supported limits.

Objective:

To evaluate the IPS’s ability to create and maintain sessions.

Setup:

1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, type your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Control Center > Network Neighborhood.

5. Under the Network Neighborhoods heading, click the Create a new network neighborhood button.

6. In the Give the new network neighborhood a name box enter IPS Tests as the name and click OK.

7. Notice four Interface tabs are available for configuration. Only two are required for the tests. The first interface tab should be selected; click the X to delete this interface. When prompted about removing the interface click Yes. The remaining interfaces will be renamed. Repeat this process until only two interfaces are left.

8. With Interface 1 selected, configure the Network IP Address, Netmask, Gateway IP Address, Router IP Address, the Minimum IP Address, and the Maximum IP Address. Click Apply Changes.

9. Select the Interface 2 tab. Configure the Network IP Address, Netmask and the Gateway IP Address. Using the Type drop-down menu select Host. Finally the Minimum IP Address and the Maximum IP Address can be configured. Click Apply Changes, then click Save Network.

10. Now that the Network Neighborhood has been created, the test can be configured. Select Test > New Test.

11. Under the Test Quick Steps, click Select the DUT/Network.

12. In the Choose a device under test and network neighborhood window under the Device Under Test(s) section, verify BreakingPoint Default is selected. Under Network Neighborhood(s), verify that the newly created one is selected. Click Accept.

13. When prompted about switching Network Neighborhoods because the current setup contains more interfaces, click Yes.

14. Under Test Quick Steps, click Add a Test Component.

15. In the Select a component type window, click Session Sender (L4).

16. Under the Information tab enter a name of Maximum Connections and click Apply Changes.

17. Select the Interfaces tab. Verify that only Interface 1 Client and Interface 2 Server are enabled.

18. Select the Parameters tab. Several parameters will be changed in this section. The first parameter that needs to be changed is the TCP Session Duration (segments) to a value of 4. Click Apply Changes.

19. Under the Data Rate section, change Minimum data rate to 90% of the total bandwidth possible, and click Apply Changes.

20. Next under the Session Ramp Distribution tab, several parameters will be changed. First, using the Ramp Up Behavior drop-down menu, select Full Open + Data + Close. Next, change Ramp Up Seconds to 30 and change Steady-State Seconds to 120. Finally, change Ramp Down Duration to 30 and click Apply Changes. Scrolling may be required in order to change some of the parameters.

21. The last parameters that need to be changed are in the Session Configuration section. The Maximum Simultaneous Sessions should be changed to 33% of the IPS’s stated maximum. The Maximum Sessions Per Second should be changed to 200% of the IPS’s ability. Click Apply Changes.

22. If desired, enter a description for the test under the Test Information section.

23. Verify that the Test Status has a green checkmark. If it does not have a green checkmark, click Test Status and make the required changes.

24. Before running the test, the test component needs to be saved as a preset. This will allow for quicker and easier configuration later. Right-click on the test component and select Save Component As Preset.

25. When prompted for a name to save the preset as, enter IPS Maximum Connections and click Save.

26. Under Test Quick Steps, click Save and Run.

27. When prompted for a name to save the test as, enter IPS Maximum Connections and click Save.

The Summary tab initially will be displayed. A great amount of information is seen on this screen from the TCP Connection Rate to the Cumulative TCP Connections to the Bandwidth being used.

28. Select the TCP tab. This will display the TCP Connections per Second and allow the ability to determine the current number of Attempted and Successful TCP Connection Rate. Using this view determine the maximum number of new sessions per second open during the ramp-up phase, the maximum maintained during the steady-state phase and the maximum opened during the steady-state phase.

29. Once the test completes, a window will appear, stating the test passed. Click Close to continue.

30. Next, select the View the report button.

31. Expand the Test Results for Maximum Connections folder, and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.

32. Next, select TCP Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.

33. Select TCP Close Time. The shorter the TCP Close Time the better, as the DUT is able to close out the current connection quickly and free resources to be able to open a new connection.

34. Select Frame Latency. The shorter the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.

Other tests can also be performed. The following are some examples that can be run:

• Vary the TCP Segment size.

• Change the Distribution type to random.

• Change the TCP Session Duration (segments).

• Increase the test time for a longer test.

• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
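
Steps 28 through 34 read the per-phase maxima off the GUI; the same reading can be made from exported per-second samples. The following is an added example, not BreakingPoint code: the sample tuple layout, the stated rate of 10,000 connections per second and the constructed device that saturates at 12,000 are assumptions, while the 30/120/30-second phases and the 200% offered load come from steps 20 and 21.

```python
RAMP_UP, STEADY, RAMP_DOWN = 30, 120, 30   # seconds, from step 20


def phase(t):
    """Map a sample time (seconds from test start) to its test phase."""
    if t < RAMP_UP:
        return "ramp_up"
    if t < RAMP_UP + STEADY:
        return "steady"
    return "ramp_down"


def summarize(samples, stated_cps, tolerance=0.99):
    """Summarize (t, attempted_cps, successful_cps, open_sessions) samples.

    `tolerance` is an assumed threshold: the device is treated as saturated
    from the first second where successful < tolerance * attempted.
    """
    by_phase = {"ramp_up": [], "steady": [], "ramp_down": []}
    saturation = None
    for sample in sorted(samples):
        t, attempted, successful, _ = sample
        by_phase[phase(t)].append(sample)
        if saturation is None and attempted and successful < tolerance * attempted:
            saturation = {"t": t, "attempted_cps": attempted,
                          "successful_cps": successful}
    steady = by_phase["steady"]
    offered = sum(s[1] for s in steady)
    max_new_steady = max((s[2] for s in steady), default=0)
    return {
        # Values step 28 asks for:
        "max_new_ramp_up": max((s[2] for s in by_phase["ramp_up"]), default=0),
        "max_open_steady": max((s[3] for s in steady), default=0),
        "max_new_steady": max_new_steady,
        # Share of offered connections that actually completed at steady state.
        "steady_success_ratio": sum(s[2] for s in steady) / offered if offered else 0.0,
        "saturation": saturation,
        "meets_stated_cps": max_new_steady >= stated_cps,
    }


def constructed_run(stated_cps=10_000, device_limit=12_000):
    """Constructed samples: load ramps to 200% of stated_cps (step 21) and a
    hypothetical device stops accepting new connections above device_limit."""
    peak = 2 * stated_cps
    total = RAMP_UP + STEADY + RAMP_DOWN
    samples = []
    for t in range(total):
        if t < RAMP_UP:
            attempted = peak * (t + 1) // RAMP_UP
        elif t < RAMP_UP + STEADY:
            attempted = peak
        else:
            attempted = peak * (total - t) // RAMP_DOWN
        successful = min(attempted, device_limit)
        # Short 4-segment sessions: assume half of each second's opens are still open.
        samples.append((t, attempted, successful, successful // 2))
    return samples


if __name__ == "__main__":
    for key, value in summarize(constructed_run(), stated_cps=10_000).items():
        print(f"{key}: {value}")
```

The saturation entry gives the offered rate at which attempted and successful connections first diverge, which is the number to compare against the data sheet.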

Baseline Application Performance: Throughput

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

A similar test setup as the previous one will be used. An Application Simulator test component will be used to generate, at maximum, 33% of the effective session capacity of the IPS as determined in the previous test, while trying to maximize throughput.

Objective:

To evaluate the IPS’s ability to forward a wide variety of application traffic and the overall rate that it is able to do so.

Setup:

1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter in your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under Test Quick Steps, click Select the DUT/Network.

6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed click Accept.

7. When prompted that the current test setup contains more interfaces, click Yes.

8. Under Test Quick Steps, click Add a Test Component.

9. In the Select a component type window, click Application Simulator (L7).

10. Under the Information tab enter a name of Maximum Throughput and click Apply Changes.

11. Select the Interfaces tab. Verify that Interface 1 Client is enabled and Interface 2 Server is enabled.

12. Select the Presets tab and select Enterprise Apps. Once completed, click Apply Changes.

13. Select the Parameters tab. Several parameters will need to be changed. The first parameter that needs to be changed is in the Data Rate section. Change the Minimum data rate to 90% of the total available bandwidth, and click Apply Changes.

14. Next under the Session Ramp Distribution section, several parameters will be changed. First, using the Ramp Up Behavior drop-down menu, select Full Open + Data + Close. Next, change Ramp Up Seconds to 30 and change Steady-state Seconds to 120. Finally, change Ramp Down Duration to 30 and click Apply Changes. Scrolling may be required to change some of the parameters.

15. The next parameters that need to be changed are in the Session Configuration section. Change Maximum Simultaneous Sessions to 33% of the session capacity of the DUT. Also, change the Maximum Sessions Per Second to 25% of the ability of the DUT.

16. If desired, enter a description for the test under the Test Information section.

17. Verify that the Test Status has a green checkmark. If it does not have a green checkmark, click Test Status and make the required changes.

18. Before running the test, the test component needs to be saved as a preset. This will allow for quicker and easier configuration later. Right-click on the test component, and select Save Component As Preset.

19. Enter IPS Maximum Throughput as the name, and click Save.

20. Under Test Quick Steps, click Save and Run.

21. When prompted to save the test, enter a name of IPS Maximum Throughput and click Save.

22. The Summary tab will initially be displayed. A great amount of information is seen on this screen: TCP Connection Rate, Cumulative TCP Connections and Interface Bandwidth.

23. Select the TCP tab. This will display the TCP Connections per Second and allow the ability to determine the Attempted TCP Connection Rate and Successful TCP Connection Rate.

24. Select the Application tab. Detailed results about each protocol may be viewed. Use the drop-down menus to select different applications.

25. Once the test completes, a window will appear, stating the test passed. Click Close.

26. Next, select the View the report button.

27. Expand the Test Results for Maximum Throughput folder, and select Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.

28. Next, select Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.

29. Select TCP Close Time. The shorter the TCP close time, the better, as the DUT is able to close out the current connection quickly and free resources to be able to open a new connection.

30. Select Frame Latency. The shorter the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.

31. Select Transmitted Frame Size. This provides a breakdown of frame sizes that were transmitted.

32. Next, expand the Detail folder and also expand the App Concurrent Flows: by protocol folder. Select the first item, App Concurrent Flows: protocol aol, and determine how the different protocols were handled. View the entire list.

33. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine how all the protocols were handled by the DUT.

34. Select Frame Data Rate and determine the maximum throughput the DUT was able to handle.

Other variations of this test can be run. The following are a few examples:

• Increase both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10%, until 80% has been reached.

• Use different presets, such as the Service Provider App or a custom application profile.

• Increase the duration of the test time.

• If Hot Standby is going to be used, perform a test that shows how traffic is affected.

Baseline Attack Mitigation: SYN Flood

RFC:

• RFC 793 – Transmission Control Protocol

• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview:

A SYN Flood is when a client starts a TCP connection but never sends an ACK and keeps trying to initiate TCP connections. This is harmful to an IPS, as it has to provide resources to the TCP connection requests. The IPS likely has the ability to detect and prevent the SYN Flood. A Session Sender test component will be used to create a SYN Flood to attack the IPS.

Objective:

To evaluate the IPS’s ability to detect and mitigate a SYN flood.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under Test Quick Steps, click Select the DUT/Network.


6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.

7. When prompted that the current test setup contains more interfaces, click Yes.


8. Under Test Quick Steps, click Add a Test Component.

9. In the Select a component type window, click Session Sender (L4).

10. The Information tab should already be selected. Change the name of the test component to SYN Flood and click Apply Changes.


11. Select the Parameters tab. Several parameters will be changed in this section. First, change TCP Sessions Duration (segments) to 0. Click Apply Changes once completed.

12. In the Data Rate section, change the Minimum data rate to 10% of overall bandwidth, and click Apply Changes.

13. Next, in the Session Ramp Distribution section, use the Ramp Up Behavior drop-down menu and select SYN Only. Change Ramp Up Seconds to 120, Steady-State Seconds to 0 and Ramp Down Seconds to 0. Scrolling down will be required to update some of the parameters. Click Apply Changes once complete.


14. Finally, in the Session Configuration section, verify Maximum Simultaneous Sessions is set to 1,000,000. Change Maximum Sessions Per Second to 45,000. Click Apply Changes once completed.

15. If desired, change the test Description under the Test Information section.

16. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.

17. Before running the test, the test component needs to be saved as a preset for use in later tests (saving as a preset allows for quicker and easier configuration). Right-click on the test component, and select Save Component As Preset.


18. When prompted for a name to save the preset as, type IPS SYN Flood and click Save.

19. Finally, under Test Quick Steps, click Save and Run.

20. When prompted to save the test, type IPS SYN Flood as a name.


21. Under the Summary tab it is possible to determine how the IPS is handling the SYN Flood attack. Under TCP Connection Rate under Client, there should be a value only for Attempted. For Cumulative TCP Connections, a value should be present only for Client Attempted. The Bandwidth for Rx should be very low, if not 0.

22. Select the TCP tab. No Successful connections should be present; this is another way of verifying that the IPS is successfully handling the SYN Flood attack.


23. When the test finishes, a new window will appear, stating the test failed. This is expected, as no connections were successfully made. Click Close.

24. Click the View the Report button.

25. Expand the Test Results for SYN Flood folder and select TCP Summary. Verify that Client attempted has a value and that both Client established and Server established are 0. This means that the IPS was able to successfully handle the SYN Flood.

Other test variations can also be run. The following are a couple of variations:

• Increase the test length for a longer SYN attack.

• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
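Why a sustained SYN-only ramp costs a stateful device resources, as an added example that is not part of the original methodology or of any BreakingPoint tooling: a second-by-second model of half-open entries under the ramp configured in steps 13 and 14 (120 seconds up to 45,000 sessions per second). The 1,000,000-entry table, the fixed per-entry timeout and the linear ramp are assumptions about the device under test.

```python
"""Added example: half-open state a device must hold during the SYN-only ramp."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Values taken from the test configuration on this page.
RAMP_UP_SECONDS = 120          # Ramp Up Seconds
PEAK_SYN_PER_SECOND = 45_000   # Maximum Sessions Per Second

# Assumption, not from the page: the DUT keeps one table entry per SYN it has
# seen and holds it for a fixed timeout because the handshake never completes.
ASSUMED_TABLE_SIZE = 1_000_000


@dataclass
class RampResult:
    offered: int                       # SYNs offered over the whole ramp
    untracked: int                     # SYNs that arrived while the table was full
    peak_entries: int                  # highest half-open entry count reached
    first_full_second: Optional[int]   # first second without room, or None


def simulate_ramp(table_size: int, timeout_s: int,
                  ramp_s: int = RAMP_UP_SECONDS,
                  peak_rate: int = PEAK_SYN_PER_SECOND) -> RampResult:
    """Model table occupancy while the SYN rate ramps linearly to peak_rate."""
    if table_size < 1 or timeout_s < 1 or ramp_s < 1:
        raise ValueError("table_size, timeout_s and ramp_s must be positive")
    window = deque()   # entries admitted in each of the last timeout_s seconds
    entries = offered_total = untracked = peak_entries = 0
    first_full = None
    for second in range(1, ramp_s + 1):
        # Entries admitted timeout_s seconds ago expire now.
        if len(window) == timeout_s:
            entries -= window.popleft()
        offered = peak_rate * second // ramp_s      # linear ramp (assumption)
        admitted = min(offered, table_size - entries)
        if admitted < offered and first_full is None:
            first_full = second
        window.append(admitted)
        entries += admitted
        offered_total += offered
        # What happens to these depends on the device: dropped, oldest entry
        # recycled, or handled statelessly. The model only counts them.
        untracked += offered - admitted
        peak_entries = max(peak_entries, entries)
    return RampResult(offered_total, untracked, peak_entries, first_full)


def longest_safe_timeout(table_size: int, syn_rate: int) -> int:
    """Largest whole-second timeout for which syn_rate * timeout fits the table."""
    return table_size // syn_rate


if __name__ == "__main__":
    for timeout in (10, 22, 30):
        r = simulate_ramp(ASSUMED_TABLE_SIZE, timeout)
        print(f"timeout={timeout:>2}s peak={r.peak_entries:>9,} "
              f"untracked={r.untracked:>7,} full_at={r.first_full_second}")
    print("longest safe timeout at peak rate:",
          longest_safe_timeout(ASSUMED_TABLE_SIZE, PEAK_SYN_PER_SECOND), "s")
```

Shortening the half-open timer is one of the mitigations RFC 4987 describes; under these assumptions the same table survives the ramp with a 10 or 22 second timer and fills with a 30 second one.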


Baseline Attack Mitigation: Malicious Traffic

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

It is important to evaluate how malicious traffic will affect the performance of an IPS. A Security test component will be used in this test. Five default attack series are available to use, but during this test only Security Level 1 will be used. Security Level 1 includes high-risk vulnerabilities in services often exposed to the Internet.

Objective:

To evaluate the IPS’s ability to detect and mitigate vulnerabilities, worms and backdoors.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under Test Quick Steps, click Select the DUT/Network.


6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.

7. When prompted that the current test setup contains more interfaces, click Yes.


8. Under Test Quick Steps, click Add a Test Component.

9. In the Select a component type window, select the Security test component.

10. Under the Information tab, enter the name Malicious Traffic and click Apply Changes.


11. Select the Interfaces tab and verify Interface 1 Client is enabled and Interface 2 Server is enabled.

12. Select the Presets tab, and select Security Level 1. Click Apply Changes.

13. Select the Parameters tab. The defaults are all okay. If repeatable strikes are required, change the Random Seed to a value higher than 0.


14. If desired, change the test Description under the Test Information section.

15. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.

16. Before running the test, the test component needs to be saved as a preset for use in later tests (saving as a preset allows for quicker and easier configuration). Right-click on the test component, and select Save Component As Preset.

17. When prompted for a name to save the preset as, type IPS Malicious Traffic and click Save.


18. Finally, under Test Quick Steps, click Save and Run.

19. When prompted to save the test, type IPS Malicious Traffic as a name.

20. Select the Attacks tab. This provides a view that shows the number of blocked attacks and the number of attacks that have been allowed to pass through the DUT.


21. When the test completes, a window will appear, stating that malicious traffic was able to pass through the DUT. Click Close.

22. When the test completes, click the View the report button.

23. Expand the Test Results for Malicious Traffic folder and select Strike Results. Determine the number of strikes that were allowed to pass through the DUT and the number that were blocked.


Other variations of this test can be performed. Below is a list of some of the other tests:

• Increase the test length for a longer malicious traffic attack.

• Change the Security Level.

• Use different presets, such as the Service Provider App or a custom application profile.

• Use a different random seed.

• If Hot Standby is going to be used, perform a test that shows how traffic is affected.


Application Traffic with SYN Flood

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview:

Since tests for application performance and a SYN Flood have already been configured and saved as presets, they will be used in this test. Two test components will be used during this test, an Application Simulator and a Session Sender component.

Objective:

To combine application traffic with SYN flood traffic and compare the results against the results from the Throughput Test and the SYN Flood Test.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.

5. Before continuing with configuration of the test, click Save As.


6. When prompted for a name to save the test as, type App Traff with SYN Flood and click Save.

7. Under the Test Quick Steps, click Add a Test Component.

8. In the Select a component type window, select the Session Sender (L4).


9. The Information tab should be selected. Type the name SYN Flood and click Apply Changes.

10. Select the Presets tab, and select the IPS SYN Flood preset. Click Apply Changes once complete.

11. If desired, change the test Description under the Test Information section.

12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.


13. Under Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.


Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.

14. Once the test completes, a new window will appear, stating that the test failed. This is expected, as the IPS should be blocking a majority of the protocols being transmitted. Click Close to continue.


15. Select the View the report button. This will open more detailed results in a Web browser.

16. To determine the ability of the IPS to handle a SYN flood while also processing legit traffic, expand Test Results for SYN Flood and select TCP Summary. Verify that no client was able to establish a connection and that no servers established connections either. Once done viewing these results, for easier navigation minimize Test Results for SYN Flood.

17. Expand Test Results for Maximum Throughput and select TCP Setup Time. Again, the quicker the setup times, the better, as the IPS is able to react and respond to the incoming request. Determine the effect the SYN flood had on the TCP setup time of the application traffic.


18. Select TCP Response Time. Just as with TCP Setup Time, the quicker the response times, the better. Determine the effect the SYN flood had on the TCP response time of the application traffic.

19. Next, select TCP Close Time. The quicker the IPS is able to close the TCP connection, the quicker it frees up those resources and can use them to start a new connection. Determine the effect the SYN flood had on the TCP close time of the application traffic.

20. Select Frame Latency, and determine how the SYN flood affects the latency of the application traffic.


21. Expand the Detail folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.

22. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.

23. Compare all the results collected from the current test with the baseline tests to determine any differences.

24. If any test variations were run with either the Baseline Application Performance: Throughput or the Baseline Attack Mitigation: SYN Flood tests, make sure to run those variations on this test too.


Application Traffic with Malicious Traffic

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

Since tests for application performance and malicious traffic have already been configured and saved as presets, they will be used in this test. Two test components will be used during this test, an Application Simulator and a Security component.

Objective:

To combine application traffic with malicious traffic and compare the results with the results from the security test.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.

5. Before continuing with configuration of the test, click Save Test As.


6. When prompted for a name to save the test as, type App Traff Malicious Traffic and click Save.

7. Under the Test Quick Steps, click Add a Test Component.

8. In the Select a component type window, select the Security test component.


9. The Information tab should be selected. Type Malicious Traffic for the name, and click Apply Changes.

10. Select the Presets tab. Select IPS Malicious Traffic, and click Apply Changes.

11. If desired, enter a test Description under the Test Information section.


12. Verify that Test Status has a green checkmark next to it. If it does not have a green checkmark, click Test Status and make the required changes.

13. Under Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and the overall bandwidth currently being utilized.


Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.

14. Select the Attacks tab. This will provide real-time information about how the IPS is performing with the malicious traffic. As can be seen in the image below, some attacks have been allowed.


15. When the test completes, a window will appear saying the test failed. Click Close.

16. Select the View the report button. This will open up more detailed results in the browser.

17. Expand the Test results for Malicious Traffic folder and select Strike Results. Determine how well the DUT was able to handle the different strikes and maintain blocking them while still transmitting regular traffic. Once completed, collapse Test results for Malicious Traffic.


18. Expand the Test Results for Generic Traffic folder, and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time.

19. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker.

20. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to quickly free those resources.


21. Select Frame Latency, and determine the effect malicious traffic had on the overall latency.

22. Next, expand the Details folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.

23. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.


24. Finally, select Frame Data Rate, and determine how the malicious traffic affects the data rate.

25. Compare all the results collected from the current test with the baseline tests to determine any differences.

26. If any test variations were run with either the Baseline Application Performance Test: Throughput or the Baseline Attack Mitigation: SYN Flood, make sure to run those variations on this test too.
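One way to record the comparison against the baseline tests that this procedure ends with, as an added example rather than BreakingPoint functionality: values read off the report sections named above are typed into dictionaries and checked against the SYN Flood pass criterion, the strike counts and a regression tolerance. All numbers are constructed sample values, the 10% tolerance is an assumption, and each metric is assumed to use the same unit in both runs.

```python
"""Added example: compare a blended run against the baseline runs."""
from typing import Dict, List, Tuple

# Report sections named in the procedure; True means a larger value is better.
LARGER_IS_BETTER = {
    "TCP Setup Time": False,
    "TCP Response Time": False,
    "TCP Close Time": False,
    "Frame Latency": False,
    "Frame Data Rate": True,
}


def syn_flood_held(tcp_summary: Dict[str, int]) -> bool:
    """SYN Flood criterion: attempts were seen and nothing was established."""
    return (tcp_summary["Client attempted"] > 0
            and tcp_summary["Client established"] == 0
            and tcp_summary["Server established"] == 0)


def strike_block_rate(blocked: int, allowed: int) -> float:
    """Fraction of strikes in Strike Results that the DUT blocked."""
    total = blocked + allowed
    if total == 0:
        raise ValueError("no strikes recorded")
    return blocked / total


def compare_to_baseline(baseline: Dict[str, float], blended: Dict[str, float],
                        tolerance: float = 0.10) -> List[Tuple[str, float, bool]]:
    """Return (metric, relative change, regressed) for metrics in both runs."""
    rows = []
    for metric, larger_better in LARGER_IS_BETTER.items():
        if metric not in baseline or metric not in blended:
            continue  # section not transcribed for one of the runs
        base, now = baseline[metric], blended[metric]
        if base == 0:
            raise ValueError(f"baseline for {metric} is zero")
        change = (now - base) / base
        worse_by = -change if larger_better else change
        rows.append((metric, round(change, 4), worse_by > tolerance))
    return rows


def regressed_metrics(baseline: Dict[str, float], blended: Dict[str, float],
                      tolerance: float = 0.10) -> List[str]:
    """Names of the metrics that moved the wrong way by more than tolerance."""
    return [m for m, _, bad in compare_to_baseline(baseline, blended, tolerance)
            if bad]


# Constructed sample values, not results from any real device.
BASELINE = {"TCP Setup Time": 400, "TCP Response Time": 800,
            "TCP Close Time": 500, "Frame Latency": 120, "Frame Data Rate": 900}
BLENDED = {"TCP Setup Time": 520, "TCP Response Time": 840,
           "TCP Close Time": 700, "Frame Latency": 150, "Frame Data Rate": 780}
SYN_TCP_SUMMARY = {"Client attempted": 2_722_500,
                   "Client established": 0, "Server established": 0}

if __name__ == "__main__":
    print("SYN flood held:", syn_flood_held(SYN_TCP_SUMMARY))
    print("Strike block rate:", strike_block_rate(blocked=90, allowed=10))
    for metric, change, bad in compare_to_baseline(BASELINE, BLENDED):
        print(f"{metric:<18} {change:+.1%} {'REGRESSED' if bad else 'ok'}")
```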


Application Traffic with Malicious Traffic and SYN Flood

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview:

Since tests for application performance, malicious traffic and a SYN Flood have already been configured and saved as presets, they will be used in this test. Three test components will be used during this test, an Application Simulator, a Security component and a Session Sender component. This test will determine the ability of the IPS to handle malicious traffic while also having to deal with a SYN Flood and allowing good traffic to pass through.

Objective:

To send a blend of application traffic with a SYN Flood and malicious traffic to the IPS and to compare the results of this test against the results of the baseline tests.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > App Traff with Malicious Traffic.

5. Before continuing with configuration of the test, click Save Test As.


6. When prompted for a name to save the test as, type App Traff with Malicious Traffic and SYN Flood and click Save.

7. Under the Test Quick Steps, click Add a Test Component.

8. In the Select a component type window, select the Session Sender (L4) test component.


9. The Information tab should be selected. Type SYN Flood as the name and click Apply Changes.

10. Select the Presets tab. Locate IPS SYN Flood in the list, and click Apply Changes.

11. With the addition of the Session Sender test component, the interfaces have become oversubscribed. Select the Maximum Throughput test component, and then select the Parameters tab. Change the Minimum data rate to 85% of the total available bandwidth, and click Apply Changes.


12. Verify that the Test Status has a green checkmark. If not, click on Test Status and make the required changes.

13. If desired, edit the test Description under the Test Information section.

14. Under the Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.


Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.

15. Select the Attacks tab. This provides a real-time look into how the IPS is performing with the malicious traffic. As can be seen from the image below, some of the attacks are being allowed to pass through the IPS.


16. Once the test completes, a new window will appear, stating the test criteria failed. Click Close to continue.

17. Click the View the report button. This will open detailed results in a browser window.

18. Expand Test Results for SYN Flood and select TCP Summary. Verify that no TCP connections were established. Collapse Test Results for SYN Flood once completed.


19. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the IPS was able to block and not allow different strikes to pass through. Again, collapse Test Results for Malicious Traffic once completed.

20. Expand Test Results for Maximum Throughput and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time. The TCP setup time has been affected and has increased.


21. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker. Again, the TCP response time has increased.

22. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources. The TCP close time has also increased compared to the baseline tests.


23. Select Frame Latency and determine the effect malicious traffic and the SYN flood had on the overall latency.

24. Next, expand the Details folder. Also, expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.


25. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.

26. Finally, select Frame Data Rate and determine how the malicious traffic and SYN Flood affected the data rate.

27. Compare all the results collected from the current test with the baseline tests to determine any differences.

28. If any test variations were run with either the Baseline Application Performance Test: Throughput, the Baseline Attack Mitigation: Malicious Traffic or Baseline Attack Mitigation: SYN Flood, make sure to run those variations on this test too.


Jumbo Frames

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

• RFC 894 – A Standard for the Transmission of IP Datagrams over Ethernet

Overview:

The Throughput test will be used as a starting point in this test. Once the test is opened, the Maximum Segment size will be changed to 4,000 to send jumbo frames.

Objective:

To analyze how the IPS handles jumbo frames.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter in your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.

5. Before continuing with configuration of the test, click Save Test As.


6. When prompted for a name to save the test as, type IPS Jumbo Frames.

7. Select the Parameters tab and under the TCP Configuration section, change the Maximum Segment Size (MSS) to a value greater than 1500 but less than 9142. In this example, a 4000-byte packet was used. Once the changes have been completed, click Apply Changes.

8. Next, select Control Center > Device Status.


9. When prompted about saving the test due to changes, click Yes.

10. Right-click on a reserved port, and select Configure Port.

11. Verify that the MTU is large enough, and click Close. If needed, increase the MTU size, and click Apply. Repeat this process for the other reserved port too.


12. To return to the test configuration, select Test > Open Recent Tests > IPS Jumbo Frames.

13. Under the Test Information section, edit the test Description.

14. Verify that the Test Status has a green checkmark. If it does not contain a green checkmark, click Test Status and make the required changes.

15. Under Test Quick Steps, click Save and Run.


The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.

16. Once the test completes, a new window will appear stating that the test either passed or failed. Click Close to continue.


17. Click the View the report button. This will open a Web page containing more detailed results.

18. Expand the Test Results for Maximum Throughput folder, and select App Bytes Transmitted. This will display a byte count that each protocol transmitted.


19. Expand the Details folder, and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly handle the requests and continue operating as expected.

20. Select TCP Response Time. Again, the shorter the TCP response time, the better, as the DUT is able to quickly respond to requests and continue operating.


21. Expand the Detail folder. Select the Frame Data Rate, and determine the maximum transmit and receive rate using the graph and the table.

22. To determine how each protocol was handled by the IPS, five different results will be viewed. Under the Detail folder, expand and analyze the results of the following: App Concurrent Flows: by protocol, App Throughput: by protocol, App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol.

23. Using the results from the current test and the results from the Throughput test, determine if the IPS performed better, worse or the same when handling jumbo frames. Other test variations can also be run. The following are some test variation examples:

• Test several different sizes of jumbo frames, specifically making sure to test the 9,000-byte frame.

• Increase the test duration.

• If Hot Standby is going to be used, perform a test that shows how traffic is affected.


IP, UDP and TCP Fuzzing

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

The Throughput test will be used as a starting point and a Stack Scrambler component will be used too. The Stack Scrambler tests the integrity of different protocols by sending malformed IP, UDP, TCP and Ethernet packets to the IPS. The fuzzing technique will modify only a single part of the packet to generate corrupt data.

Objective:

To send fuzzed traffic through the IPS and determine how it affects the IPS and other protocols.

Setup:


1. Open your favorite Web browser, and connect to the BreakingPoint Storm CTM. Once the page has loaded, click Start BreakingPoint Systems Control Center.

2. Log in to the BreakingPoint Storm CTM by entering your Login ID and Password. Once done, click Login.


3. Once logged in, reserve the required ports to run the test.

4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.

5. In the lower left, click Save Test As.


6. A dialog box will appear asking for a name to save the test as. Type IPS Fuzzing and click Save.

7. Under the Test Quick Steps, click Add a Test Component.

8. From the Select a component type, choose the Stack Scrambler (Fuzzer) component.


9. Under the Information tab, change the name to IPS Fuzzer and click Apply Changes.

10. Select the Interfaces tab. Verify that only the Interface 1 Client and Interface 2 Server are enabled.

11. Select the Parameters tab. Define the percentages of traffic that will have malformed IP version, bad TCP options, Bad Urgent Pointer and Bad IP Checksums. After each one, make sure to click Apply Changes.


12. If fuzzing through a stateful device such as an IPS unit, it is important that you set the Establish TCP Sessions parameter to true. Otherwise, malformed TCP packets will be dropped.

13. With the addition of the Stack Scrambler, the interfaces have become oversubscribed. Select the Maximum Throughput test component, and then select the Parameters tab. Change the Minimum data rate parameter in the Data Rate section to 85% of the total available bandwidth, and click Apply Changes.


14. Before running the test, the test component needs to be saved as a preset for use in later tests. Saving as a preset allows for quicker and easier configuration. Right-click on the test component, and select Save Component As Preset.

15. When prompted for a name to save the preset as, type IPS Fuzzer and click Save.

16. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.


17. Under Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.


18. When the test completes, a window will appear stating that the test failed. Click Close.

19. Next, click the View the report button. This will open detailed results in a new browser window.


20. Expand Test Results for Maximum Throughput and then expand the Details folder. Select the Frame Data Rate. Determine how the fuzzing affected the overall data frame rate.

21. Next, expand the App Throughput: by protocol folder and select the first item, App Throughput: protocol aol. Determine the Application data transmit and receive rate for each of the listed protocols.


22. Repeat the above process with the App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol.

23. With the recently collected data, determine if the malformed packets had any effect on the application traffic. Also, determine if the malformed packets caused any issues with the IPS, such as a crash.

24. If any variations were performed with the Baseline Application Performance Test: Throughput, make sure to repeat those variations with this test.
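A capture-side check for the four malformation classes configured in step 11 (malformed IP version, bad TCP options, bad urgent pointer, bad IP checksum), useful in step 23 when deciding which fuzzed packets reached the far side of the IPS. This is an added example, not BreakingPoint code: the function names, the finding labels and the urgent-pointer rule are assumptions, and the sample packets are constructed in memory.

```python
import struct
from collections import Counter

URG = 0x20  # TCP URG flag bit


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_options_ok(options: bytes) -> bool:
    """Walk the kind/length option list; False on any structural error."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:          # End of Option List
            return True
        if kind == 1:          # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            return False       # kind byte with no length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return False       # impossible length, or overrun of the header
        i += length
    return True


def classify(packet: bytes) -> list:
    """Return anomaly labels for one packet whose EtherType said IPv4."""
    if len(packet) < 20:
        return ["truncated-ip-header"]
    findings = []
    if packet[0] >> 4 != 4:
        findings.append("bad-ip-version")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return findings + ["bad-ip-header-length"]
    if internet_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        findings.append("bad-ip-checksum")
    if packet[9] != 6:                         # only TCP is inspected further
        return findings
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return findings + ["truncated-tcp-header"]
    data_offset = (tcp[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp):
        return findings + ["bad-tcp-data-offset"]
    if not tcp_options_ok(tcp[20:data_offset]):
        findings.append("bad-tcp-options")
    urgent = struct.unpack("!H", tcp[18:20])[0]
    urg_set = bool(tcp[13] & URG)
    payload_len = len(tcp) - data_offset
    # Assumed rule: pointer set without URG, or URG pointing past the payload.
    if (urgent and not urg_set) or (urg_set and urgent > payload_len):
        findings.append("bad-urgent-pointer")
    return findings


def build_sample(version=4, options=b"", flags=0x10, urgent=0,
                 break_checksum=False, payload=b"GET /"):
    """Constructed test input: an in-memory IPv4+TCP packet, never sent."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    # The TCP checksum is left at zero; classify() does not verify it.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1,
                      ((20 + len(options)) // 4) << 4, flags, 8192, 0, urgent)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, 20 + len(tcp),
                     1, 0, 64, 6, 0, bytes([192, 0, 2, 1]),
                     bytes([198, 51, 100, 2]))
    csum = internet_checksum(ip)
    if break_checksum:
        csum = (csum + 1) & 0xFFFF
    return ip[:10] + struct.pack("!H", csum) + ip[12:] + tcp


# Constructed capture: one clean packet plus one packet per malformation class.
SAMPLES = [
    build_sample(options=bytes([2, 4, 5, 180])),     # valid MSS option
    build_sample(version=6),                         # IPv4 layout, wrong version
    build_sample(options=bytes([8, 10, 0, 0])),      # length overruns header
    build_sample(urgent=0x1234),                     # pointer without URG
    build_sample(break_checksum=True),
]


def tally(packets) -> dict:
    """Count anomaly labels across a capture; clean packets count as 'clean'."""
    counts = Counter()
    for pkt in packets:
        counts.update(classify(pkt) or ["clean"])
    return dict(counts)


if __name__ == "__main__":
    for label, n in sorted(tally(SAMPLES).items()):
        print(f"{label:20s} {n}")
```

Each sample changes a single field, matching the one-part-per-packet fuzzing described in the overview, so every malformed packet yields exactly one label.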


Protocol Fuzzing

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

The Application Traffic with Malicious Traffic and SYN Flood test will be used as a starting point, with the addition of the Security component. The Security component will be used to fuzz the application level frames. This will determine if the IPS is able to handle fuzzed application level frames and handle both malicious traffic and a SYN flood.

Objective:

To send fuzzed traffic at the application level through the IPS and determine how it affects the IPS and other protocols.

Setup:


1. Open your favorite Web browser, and connect to the BreakingPoint Storm CTM. Once the page has loaded, click Start BreakingPoint Systems Control Center.

2. Log in to the BreakingPoint Storm CTM by entering your Login ID and Password. Once done, click Login.


3. Reserve the required ports to run the test.

4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.

5. In the lower left, click Save Test As.


6. A dialog box will appear, asking for a name to save the test as. Type Protocol Fuzzing and click Save.

7. Under the Test Quick Steps, click Add a Test Component.

8. From the Select a component type, select the Security component.


9. The Information tab should already be selected. Type the name Protocol Fuzzer and click Apply Changes.

10. Select the Parameters tab and set the Attack Series to BreakingPoint Protocol Fuzzers. Click Apply Changes once completed.

11. If desired, change the test Description under Test Information.


12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.

13. Under Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.


Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.

14. When the test completes, a window will appear stating the test failed. Click Close.

15. Next, click the View the report button. This will open detailed results in a new browser window.


16. Expand Test Results for Protocol Fuzzer and select Strike Results. Determine the number of strikes blocked. For more details about the strike detection, expand the Detail folder and view the different results.

17. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the IPS was able to block and not allow different strikes to pass through. Again, collapse Test Results for Malicious Traffic once completed.


18. Expand Test Results for Maximum Throughput and select TCP Setup Time. The quicker an IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time. The TCP setup time has been affected and has increased.

19. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker. Again, the TCP response time has increased.


20. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources. The TCP close time has also increased compared to the baseline tests.

21. Select Frame Latency and determine the effect malicious traffic and the SYN flood had on the overall latency.


22. Next, expand the Details folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.

23. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.


24. Finally, select Frame Data Rate and determine how the malicious traffic and SYN Flood affects the data rate.

25. Compare all the results collected from the current test with the baseline tests to determine any differences.

26. If any variations were performed with the Application Traffic with Malicious Traffic and SYN Flood test, make sure to repeat those variations with this test.


Evasion Techniques

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

The Application Traffic with Malicious Traffic test will be used as a starting point in this test. The Security test component will have changes made to parameters in the Override tab. These changes will configure evasion techniques that will attempt to be transmitted through the IPS.

Objective:

To add evasion techniques to disguise the attacks so that they can pass through the IPS undetected.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter in your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > App Traff Malicious Traffic.


5. Before continuing with configuration of the test, click Save Test As.

6. When prompted for a name to save the test as, type IPS Evasion.


7. Select the Malicious Traffic test component and the Overrides tab. Different parameters can be changed in this section, depending on the evasion techniques desired. Change the necessary parameters, and click Apply Changes.

8. If desired, edit the test Description under Test Information.

9. Verify that Test Status has a green checkmark. If it does not, click Test Status and make the required changes.


10. Under Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.


Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.

11. Select the Attacks tab. This will provide real-time information about how the IPS is performing with the malicious traffic. As the image below shows, some attacks have been allowed.


12. When the test completes, a window will appear, saying the test failed. Click Close.

13. Select the View the report button. This will open up more detailed results in the browser.


14. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the DUT was able to handle the different strikes and maintain blocking them while still transmitting regular traffic. Once completed, collapse Test Results for Malicious Traffic.

15. Expand Test Results for Maximum Throughput, and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time.


16. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker.

17. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources.


18. Select Frame Latency, and determine the effect malicious traffic had on the overall latency.

19. Next, expand the Details folder and the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.


20. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.

21. Finally, select Frame Data Rate and determine how the malicious traffic affects the data rate.

22. With all the results collected from the current test, compare them with the baseline tests to determine any differences.

23. If any variations were performed with the Application Traffic with Malicious Traffic test, make sure to repeat those variations with this test.


Negative Testing

RFC:

• RFC 768 – User Datagram Protocol

• RFC 791 – Internet Protocol

• RFC 793 – Transmission Control Protocol

Overview:

The Throughput test will be used as a starting point. One of the default provided Super Flows will be changed in the Application Manager. The actions of the Super Flow will be rearranged and/or have parameters changed. This newly created Super Flow will then be added to a new Application Profile and then be transmitted through the IPS.

Objective:

Send a mix of negative traffic through the IPS and see how it is handled.

Setup:


1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.

2. In the new window that appears, enter in your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.

5. Before continuing with configuration of the test, click Save Test As.

6. When prompted for a name to save the test as, type IPS Negative Testing.

7. Select Managers > Application Manager.

8. Select the Super Flows tab, and then locate BreakingPoint HTTP Text. Click Save As to create a copy of this Super Flow.

9. When prompted for a name to save the Super Flow as, type IPS HTTP Negative Test and click OK.

10. Under the Define Actions section, modify any of the actions by changing the action parameters or rearranging them. Click Save Super Flow once completed. In this example, the actions were rearranged.

11. Select the App Profiles tab, and click the Create new application profile button.

12. When prompted for a new name, type IPS Negative Test.

13. Locate the newly created Super Flow, and click the Add the Super Flow to the profile button. Click Save App Profile once completed.

14. Click the Return to previous screen button.

15. Select the Parameters tab, and locate the Application Profile parameter. Use the drop-down menu to select the newly created application profile.

16. Under Test Quick Steps, click Save and Run.

The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.

Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.

17. When the test completes, a window will appear. Click Close.

18. Next, click the View the report button. This will open detailed results in a new browser window.

19. Expand the Test Results for Maximum Throughput folder and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.

20. Next, select TCP Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.

21. Select TCP Close Time. The shorter the TCP close time, the better, as the DUT is able to close out the current connection quickly and free resources to open a new connection.

22. Select Frame Latency. The smaller the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.

23. Select Transmitted Frame Size. This provides a breakdown of frame sizes that were transmitted.

24. Next, expand the Details folder. Also, expand the App Throughput: by protocol folder. Select the second item, App Throughput: protocol httpadv, and determine how the different protocol was handled.

25. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine how all of the httpadv traffic was handled by the DUT.

26. Select Frame Data Rate, and determine the maximum throughput the DUT was able to handle.

If any variations were performed with the Baseline Application Performance: Throughput test, make sure to repeat those variations with this test.
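
The report values read in steps 19 through 26 only mean something next to the baseline run, so the comparison can be scripted once the numbers are copied out of both reports. The following is an added example, not part of the BreakingPoint methodology or product; the units, the sample values, the 10% tolerance and the treatment of App Failures are assumptions.

```python
# Added example: compare a negative-test run against the baseline run.
# Metric names follow the report sections named in the steps above. Units,
# sample values and the 10% tolerance are assumptions made for illustration.

# True = lower is better (the methodology says shorter times and smaller
# latency are better); Frame Data Rate is throughput, so higher is better.
# Treating fewer App Failures as better is an assumption of this example.
LOWER_IS_BETTER = {
    "TCP Setup Time (ms)": True,
    "TCP Response Time (ms)": True,
    "TCP Close Time (ms)": True,
    "Frame Latency (us)": True,
    "App Failures": True,
    "Frame Data Rate (Mbps)": False,
}

def compare_runs(baseline, current, tolerance=0.10):
    """Return {metric: (verdict, relative_change)} for each known metric."""
    results = {}
    for metric, lower_better in LOWER_IS_BETTER.items():
        if metric not in baseline or metric not in current:
            results[metric] = ("missing", None)
            continue
        base, cur = baseline[metric], current[metric]
        if base == 0:
            # No relative change exists for a zero baseline (e.g. no failures),
            # so any movement in the "worse" direction counts as degraded.
            worse = cur > 0 if lower_better else cur < 0
            results[metric] = ("degraded" if worse else "unchanged", None)
            continue
        change = (cur - base) / base
        worse = change > tolerance if lower_better else change < -tolerance
        better = change < -tolerance if lower_better else change > tolerance
        verdict = "degraded" if worse else "improved" if better else "unchanged"
        results[metric] = (verdict, round(change, 3))
    return results

# Constructed sample values, not measurements from any device.
BASELINE = {"TCP Setup Time (ms)": 0.40, "TCP Response Time (ms)": 1.20,
            "TCP Close Time (ms)": 0.50, "Frame Latency (us)": 80.0,
            "App Failures": 0, "Frame Data Rate (Mbps)": 9400.0}
NEGATIVE = {"TCP Setup Time (ms)": 0.42, "TCP Response Time (ms)": 2.10,
            "TCP Close Time (ms)": 0.50, "Frame Latency (us)": 96.0,
            "App Failures": 37, "Frame Data Rate (Mbps)": 7100.0}

if __name__ == "__main__":
    for name, (verdict, change) in compare_runs(BASELINE, NEGATIVE).items():
        print(f"{name:26} {verdict:10} {change}")
```

A metric absent from either report is returned as "missing" rather than silently skipped, so a report section that was not captured cannot pass as unchanged.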

About BreakingPoint

BreakingPoint pioneered the first and only Cyber Tomography Machine (CTM) to expose previously impossible-to-detect stress fractures within cyber infrastructure components before they are exploited to compromise customer data, corporate assets, brand reputation and even national security. BreakingPoint products are the standard by which the world’s governments, enterprises, and service providers optimize the resiliency of their cyber infrastructures. For more information, visit www.breakingpoint.com.

BreakingPoint Storm CTM

BreakingPoint has pioneered Cyber Tomography with the introduction of the BreakingPoint Storm CTM, enabling users to see for the first time the virtual stress fractures lurking within their cyber infrastructure through the simulation of crippling attacks, high-stress traffic load and millions of users. BreakingPoint Storm CTM is a three-slot chassis that provides the equivalent performance and simulation of racks and racks of servers, including:

• 40 Gigabits per second of blended stateful application traffic

• 30 million concurrent TCP sessions

• 1.5 million TCP sessions per second

• 600,000+ complete TCP sessions per second

• 80,000+ SSL sessions per second

• 100+ stateful applications

• 4,500+ live security strikes

BreakingPoint Resources

Hardening cyber infrastructure is not easy work, but nothing that is this important has ever been easy. Enterprises, service providers, government agencies and equipment vendors are under pressure to establish a cyber infrastructure that can not only repel attack but is resilient to application sprawl and maximum load. BreakingPoint’s Cyber Tomography Machine (CTM) provides the technology and solutions that allow these organizations to create a hardened and resilient cyber infrastructure. BreakingPoint also provides the very latest industry resources to make this process that much easier, including Resiliency Methodologies, How-to Guides, white papers, webcasts, and a newsletter. To learn more, visit www.breakingpoint.com/resources.

BreakingPoint Labs Community

Join discussions on the latest developments in hardening cyber infrastructure. BreakingPoint Labs brings together a diverse community of people leveraging the most current insight to harden cyber infrastructure to withstand crippling attack and high-stress application load. Visit www.breakingpointlabs.com.

Contact BreakingPoint

Learn more about BreakingPoint products and services by contacting a representative in your area.

1.866.352.6691 U.S. Toll Free

www.breakingpoint.com

BreakingPoint Global Headquarters

3900 North Capital of Texas Highway

Austin, TX 78746

tel: 512.821.6000

toll-free: 866.352.6691

BreakingPoint EMEA Sales Office

Paris, France

tel: + 33 6 08 40 43 93

BreakingPoint APAC Sales Office

Suite 2901, Building #5, Wanda Plaza

No. 93 Jianguo Road

Chaoyang District, Beijing, 100022, China

tel: + 86 10 5960 3162