Mu-4000's Plan of Attack

eWEEK Labs' tests of the ZyWall 1050 Internet security appliance were also a test of Mu Security's Mu-4000 Security Analyzer.

eWEEK Labs' tests of Zyxel Communications' ZyWall 1050 Internet security appliance were also a test of Mu Security's Mu-4000 Security Analyzer.

The Mu-4000 is a 2U (3.5-inch) rack-mount appliance that performs IP security analysis using a repeatable, scripted process. It logs the outcome of every test so that the vulnerability of IP-based applications and network devices can be gauged and compared across runs.

The Mu-4000, which we tapped for the first time during our evaluation of the ZyWall 1050, builds its test cases from protocol definitions and uses them to put applications and devices through their paces. It supports almost 30 protocols, including SSH (Secure Shell), TCP and UDP (User Datagram Protocol).

The protocol mutations used to attack the device under test are derived from Mu Security-supplied guidelines describing how a protocol implementation is supposed to behave, as well as from known attacker techniques and secure-programming rules. The Mu-4000 also accepts custom-developed attack scripts.

Mu-4000 pricing starts at about $35,000. Protocols are licensed individually, with significant discounts based on the number of components purchased. This pricing makes the Mu-4000 appropriate for device makers and large enterprises. QA (quality assurance) engineers and senior IT implementation managers will get plenty of useful information about the IP devices already in the network or slated to be deployed there.

During tests, we updated our Mu-4000 system from Mu Security's Web site to get attacks designed to reveal machines and software that are susceptible to newly published vulnerabilities.

We used a modest test set, putting the ZyWall 1050 up against malformed SSH Diffie-Hellman group-exchange key requests, SSH banners (identification strings) and SSH messages.

We were able to start running rudimentary tests based on examples from the tutorials included with the Mu-4000. However, it will take several months to fully master the platform because of the large number of tests available and the depth of protocol and device knowledge required to configure the tests correctly.

The anatomy of our simple tests was as follows: First, we cabled the ZyWall 1050 to the test ports of the Mu-4000. We also powered the ZyWall 1050 from a power outlet on the Mu-4000 so that the Mu-4000 could power-cycle the ZyWall 1050 if it became unresponsive as a result of attack traffic.

We then configured the testbed, specifying that the endpoint was directly connected and supplying the IP address of the ZyWall 1050.

We configured the Mu-4000 to passively monitor the syslog data coming from the ZyWall 1050 to determine whether the device was still responsive while under attack. Configuring monitor settings requires a fair amount of knowledge about the device under test: we spent a significant amount of time determining the exception patterns that the ZyWall 1050 would log to indicate that it was no longer working correctly.
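As an added example, not code from Mu Security, Zyxel or eWEEK, the following Python harness shows what the test described above looks like in code: it generates malformed SSH identification strings and SSH_MSG_KEX_DH_GEX_REQUEST messages (the banner and Diffie-Hellman group-exchange cases named earlier), delivers each through a pluggable transport, and then judges the target's health by matching its syslog output against exception patterns, the same liveness logic that had to be configured by hand on the Mu-4000. The message layouts follow RFC 4253 and RFC 4419; the exception patterns, the syslog lines, the FakeTarget that stands in for the device under test, and the tcp_sender host and port are all constructed assumptions for illustration, and tcp_sender presumes a lab device you are authorized to test.

```python
"""Added example, not Mu-4000 code: a small SSH mutation harness mirroring the
test above.  It builds malformed SSH identification strings and
SSH_MSG_KEX_DH_GEX_REQUEST packets, delivers them through a pluggable transport,
and judges the device's health by matching its syslog output against exception
patterns.  Packet layout follows RFC 4253/4419; the patterns, log lines and
FakeTarget are constructed assumptions, not ZyWall 1050 behaviour."""
import re
import socket
import struct
from typing import Callable, Dict, Iterable, List, Tuple

SSH_MSG_KEX_DH_GEX_REQUEST = 34  # RFC 4419 section 3

def dh_gex_request(min_bits: int, n_bits: int, max_bits: int) -> bytes:
    """Payload: byte message type, then uint32 min, n, max group sizes."""
    return struct.pack("!BIII", SSH_MSG_KEX_DH_GEX_REQUEST, min_bits, n_bits, max_bits)

def binary_packet(payload: bytes, block: int = 8) -> bytes:
    """Unencrypted SSH binary packet (RFC 4253 section 6): uint32 packet_length,
    byte padding_length, payload, >= 4 padding bytes; total a multiple of block."""
    pad = block - ((len(payload) + 5) % block)
    if pad < 4:
        pad += block
    return struct.pack("!IB", len(payload) + 1 + pad, pad) + payload + b"\x00" * pad

def dh_gex_mutations() -> List[Tuple[str, bytes]]:
    """Boundary and inconsistency cases for the three group-size fields."""
    u32 = 0xFFFFFFFF
    cases = {"baseline": (1024, 2048, 8192), "min_gt_max": (8192, 2048, 1024),
             "all_zero": (0, 0, 0), "n_outside_range": (1024, 65536, 8192),
             "all_u32_max": (u32, u32, u32)}
    return [(k, binary_packet(dh_gex_request(*v))) for k, v in cases.items()]

def banner_mutations() -> List[Tuple[str, bytes]]:
    """Identification-string cases; RFC 4253 section 4.2 caps the line at 255
    bytes including CRLF and fixes the 'SSH-protoversion-software' form."""
    return [("baseline", b"SSH-2.0-example\r\n"),
            ("over_255", b"SSH-2.0-" + b"A" * 300 + b"\r\n"),
            ("no_crlf", b"SSH-2.0-example"),
            ("bad_version", b"SSH-9.9-example\r\n"),
            ("format_string", b"SSH-2.0-%s%s%n%x\r\n"),
            ("nul_embedded", b"SSH-2.0-ex\x00ample\r\n")]

class SyslogMonitor:
    """Passive health check: return syslog lines matching exception patterns.
    Patterns must be tuned per device; these are illustrative only."""
    def __init__(self, exception_patterns: Iterable[str]):
        self.patterns = [re.compile(p) for p in exception_patterns]

    def faults(self, lines: Iterable[str]) -> List[str]:
        return [ln for ln in lines if any(p.search(ln) for p in self.patterns)]

def tcp_sender(host: str, port: int = 22, timeout: float = 3.0) -> Callable[[bytes], None]:
    """Real transport: one TCP connection per case to an assumed lab target."""
    def send(data: bytes) -> None:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
            try:
                s.recv(4096)  # consume any reply; a timeout here is not a fault
            except socket.timeout:
                pass
    return send

def run_suite(cases: Iterable[Tuple[str, bytes]], send: Callable[[bytes], None],
              read_syslog: Callable[[], List[str]],
              monitor: SyslogMonitor) -> Dict[str, List[str]]:
    """Deliver each case, then collect fault lines from the monitor.  A transport
    error (refused, reset) is recorded as a fault in its own right."""
    results: Dict[str, List[str]] = {}
    for name, data in cases:
        try:
            send(data)
        except OSError as exc:
            results[name] = [f"transport: {exc}"]
            continue
        results[name] = monitor.faults(read_syslog())
    return results

class FakeTarget:
    """Constructed device under test so the harness runs offline: a GEX request
    with min > max or n == 0, or an identification string longer than 255
    bytes, makes it log an exception; anything else logs a normal line."""
    def __init__(self) -> None:
        self.log: List[str] = []

    def send(self, data: bytes) -> None:
        self.log = []  # fresh log window per case
        if data.startswith(b"SSH-"):
            bad = len(data) > 255
        else:
            mn, n, mx = struct.unpack("!III", data[6:18])  # after len, padlen, type
            bad = mn > mx or n == 0
        self.log.append("Jan  1 00:00:01 dut sshd[201]: EXCEPTION: bad request, restarting"
                        if bad else "Jan  1 00:00:01 dut sshd[201]: connection from 192.0.2.10")

if __name__ == "__main__":
    dut, mon = FakeTarget(), SyslogMonitor([r"EXCEPTION", r"restarting", r"watchdog"])
    for suite in (dh_gex_mutations(), banner_mutations()):
        for case, faults in run_suite(suite, dut.send, lambda: list(dut.log), mon).items():
            print(f"{case:16s} {'FAULT' if faults else 'ok'}")
```

To use it against real hardware, swap FakeTarget.send for tcp_sender pointed at the device, feed read_syslog from the syslog stream the device forwards to the harness host, and replace the patterns with the strings that particular device actually emits on failure. The monitor is only as good as those patterns, which is exactly the part of the setup that consumed the most time in the test above; a connection refused or reset on the next case is treated as a fault as well, since a device that has stopped answering on port 22 may never log anything.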