IPS Test Methodology

IPS test methodology provides step-by-step directions on how to properly test IPS devices with real-world network traffic.

Published in: Technology
Transcript of "IPS Test Methodology"

  1. Rethink Intrusion Prevention System Testing

     A Methodology to measure the performance, security, and stability of intrusion prevention systems (IPS) under real-world conditions

     www.breakingpoint.com
     © 2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. All other trademarks are the property of their respective owners.
  2. Table of Contents

     • Introduction
     • Baseline Application Performance: Maximum Connections
     • Baseline Application Performance: Throughput
     • Baseline Attack Mitigation: SYN Flood
     • Baseline Attack Mitigation: Malicious Traffic
     • Application Traffic with SYN Flood
     • Application Traffic with Malicious Traffic
     • Application Traffic with Malicious Traffic and SYN Flood
     • Jumbo Frames
     • IP, UDP and TCP Fuzzing
     • Protocol Fuzzing
     • Evasion Techniques
     • Negative Testing
     • About BreakingPoint
  3. Introduction

     With more and more corporate data being placed on corporate networks, it is vitally important to protect that data from malicious activities. An Intrusion Prevention System (IPS) is designed to detect malicious activities and drop or sanitize the packets while allowing legitimate traffic to access the corporate network. Thoroughly testing IPS devices is essential to ensuring that they work properly. If the IPS device is not working properly, malicious traffic containing viruses, worms and backdoors can easily gain access to the corporate network and cause a great deal of problems, potentially bringing down the network.

     Performing a series of measurements using the BreakingPoint Storm CTM on the IPS will help determine the actual performance, security and stability of the IPS under real-world conditions. For instance, the IPS device might be able to detect and mitigate malicious activity when network traffic is light. However, when network traffic becomes heavy, the IPS device might detect significantly less malicious activity. Using the BreakingPoint Storm CTM you can expose previously impossible-to-detect vulnerabilities in your IPS before they are exploited to compromise your customer data, corporate assets, brand reputation and even national security.

     The test environment should emulate the actual deployment environment as closely as possible. Directly connected devices such as routers, switches and firewalls will have an effect on packet loss, latency and data integrity. The number of advertised host IP and MAC addresses, VLAN tagging, and NAT will also affect the performance of an IPS. If it is not feasible to fully recreate the deployment environment, the BreakingPoint Storm CTM should be connected directly to the IPS. All IPS devices and builds being evaluated must use the same test environment to ensure consistent results.

     Baseline Application Performance: Maximum Connections
     Determine the number of connections per second that the IPS is able to handle. This will validate the performance of the IPS when sending only good traffic with an “Allow All” policy. The TCP setup time will be analyzed to determine how a greater number of TCP connections per second affects the time it takes to establish the TCP connection.

     Baseline Application Performance: Throughput
     Determine the throughput that the IPS is able to handle. This will validate the throughput performance the IPS is able to handle when sending only good traffic with an “Allow All” policy. The overall throughput that the IPS is able to support will be determined.

     Baseline Attack Mitigation Traffic: SYN Flood
     Determine a baseline measurement for how the IPS performs when handling a SYN flood. Once a baseline has been established, it will be compared with the results from the tests that blend both application and malicious traffic. The number of attempted sessions for the SYN flood will be determined as well as the number of attempted sessions for the SYN flood that were blocked by the IPS.

     Baseline Attack Mitigation Traffic: Malicious Traffic
     Determine the ability of the IPS to remain stable while vulnerabilities, worms and backdoors are transmitted through it. To perform this test, the BreakingPoint Storm CTM will be configured to use an Attack Series that includes high-risk vulnerabilities, worms and backdoors. IPS devices have functionality that may block some of the attacks. The number of attacks blocked by the IPS will be determined as well as the number of attacks that were able to pass through the IPS.

     Application Traffic with SYN Flood
     Determine a baseline measurement for how the IPS performs when handling a malicious SYN flood. Once a baseline has been established, it will be compared with the results from the tests that blend both application and malicious traffic. The number of attempted sessions for the SYN flood will be determined as well as the number of attempted sessions for the SYN flood that were blocked by the IPS.
  4. Application Traffic with Malicious Traffic
     Determine the ability of the IPS to remain stable while vulnerabilities, worms and backdoors are transmitted through it. To perform this test, the BreakingPoint Storm CTM will be configured to use an Attack Series that includes high-risk vulnerabilities, worms and backdoors.

     Application Traffic with Malicious Traffic and SYN Flood
     This test determines the ability of the IPS to handle application traffic, a SYN flood and malicious traffic. The results will be compared to both the Throughput Test and the SYN Flood Test. Again, the IPS’s ability to detect and mitigate a SYN flood will be determined. Also, the effect of the malicious traffic on the application traffic’s throughput, latency, time-to-open, and time-to-close will be analyzed. Finally, the IPS’s ability to detect and mitigate the same number of attacks as in the previous Security tests will be tested.

     Jumbo Frames
     This test uses the Throughput test, except the Maximum Segment Size (MSS) parameter will be increased. The maximum transmission unit (MTU) size of the port will be verified and increased if needed. This test will determine if the IPS was able to perform better, worse or the same when handling jumbo frames. These results will be compared to those from the Throughput Test.

     IP, UDP and TCP Fuzzing
     The BreakingPoint Storm CTM will be configured to use the Stack Scrambler component. This test component has the ability to send malformed IP, UDP, TCP and Ethernet packets to the IPS. The fuzzing technique will modify parts of the packet, such as checksums and protocol options, to generate the corrupted data. The IPS’s ability to handle malformed packets will be determined. Take notice if the IPS crashes during the test, as this is the most important sign that the IPS is not able to appropriately handle the malformed packets. Also, analyze the effects the malformed packets had on the application traffic and determine if the IPS’s attack detection and mitigation capabilities were affected.

     Protocol Fuzzing
     This test will utilize the Security test component. This time the Security test component will fuzz application layer frames. The IPS’s ability to handle malformed application layer frames will be determined.

     Evasion Techniques
     The Application Traffic with Malicious Traffic test will be used as a starting point for this test. The Security test component will have changes made to its configuration. These changes will configure different evasion techniques that might create false negatives.

     Negative Testing
     The Maximum Connections test will be used as a starting point. Changes will then be made to a Super Flow. This Super Flow will then be sent through the IPS. It will be determined how well the IPS unit was able to handle the negative testing.
  5. Baseline Application Performance: Maximum Connections

     RFC:
     • RFC 793 – Transmission Control Protocol

     Overview: The specifications from the IPS data sheet will be used to determine if the IPS meets or exceeds the stated capacity. To determine the capabilities, a Session Sender test component will be used to push the IPS beyond its stated supported limits.

     Objective: To evaluate the IPS’s ability to create and maintain sessions.

     Setup:
  6. Steps 1–2
     1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
     2. In the new window that appears, type your Login ID and Password. Click Login.
  7. Steps 3–4
     3. Reserve the required ports to run the test.
     4. Select Control Center → Network Neighborhood.
  8. Steps 5–6
     5. Under the Network Neighborhoods heading, click the Create a new network neighborhood button.
     6. In the Give the new network neighborhood a name box, enter IPS Tests as the name and click OK.
  9. Steps 7–8
     7. Notice four Interface tabs are available for configuration. Only two are required for the tests. The first interface tab should be selected; click the X to delete this interface. When prompted about removing the interface, click Yes. The remaining interfaces will be renamed. Repeat this process until only two interfaces are left.
     8. With Interface 1 selected, configure the Network IP Address, Netmask, Gateway IP Address, Router IP Address, the Minimum IP Address, and the Maximum IP Address. Click Apply Changes.
  10. Steps 9–10
     9. Select the Interface 2 tab. Configure the Network IP Address, Netmask and the Gateway IP Address. Using the Type drop-down menu, select Host. Finally, the Minimum IP Address and the Maximum IP Address can be configured. Click Apply Changes, then click Save Network.
     10. Now that the Network Neighborhood has been created, the test can be configured. Select Test → New Test.
  11. Steps 11–12
     11. Under the Test Quick Steps, click Select the DUT/Network.
     12. In the Choose a device under test and network neighborhood window, under the Device Under Test(s) section, verify BreakingPoint Default is selected. Under Network Neighborhood(s), verify that the newly created one is selected. Click Accept.
  12. Steps 13–15
     13. When prompted about switching Network Neighborhoods because the current setup contains more interfaces, click Yes.
     14. Under Test Quick Steps, click Add a Test Component.
     15. In the Select a component type window, click Session Sender (L4).
  13. Steps 16–18
     16. Under the Information tab, enter a name of Maximum Connections and click Apply Changes.
     17. Select the Interfaces tab. Verify that only Interface 1 Client and Interface 2 Server are enabled.
     18. Select the Parameters tab. Several parameters will be changed in this section. First, change the TCP Session Duration (segments) to a value of 4. Click Apply Changes.
  14. Steps 19–21
     19. Under the Data Rate section, change Minimum data rate to 90% of the total bandwidth possible, and click Apply Changes.
     20. Next, under the Session Ramp Distribution tab, several parameters will be changed. First, using the Ramp Up Behavior drop-down menu, select Full Open + Data + Close. Next, change Ramp Up Seconds to 30 and change Steady-State Seconds to 120. Finally, change Ramp Down Duration to 30 and click Apply Changes. Scrolling may be required in order to change some of the parameters.
     21. The last parameters that need to be changed are in the Session Configuration section. The Maximum Simultaneous Sessions should be changed to 33% of the IPS’s stated maximum. The Maximum Sessions Per Second should be changed to 200% of the IPS’s ability. Click Apply Changes.
  15. Steps 22–25
     22. If desired, enter a description for the test under the Test Information section.
     23. Verify that the Test Status has a green checkmark. If it does not have a green checkmark, click Test Status and make the required changes.
     24. Before running the test, the test component needs to be saved as a preset. This will allow for quicker and easier configuration later. Right-click on the test component and select Save Component As Preset.
     25. When prompted for a name to save the preset as, enter IPS Maximum Connections and click Save.
  16. Steps 26–27
     26. Under Test Quick Steps, click Save and Run.
     27. When prompted for a name to save the test as, enter IPS Maximum Connections and click Save.

     The Summary tab will be displayed initially. This screen shows a great deal of information, from the TCP Connection Rate to the Cumulative TCP Connections to the Bandwidth being used.
28. Select the TCP tab. This displays the TCP Connections per Second and shows the current Attempted and Successful TCP Connection Rate. Using this view, determine the maximum number of new sessions per second opened during the ramp-up phase, the maximum maintained during the steady-state phase and the maximum opened during the steady-state phase.
29. Once the test completes, a window will appear, stating the test passed. Click Close to continue.
30. Next, select the View the report button.
31. Expand the Test Results for Maximum Connections folder, and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.
32. Next, select TCP Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.
33. Select TCP Close Time. The shorter the TCP Close Time, the better, as the DUT is able to close out the current connection quickly and free resources to be able to open a new connection.
34. Select Frame Latency. The shorter the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.
Other tests can also be performed. The following are some examples that can be run:
• Vary the TCP Segment size.
• Change the Distribution type to random.
• Change the TCP Session Duration (segments).
• Increase the test time for a longer test.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
Baseline Application Performance: Throughput

RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol

Overview: A similar test setup as the previous one will be used. An Application Simulator test component will be used to generate, at maximum, 33% of the effective session capacity of the IPS as determined in the previous test, while trying to maximize throughput.

Objective: To evaluate the IPS’s ability to forward a wide variety of application traffic and the overall rate that it is able to do so.

Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Test > New Test.
5. Under Test Quick Steps, click Select the DUT/Network.
6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.
7. When prompted that the current test setup contains more interfaces, click Yes.
8. Under Test Quick Steps, click Add a Test Component.
9. In the Select a component type window, click Application Simulator (L7).
10. Under the Information tab, enter a name of Maximum Throughput and click Apply Changes.
11. Select the Interfaces tab. Verify that Interface 1 Client is enabled and Interface 2 Server is enabled.
12. Select the Presets tab and select Enterprise Apps. Once completed, click Apply Changes.
13. Select the Parameters tab. Several parameters will need to be changed. The first parameter that needs to be changed is in the Data Rate section. Change the Minimum data rate to 90% of the total available bandwidth, and click Apply Changes.
14. Next, under the Session Ramp Distribution section, several parameters will be changed. First, using the Ramp Up Behavior drop-down menu, select Full Open + Data + Close. Next, change Ramp Up Seconds to 30 and change Steady-State Seconds to 120. Finally, change Ramp Down Duration to 30 and click Apply Changes. Scrolling may be required to change some of the parameters.
15. The next parameters that need to be changed are in the Session Configuration section. Change Maximum Simultaneous Sessions to 33% of the session capacity of the DUT. Also, change the Maximum Sessions Per Second to 25% of the ability of the DUT.
16. If desired, enter a description for the test under the Test Information section.
17. Verify that the Test Status has a green checkmark. If it does not have a green checkmark, click Test Status and make the required changes.
18. Before running the test, the test component needs to be saved as a preset. This will allow for quicker and easier configuration later. Right-click on the test component, and select Save Component As Preset.
19. Enter IPS Maximum Throughput as the name, and click Save.
20. Under Test Quick Steps, click Save and Run.
21. When prompted to save the test, enter a name of IPS Maximum Throughput and click Save.
22. The Summary tab will initially be displayed. A great amount of information is seen on this screen: TCP Connection Rate, Cumulative TCP Connections and Interface Bandwidth.
23. Select the TCP tab. This displays the TCP Connections per Second and shows the Attempted TCP Connection Rate and Successful TCP Connection Rate.
24. Select the Application tab. Detailed results about each protocol may be viewed. Use the drop-down menus to select different applications.
25. Once the test completes, a window will appear, stating the test passed. Click Close.
26. Next, select the View the report button.
27. Expand the Test Results for Maximum Throughput folder, and select Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly react and handle the incoming connection requests.
28. Next, select Response Time. The shorter the response time, the better, as the DUT is able to quickly respond to requests and continue normal operation.
29. Select TCP Close Time. The shorter the TCP close time, the better, as the DUT is able to close out the current connection quickly and free resources to be able to open a new connection.
30. Select Frame Latency. The shorter the frame latency, the better, as this means the frames are arriving quickly without much delay in the network.
31. Select Transmitted Frame Size. This provides a breakdown of frame sizes that were transmitted.
32. Next, expand the Detail folder and also expand the App Concurrent Flows: by protocol folder. Select the first item, App Concurrent Flows: protocol aol, and determine how the different protocols were handled. View the entire list.
33. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine how all the protocols were handled by the DUT.
34. Select Frame Data Rate and determine the maximum throughput the DUT was able to handle.
Other variations of this test can be run. The following are a few examples:
• Increase both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10%, until 80% has been reached.
• Use different presets, such as the Service Provider App or a custom application profile.
• Increase the duration of the test time.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
Baseline Attack Mitigation: SYN Flood

RFC:
• RFC 793 – Transmission Control Protocol
• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview: In a SYN flood, a client starts a TCP connection but never sends an ACK, and keeps trying to initiate new TCP connections. This is harmful to an IPS, as it has to commit resources to each TCP connection request. The IPS likely has the ability to detect and prevent the SYN flood. A Session Sender test component will be used to create a SYN flood to attack the IPS.

Objective: To evaluate the IPS’s ability to detect and mitigate a SYN flood.

Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Test > New Test.
5. Under Test Quick Steps, click Select the DUT/Network.
6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.
7. When prompted that the current test setup contains more interfaces, click Yes.
8. Under Test Quick Steps, click Add a Test Component.
9. In the Select a component type window, click Session Sender (L4).
10. The Information tab should already be selected. Change the name of the test component to SYN Flood and click Apply Changes.
11. Select the Parameters tab. Several parameters will be changed in this section. First, change TCP Sessions Duration (segments) to 0. Click Apply Changes once completed.
12. In the Data Rate section, change the Minimum data rate to 10% of overall bandwidth, and click Apply Changes.
13. Next, in the Session Ramp Distribution section, use the Ramp Up Behavior drop-down menu and select SYN Only. Change Ramp Up Seconds to 120, Steady-State Seconds to 0 and Ramp Down Seconds to 0. Scrolling down will be required to update some of the parameters. Click Apply Changes once complete.
14. Finally, in the Session Configuration section, verify Maximum Simultaneous Sessions is set to 1,000,000. Change Maximum Sessions Per Second to 45,000. Click Apply Changes once completed.
15. If desired, change the test Description under the Test Information section.
16. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.
17. Before running the test, the test component needs to be saved as a preset for use in later tests (saving as a preset allows for quicker and easier configuration). Right-click on the test component, and select Save Component As Preset.
18. When prompted for a name to save the preset as, type IPS SYN Flood and click Save.
19. Finally, under Test Quick Steps, click Save and Run.
20. When prompted to save the test, type IPS SYN Flood as a name.
21. Under the Summary tab, it is possible to determine how the IPS is handling the SYN Flood attack. Under TCP Connection Rate under Client, there should be a value only for Attempted. For Cumulative TCP Connections, a value should be present only for Client Attempted. The Bandwidth for Rx should be very low, if not 0.
22. Select the TCP tab. No Successful connections should be present; this is another way of verifying that the IPS is successfully handling the SYN Flood attack.
23. When the test finishes, a new window will appear, stating the test failed. This is expected, as no connections were successfully made. Click Close.
24. Click the View the Report button.
25. Expand the Test Results for SYN Flood folder and select TCP Summary. Verify that Client attempted has a value and that both Client established and Server established are 0. This means that the IPS was able to successfully handle the SYN Flood.
Other test variations can also be run. The following are a couple of variations:
• Increase the test length for a longer SYN attack.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
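
Why half-open connections cost the IPS resources can be shown with a small model of a connection table under this test's load profile (SYN Only ramp over 120 seconds to 45,000 sessions per second). This is an added example, not from the original document; the linear ramp, the 1,000,000-entry table and the 30-second and 5-second half-open timeouts are assumptions, the shorter timeout standing in for the reduced SYN-RECEIVED timer that RFC 4987 lists among its mitigations.

```python
"""Model of half-open (SYN-received) state on a device during a SYN-only ramp.

Assumptions (not from the original document): the offered load ramps linearly
to the peak rate, every admitted SYN holds one table entry until a fixed
timeout because the final ACK never arrives, and the table capacity and
timeouts are hypothetical device values.
"""
from collections import deque


def simulate_half_open(peak_syn_per_s, ramp_seconds, entry_timeout_s, table_capacity):
    """Return (first_second_table_full or None, peak_occupancy, syns_dropped)."""
    admitted = deque()      # (second_admitted, count) for entries still held
    occupancy = 0
    peak_occupancy = 0
    dropped = 0
    first_full = None
    for second in range(1, ramp_seconds + 1):
        # Entries whose handshake never completed are freed after the timeout.
        while admitted and admitted[0][0] <= second - entry_timeout_s:
            occupancy -= admitted.popleft()[1]
        arriving = peak_syn_per_s * second // ramp_seconds   # linear ramp
        room = table_capacity - occupancy
        accepted = min(arriving, room)
        if accepted < arriving:
            # Table is full: these SYNs (attack or legitimate) get no state.
            dropped += arriving - accepted
            if first_full is None:
                first_full = second
        if accepted:
            admitted.append((second, accepted))
            occupancy += accepted
        peak_occupancy = max(peak_occupancy, occupancy)
    return first_full, peak_occupancy, dropped


def compare_timeouts(peak=45_000, ramp=120, capacity=1_000_000):
    """Run the document's load profile against two hypothetical timeouts."""
    return {
        "timeout_30s": simulate_half_open(peak, ramp, 30, capacity),
        "timeout_5s": simulate_half_open(peak, ramp, 5, capacity),
    }


if __name__ == "__main__":
    for name, (full_at, peak_occ, lost) in compare_timeouts().items():
        state = f"full at second {full_at}" if full_at else "never full"
        print(f"{name}: {state}, peak occupancy {peak_occ}, SYNs without state {lost}")
```

With the 30-second timeout the table fills before the ramp ends, so any legitimate SYN arriving after that point competes for the same exhausted state; with the 5-second timeout it never fills.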
Baseline Attack Mitigation: Malicious Traffic

RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol

Overview: It is important to evaluate how malicious traffic will affect the performance of an IPS. A Security test component will be used in this test. Five default attack series are available to use, but during this test only Security Level 1 will be used. Security Level 1 includes high-risk vulnerabilities in services often exposed to the Internet.

Objective: To evaluate the IPS’s ability to detect and mitigate vulnerabilities, worms and backdoors.

Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Select Test > New Test.
5. Under Test Quick Steps, click Select the DUT/Network.
6. In the Choose a device under test and network neighborhood window, make sure BreakingPoint Default is selected under Device Under Test(s) and IPS Tests is selected under Network Neighborhood(s). Once completed, click Accept.
7. When prompted that the current test setup contains more interfaces, click Yes.
8. Under Test Quick Steps, click Add a Test Component.
9. In the Select a component type window, select the Security test component.
10. Under the Information tab, enter the name Malicious Traffic and click Apply Changes.
11. Select the Interfaces tab and verify Interface 1 Client is enabled and Interface 2 Server is enabled.
12. Select the Presets tab, and select Security Level 1. Click Apply Changes.
13. Select the Parameters tab. The defaults are all okay. If repeatable strikes are required, change the RandomSeed to a value higher than 0.
14. If desired, change the test Description under the Test Information section.
15. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.
16. Before running the test, the test component needs to be saved as a preset for use in later tests (saving as a preset allows for quicker and easier configuration). Right-click on the test component, and select Save Component As Preset.
17. When prompted for a name to save the preset as, type IPS Malicious Traffic and click Save.
18. Finally, under Test Quick Steps, click Save and Run.
19. When prompted to save the test, type IPS Malicious Traffic as a name.
20. Select the Attacks tab. This provides a view that shows the number of blocked attacks and the number of attacks that have been allowed to pass through the DUT.
21. When the test completes, a window will appear, stating that malicious traffic was able to pass through the DUT. Click Close.
22. When the test completes, click the View the report button.
23. Expand the Test Results for Malicious Traffic folder and select Strike Results. Determine the number of strikes that were allowed to pass through the DUT and the number that were blocked.
Other variations of this test can be performed. Below is a list of some of the other tests:
• Increase the test length for a longer malicious traffic attack.
• Change the Security Level.
• Use different presets, such as the Service Provider App or a custom application profile.
• Use a different random seed.
• If Hot Standby is going to be used, perform a test that shows how traffic is affected.
Application Traffic with SYN Flood

RFC:
• RFC 768 – User Datagram Protocol
• RFC 791 – Internet Protocol
• RFC 793 – Transmission Control Protocol
• RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations

Overview: Since tests for application performance and a SYN Flood have already been configured and saved as presets, they will be used in this test. Two test components will be used during this test, an Application Simulator and a Session Sender component.

Objective: To combine application traffic with SYN flood traffic and compare the results against the results from the Throughput Test and the SYN Flood Test.

Setup:
1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
2. In the new window that appears, enter your Login ID and Password. Click Login.
3. Reserve the required ports to run the test.
4. Use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
5. Before continuing with configuration of the test, click Save As.
6. When prompted for a name to save the test as, type App Traff with SYN Flood and click Save.
7. Under the Test Quick Steps, click Add a Test Component.
8. In the Select a component type window, select the Session Sender (L4).
9. The Information tab should be selected. Type the name SYN Flood and click Apply Changes.
10. Select the Presets tab, and select the IPS SYN Flood preset. Click Apply Changes once complete.
11. If desired, change the test Description under the Test Information section.
12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the needed changes.
13. Under Test Quick Steps, click Save and Run.
The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.
14. Once the test completes, a new window will appear, stating that the test failed. This is expected, as the IPS should be blocking a majority of the protocols being transmitted. Click Close to continue.
15. Select the View the report button. This will open more detailed results in a Web browser.
16. To determine the ability of the IPS to handle a SYN flood while also processing legitimate traffic, expand Test Results for SYN Flood and select TCP Summary. Verify that no client was able to establish a connection and that no servers established connections either. Once done viewing these results, minimize Test Results for SYN Flood for easier navigation.
17. Expand Test Results for Maximum Throughput and select TCP Setup Time. Again, the quicker the setup times, the better, as the IPS is able to react and respond to the incoming request. Determine the effect the SYN flood had on the TCP setup time of the application traffic.
18. Select TCP Response Time. Just as with TCP Setup Time, the quicker the response times, the better. Determine the effect the SYN flood had on the TCP response time of the application traffic.
19. Next, select TCP Close Time. The quicker the IPS is able to close the TCP connection, the quicker it frees up those resources and can use them to start a new connection. Determine the effect the SYN flood had on the TCP close time of the application traffic.
20. Select Frame Latency, and determine how the SYN flood affects the latency of the application traffic.
21. Expand the Detail folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
22. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
23. Compare all the results collected from the current test with the baseline tests to determine any differences.
24. If any test variations were run with either the Baseline Application Performance: Throughput or the Baseline Attack Mitigation: SYN Flood tests, make sure to run those variations on this test too.
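
Steps 16 to 23 above come down to two checks: the SYN flood's TCP Summary shows attempts but no established connections, and the application metrics have not drifted from the baseline run. The following Python sketch is an added example, not part of the original document or of any BreakingPoint tooling; the metric names, the sample figures and the 10% tolerance are assumptions, with real values to be transcribed by hand from the two reports.

```python
"""Compare a blended-traffic run against its baseline run."""
from dataclasses import dataclass, field

# Report sections named in the steps; lower is better for all four.
TIMING_METRICS = ("tcp_setup_us", "tcp_response_us", "tcp_close_us", "frame_latency_us")


@dataclass
class RunResult:
    timings: dict                                     # metric -> average, microseconds
    app_throughput_mbps: dict                         # protocol -> Mbps
    app_failures: dict = field(default_factory=dict)  # protocol -> failure count


def syn_flood_mitigated(tcp_summary):
    """Pass criteria from TCP Summary: SYNs were attempted, none completed."""
    return (
        tcp_summary["client_attempted"] > 0
        and tcp_summary["client_established"] == 0
        and tcp_summary["server_established"] == 0
    )


def pct_change(baseline, current):
    """Percentage change from baseline; a zero baseline cannot be scaled."""
    if baseline == 0:
        return 0.0 if current == 0 else float("inf")
    return (current - baseline) / baseline * 100.0


def compare_runs(baseline, blended, tolerance_pct=10.0):
    """List (metric, change, verdict) for everything outside the tolerance."""
    findings = []
    for metric in TIMING_METRICS:
        change = pct_change(baseline.timings[metric], blended.timings[metric])
        if change > tolerance_pct:
            findings.append((metric, round(change, 1), "slower"))
    for proto, base_mbps in baseline.app_throughput_mbps.items():
        current = blended.app_throughput_mbps.get(proto, 0)
        if base_mbps > 0 and current == 0:
            # Legitimate protocol no longer passes at all under attack load.
            findings.append((f"throughput:{proto}", -100.0, "blocked"))
        elif pct_change(base_mbps, current) < -tolerance_pct:
            change = round(pct_change(base_mbps, current), 1)
            findings.append((f"throughput:{proto}", change, "reduced"))
    for proto, fails in blended.app_failures.items():
        extra = fails - baseline.app_failures.get(proto, 0)
        if extra > 0:
            findings.append((f"failures:{proto}", extra, "new failures"))
    return findings


# Constructed sample values; "http" and "smtp" are illustrative protocol names.
SYN_SUMMARY = {"client_attempted": 2_700_000, "client_established": 0,
               "server_established": 0}
BASELINE = RunResult(
    timings={"tcp_setup_us": 400, "tcp_response_us": 1200,
             "tcp_close_us": 500, "frame_latency_us": 80},
    app_throughput_mbps={"http": 400, "smtp": 120, "aol": 20},
)
BLENDED = RunResult(
    timings={"tcp_setup_us": 420, "tcp_response_us": 1800,
             "tcp_close_us": 500, "frame_latency_us": 100},
    app_throughput_mbps={"http": 390, "smtp": 90, "aol": 0},
    app_failures={"smtp": 12},
)

if __name__ == "__main__":
    print("SYN flood mitigated:", syn_flood_mitigated(SYN_SUMMARY))
    for metric, change, verdict in compare_runs(BASELINE, BLENDED):
        print(f"{metric}: {change} ({verdict})")
```

A run where the flood is fully blocked can still show findings here: mitigation that holds while application setup or response times climb is the difference the blended test exists to expose.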
  65. Application Traffic with Malicious Traffic
      RFC:
      • RFC 768 – User Datagram Protocol
      • RFC 791 – Internet Protocol
      • RFC 793 – Transmission Control Protocol
      Overview: Since tests for application performance and malicious traffic have already been configured and saved as presets, they will be used in this test. Two test components will be used during this test, an Application Simulator and a Security component.
      Objective: To combine application traffic with malicious traffic and compare the results with the results from the security test.
      Setup:
  66. 1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
      2. In the new window that appears, enter your Login ID and Password. Click Login.
  67. 3. Reserve the required ports to run the test.
      4. Use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
      5. Before continuing with configuration of the test, click Save Test As.
  68. 6. When prompted for a name to save the test as, type App Traff Malicious Traffic and click Save.
      7. Under the Test Quick Steps, click Add a Test Component.
      8. In the Select a component type window, select the Security test component.
  69. 9. The Information tab should be selected. Type Malicious Traffic for the name, and click Apply Changes.
      10. Select the Presets tab. Select IPS Malicious Traffic, and click Apply Changes.
      11. If desired, enter a test Description under the Test Information section.
  70. 12. Verify that Test Status has a green checkmark next to it. If it does not have a green checkmark, click Test Status and make the required changes.
      13. Under Test Quick Steps, click Save and Run.
      The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and the overall bandwidth currently being utilized.
  71. Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.
      14. Select the Attacks tab. This will provide real-time information about how the IPS is performing with the malicious traffic. As can be seen in the image below, some attacks have been allowed.
  72. 15. When the test completes, a window will appear saying the test failed. Click Close.
      16. Select the View the report button. This will open up more detailed results in the browser.
      17. Expand the Test results for Malicious Traffic folder and select Strike Results. Determine how well the DUT was able to handle the different strikes and keep blocking them while still transmitting regular traffic. Once completed, collapse Test results for Malicious Traffic.
  73. 18. Expand the Test Results for Generic Traffic folder, and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time.
      19. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker.
      20. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to quickly free those resources.
  74. 21. Select Frame Latency, and determine the effect malicious traffic had on the overall latency.
      22. Next, expand the Details folder and also expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
      23. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
  75. 24. Finally, select Frame Data Rate, and determine how the malicious traffic affects the data rate.
      25. Compare all the results collected from the current test with the baseline tests to determine any differences.
      26. If any test variations were run with either the Baseline Application Performance Test: Throughput or the Baseline Attack Mitigation: SYN Flood, make sure to run those variations on this test too.
  76. Application Traffic with Malicious Traffic and SYN Flood
      RFC:
      • RFC 768 – User Datagram Protocol
      • RFC 791 – Internet Protocol
      • RFC 793 – Transmission Control Protocol
      • RFC 4987 – TCP SYN Flooding Attacks and Common Mitigations
      Overview: Since tests for application performance, malicious traffic and a SYN Flood have already been configured and saved as presets, they will be used in this test. Three test components will be used during this test, an Application Simulator, a Security component and a Session Sender component. This test will determine the ability of the IPS to handle malicious traffic while also having to deal with a SYN Flood and allowing good traffic to pass through.
      Objective: To send a blend of application traffic with a SYN Flood and malicious traffic to the IPS and to compare the results of this test against the results of the baseline tests.
      Setup:
  77. 1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
      2. In the new window that appears, enter your Login ID and Password. Click Login.
  78. 3. Reserve the required ports to run the test.
      4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > App Traff with Malicious Traffic.
      5. Before continuing with configuration of the test, click Save Test As.
  79. 6. When prompted for a name to save the test as, type App Traff with Malicious Traffic and SYN Flood and click Save.
      7. Under the Test Quick Steps, click Add a Test Component.
      8. In the Select a component type window, select the Session Sender (L4) test component.
  80. 9. The Information tab should be selected. Type SYN Flood as the name and click Apply Changes.
      10. Select the Presets tab. Locate IPS SYN Flood in the list, and click Apply Changes.
      11. With the addition of the Session Sender test component, the interfaces have become oversubscribed. Select the Maximum Throughput test component, and then select the Parameters tab. Change the Minimum data rate to 85% of the total available bandwidth, and click Apply Changes.
  81. 12. Verify that the Test Status has a green checkmark. If not, click on Test Status and make the required changes.
      13. If desired, edit the test Description under the Test Information section.
      14. Under the Test Quick Steps, click Save and Run.
      The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
  82. Detailed results about each protocol can be viewed under the Application tab. Use the drop-down menus to display results from different protocols.
      15. Select the Attacks tab. This provides a real-time look into how the IPS is performing with the malicious traffic. As can be seen from the image below, some of the attacks are being allowed to pass through the IPS.
  83. 16. Once the test completes, a new window will appear, stating the test criteria failed. Click Close to continue.
      17. Click the View the report button. This will open detailed results in a browser window.
      18. Expand Test Results for SYN Flood and select TCP Summary. Verify that no TCP connections were established. Collapse Test Results for SYN Flood once completed.
  84. 19. Expand Test Results for Malicious Traffic and select Strike Results. Determine how well the IPS was able to block and not allow different strikes to pass through. Again, collapse Test Results for Malicious Traffic once completed.
      20. Expand Test Results for Maximum Throughput and select TCP Setup Time. The quicker the IPS is able to react and set up the TCP connection, the better. Determine the effect the malicious traffic had on the TCP setup time. The TCP setup time has been affected and has increased.
  85. 21. Next, select TCP Response Time. Again, the quicker the IPS is able to respond to the incoming connection, the better, as the connection can be established quicker. Again, the TCP response time has increased.
      22. Select TCP Close Time. The ability of the IPS to quickly terminate a connection allows the IPS to free those resources. The TCP close time has also increased compared to the baseline tests.
  86. 23. Select Frame Latency and determine the effect malicious traffic and the SYN flood had on the overall latency.
      24. Next, expand the Details folder. Also, expand the App Throughput: by protocol folder. Select the first item, App Throughput: protocol aol, and determine if any traffic was able to pass through the IPS. View the entire list to determine how each protocol was handled.
  87. 25. Repeat the previous step with App Transaction Rates: by protocol, App Response Time: by protocol, and App Failures: by protocol. Determine if transmitting blended traffic had an effect on any of the protocols.
      26. Finally, select Frame Data Rate and determine how the malicious traffic and SYN Flood affected the data rate.
      27. Compare all the results collected from the current test with the baseline tests to determine any differences.
      28. If any test variations were run with either the Baseline Application Performance Test: Throughput, the Baseline Attack Mitigation: Malicious Traffic or Baseline Attack Mitigation: SYN Flood, make sure to run those variations on this test too.
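The blended tests above all end with a manual comparison against the baseline runs. The following added example (not part of the original paper or of any BreakingPoint tooling) automates that comparison; the metric names mirror the report sections named in the steps, while the dictionary layout, the strike names and every number are constructed for illustration.

```python
# Metric names follow the report sections in the steps above; the dict layout
# and every number below are constructed, not a BreakingPoint export format.
LOWER_IS_BETTER = {"tcp_setup_ms", "tcp_response_ms", "tcp_close_ms", "frame_latency_us"}
HIGHER_IS_BETTER = {"frame_data_rate_mbps"}

BASELINE = {"tcp_setup_ms": 0.40, "tcp_response_ms": 1.20, "tcp_close_ms": 0.50,
            "frame_latency_us": 80.0, "frame_data_rate_mbps": 900.0}
BLENDED = {"tcp_setup_ms": 0.62, "tcp_response_ms": 1.26, "tcp_close_ms": 0.80,
           "frame_latency_us": 84.0, "frame_data_rate_mbps": 765.0}
BASELINE_PROTO = {"aol": {"throughput_mbps": 40.0, "failures": 0},
                  "http": {"throughput_mbps": 500.0, "failures": 2},
                  "smtp": {"throughput_mbps": 60.0, "failures": 0}}
BLENDED_PROTO = {"aol": {"throughput_mbps": 0.0, "failures": 35},
                 "http": {"throughput_mbps": 470.0, "failures": 2},
                 "smtp": {"throughput_mbps": 45.0, "failures": 0}}
STRIKES = {"strike-01": "blocked", "strike-02": "allowed",
           "strike-03": "blocked", "strike-04": "blocked"}
SYN_TCP_SUMMARY = {"client_established": 0, "server_established": 0}


def compare_run(baseline, blended, tolerance_pct=10.0):
    """Map each shared metric to (signed % change vs. baseline, regressed?)."""
    result = {}
    for metric in sorted(baseline.keys() & blended.keys()):
        base, cur = baseline[metric], blended[metric]
        if base == 0:  # no percentage exists; any non-zero value is a change
            change = 0.0 if cur == 0 else float("inf")
        else:
            change = round((cur - base) / base * 100.0, 1)
        if metric in LOWER_IS_BETTER:      # timings and latency: growth is bad
            regressed = change > tolerance_pct
        elif metric in HIGHER_IS_BETTER:   # data rate: a drop is bad
            regressed = change < -tolerance_pct
        else:                              # unknown direction: flag either way
            regressed = abs(change) > tolerance_pct
        result[metric] = (change, regressed)
    return result


def protocol_findings(baseline, blended, tolerance_pct=10.0):
    """Flag protocols that stopped passing, lost throughput or gained failures."""
    findings = {}
    for proto, base in baseline.items():
        cur = blended.get(proto, {"throughput_mbps": 0.0, "failures": 0})
        notes = []
        if base["throughput_mbps"] > 0 and cur["throughput_mbps"] == 0:
            notes.append("no traffic passed")
        elif cur["throughput_mbps"] < base["throughput_mbps"] * (1 - tolerance_pct / 100):
            notes.append("throughput down")
        if cur["failures"] > base["failures"]:
            notes.append("more failures")
        if notes:
            findings[proto] = notes
    return findings


def strike_block_rate(strikes):
    """Fraction of strikes the DUT blocked; None when no strikes were sent."""
    if not strikes:
        return None
    return sum(1 for result in strikes.values() if result == "blocked") / len(strikes)


def syn_flood_contained(tcp_summary):
    """True only if neither side of the flood component established a connection."""
    return tcp_summary["client_established"] == 0 and tcp_summary["server_established"] == 0


if __name__ == "__main__":
    for name, (change, bad) in compare_run(BASELINE, BLENDED).items():
        print(f"{name:22} {change:+7.1f}%  {'REGRESSED' if bad else 'ok'}")
    print(protocol_findings(BASELINE_PROTO, BLENDED_PROTO))
    print(f"strikes blocked: {strike_block_rate(STRIKES):.0%},",
          "SYN flood contained:", syn_flood_contained(SYN_TCP_SUMMARY))
```

The 10% tolerance is an assumption; set it from the run-to-run variation seen when the baseline test is repeated unchanged.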
  88. Jumbo Frames
      RFC:
      • RFC 768 – User Datagram Protocol
      • RFC 791 – Internet Protocol
      • RFC 793 – Transmission Control Protocol
      • RFC 894 – A Standard for the Transmission of IP Datagrams over Ethernet
      Overview: The Throughput test will be used as a starting point in this test. Once the test is opened, the Maximum Segment Size will be changed to 4,000 to send jumbo frames.
      Objective: To analyze how the IPS handles jumbo frames.
      Setup:
  89. 1. Launch your favorite Web browser, and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center once the page loads.
      2. In the new window that appears, enter your Login ID and Password. Click Login.
  90. 3. Reserve the required ports to run the test.
      4. We will use a previous test as a starting point for this test. Select Test > Open Recent Tests > IPS Maximum Throughput.
      5. Before continuing with configuration of the test, click Save Test As.
  91. 6. When prompted for a name to save the test as, type IPS Jumbo Frames.
      7. Select the Parameters tab and under the TCP Configuration section, change the Maximum Segment Size (MSS) to a value greater than 1500 but less than 9142. In this example, a 4000-byte packet was used. Once the changes have been completed, click Apply Changes.
      8. Next, select Control Center > Device Status.
  92. 9. When prompted about saving the test due to changes, click Yes.
      10. Right-click on a reserved port, and select Configure Port.
      11. Verify that the MTU is large enough, and click Close. If needed, increase the MTU size, and click Apply. Repeat this process for the other reserved port too.
  93. 12. To return to the test configuration, select Test > Open Recent Tests > IPS Jumbo Frames.
      13. Under the Test Information section, edit the test Description.
      14. Verify that the Test Status has a green checkmark. If it does not contain a green checkmark, click Test Status and make the required changes.
      15. Under Test Quick Steps, click Save and Run.
  94. The Summary tab will be visible and provides a great deal of information about the current running test and results. The Summary tab provides information about the application flows, TCP connections and overall bandwidth currently being utilized.
      16. Once the test completes, a new window will appear stating that the test either passed or failed. Click Close to continue.
  95. 17. Click the View the report button. This will open a Web page containing more detailed results.
      18. Expand the Test Results for Maximum Throughput folder, and select App Bytes Transmitted. This will display the byte count that each protocol transmitted.
  96. 19. Expand the Details folder, and select TCP Setup Time. The shorter the TCP setup time, the better, as the DUT is able to quickly handle the requests and continue operating as expected.
      20. Select TCP Response Time. Again, the shorter the TCP response time, the better, as the DUT is able to quickly respond to requests and continue operating.
  97. 21. Expand the Detail folder. Select the Frame Data Rate, and determine the maximum transmit and receive rate using the graph and the table.
      22. To determine how each protocol was handled by the IPS, five different results will be viewed. Under the Detail folder, expand and analyze the results of the following: App Concurrent Flows: by protocol, App Throughput: by protocol, App Transaction Rates: by protocol, App Response Time: by protocol and App Failures: by protocol.
      23. Using the results from the current test and the results from the Throughput test, determine if the IPS performed better, worse or the same when handling jumbo frames.
      Other test variations can also be run. The following are some test variation examples:
      • Test several different sizes of jumbo frames, specifically making sure to test the 9,000-byte frame.
      • Increase the test duration.
      • If Hot Standby is going to be used, perform a test that shows how traffic is affected.
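Step 11 of the jumbo frame setup asks whether the port MTU is "large enough" for the chosen MSS. The added example below (not from the original paper) works that out from standard header sizes; the port names and MTU values are constructed placeholders, and the header arithmetic assumes no IP options.

```python
# Fixed header sizes in bytes. Assumption: no IP options, and any TCP options
# are taken out of the MSS budget by the sender (RFC 6691), so they add nothing.
IP_HEADER = {4: 20, 6: 40}
TCP_HEADER = 20
ETH_HEADER, ETH_FCS, VLAN_TAG = 14, 4, 4

# Constructed port MTUs; the names are placeholders, not BreakingPoint identifiers.
PORT_MTUS = {"port-A": 1500, "port-B": 9000}


def mss_in_page_range(mss):
    """Step 7 asks for an MSS greater than 1500 but less than 9142."""
    return 1500 < mss < 9142


def required_mtu(mss, ip_version=4):
    """Smallest interface MTU that carries a full-MSS segment unfragmented."""
    return mss + IP_HEADER[ip_version] + TCP_HEADER


def mss_for_mtu(mtu, ip_version=4):
    """Largest MSS that fits a given MTU, e.g. when targeting a 9,000-byte MTU."""
    return mtu - IP_HEADER[ip_version] - TCP_HEADER


def frame_on_wire(mss, ip_version=4, vlan=False):
    """Ethernet frame size (header + payload + FCS) for a full-MSS segment."""
    return required_mtu(mss, ip_version) + ETH_HEADER + ETH_FCS + (VLAN_TAG if vlan else 0)


def ports_too_small(mss, port_mtus, ip_version=4):
    """Names of ports whose MTU cannot carry a full-MSS segment."""
    need = required_mtu(mss, ip_version)
    return sorted(name for name, mtu in port_mtus.items() if mtu < need)


if __name__ == "__main__":
    mss = 4000  # the value used in the procedure above
    print("MSS in range:", mss_in_page_range(mss))
    print("required MTU:", required_mtu(mss), "frame on wire:", frame_on_wire(mss))
    print("ports to reconfigure:", ports_too_small(mss, PORT_MTUS))
    print("MSS for a 9000-byte MTU:", mss_for_mtu(9000))
```

The same MTU has to be supported by the IPS interfaces in the path; otherwise the result measures fragmentation or drops rather than jumbo frame handling.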
