Testing Darwinsim: The History and Evolution of Network Resiliency

Similar documents

Firewall Testing Methodology W H I T E P A P E R

VALIDATING DDoS THREAT PROTECTION

Network Security Equipment The Ever Changing Curveball

IxLoad-Attack: Network Security Testing

For IT Infrastructure, Mobile and Cloud Computing - Why and how

The CISO s Guide to Security

Data Center security trends

Firewalls in the Data Center: Main Strategies and Metrics

Business Case for a DDoS Consolidated Solution

4 Delivers over 20,000 SSL connections per second (cps), which

Spirent Journal of Cloud Application and Security Services PASS Test Methodologies. June 2011 Edition. February 2011 Edition PASS

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Data Centers Protection from DoS attacks. Trends and solutions. Michael Soukonnik, Radware Ltd Riga. Baltic IT&T

Reduce Your Network's Attack Surface

Cyber Range Training Services

What to Look for When Evaluating Next-Generation Firewalls

Load Balancing Security Gateways WHITE PAPER

FortiGate-3950B Scores 95/100 on BreakingPoint Resiliency Score (Security, Performance, & Stability)

Secure Cloud-Ready Data Centers Juniper Networks

Performance and Scalability with the Juniper SRX5400

Lab Testing Summary Report

Using Palo Alto Networks to Protect the Datacenter

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Server Load Balancing (SLB) Testing IxLoad

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model: MX64 MX64W MX84 MX100 MX400 MX600

TEST METHODOLOGY. Network Firewall Data Center. v1.0

Extreme Security Threat Protection G2 - Intrusion Prevention Integrated security, visibility, and control for nextgeneration network protection

Non-Geeks Guide to. Network Threat Prevention

Comparative Performance and Resilience Test Results - UTM Appliances. Miercom tests comparing Sophos SG Series appliances against the competition

Is the Security Industry Ready for SSL Decryption?

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Network Security Solution. Arktos Lam

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

The SIEM Evaluator s Guide

What s Next for Network Security - Visibility is king! Gøran Tømte March 2013

Appliance Comparison Chart

IBM Security Network Intrusion Prevention System

How to Build a Massively Scalable Next-Generation Firewall

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Cisco Meraki MX products come in 6 models. The chart below outlines MX hardware properties for each model: MX60 MX60W MX80 MX100 MX400 MX600

TIME TO RETHINK NETWORK SECURITY

Server Load Balancer Testing

Critical Controls for Cyber Security.

DDoS Protection on the Security Gateway

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

DPtech ADX Application Delivery Platform Series

Unified Threat Management Throughput Performance

High Performance NGFW Extended

Security Solutions for the New Threads

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Host-based Intrusion Prevention System (HIPS)

CS5008: Internet Computing

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

Cisco ASA 5500 Series Business Edition

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Next Generation Firewalls and Sandboxing

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Intro to Firewalls. Summary

SourceFireNext-Generation IPS

Accelerating the Deployment of the Evolved Cyber Range

Internet Services. Amcom. Support & Troubleshooting Guide

ISS X-Force. IBM Global Services. Angel NIKOLOV Country Manager BG, CZ, HU, RO and SK IBM Internet Security Systems

A TASTE OF HTTP BOTNETS

Glasnost or Tyranny? You Can Have Secure and Open Networks!

Networking for Caribbean Development

White Paper A10 Thunder and AX Series Load Balancing Security Gateways

Next-Generation Firewalls: Critical to SMB Network Security

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014

Guidance Regarding Skype and Other P2P VoIP Solutions

Check Point submitted the SWG Secure Web Gateway for

Huawei Eudemon200E-N Next-Generation Firewall

Arbor s Solution for ISP

Firewall Sandwich. Aleksander Kijewski Presales Engineer Dell Software Group. Dell Security Peak Performance

Application Delivery Testing at 100Gbps and Beyond

Cisco Integrated Services Routers Performance Overview

Router Throughput Tests

IBM Advanced Threat Protection Solution

Information Security Basic Concepts

Transcription:

Testing Darwinsim: The History and Evolution of Network Resiliency Mike Hamilton Ixia Communications Session ID: SPO-210 Session Classification: General Interest

Why Should I Care? 2

RESILIENCY Defining Resiliency Performance How Application load, attacks, and impairments. Why Measure and improve performance under high-stress conditions. Security Latest attacks, evasions, malware, and spam. Identify and remediate vulnerabilities. Perform under DoS attack. Stability Impairments combined with application load. Ensure reliable performance and availability. 3

Performance Performance How Application load, attacks, and impairments. Why Measure and improve performance under high-stress conditions. 4

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C *3WHS+D+3WC **Derived from PPS Connectivity Stated as Application 5

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (Max) 150 Gbps 560 Gbps 640 Gbps *3WHS+D+3WC **Derived from PPS Connectivity Stated as Application 6

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (Max) Throughput (IMIX) 150 Gbps 560 Gbps 640 Gbps 37.8 Gbps 560 Gbps 135 Gbps *3WHS+D+3WC **Derived from PPS Connectivity Stated as Application 7

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (Max) Throughput (IMIX) Throughput (64B) 150 Gbps 560 Gbps 640 Gbps 37.8 Gbps 560 Gbps 135 Gbps 7.7 Gbps** 560 Gbps 31 Gbps** *3WHS+D+3WC **Derived from PPS Connectivity Stated as Application 8

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (Max) Throughput (IMIX) Throughput (64B) Connections per Second* 150 Gbps 560 Gbps 640 Gbps 37.8 Gbps 560 Gbps 135 Gbps 7.7 Gbps** 560 Gbps 31 Gbps** 380,000 3.29M 320,000 *3WHS+D+3WC **Derived from PPS Connectivity Stated as Application 9

