Network security is a top concern of every enterprise. Each computer with access to the Internet, or offering a service to the Internet, must be protected from security threats. By one estimate, more than a third of all malware ever seen was created in 2010 alone, and the average total cost of a data breach for a medium to large enterprise has been put at $7.2M.
Malware attacks take many forms: viruses, worms, trojans, rootkits, spyware and malicious adware, and scareware. These attacks often succeed with the cooperation of computer users, through e-mail, web pages, FTP transfers, instant messaging, peer-to-peer file sharing, online games, and careless software installation. Other attacks happen simply by virtue of being connected to the Internet: denial of service attacks against company sites, exploitation of vulnerabilities in web, e-mail, FTP, and other services, and password-guessing attacks against login services.
- Firewalls – the first of the security devices. They filter access to a network based on IP addresses, ports and protocols
- VPN gateways – used to provide secure access to remote employees and partners. These devices use IPsec to authenticate and encrypt traffic between trusted sites and remote users.
- Intrusion detection/prevention (IDS/IPS) systems – protection against exploitation. These devices recognize a wide range of unusual network usage, looking for indications of misuse. IDS systems notify administrators of possible breaches, whereas IPS systems block the traffic, often by programming the firewall.
- URL filtering – preventing access to suspect web sites. These devices watch all web, FTP, and other access and block sites on a vendor-supplied list.
- Anti-malware, anti-spam gateways – prevent malware from entering the enterprise. These related functions inspect the content of e-mail, web, FTP, and other data entering the enterprise. This type of prevention is often also present on individual computer systems.
- Data loss prevention (DLP) gateways – prevent valuable data from leaving the enterprise. This appliance inspects traffic exiting the enterprise, looking for proprietary or improper data sent by deliberate user action or as a result of a malware infection.
Many of these functions are now combined into a single appliance, called a unified threat management (UTM) system or a next-generation firewall (NGFW).
Ixia offers a complete network testing product that measures three aspects of a security device:
- Effectiveness – the ability to detect and prevent all forms of attack
- Accuracy – the ability to perform its function without significant "false-positive" results, i.e. without blocking legitimate traffic.
- Performance – the ability to enforce security mechanisms while maintaining acceptable network performance. Security enforcement mechanisms must continue to pass "good" traffic even under the most aggressive attacks.
Both IxLoad-Attack and the Ixia BreakingPoint Actionable Threat Intelligence (ATI) service provide solutions to battle-test network security devices for all three aspects.
- Known vulnerabilities – thousands of known vulnerabilities, organized by type, are available. Attacks are updated frequently to stay current with attacker activity
- Attack evasions – attacks are frequently masked by packet fragmentation, segmentation, overlapping fragments and other techniques that exploit differences between how the security device and the target host reassemble traffic. Ixia applies evasions to known-vulnerability attacks so that effectiveness testing shows whether the device still detects an attack it recognizes in its plain form
- Massive DDoS attacks – flood targets in an attempt to take down sites. Ixia uses the customized logic and scale of its test ports to mount very large-scale DDoS attacks
- Encryption – IPsec encryption is used in two ways. Encryption of "good" traffic measures VPN gateway throughput. Encryption of "attack" traffic tests security effectiveness and accuracy for attacks delivered over secure connections, which the device can only inspect after decryption
- Multiplay traffic – sends real-world, stateful traffic to measure security appliance performance. This means that the true, realistic performance of security mechanisms, including quality of experience (QoE), can be measured, not just raw throughput
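The fragmentation evasion described above is easy to reproduce in miniature. The following is an added example, not code from Ixia or from the original page: a toy signature engine with a constructed signature and a constructed attack payload (no real vulnerability is implied), first matching each fragment in isolation, then matching after reassembly. It also shows the overlapping-fragment case, where the reassembly policy the inspection device assumes ("first fragment wins" or "last fragment wins") decides whether the attack is seen at all; which policy a given operating system applies is not modelled here and is an assumption the reader must verify against the real target.

```python
# Added example (not from the original page): why a signature engine must
# reassemble fragments before matching, and why its reassembly policy must
# match the target host's. Signature and payloads are constructed samples.

SIGNATURE = b"GET /cgi-bin/evil.sh"   # constructed signature, hypothetical


def fragment(payload: bytes, sizes):
    """Split payload into (offset, data) fragments of the given sizes;
    whatever is left after the listed sizes becomes a final fragment."""
    frags, off = [], 0
    for size in sizes:
        chunk = payload[off:off + size]
        if not chunk:
            break
        frags.append((off, chunk))
        off += size
    if off < len(payload):
        frags.append((off, payload[off:]))
    return frags


def match_per_fragment(frags, sig=SIGNATURE):
    """Naive inspection: looks at each fragment on its own."""
    return any(sig in data for _, data in frags)


def reassemble(frags, policy="first"):
    """Rebuild the stream from (offset, data) fragments.
    policy="first": the first data seen for a byte position is kept.
    policy="last":  later fragments overwrite earlier ones.
    Real IP stacks differ on this, which is what overlap evasions exploit."""
    buf = {}
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first":
                buf.setdefault(pos, byte)
            else:
                buf[pos] = byte
    if not buf:
        return b""
    # Unfilled holes (a fragment never arrived) are zero-filled.
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))


def match_reassembled(frags, sig=SIGNATURE, policy="first"):
    """Inspection after reassembly under the given overlap policy."""
    return sig in reassemble(frags, policy)


def split_evasion():
    """Attack payload split so no single fragment holds the signature."""
    payload = b"GET /cgi-bin/evil.sh HTTP/1.0\r\n"      # constructed attack
    frags = fragment(payload, [4, 9])                    # "GET ", "/cgi-bin/", rest
    return {
        "per_fragment": match_per_fragment(frags),       # False: evaded
        "reassembled": match_reassembled(frags),         # True: caught
    }


def overlap_evasion():
    """A benign-looking first fragment, then an overlapping fragment that
    rewrites bytes 13..19. What the host sees depends on its overlap policy,
    so an IDS assuming the wrong policy misses the attack."""
    frags = [
        (0, b"GET /cgi-bin/good.sh HTTP/1.0\r\n"),      # constructed, benign
        (13, b"evil.sh"),                                # overlaps "good.sh"
    ]
    return {
        "per_fragment": match_per_fragment(frags),           # False
        "first_wins": match_reassembled(frags, policy="first"),  # False: benign
        "last_wins": match_reassembled(frags, policy="last"),    # True: attack
    }


if __name__ == "__main__":
    print("split:  ", split_evasion())
    print("overlap:", overlap_evasion())
```

The second case is the one that matters for a test suite: a device that reports "blocked" for the plain attack and for the simple split, but assumes first-fragment-wins while the protected host honours last-fragment-wins, is rated effective by a naive test and is evaded in production.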
In conjunction with Ixia's hardware and other test applications, Ixia offers a complete test solution for network devices whose functions go beyond security.
Ixia's IxLoad-IPsec is designed to measure the performance of VPN gateways that connect an organization's multiple sites and connect remote users to corporate networks. IPsec is likewise used in 3G and 4G mobile networks to protect traffic between the radio access network (and, for untrusted access, handsets) and the core network's security gateways.
IxLoad-IPsec tests the performance of VPN gateways of all types in several ways:
- Connections – how many site-to-site and remote-user tunnels can be supported concurrently
- Connection rate – how rapidly new tunnels can be established, i.e. how many IKE negotiations per second the gateway sustains
- Throughput – the maximum data rate the gateway can sustain through established tunnels
- Interoperability – whether the gateway supports the IKE versions, encryption and integrity algorithms, and authentication methods in use today