It managers who must keep ip network equipment up and running even in hostile environments should consider using Mu Securitys Mu-4000 Security Analyzer.
The 2U (3.5-inch) appliance is best suited for organizations that are committed to testing IP equipment but want to reduce the amount of staff time needed to monitor and record test results.
Although the Mu-4000 is called a security analyzer, the tests it runs and the reports it provides apply more broadly to general network performance. Malformed packets are as likely to come from applications and network devices that werent coded to follow published protocols as they are from hackers.
Organizations will have to shell out a fair amount to get this information from the Mu-4000, however: Version 2.2 of the test software and the base appliance starts at $35,000. The platform includes IPv4, TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol) and ARP (Address Resolution Protocol) probes. Additional protocol probes cost between $10,000 and $30,000, based on complexity. Published vulnerabilities associated with each protocol are available on a subscription basis. Version 2.2 of the platform started shipping at the end of November.
eWeek Labs tests of the Mu-4000 show that the protocol probes and the test methodology on which the product is built should provide IT organizations with in-depth results in a relatively timely manner. Many of our tests ran in less than 10 minutes, but tests that combine several protocols will take hours or even days to complete.
We started our Mu-4000 evaluation by subjecting ZyXel Communications ZyWall 1050 firewall (see www.eweek.com/article2/0,1759,2081115,00.asp) to a simple battery of tests. We also tested a Fluke Networks OptiView network analyzer, a device weve used often for troubleshooting in the lab.
Every Mu-4000 IP mutation analysis starts by selecting a protocol provided by Mu Security, a protocol based on a published vulnerability, or a script or piece of malware that is launched from an external source.
We conducted a test to see how the OptiView would handle mutated ICMP ping traffic. After describing the test target and setting up the remote attack generator, we set up a monitor and a restarter.
The Mu-4000 allows active, passive or no monitoring of devices under test. Monitors help ensure that the device is still up and running after being subjected to hostile mutations. The monitor can be as simple as an ICMP ping or as complex as a capture of log data from the device under test. We used an ICMP ping to check the availability of the OptiView during testing.
The restarter is one way that the Mu-4000 advances test productivity without human intervention. The appliance comes with two standard power ports that are controlled by the analysis engine. If the device under test fails a monitor, and still fails to respond after a user-specified period of time, the Mu-4000 can power-cycle the device by turning the power off and on through the internal power socket. We tried this successfully with our Fluke device. The Mu-4000 also can integrate, via SNMP, with American Power Conversion power modules to turn devices off and on.
The restart process can be finely controlled so that analysis mutations will not run against a device until it is fully rebooted. In fact, there are timing parameters that can be set throughout the tests. Each of these timing points make adjustments so that analysis runs are configured to reveal interesting information about how the device under test is performing, rather than falsely showing that a device wasnt working when, in fact, it was either rebooting or changing state while responding to a test.
We generated fault reports from the Mu-4000 that easily could be used to communicate findings to executives and senior managers. The analysis mutations supplied by Mu Security also contain plenty of explanatory material that details the nature of mutations and what the analysis is designed to pinpoint. ´
Technical Director Cameron Sturdevant can be reached at firstname.lastname@example.org.