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (Max) Throughput (IMIX) Throughput (64B) Connections per Second* Concurrent Connections 150 Gbps 560 Gbps 640 Gbps 37.8 Gbps 560 Gbps 135 Gbps 7.7 Gbps** 560 Gbps 31 Gbps** 380,000 3.29M 320,000 20M 280M 100M *3WHS+D+3WC **Derived from PPS Connectivity Stated as Application 10

The Datasheet Game Carrier Class Firewall 11

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C 12

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (64B) 7.7 Gbps 560 Gbps 31 Gbps 13

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (64B) 7.7 Gbps 560 Gbps 31 Gbps CPS 380,000 3.29M 320,000 14

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (64B) 7.7 Gbps 560 Gbps 31 Gbps CPS 380,000 3.29M 320,000 Worst-case Throughput 1.8 Gbps 15.8 Gbps 1.5 Gbps 15

The Datasheet Game Carrier Class Firewall Metric Firewall A Firewall B Firewall C Throughput (64B) 7.7 Gbps 560 Gbps 31 Gbps CPS 380,000 3.29M 320,000 Worst-case Throughput Worst-case Goodput 1.8 Gbps 15.8 Gbps 1.5 Gbps 6 Mbps 52 Mbps 5.1 Mbps 16

Performance Performance How Application load, attacks, and impairments. Why Measure and improve performance under high-stress conditions. 17

Security Performance How Application load, attacks, and impairments. Why Measure and improve performance under high-stress conditions. Security Latest attacks, evasions, malware, and spam. Identify and remediate vulnerabilities. Perform under DoS attack. 18

Does Mark the Spot? 19

IPS Imprecise Performance Systems Firewall A Firewall B Firewall C Throughput (64B) 7.7 Gbps 560 Gbps 31 Gbps CPS 380,000 3.29M 320,000 Worst-case Throughput Worst-case Goodput IPS Throughput 1.8 Gbps 15.8 Gbps 1.5 Gbps 6 Mbps 52 Mbps 5.1 Mbps 26 Gbps 131.6 Gbps 40 Gbps 20

DDoS Are You Ready? 21

Why Should I Care? 22

$,,, 23

DLP Dollar Loss Prevention 24

RESILIENCY Stability Performance How Application load, attacks, and impairments. Why Measure and improve performance under high-stress conditions. Security Latest attacks, evasions, malware, and spam. Identify and remediate vulnerabilities. Perform under DoS attack. Stability Impairments combined with application load. Ensure reliable performance and availability. 25

Stability 26

How to Measure? 27

Why Should I Care? 28

Combinations and Permutations 48 + 48 + 16 + 16 + 32 = 160 4 + 4 + 8 + 16 + 16 + 3 + 13 + 8 + 8 + 16 + 32 + 32 = 160 16 + 16+ 16 + 16 = 64 OR 16 + 16 + 32 + 32 + 4 + 3 + 9 + 16 + 16 + 16 = 160 29

Combinations 2 160+160+160 = 2 480 = 3.121749 x 10 144 packets On a 10 Gbps link at 15mm PPS = 2.08x10 137 seconds = 3.46x10 135 minutes = 5.78x10 133 hours = 2.41x10 132 days = 6.59x10 129 years = 4.7x10 119 lifetimes of the Universe 30

Why Should I Care? 31

Combinations and Permutations 48 + 48 + 16 + 16 + 32 = 160 4 + 4 + 8 + 16 + 16 + 3 + 13 + 8 + 8 + 16 + 32 + 32 = 160 = 96 16 + 16+ 16 + 16 = 64 OR 16 + 16 + 32 + 32 + 4 + 3 + 9 + 16 + 16 + 16 = 160 = 144 32

Combinations 2 96+144 = 2 240 = 1.77 x 10 72 packets On a 10 Gbps link at 15mm PPS = 1.18x10 65 seconds = 1.96x10 63 minutes = 3.27x10 61 hours = 1.36x10 60 days = 3.73x10 57 years = 2.66x10 47 lifetimes of the Universe 33

Resiliency 34

Resiliency Testing: A History Lesson Internet Growth Leads to Technology Standards IETF Testing Standards RFC 1944 RFC 2544 RFC 3511 35

RFC 2544: Right Standard, Wrong Time Original Goal Create Vendor-Agnostic Comparisons 18 years later (Today) Industry continues to apply RFC 2544 to nextgeneration and content aware devices 36

RFC 3511: False Sense of Security? HTTP is NOT an Application 37

Mobility in Action 38

Moving Ahead: Evolving Testing Standards IETF Benchmarking Working Group Content-aware device methodology Industry consortiums DPIbench 39

Resiliency = Battle-Tested Apply emerging standards today Download the most recent work Understand your network traffic Enterprise, service provider, government, etc. 40

Apply: Takeaways Ask your vendor*: 1. Are you keeping up with emerging testing standards? 2. What application mixes and weights do you use during testing? 3. Do you combine applications and high-stress user load during testing? 4. What have the results been when you have tested using malformed traffic? 5. How does the device perform against application-layer attacks? 6. Can I test your product with my unique network, application, and user conditions? *Vendors, ask yourself the same questions. 41

Apply: Final Thoughts Read between the lines Money matters Just because code hasn t been touched doesn t mean it is not the problem Never leave a test port idle Utilize industry resources 42

Questions? $,,, Contact information: Mike Hamilton Director of Global Systems Engineering BreakingPoint Systems mhamilton@breakingpoint.com 43