ICSA Labs Network IPS Certification Testing Report Network IPS Enterprise Certification Testing Criteria - Version 1.4.




IBM Corporation
IBM Security Network Intrusion Prevention System GX Family

December 18, 2013

Prepared by ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050
www.icsalabs.com

Replacing NIPS-IBMCORPORA-2013-1218-01

Table of Contents

EXECUTIVE SUMMARY ... 1
    Introduction ... 1
    Product Overview ... 1
    Scope of Assessment ... 2
    Summary of Findings ... 2
    Certification Maintenance ... 2
PRODUCT OVERVIEW ... 3
    Hardware ... 3
    Software ... 3
TESTING METHODOLOGY HIGHLIGHTS ... 4
    Background ... 4
    Security Coverage Tests ... 4
    Network Performance Tests ... 5
    Administrative Tests ... 6
SUMMARY OF FINDINGS ... 6
ANALYST NOTES ... 10
FROM PATCHED TO GENERALLY AVAILABLE ... 11
CONCLUSION ... 12
APPENDIX 1: TOOLS VENDOR PARTNERS ... 13
    CORE IMPACT, Core Security Technologies ... 13
    IXIA XM2 Portable Chassis with IxNetwork and IxLoad applications ... 13
APPENDIX 2 ... 15
TESTING INFORMATION ... 16
    Lab Report Date ... 16
    Test Location ... 16
    Product Developer's Headquarters ... 16

Executive Summary

Introduction

Note: this report, originally published on Dec. 18, 2013, was updated to correct an error in the name of the product family and a couple of formatting issues.

Comprehensive enterprise network security is increasingly important. Savvy network and security professionals realize that a strong defense that incorporates deep packet inspection with appropriate real-time action is not optional. These professionals know it is essential to detect and block malicious and other unwanted traffic from entering and damaging the enterprise network, while introducing little latency and allowing valid business traffic to pass unimpeded. These needs are addressed by a class of security devices known as network intrusion prevention systems (network IPS).

In attempting to make an informed purchasing decision about a network IPS solution, it is easy to be baffled by the array of features and claims made by network IPS product developers. This is where ICSA Labs adds its value. ICSA Labs has a rich heritage of rigorous security testing and is recognized throughout the world for setting high standards in computer and network security certification testing. For more than 20 years, ICSA Labs has been testing and certifying the world's leading security products against criteria developed with input from key industry stakeholders.

The test suite incorporates a proper combination of rigorous security coverage protection, network performance, and administrative testing, all aimed at the needs of enterprise end users. The testing brings to bear ICSA Labs' considerable security testing expertise. The outcome is a network IPS test set that is thorough, objective, and exacting, which produces relevant and useful results benefiting the enterprise end user community.
This report documents the testing results for the certified product named below and provides end users with details about how the network IPS solution performed against the full battery of hundreds of test cases, each developed to ensure that one or more criteria requirements are met. The network IPS solution is subjected to test cases that combine:

- vulnerability-focused attack testing;
- evasion testing;
- denial-of-service testing;
- network performance and latency testing;
- false positives testing;
- administrative function testing.

ICSA Labs understands that ignoring or short-changing one or more of the above areas at best falls short of serving enterprise end users and at worst totally misleads them. Therefore, in addition to comprehensive and relevant testing in the above areas, the capabilities are tested simultaneously, not just in isolation. The test suite mimics the real-world conditions in which the network IPS could be deployed. As a result of these considerations, an ICSA Labs Certified Network IPS like the IBM Security Network Intrusion Prevention System GX Family performs its functions well in live networks, not just in the lab.

Product Overview

When developers build a network IPS they have a very good idea about the kind of end user customer networks for which their product is best suited. End users could benefit from knowing this information as well. There are a number of places in a network where one might deploy a network IPS, and there are organizations of all different sizes with all kinds of different needs in terms of protection, latency, etcetera. ICSA Labs believes it is important for the end user to be able to marry their own needs to those of developers attempting to satisfy those needs. The information below is a brief overview of what the product developer says about its product(s).

IBM Security Network Intrusion Prevention System solutions are designed to stop Internet threats before they impact your business. Preemptive protection, protection that works ahead of the threat, is available from IBM through its proprietary combination of line-speed performance, security intelligence and a modular protection engine that enables security convergence. By consolidating network demands for data security and protection for web applications, IBM Security Network Intrusion Prevention System solutions serve as security platforms that can reduce the cost and complexity of deploying and managing point solutions.

Scope of Assessment

During this test iteration the IBM Security Network Intrusion Prevention System (IPS) GX Family was tested against the complete set of criteria requirements found in version 1.4 of the ICSA Labs Network IPS Enterprise Certification Testing Criteria. All test cases were conducted with the product deployed and configured in a manner similar to that found in enterprise environments.

Summary of Findings

To attain ICSA Labs Network IPS Certification, IBM overcame five criteria violations. Two were related to logging functions, two related to coverage protection and one related to remote administration. The details of these criteria violations, as well as how they were resolved, are discussed in the Summary of Findings section of this report. Testing was completed on the IBM Security Network IPS GX Family using firmware version 4.6, XPU 33.050 and SiteProtector version 2.9.0.1 b3.
Certification Maintenance

Across testing programs at ICSA Labs, products remain deployed throughout their annual testing contract. This continuous deployment of products, a trademark of ICSA Labs, affords ICSA Labs the ability to test certified and not-yet-certified products whenever necessary. Beyond testing products anytime on demand, many ICSA Labs certification testing programs routinely test products more than a single time throughout the year. For example, ICSA Labs tests anti-virus products every month and anti-spam products every day.

The Network IPS Certification Testing Program is no exception. Network IPS solutions are tested annually against the entire set of 50+ criteria requirements. They are also tested to confirm they provide coverage protection each time the test set changes. Additionally, network IPS solutions are tested to confirm that the fixes resulting from testing are incorporated into shipping code. And finally, network IPS solutions are tested when critical security vulnerabilities arise that merit an out-of-band test.

Like this testing report, which is produced at the completion of a product's initial test iteration, all reports are available from the ICSA Labs Website for all to review free of charge. Given all the testing performed, not all products are able to maintain their certification. Therefore, ICSA Labs recommends frequently checking the following link for any changes to the certification status of any product: http://www.icsalabs.com/products?tid[]=4222

Product Overview

Hardware

IBM provided ICSA Labs with the following hardware:

- IBM GX4004: this appliance is equipped with four 10/100/1000BaseT copper interfaces that serve as two pairs of mission segments. There are also two 10/100/1000BaseT copper interfaces for management functionality.
- IBM GX7800: this appliance is equipped with eight 10 GbE SFP+ interfaces that serve as four pairs of mission segments. There are also two 10/100/1000BaseT copper interfaces for management functionality.

Software

IBM provided ICSA Labs with the following software and/or firmware:

- IBM Security Network IPS GX Family Firmware: base software of the sensor. Testing began with version 4.4 and completed with version 4.6.
- Intrusion Prevention XPU: signature package of the sensor. Testing began with XPU 32.070 and completed with XPU 33.050.
- SiteProtector: central management and log server. Testing began with version 2.9.0.0 b225 and completed with version 2.9.0.1 b3.

Multiple Network IPS Engine Models

Network IPS product developers often build and sell multiple models to attract and accommodate a broad range of customers. Though hardware differences may exist for these models, the software and/or firmware providing the network IPS functionality remains essentially the same. In an effort to be practical while still providing a meaningful level of assurance to end users, ICSA Labs tests two or more from a group of related network IPS models. Prior to testing, the developer signs an ICSA Labs attestation form confirming that all the models in the group are indeed the same with respect to meeting the testing criteria requirements. The attestation form coupled with successful testing of at least two models from the group leads to certification for not just the models tested but the entire group. Any remaining models are rotated in and out of ICSA Labs such that all models in the group are tested in due time.

The following table depicts the entire group of ICSA Labs Network IPS Certified models. The models marked with (*) are the ones that were tested during this and any previous testing iteration. The models listed are subject to change. For the most up-to-date list of certified product models refer to the ICSA Labs Network IPS Certified products on the ICSA Labs Website at http://www.icsalabs.com/products?tid[]=4222.

IBM Security Network IPS GX Family Models
  GX4004-200
  GX4004 (*)
  GX5008
  GX5108
  GX5208
  GX7412-5
  GX7412-10
  GX7412
  GX7800 (*)

Table 1 - Group of ICSA Labs Network IPS Certified Models

Testing Methodology Highlights

Background

Developing a comprehensive network IPS test suite that is relevant to enterprise end users is a complex and lengthy undertaking. In fact, ICSA Labs spent more than a year developing its rigorous network IPS test suite, and we are continually revising and improving it. The test suite is comprised of hundreds of individual test cases focused on three main categories: security coverage tests, network performance tests, and administrative tests. This section provides an overview of the key test cases performed by ICSA Labs in each category.

Security Coverage Tests

There are thousands of known vulnerabilities with more being discovered every day. Since some vulnerabilities are not remotely exploitable and others are only present in obscure software rarely found in enterprise networks, not all vulnerabilities are relevant for meaningful network IPS testing. To determine the set of vulnerabilities that are most relevant for its testing, ICSA Labs performs research on a regular, ongoing basis. Each developer's solution is tested against attacks targeting this evolving set of remotely exploitable, high-severity vulnerabilities found in enterprise software spanning the last several years. 95% have a CVSS score of 7 or greater. The test set is weighted most heavily with vulnerabilities in software developed by Microsoft (nearly 40%) and includes a wide range of other vulnerable software, including vulnerable versions of Oracle, Symantec Backup Exec, CA ARCserve, IBM Tivoli, Citrix Presentation Server, MySQL, etc.

To attain and retain ICSA Labs Network IPS Certification, the candidate being tested must repeatedly prevent any and all attacks targeting the vulnerability set, inbound and outbound, while 80% of the product's bandwidth is consumed by real, background network traffic. In the midst of the network traffic, ICSA Labs injects attacks at pseudo-random intervals. If a replayed attack targeting a vulnerability is either not detected or detected but not prevented, then ICSA Labs verifies the findings by running the actual attack through the candidate against a real vulnerable system. ICSA Labs maintains a collection of vulnerable systems comprised of numerous VMware images and physical systems running versions of enterprise software that ICSA Labs installed and confirmed to be vulnerable to attacks targeting vulnerability set elements.

In the event that a candidate does not detect and/or prevent an attack targeting a vulnerability set element, ICSA Labs informs the developer that the candidate has a criteria violation that must be resolved. ICSA Labs then provides the CVE ID of the vulnerability for which protection is inadequate. ICSA Labs neither provides the attack nor a packet capture of the attack to the developer. By restricting what is provided to the developer to resolve the violation, ICSA Labs helps the industry move toward true vulnerability protection and away from individual attack protection. With testing that is vulnerability focused, the network IPS industry is encouraged to build network intrusion prevention systems that protect against the exploitation of each vulnerability instead of reactionary protection after each new attack is released.

ICSA Labs also verifies that the network IPS is not easily evaded. To attain and retain ICSA Labs Network IPS Certification, the candidate being tested must not be evaded using common evasion techniques such as those found in the Ptacek/Newsham paper (https://sparrow.ece.cmu.edu/group/731-s08/readings/ptacek-newsham.pdf).

ICSA Labs evasion testing combines attacks used in security coverage protection testing with evasions at one or multiple layers in the TCP/IP stack. The evasion testing exploits TCP/IP's natural, built-in flexibility in order to disguise attacks. With attacks disguised in one or more ways, those that would otherwise be caught can sometimes evade detection by the candidate network IPS. ICSA Labs network IPS certification testing uses a great deal of this trickery in an attempt to evade the protections provided by the candidate device under test.

Finally, ICSA Labs network IPS certification testing verifies that a candidate network IPS can mitigate the effects of denial of service (DoS) attacks. ICSA Labs does not expect a network IPS to completely neutralize all DoS attacks. Instead, ICSA Labs expects any rate-based and/or resource consumption-based DoS attack to be mitigated to acceptable levels as defined in the Network IPS Enterprise Certification Testing Criteria. In DoS testing, the attacking system is connected on one side of the network IPS candidate, and the target system is connected on the other. ICSA Labs launches a variety of DoS attacks that are publicly known and executable from a single system. The DoS attacks include, for example, synflood, udpflood, and the whole suite of targa2 DoS attacks. At the same time, real background traffic is filling 80% of the available bandwidth. In order to determine whether or not a candidate can satisfy the DoS attack criteria requirement and successfully mitigate the DoS attack, ICSA Labs measures:

- the rate of DoS attack traffic that leaves the attacking system,
- the rate of DoS attack traffic that arrives at the target system,
- the reduction in capability of the candidate network IPS to pass legitimate background traffic, and
- the manageability of the candidate network IPS via its primary administrative interface.
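The four DoS measurements listed above reduce to a single mitigation verdict. The following Python is an added example and not part of the ICSA Labs report: the acceptance thresholds are parameters with illustrative defaults (the criteria's actual "acceptable levels" are not stated on this page), and the sample measurements are constructed.

```python
"""Added example, not part of the ICSA Labs report: turning the four DoS
measurements the report lists into one mitigation verdict.

The acceptance thresholds are parameters. The criteria document's real
values are not given on the page, so the defaults below are illustrative
assumptions, as are the sample measurements at the bottom."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DosRun:
    """One DoS test run, holding exactly the four things the report measures."""
    attack_pps_sent: float          # attack packets/s leaving the attacking system
    attack_pps_received: float      # attack packets/s arriving at the target system
    legit_mbps_baseline: float      # background traffic passed before the attack
    legit_mbps_under_attack: float  # background traffic passed during the attack
    admin_reachable: bool           # primary administrative interface still usable


@dataclass(frozen=True)
class DosVerdict:
    attack_passed_pct: float    # share of attack traffic that reached the target
    legit_reduction_pct: float  # lost capacity to pass legitimate traffic
    admin_reachable: bool
    mitigated: bool


def evaluate_dos(run: DosRun,
                 max_attack_passed_pct: float = 10.0,    # assumed threshold
                 max_legit_reduction_pct: float = 20.0   # assumed threshold
                 ) -> DosVerdict:
    """Apply the two numeric checks plus the manageability check."""
    if run.attack_pps_sent <= 0 or run.legit_mbps_baseline <= 0:
        raise ValueError("attack rate and baseline throughput must be positive")
    attack_passed = 100.0 * run.attack_pps_received / run.attack_pps_sent
    # Throughput cannot usefully "improve" under attack; clamp the loss at zero.
    reduction = max(0.0, 100.0 * (1.0 - run.legit_mbps_under_attack
                                  / run.legit_mbps_baseline))
    mitigated = (attack_passed <= max_attack_passed_pct
                 and reduction <= max_legit_reduction_pct
                 and run.admin_reachable)
    return DosVerdict(round(attack_passed, 2), round(reduction, 2),
                      run.admin_reachable, mitigated)


# Constructed sample runs (not measurements from the report).
SAMPLE_RUNS = {
    "synflood": DosRun(200_000, 1_500, 800.0, 790.0, True),   # well mitigated
    "udpflood": DosRun(150_000, 60_000, 800.0, 420.0, True),  # too much leaks through
    "targa2":   DosRun(50_000, 500, 800.0, 800.0, False),     # traffic fine, admin lost
}


def evaluate_all(runs=SAMPLE_RUNS):
    """Verdict per named attack."""
    return {name: evaluate_dos(run) for name, run in runs.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:9s} {verdict}")
```

Note that a run can fail on manageability alone ("targa2" above): the report lists the administrative interface as a measured outcome, so a device that drops every attack packet but can no longer be administered has not mitigated the attack.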
Network Performance Tests

It is important that network IPS devices introduce a minimal amount of latency as they inspect real-world traffic. During testing, ICSA Labs increases the amount of real background traffic until one or more of the following occurs:

- the candidate begins to allow attacks to pass through that it had previously blocked at lower throughput rates,
- the latency of the candidate increases to such a high level that a further increase in throughput is not possible,
- administration of the candidate becomes impractical, or
- the media speed of the mission interfaces becomes the limiting factor.

ICSA Labs employs a combination of mechanisms to fill the pipe with real background network traffic. Both traffic generation tools and the open source packet capture replay tool, Tomahawk, are used. In order for Tomahawk to be used, ICSA Labs collected packet captures from existing enterprise networks so that the background network traffic mix used in testing would be as realistic as possible. Finding a realistic mix of traffic was challenging but necessary to properly test network IPS devices intended for real-world deployments. Before being used in ICSA Labs network IPS testing, the packet captures went through a thorough cleaning process that involved removing, among other things, all malicious traffic, incomplete sessions, and sessions with incomplete frames. Following cleaning, the primary packet capture used during testing is characterized in Table 1.

                        Packets   Bytes
IP breakdown
  tcp                   85%       96%
  udp                   15%       4%
Application breakdown
  http                  38%       51%
  https                 35%       35%
  dns                   13%       4%
  smtp                  7%        9%
  other                 7%        1%

Table 1 - Characteristics of Background Traffic Used During Testing
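The one-way latency figure used in this section (the procedure is detailed in the latency paragraph that follows the traffic table: seven datagram sizes, 1200 UDP datagrams per size at 10 per second, inline average minus crossover-cable average, checked against the criteria's limit) is straightforward to compute, but the details matter: the baseline is measured separately, and the criterion is "lower than" the permitted value. The following Python is an added example, not part of the ICSA Labs report. It assumes the seven sizes are the usual RFC 2544 frame sizes (the report does not list which seven it uses), treats the permitted limit as a parameter, and uses constructed timings.

```python
"""Added example, not part of the ICSA Labs report: the RFC 2544 style
one-way latency calculation the report describes, run on constructed timings.

Assumptions: the seven sizes below are the usual RFC 2544 frame sizes (the
report does not say which seven it uses), the permitted latency limit is a
parameter, and every timing is synthetic."""
from statistics import mean

DATAGRAM_SIZES = (64, 128, 256, 512, 1024, 1280, 1518)  # bytes, assumed set
DATAGRAMS_PER_SIZE = 1200
SEND_RATE_PPS = 10   # 1200 datagrams at 10/s, so 120 s of sending per size


def reported_latency_us(inline_samples, crossover_samples):
    """Average inline one-way latency minus the separately measured
    crossover-cable average; both need exactly DATAGRAMS_PER_SIZE timings."""
    for samples in (inline_samples, crossover_samples):
        if len(samples) != DATAGRAMS_PER_SIZE:
            raise ValueError(f"expected {DATAGRAMS_PER_SIZE} timings, got {len(samples)}")
    return mean(inline_samples) - mean(crossover_samples)


def latency_report(runs, limit_us):
    """runs: {size: (inline_samples, crossover_samples)} for one test condition
    (no background traffic, or 80% load). Returns {size: (latency_us, within_limit)};
    the criterion is 'lower than' the limit, so equality fails."""
    report = {}
    for size in DATAGRAM_SIZES:
        inline, crossover = runs[size]
        lat = reported_latency_us(inline, crossover)
        report[size] = (lat, lat < limit_us)
    return report


def all_within_limit(report):
    return all(ok for _, ok in report.values())


def synthetic_samples(inline_base_us, crossover_base_us):
    """Constructed timings with jitter chosen so the averages are exact binary
    fractions: inline mean = base + 0.375, crossover mean = base + 0.25."""
    inline = [inline_base_us + 0.25 * (i % 4) for i in range(DATAGRAMS_PER_SIZE)]
    crossover = [crossover_base_us + 0.25 * (i % 3) for i in range(DATAGRAMS_PER_SIZE)]
    return inline, crossover


def build_sample_runs(extra_inline_us=0.0):
    """Constructed data for all seven sizes. extra_inline_us models the added
    delay seen when background traffic fills 80% of the bandwidth."""
    return {size: synthetic_samples(30.0 + size / 128 + extra_inline_us,
                                    1.0 + size / 1024)
            for size in DATAGRAM_SIZES}


if __name__ == "__main__":
    for label, extra in (("no background traffic", 0.0), ("80% background load", 5.0)):
        rep = latency_report(build_sample_runs(extra), limit_us=50.0)
        print(label, "->", "PASS" if all_within_limit(rep) else "FAIL")
        for size, (lat, ok) in rep.items():
            print(f"  {size:5d} B  {lat:8.3f} us  {'ok' if ok else 'OVER'}")
```

The crossover-cable baseline removes the test harness's own delay, so the reported number is the device's contribution alone; running the same report twice, once idle and once under 80% load, mirrors the two conditions the report describes.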

While the candidate is configured to block relevant attacks, one-way latency is measured following guidance provided in RFC 2544. Seven different datagram sizes are used during testing. At each size, 1200 UDP datagrams are sent at a rate of 10 datagrams per second. The reported latency is calculated as the average value measured with the network IPS device inline minus the average value that was separately measured with just a crossover cable in place. The test is conducted first with no background traffic present and subsequently with realistic background traffic filling 80% of the product's available bandwidth. ICSA Labs verifies that the measured average one-way latency is lower than the value permitted by the criteria.

Administrative Tests

Lastly, but importantly, ICSA Labs Network IPS certification testing includes thorough coverage of pertinent administrative functions provided by the candidate network IPS. Among other items, there are stringent logging and reporting requirements. ICSA Labs generates events that must be logged, including attack attempts, policy modifications, and network link status changes, and verifies that accurate information required in the certification testing criteria document is captured by the candidate network IPS.

Another important administrative function that is tested is the capability of the network IPS to automatically acquire and apply the latest set of coverage protection updates. ICSA Labs connects the candidate such that it can access its update server. ICSA Labs then configures the appropriate settings to enable the candidate to automatically update its protection, and verifies that the protection updates are properly received and applied. This important capability helps ensure enterprise end-users remain protected long after the initial deployment of the network IPS.

Summary of Findings

There is no such thing as a partial pass in ICSA Labs network IPS certification testing.
In order to attain ICSA Labs network IPS certification, the candidate network IPS must meet in its entirety the latest version of the ICSA Labs Network IPS Enterprise Certification Testing Criteria. The table below documents all the criteria requirements that were tested and satisfied. It begins by identifying the criteria and version as well as any optional criteria modules against which the candidate network IPS was measured. Endnotes indicate that there was initially a criteria violation and explain what was corrected.

Criteria: Network IPS Enterprise Certification Testing Criteria Version 1.4

Security Testing
  Requirement ID   Requirement Summary                                                  Result
  ST1              Mission Interfaces Ignore Non-Administrative Traffic                 PASS
  ST2              Cannot Obtain Unauthorized Access to Administrative Functions        PASS
  ST3              Engine Itself is Invulnerable to Attacks Via Mission Interfaces      PASS
  ST4              Prevents Attacks Targeting Many of the Most Relevant Vulnerabilities PASS (V01, V02)
                   Note: Though a security bulletin from a 3rd party (e.g., Microsoft) may suggest that a vulnerability has a critical severity, such a vulnerability may or may not be in the vulnerability set. If it is in the set, products tested by ICSA Labs must provide protection but are not required to have protection enabled by default.
  ST4.3            Prevents Attacks While Under Considerable Load                       PASS
  ST4.5            Prevents Attacks That Use Evasion Techniques to Escape Detection     PASS
  ST5              Mitigates All DoS Attacks Regardless of Origin                       PASS
  ST6              Repeatedly Provides Protection for ST4 and ST5 Related Attacks       PASS
  ST7              After Tuning, Does Not Detect Attacks in Clean Traffic (i.e., No False Positives)  PASS

Administration
  Requirement ID   Requirement Summary                                                  Result
  AD1              Perform Remote Administration of Engine                              PASS (V03)
  IA1              Enforce Identification & Authentication                              PASS
  IA2              Set Strong Passwords                                                 PASS

Traffic Flow
  Requirement ID   Requirement Summary                                                  Result
  TF1              Passes Clean Traffic While Enforcing Policy                          PASS

Logging
  Requirement ID   Requirement Summary                                                  Result
  LO1.1.a.i        Logs Attacks Targeting Vulnerability Set in Detect & Prevent Mode    PASS (V04)
  LO1.1.a.ii       Logs Attacks Targeting Vulnerability Set in Detect & Permit Mode     PASS (V04)
  LO1.2.a          Logs Powering Down Engine                                            PASS
  LO1.2.b          Logs Change to Policy Being Enforced                                 PASS
  LO1.2.c          Logs Changes to Authentication Data                                  PASS
  LO1.2.d          Logs Attempts to Authenticate for Remote Administration              PASS
  LO1.3.a          Logs Engine Power On                                                 PASS
  LO1.3.b          Logs Mission Interface Link Status Changes                           PASS

  LO2.1.a          All Required Log Data Includes Timestamp                             PASS
  LO2.1.b          All Required Log Data Properly Describes the Event                   PASS
  LO2.2.a          Events Under LO1.1 Indicate Action Taken                             PASS
  LO2.2.b          Events Under LO1.1 Indicate Protocol                                 PASS
  LO2.2.c          Events Under LO1.1 Indicate Source & Destination IPs                 PASS
  LO2.2.d          Events Under LO1.1 that are TCP or UDP Indicate Ports                PASS (V05)
  LO2.2.e          Events Under LO1.1.a Include Unique Identifier of Engine             PASS
  LO2.3.a          Events Under LO1.2.d Indicate Username                               PASS
  LO2.3.b          Events Under LO1.2.d Indicate Success or Failure                     PASS
  LO2.4.a          Events Under LO1.3.b Indicate Link Status                            PASS
  LO3              Log Data Available for Review and Human Readable                     PASS
  LO4              Correlation Exists Between Split Log Records For Any Single Event    PASS

Reporting
  Requirement ID   Requirement Summary                                                  Result
  RE1              Reports Top 10 Violations Over Several Periods                       PASS
  RE2              Reports Top 10 Sources of Violations Over Several Periods            PASS

Administration
  Requirement ID   Requirement Summary                                                  Result
  AF1              Place into Transparent or Routing Mode (Transparent was chosen)      PASS
  AF2.1            Access Through Remote Administrative Interface                       PASS
  AF2.2            Configure & Apply Policies                                           PASS
  AF2.3            Configure & Change or Acquire Date & Time                            PASS
  AF2.4            Display Required Log Data                                            PASS
  AF2.5            Generate & Display Required Report Data                              PASS
  AF2.6            Configure & Change Authentication Data                               PASS

  AF2.7            Configure & Change Remote Administration Settings                    PASS
  AF2.8            Enable & Disable Network Acquisition of Protection Updates           PASS

Functional Testing
  Requirement ID   Requirement Summary                                                  Result
  FT1              Administrative Functions (Named Above) Work Properly                 PASS
  FT2              Introduces Acceptable Average One-Way Latency                        PASS

Documentation
  Requirement ID   Requirement Summary                                                  Result
  DO1              Provides Enough Accurate Guidance to Set Up Candidate                PASS
  DO2              Provides Enough Accurate Guidance to Perform Admin Functions         PASS

Table 2 - Criteria Requirements Tested and Satisfied

Violation 1 (V01) - Coverage of Attacks against Relevant Vulnerabilities (ST4)

The IBM Security Network IPS GX Family provided 72.00% coverage protection while in detect and prevent mode during inspection of the Contemporary Vulnerability Set. ICSA's Network IPS Certification Criteria Version 1.4 requires that devices provide 100% coverage protection of contemporary vulnerabilities.

Resolution - This violation was resolved by updating to XPU 33.050 and implementing policy changes at IBM's instruction.

Violation 2 (V02) - Coverage of Attacks against Relevant Vulnerabilities (ST4)

The IBM Security Network IPS GX Family provided 72.00% coverage protection while in detect and permit mode during inspection of the Contemporary Vulnerability Set. ICSA's Network IPS Certification Criteria Version 1.4 requires that devices provide 100% coverage protection of contemporary vulnerabilities.

Resolution - This violation was resolved by updating to XPU 33.050 and implementing policy changes at IBM's instruction.
  CVE ID          Vulnerability Description
  2010-2568 (*)   Microsoft Windows .lnk File Processing Arbitrary Code Execution Vulnerability
  2010-3552       Multiple Vendor Java Products Browser Plug-in docbase Parameter Arbitrary Code Execution Vulnerability
  2010-3654 (*)   Adobe Acrobat, Reader, and Flash Player Arbitrary Code Execution Vulnerability
  2011-0266       HP OpenView Network Node Manager nameparams Parameter Handling Arbitrary Code Execution Vulnerability
  2011-0267       HP OpenView Network Node Manager nnmrptconfig.exe Remote Arbitrary Code Execution Vulnerability
  2011-0609       Adobe Flash Player Flash Content Rendering Code Execution Vulnerability
  2011-1267       Microsoft Windows Server Service Crafted SMB Request Parsing Remote DoS
  2011-1567 (*)   7-Technologies IGSS IGSSdataServer.exe Multiple Command Overflow
  2011-1865 (*)   HP OpenView Storage Data Protector inet Crafted Parameter Multiple Remote Overflows

Violation 3 (V03) - Remote Administration (AD1)

When logging in to the SiteProtector from a separate management station using the SiteProtector Console version 2.9.0.0 b225, some information in the network traffic was visible in plain text. This information included filenames and paths of resources on the SiteProtector server. This revealed some details about the architecture of the system, including application names and version numbers.

Resolution - This violation was resolved by installing a SiteProtector update. TCP port 3999 provides encrypted administrative communications.

Violation 4 (V04) - Required Log Events (LO1.1)

When the IBM Security Network IPS GX Family encountered the same vulnerability multiple times in a short time period, the security events were combined into a single event. This occurred when the attack was executed from different attack hosts and against different target hosts. Each of these attacks is considered a separate event and must be logged as such.

Resolution - This violation was resolved by adding and enabling the np.coalescer Tuning Parameter using the SiteProtector at IBM's instruction.

Violation 5 (V05) - Required Log Data (LO2.2.d)

The IBM Security Network IPS GX Family was configured to be controlled by a SiteProtector server (version 2.9.0.0 b225) and all security event data was sent to the SiteProtector for analysis. Security events reported by the GX4004 and displayed by the SiteProtector server did not include the destination (or target) port.
Resolution - This violation was resolved by creating a custom data view in the SiteProtector.

Analyst Notes

Included below are factual observations, general notes, specific comments, and/or opinions collected during testing by ICSA Labs. This information may or may not directly relate to satisfying an element of the criteria. Either way, the information is presented as it may be useful to enterprise end users.

Violations 1, 2 and 4 were partially or completely resolved by creating and applying a Tuning Parameter policy using the SiteProtector. A Tuning Parameter is a key/value pair that modifies a specific behavior of the IBM Security Network Intrusion Prevention System (IPS) GX Family. During the course of testing, several Tuning Parameters were created and applied to the GX4004 and GX7800 at IBM's recommendation:

Name                                              Value
np.coalescer                                      true
pam.ca.smb.enabled                                true
pam.cisco.sccp.synchronize                        false
pam.smb.macbufferbo.threshold                     12288
pam.pdf.trust.length                              true
pam.pdf.concealed.flash.paranoid                  true
pam.lnk.mswin_code_exec.local.enable              1
pam.tcp.synflood.protection.duplicatesyn.size     4194304
pam.flood.udpfrag.limit                           50
pam.flood.udpfrag.interval                        1
pam.flood.udpfrag.size                            1
pam.flood.icmpfrag.limit                          100
pam.flood.icmpfrag.interval                       1
pam.flood.icmpfrag.size                           1
pam.tcp.synflood.protection.duplicatesyn.timeout  4
np.drop.invalid.checksum                          false
np.drop.invalid.protocol                          false
pam.look.flow.tcp.risk.octetcount                 51200

These Tuning Parameters addressed several areas of testing, such as logging, denial of service protection and latency testing.

The ICSA Labs Network Security Team selected the GX4004 and GX7800 as representative samples from the IBM Security Network IPS GX Family. These appliances were configured and administered in parallel using the SiteProtector. The GX4004 and GX7800 performed in a manner consistent with the requirements to be considered in the same product family. One notable exception was the way the appliances handled certain exploit variants that used evasion techniques. Some variants carried an IP header length of less than 20 bytes, which RFC 791 does not permit (the IPv4 header is at least 20 bytes, an IHL field value of 5). When the GX7800 encountered frames whose IP header length was less than 20 bytes, the traffic stream was terminated silently. When the GX4004 encountered the same frame, it allowed the invalid frame to pass through. The malicious payload was not allowed to pass through in either case, so the GX4004 and GX7800 both effectively blocked the exploit variant, albeit for different reasons.

From Patched to Generally Available

ICSA Labs requires developers to migrate any and all fixes that result from our testing into the main trunk of their network IPS code base, making them generally available to their customers in subsequent releases.
Due to developer release schedules and the need for developers to perform quality assurance testing on code fixed as a result of ICSA Labs network IPS testing, the release of generally available code incorporating the fixes may not be possible immediately upon the completion of testing. IBM has made all firmware, software and XPU updates generally available through the Security License Key and Download Center website at https://ibmss.flexnetoperations.com

Conclusion

The IBM Security Network IPS GX Family, including all necessary component parts, meets the requirements set forth in version 1.4 of the Network IPS Enterprise Certification Testing Criteria. Therefore, the IBM Security Network IPS GX Family has successfully attained ICSA Labs Network IPS Certification.

The IBM Security Network IPS GX Family will remain continuously deployed in the ICSA Labs network IPS testing laboratory. This affords ICSA Labs the ability to test the network IPS device whenever relevant vulnerabilities, attacks, and evasions emerge.

Like this report, the criteria document is freely available on the ICSA Labs website at: http://www.icsalabs.com/technology-program/network-ips/testing-requirements.
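The Analyst Notes above record that the GX7800 and GX4004 reacted differently to exploit variants whose IPv4 header length field claimed fewer than the 20 bytes RFC 791 requires. The following Python is an added example, not code from the ICSA Labs report or from IBM: it constructs such a frame (the bytes are made up here, not taken from a test capture) and runs it through a strict parser that rejects it and a naive parser that trusts the IHL field, to show where a decoder that skips the lower-bound check believes the transport payload begins. The addresses, payload marker and function names are all assumptions of the example.

```python
"""Added example, not code from the ICSA Labs report or from IBM.

RFC 791 fixes the minimum IPv4 header at 20 bytes, i.e. an IHL field of 5.
This builds a 20-byte header whose IHL field lies and says 4 (constructed
bytes, not a capture from the test), then parses it two ways: a strict
parser that rejects the frame, and a naive one that trusts IHL and so looks
for the transport header 4 bytes too early, inside the IP header itself.
"""
import struct

IPV4_MIN_HEADER = 20  # bytes; IHL field value 5


def build_ipv4(ihl: int, proto: int, payload: bytes,
               src: bytes = bytes([10, 0, 0, 5]),
               dst: bytes = bytes([10, 0, 1, 20])) -> bytes:
    """Emit a real 20-byte header (no options) whose IHL field is set to
    `ihl`, which lets us forge an IHL of 4 on a header that is 20 bytes long.
    Checksum is left zero; the point here is the length field, not the sum."""
    ver_ihl = (4 << 4) | (ihl & 0x0F)
    total_len = IPV4_MIN_HEADER + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, total_len, 0x1234, 0x4000, 64, proto, 0, src, dst)
    return header + payload


def parse_ipv4_strict(pkt: bytes) -> dict:
    """Validate the header the way RFC 791 requires before trusting it."""
    if len(pkt) < IPV4_MIN_HEADER:
        raise ValueError("truncated: fewer than 20 bytes")
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 5:
        raise ValueError("IHL %d means a %d-byte header; RFC 791 minimum is 20"
                         % (ihl, ihl * 4))
    hlen = ihl * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len < hlen or total_len > len(pkt):
        raise ValueError("total length %d inconsistent with header/frame" % total_len)
    return {"header_len": hlen, "proto": pkt[9], "payload": pkt[hlen:total_len]}


def parse_ipv4_naive(pkt: bytes) -> dict:
    """Trusts IHL without a lower bound, as a sloppy decoder might."""
    hlen = (pkt[0] & 0x0F) * 4
    return {"header_len": hlen, "proto": pkt[9], "payload": pkt[hlen:]}


def classify(pkt: bytes) -> str:
    """What a sensor should conclude: an 'invalid' frame gets no signature
    matching at a guessed offset; it is dropped or its stream is reset."""
    try:
        parse_ipv4_strict(pkt)
    except ValueError:
        return "invalid"
    return "valid"


if __name__ == "__main__":
    payload = b"\x00\x50\xbe\xef" + b"EXPLOIT-MARKER"  # constructed
    good = build_ipv4(5, 6, payload)
    bad = build_ipv4(4, 6, payload)
    print("good:", classify(good), parse_ipv4_naive(good)["payload"][:4].hex())
    print("bad: ", classify(bad), parse_ipv4_naive(bad)["payload"][:4].hex())
```

With IHL forged to 4, the naive parser's "payload" starts with the four bytes of the destination address, so any signature anchored at the transport header offset is looking at the wrong bytes. The strict parser refuses the frame before any content inspection, which is the behaviour to verify on a sensor: an invalid frame should never reach the matching engine at a guessed offset, whether the device then resets the stream (as the GX7800 did) or forwards the frame for the end host to discard (as the GX4004 did).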

Appendix 1: Tools Vendor Partners

A multitude of tools are used during ICSA Labs Network IPS Certification Testing. Many are open source and freely available. Of those that are open source, some were greatly modified and improved to suit our purposes (e.g., Tomahawk). Still other tools that were used are commercially available. The following set of commercial tools is invaluable in ICSA Labs Network IPS Certification Testing. Therefore, ICSA Labs highly recommends them for use, and ICSA Labs both acknowledges and gratefully appreciates the developers of these tools permitting their use free of charge. Note that none of the tools used, commercial or otherwise, is limited in scope to Network IPS testing. Check out the links associated with each tool to learn more about the myriad capabilities that each possesses.

CORE IMPACT, Core Security Technologies

Core Security's description of CORE IMPACT:

"CORE IMPACT is the first automated, comprehensive penetration testing product for assessing specific information security threats to an organization. With CORE IMPACT, any network administrator can now safely and efficiently determine exactly how an attacker can get control of their valuable information assets. You no longer have to be an expert, or even a security specialist, to perform this critical type of assessment which tests the security of your network, identifies what resources are exposed, and determines if your current security investments are actually detecting and preventing attacks."

Using this powerful and easy-to-use tool, ICSA Labs aims relevant CORE IMPACT attacks, often combined with its evasion techniques, against vulnerable systems on our Death Row network. Death Row contains a multitude of unpatched machines, VMware, and Qemu images, all with varying operating systems and other software that are vulnerable to a host of different, relevant vulnerabilities. Using CORE IMPACT, ICSA Labs attacks these vulnerable machines, generating exploit packet captures.
These exploit packet captures are later replayed through the candidate Network IPS to ensure the attacks are detected and prevented. In addition to replaying exploit packet captures, ICSA Labs also launches live exploits from CORE IMPACT through the candidate Network IPS to confirm the result whenever an exploit packet capture is missed by the candidate Network IPS. Note that other attack tools and individual attacks from other sources are used when possible in addition to CORE IMPACT. The same basic steps are followed to test the candidate Network IPS regardless of the source of the exploit.

For more information on CORE IMPACT refer to the following web page: http://www.coresecurity.com/core-impact-pro

IXIA XM2 Portable Chassis with IxNetwork and IxLoad applications

Ixia's description of the XM2 Portable chassis:

"Ixia test systems deliver the industry's most comprehensive solutions for the performance, functional, and conformance testing of networks and networked applications. The 2-slot XM2 portable chassis provides a high-density, highly-flexible platform on which an Ixia test system can be built. Operating in conjunction with the Ixia family of test applications, the XM2 provides the foundation for a complete portable, flexible test environment.

"A wide array of interface modules is available for the XM2. The chassis supports up to 32 Gigabit Ethernet ports, 16 10-Gigabit Ethernet ports, 1 40-Gigabit Ethernet port, 1 100-Gigabit Ethernet port, 1 dual-speed 40/100 Gigabit Ethernet port, four packet over SONET (POS) ports, or 4 asynchronous transfer mode (ATM) ports. These modules provide the network interfaces and distributed processing resources needed for executing a broad range of data, signaling, voice, video, and application testing for layers 2-7."

Ixia's description of the IxNetwork application:

"IxNetwork is designed to test network infrastructure, capacity, scalability, and convergence using its scaled protocol emulation and ViperCore technology. IxNetwork provides rapid isolation of network issues, service modeling at Internet scale, carrier-class scaling, and accurate convergence measurement with TrueView.

"IxNetwork works with Ixia's test platforms to exchange control-plane and data-plane traffic with the device under test. Ixia's chassis are populated with hot-swappable load modules that implement a wide variety of interface types. Each test port is equipped with an independent processor and substantial memory in addition to specialized traffic stream generation and capture hardware, providing the speed and intelligence needed for large-scale protocol emulation."

Ixia's description of the IxLoad application:

"IxLoad is the industry's most scalable solution for testing converged multiplay services and application delivery platforms. IxLoad emulates data, voice, and video subscribers and their associated protocols for ultra-high performance testing. Unique and advanced subscriber modeling capabilities create realistic scenarios to validate subscriber quality of experience (QoE).
"IxLoad supports such video, voice, and data protocols as:
  Internet: HTTP, P2P, FTP, SMTP, POP3, DNS, and CIFS
  Video: IGMP, RTSP, Adobe Flash Player, Microsoft Silverlight, Apple HLS, Adobe HDS, MPEG2, and H.264/AVC
  Voice: SIP, MGCP, H.323, H.248, Cisco Skinny, FAX over IP, video conferencing, and PSTN
  Storage: SMB1, SMB2, NFSv3, NFSv4, and iSCSI
  Security: Published vulnerabilities, malware, and high-performance DDoS
  VPN: IPsec VPN (IKEv1, IKEv2, ESP, AH) and SSL AnyConnect VPN
  Wireless: 3GPP packet core protocols used by GGSNs
  Infrastructure: DNS, DHCP, LDAP, and AAA
  Encapsulation/Security: DHCP, IPsec, PPP/L2TP with integrated 802.1x and NAC authentication"

ICSA Labs used the IXIA XM2 and the IxNetwork and IxLoad applications to measure latency according to the methodology described in RFC 2544.

For more information on the IXIA XM2 refer to the following web page: http://www.ixiacom.com/products/network_test/chassis/display?skey=ch_optixia_xm2

Appendix 2

Coverage protection was eventually provided for each of the vulnerabilities listed below.

CVE ID
2001-0500
2002-0649
2003-0109  2003-0352  2003-0533  2003-0605  2003-0715  2003-0717  2003-0812  2003-0818
2004-0206  2004-0396  2004-0397  2004-0541  2004-0567  2004-0600  2004-0798  2004-0826  2004-1050  2004-1080  2004-1172
2005-0048  2005-0059  2005-0260  2005-0560  2005-0684  2005-0771  2005-0773  2005-1018  2005-1206  2005-1219  2005-1921  2005-1935  2005-1983  2005-1984  2005-2551  2005-2715  2005-3116  2005-3390  2005-3644  2005-4797
2006-0027  2006-0150  2006-0476  2006-0717  2006-0900  2006-0992  2006-1314  2006-2369  2006-2370  2006-2444  2006-2630  2006-3439  2006-3854  2006-3942  2006-4305  2006-4379  2006-4688  2006-4691  2006-5156  2006-5478  2006-5583  2006-5779  2006-6296  2006-6723
2007-0168  2007-0774  2007-1675  2007-1748  2007-2139  2007-2171  2007-2216  2007-2293  2007-2446  2007-2881  2007-3039  2007-3614  2007-3999  2007-4880  2007-5243  2007-5244
2008-0067  2008-0127  2008-0621  2008-0639  2008-1697  2008-1809  2008-1910  2008-2240  2008-2468  2008-2499  2008-2559  2008-2639  2008-3175  2008-3257  2008-3704  2008-4250  2008-4322
2009-0098  2009-0410  2009-1429  2009-1628  2009-1636  2009-3023  2009-3103  2009-3676

NIPS-IBMCORPORA-2013-1218-01   Copyright 2013 ICSA Labs. All Rights Reserved.

Testing Information

This report is issued by the authority of the Managing Director, ICSA Labs. Tests are done under normal operating conditions.

Lab Report Date: December 18, 2013

Please visit www.icsalabs.com for the most current information about this and other products.

Test Location:
ICSA Labs
1000 Bent Creek Blvd., Suite 200
Mechanicsburg, PA 17050

Product Developer's Headquarters:
IBM Corporation
1 New Orchard Road
Armonk, New York 10504-1722
USA

The certification test methods used to produce this report are accredited and meet the requirements of ISO/IEC 17025 as verified by the ANSI-ASQ National Accreditation Board/ACLASS. Refer to certificate and scope of accreditation number AT 1423.

Copyright 2013 ICSA Labs. All Rights Reserved. Testing reports shall not be reproduced except in full, without prior written approval of ICSA Labs.