Mu-4000 Puts IP Equipment to the Test

Review: Mu Security appliance provides in-depth results in a relatively short amount of time.

IT managers who must keep IP network equipment up and running even in hostile environments should consider using Mu Securitys Mu-4000 Security Analyzer.

The 2U (3.5-inch) appliance is best suited for organizations that are committed to testing IP equipment but want to reduce the amount of staff time needed to monitor and record test results.

Although the Mu-4000 is called a security analyzer, the tests it runs and the reports it provides apply more broadly to general network performance. Malformed packets are as likely to come from applications and network devices that werent coded to follow published protocols as they are from hackers.

Knowing how a router, switch or firewall will handle bad traffic is essential to making a sound buying decision, and its the kind of information vendors dont publish in their spec sheets.

Organizations will have to shell out a fair amount to get this information from the Mu-4000, however: Version 2.2 of the test software and the base appliance starts at $35,000. The platform includes IPv4, TCP, UDP (User Datagram Protocol), ICMP and ARP ck protocol probes. Additional protocol probes cost between $10,000 and $30,000, based on complexity. Published vulnerabilities associated with each protocol are available on a subscription basis.

Version 2.2 of the platform started shipping at the end of November.

eWEEK font Labs tests of the Mu-4000 show that the protocol probes and the test methodology on which the product is built should provide IT organizations with in-depth results in a relatively timely manner. Many of our tests ran in less than 10 minutes, but tests that combine several protocols will take hours or even days to complete.

IT managers must have an intimate knowledge of the device under test as well as a solid grasp of network protocols to get meaningful results from the Mu-4000. For this reason, organizations should expect to devote the time of one or more senior network engineers to planning tests to be run by the Mu-4000. These same engineers will be needed to interpret results coming after the analysis.

We started our Mu-4000 evaluation by subjecting ZyXel Communications ZyWall 1050 firewall to a simple battery of tests. We also tested a Fluke OptiView network analyzer, a device weve used often for troubleshooting in the lab.

Every Mu-4000 IP mutation analysis starts by selecting a protocol provided by Mu Security, a protocol based on a published vulnerability, or a script or piece of malware that is launched from an external source.

Firewalls, for example, should be subjected to HTTP mutations to see how they handle mutated Web traffic. We conducted a test to see how the OptiView would handle mutated ICMP ping traffic. After describing the test target and setting up the remote attack generator, we set up a monitor and a restarter.

The Mu-4000 allows active, passive or no monitoring of devices under test. Monitors help ensure that the device is still up and running after being subjected to hostile mutations. The monitor can be as simple as an ICMP ping or as complex as a capture of log data from the device under test. We used an ICMP ping to check the availability of the OptiView during testing.

The restarter is one way that the Mu-4000 advances test productivity without human intervention. The appliance comes with two standard power ports that are controlled by the analysis engine. If the device under test fails a monitor, and still fails to respond after a user-specified period of time, the Mu-4000 can power-cycle the device by turning the power off and on through the internal power socket. We tried this successfully with our Fluke device. The Mu-4000 also can integrate, via SNMP, with American Power Conversion power modules to turn devices off and on.

/zimages/4/28571.gifLive from RSA: Core puts Vista to security test. Click here to read more.

The restart process can be finely controlled so that analysis mutations will not run against the device until it is fully rebooted. In fact, there are timing parameters that can be set throughout the tests. Each of these timing points make adjustments so that analysis runs are configured to reveal interesting information about how the device under test is performing, rather than falsely showing that a device wasnt working when in fact it was either rebooting or changing state while responding to a test.

Inside each protocol probe are suites of variants. For example, within ICMP, we chose the IPv4 Message suite, which included nine variants. To keep our first test runs short, we selected only the IPv4 invalid-header-length variant. More complex tests that we ran subsequently included tens and even hundreds of variants. After running the analysis, we found one fault result from the OptiView.

The interesting thing about using the OptiView as a test target is that the OptiView itself is a protocol analysis device, which is one of the reasons we selected it. The OptiView capture files showed that the ICMP header length was malformed and was 28 bytes long, 8 bytes longer than allowed by the standard.

We generated fault reports from the Mu-4000 that could easily be used to communicate findings to executives and senior managers.

The analysis mutations supplied by Mu Security also contain plenty of explanatory material that details the nature of mutations and what the analysis is designed to pinpoint.

Technical Director Cameron Sturdevant can be reached at

/zimages/4/28571.gifCheck out eWEEK.coms for the latest news, views and analysis on servers, switches and networking protocols for the enterprise and small businesses.