Resiliency Testing Critical to U.S. Cyber Infrastructure
It appears that talk about the United States’ plans for beefing up our country’s cyber infrastructure is finally turning into action with new details emerging about government plans to create U.S. Cyber Command. Just this week, Defense Secretary Gates approved the creation of U.S. Cyber Command (or "Cybercom"). Jaikumar Vijayan wrote the story for Computerworld and explained:
The proposal to create the new command has been expected for some time and is part of an effort to address growing threats to Defense Department and Pentagon networks from foreign and domestic threats.
Those of you in security research have seen much of this coming. The threats have always been out there, but they are now becoming more sophisticated and more frequent. Security attackers are also becoming more creative. Witness the DDoS attack orchestrated by Iranian protesters via social networks this month.
In the testing world we understand that no matter the initiative or the person heading it up, there are going to be challenges for the government agencies, contractors and research organizations tasked with implementing and ensuring the resiliency of mission-critical networks, as well as the devices and the services they deliver.
"Resiliency" is a word that perfectly describes what people are looking to test when it comes to U.S. cyber infrastructure. Resiliency encapsulates both security and performance of the network and the devices that serve as its infrastructure. If you want to test the resiliency of a device, you have to do it with real-world network scenarios and network simulations. All of this sounds familiar to anyone who has been reading this blog since BreakingPoint excels at testing with realistic app traffic, security strikes, line-rate throughput and more.
This morning we put out news around our capabilities in resiliency testing, "BreakingPoint Provides the Only Realistic Network Simulation for Testing Vulnerability and Resiliency of U.S. Cyber Infrastructure". I wanted to share with you a quote from the news release from Des Wilson, BreakingPoint's CEO, where he defines resiliency testing and its importance:
“Resiliency testing is clearly critical to identifying and eliminating threats to the security and performance of our nation’s cyber infrastructure. And the definition of resiliency testing remains simple; test the network and network devices using blended application traffic mixed with live security strikes at line-rate speeds originating from the same address space. However, until today, the government agencies and organizations tasked to optimize and defend the cyber infrastructure did not have these capabilities. BreakingPoint Elite is the only testing tool architected to simulate the conditions of an actual network, providing the resiliency testing capabilities that help make it the only effective defense against net-centric threats and performance issues.”
How do you define resiliency testing?
Server Load Balancer Testing Methodology Published
This morning we published our latest methodology for realistic testing of server load balancers. Server load balancers are such an integral piece of networking equipment and the adoption of virtualization and cloud computing, as well as the overall increase of network load, have made them an even hotter topic. As with our firewall testing and IPS testing methodologies, the server load balancer testing methodology demonstrates, in great detail including screenshots, how to configure a load balancer and set up the testing tools.
Some highlights from the methodology:
- Testing the number of TCP connections per second the load balancer is able to handle, providing a baseline test of the device’s performance capabilities.
- Emulating blended Layer 4-7 application traffic in order to validate that the load balancer can handle a true network scenario.
- Determining the overall bandwidth the load balancer can support through testing the number of HTTP/HTTPS connections per second the device can handle.
- Simulating dynamic pages and image files to validate HTTP Caching performance and confirm the load balancer is locally caching needed files.
- Confirming the load balancer can handle malformed packets or errors with the packet through application fuzzing.
- Testing RFCs 793, 1945, 2616, 2818, and 3501.
In the news release that went out today the quote from our CTO and co-founder, Dennis Cox summed it up nicely:
“Server load balancers are so important to today’s network infrastructure, helping to provide improved service uptime, redundancy and better application performance. In order to make this happen, server load balancers must have a high level of awareness of application protocols traversing the network, provide local caching and handle a significant amount of simultaneous TCP connections. Now add onto this the influx of virtualization, and today’s server load balancers have become highly complex content-aware devices that help to optimize your network and the applications it is running. Yet traditional testing methodologies, which only call for testing with HTTP traffic, are still being used.”
“Simply testing server load balancers with HTTP is unsuitable and irresponsible. True performance and security testing requires realistic and blended application traffic, appropriate throughput and even anomalies such as application fuzzing. The more realistic testing you do today, the better performing and more secure server load balancer you’ll see tomorrow.”
Go check out the Server Load Balancer testing methodology and let us know what you think.
Bringing Clarity to Application Fuzzing
Application fuzzing is a critical element in any test scenario and it is a topic we have brought up here on the blog several times, which has generated great interest throughout the industry. With that in mind, I was excited to read the latest “how-to” guide from BreakingPoint Labs’ Sean Bradly. This in-depth guide details how to use the application fuzzing and BlockFuzzer functionality within BreakingPoint Elite. As Sean writes in the paper, "...fuzzing has long been a part of any security auditor’s handbook. However, it is also a terrific tool to use during the QA process since application fuzzing, through providing malicious or malformed data packets, can quickly determine performance issues and reveal bugs."
