Scenario
Network security is a top concern of every enterprise. Each computer with access to the Internet or offering a service to the Internet must be protected from security threats. By the end of 2011, the average total cost of a data breach for medium to large size enterprises is $8.4M (up 39% from the previous year).
Malware security attacks take many forms: viruses, worms, trojans, rootkits, spyware and malicious adware, and scareware. These attacks often succeed with the cooperation of computer users – through e-mail, web pages, FTP transfers, instant messaging, peer-to-peer file sharing, online games, and careless software installation. Other attacks happen just by virtue of being connected to the Internet: denial of service attacks against company sites, vulnerability attacks against web, email, FTP, and other services and password-login attacks. In addition to user education, enterprises use a variety of network security devices to protect their sites and services. These include:
- Firewalls – the first of the security devices. They serve to filter access to a network based on IP addresses and protocols. Modern advances in DPI now allow firewalls to filter based on internal protocols and contents.
- VPN gateways – used to provide secure access to remote employees and partners. These devices use IPsec encryption to protect traffic from trusted sites.
- Intrusion detection/prevention (IDS/IPS) systems – protection against hacking. These sophisticated devices recognize a wide range of unusual network usage, looking for indications of misuse.
- IDS systems notify administrators of possible breaches, whereas IPS systems block access, often by programming the firewall.
- URL filtering – preventing access to suspect web sites. These devices watch all web, FTP, and other access and prevent access to sites on a vendor-supplied list.
- Anti-malware, anti-spam gateways – prevent malware from entering the enterprise. These similar functions look at the content of e-mail, web, FTP, and other data entering the enterprise. This type of prevention is often also present on individual computer systems.
- Data loss prevention (DLP) gateways – prevent valuable data from leaving the enterprise. This appliance inspects traffic exiting the enterprise, looking for proprietary or improper data sent by deliberate user action or as a result of malware attacks.
Ixia Solutions
Ixia offers a complete network test and assessment product that measures security:
- Effectiveness – the ability to detect and prevent all forms of attacks.
- Accuracy – the ability to accurately perform its function, without significant “false-positive” results.
- Performance – the ability to enforce security mechanisms while maintaining acceptable network performance. Security enforcement mechanisms must continue to pass good” traffic even under the most aggressive attacks
Both IxLoad-Attack and the Ixia BreakingPoint Actionable Threat Intelligence (ATI) service provide comprehensive service and support program for optimizing and hardening the resiliency of IT infrastructures, including product updates, authentic application protocols, real-world security attacks, and responsive support responsive support:
- Known vulnerabilities – 38K+ known security vulnerabilities, organized by type are available. Attacks are updated frequently to stay current with hacker activity.
- Attack evasions – attacks are frequently masked by use of packet fragmentation and other sophisticated techniques. Ixia applies evasions to known vulnerability to increase effectiveness testing.
- Massive DDoS attacks – simulate distributed denial of service (DDoS) and Botnet attacks to measure cyber infrastructure resiliency. Ixia uses Ixia test ports’ customized logic and scale to mount very large-scale DDoS attacks.
- Encryption – IPsec encryption is used in two ways. Encryption with “good” traffic serves to measure VPN gateway throughput. Encryption with “attack” traffic tests security effectiveness and accuracy for attacks delivered over secure connections.
- Multiplay traffic – sends real-world, stateful traffic to measure security appliance performance. This means that the true, realistic performance, including QoE, of security mechanisms can be measured – not just raw
| Feature | Options |
|---|---|
Known vulnerabilities |
|
| DDoS |
|
| Encryption |
|
| Mutliplay Traffic |
|
In conjunction with Ixia's hardware and other test applications, Ixia offers a complete test solution for network devices that provide functions other than security.
Ixia’s IxLoad-IPsec is designed to measure the performance of VPN gateways that are used to connect organizations’ multiple sites and to connect remote users to corporate networks. IPsec is likewise used in 3G and 4G networks to protect communications between handsets and internal wireless gateways.
IxLoad-IPsec tests performance of VPN gateways of all types in several ways:
- Connections – how many site-to-site and user connections can be concurrently supported
- Connection rate – how rapidly can new connections be established
- Throughput – what is the maximum data rate that a gateway can sustain
- Interoperability – can the gateway support the numerous encryption and authentication protocols in use today
Suggested Applications and Platforms
IxLoad-Attack |
Full network security testing with plug-ins for known vulnerability attacks and DDoS. |
IxLoad-IPsec |
IPsec encryption for good and attack traffic. |
IxLoad |
A highly-scalable, integrated test solution for assessing the performance of multiplay networks and devices. IxLoad offers a wide variety of DDoS attacks, used in conjunction with other triple-play tests. |
Ixia BreakingPoint |
Control global threat intelligence at Internet-scale to create massive, high fidelity simulation and testing conditions for battle-testing infrastructures, devices, applications, and people. |