Sean’s tech brief is one of several we are developing that go into more depth around different testing functionality within BreakingPoint Elite. As you remember, Dustin D. Trammell and Todd Manning had a deep dive into simulating Distributed Denial of Service (DDoS) attacks a few weeks back and next week we will be publishing several additional security and application protocol briefs.
Head on over to download Sean’s paper and start fuzzing.
Interviewing the CyberSecurity Czar; What Question Would You Ask?
“America’s failure to protect cyberspace is one of the most urgent national security problems facing the new administration.”
It's not just U.S. military and DoD networks that are at risk. Every day Federal, State and local government networks are hit with tens of thousands of malicious attacks. The FAA, stock exchanges, even power grids are susceptible to legions of hackers around the world. While readers of this blog already understand the network security dangers that exist, others are just now beginning to understand the risks. Terms like "cyber security", "cyber warfare" and "cyber infrastructure" are recognized by millions of Americans with the Obama administration's recent focus on the topic. Over the next few weeks I'm going to be diving deeper into a variety of cyber infrastructure issues, and today we start with the news of last week and what we should start looking for out of the new cyber czar.
President Obama has laid out his administration's plan to shore up U.S. cyber security, including a new appointment to the role of "cyber security czar" (or coordinator), a position formerly part of the Department of Homeland Security. In a 60-page report, titled "Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure," (PDF) the administration shared the following urgent priorities:
- Increase Federal investment to improve security in information and communications infrastructures
- Create a public/private partnership to coordinate responses to cyber attacks
- Seek International cooperation to mitigate security risks
- Raise the public's awareness about the state of infrastructure security
Overall it is clear that the Obama administration believes that by bringing the position closer to the White House and granting more power (and money) to the cyber security topic they can achieve these objectives. Critics believe, however, that the role is not being given enough latitude, funds, power, etc. Others believe that the role should be primarily a private one. But it's just not that simple, starting with the fact that there are already Government-funded cyber security initiatives underway.
The Federal government has consistently been introducing programs for cyber security, perhaps not out of a central department, but it has been rapidly progressing. Recently, the Pentagon ramped up efforts in attracting the newest network security talent with a military-funded program tapping students. Called "Cyber Challenge" (sick of the word cyber yet...), it will center around three national competitions for high school and college students. The goal, of course, is to find the best and the brightest students and give them an opportunity to help shore up the U.S. cyber infrastructure, now and in the immediate future. Although I'm sure critics have issues with the military establishment getting involved with schools, let's face the facts that this is a difficult challenge and we must have our nation's brightest working on the problems.
The U.S. Army obviously understands cyber warfare and cadets are already being trained to battle this threat. The New York Times had an interesting look into training exercises for cadets at West Point, who were taking part in cyberwar games as a final exam. Although this training is geared towards using cyber security tactics for a military advantage, whereas the President's report only looked at internal defense, it is important to understand that the wheels are already in motion. And, then there's the private sector where companies are rapidly innovating a new generation of security products and services. Our nation's new cyber czar must head into the position knowing that there are already so many initiatives in motion both in the government and corporate world and effectively bridge those two worlds to protect our increasingly vulnerable yet mission-critical infrastructure.
This will involve taking on a CEO-type role, looking at where activities are already effective, where the holes remain and how to dedicate the necessary resources to plug these holes. And, just like our counter-terrorism initiatives, our cyber security warriors must learn to think like the enemy in order to defend our critical internet infrastructure.
With this in mind, I asked folks on Twitter what one question they would ask an applicant interviewing for the cyber czar role. Some of the initial answers are below and this will be the focus of our next post on cyber security. What would be your question?
Testing Cloud Computing Today with BreakingPoint Elite
Cloud computing continues to make news and it certainly was no different during Interop as you read in my posts from last week. In most cases, however, there is still an absence of discussion around what it takes to test the cloud infrastructure. Pam O'Neal started this discussion with the four considerations for testing the cloud computing infrastructure and Dennis Cox subsequently talked with us about the important testing procedures one should think about when testing the cloud infrastructure.
A follow-up conversation with Dennis ensued where we talked in depth about what people can do today to test the cloud infrastructure and the unique features of BreakingPoint Elite that allow this to happen. The conversation includes the following:
- The inability for load testing tools to scale to proper performance levels when testing a cloud environment.
- Bit-blasting testing tools are not ideal for testing the cloud because they don't use real application traffic.
- The ability to do client emulation at 7.5M concurrent connections and blended stateful application traffic (among other things) does make BreakingPoint a good fit for testing the cloud.
- The BreakingPoint architecture (network processor, FPGAs, and more) is a key for allowing high-performance with realistic traffic.
- The most important applications to test with off the bat include database protocols, web-based protocols and more.
