Getting the Most Out of Customized Network Neighborhoods in the BreakingPoint Storm CTM
By Yong Zhou & Jin Qian
In this post, we’ll talk about how to get the most out of the BreakingPoint Storm CTM™ by customizing the settings under the Network Neighborhood configuration feature. Our experience working directly with customers tells us that effective Network Neighborhood settings make our machine even more powerful for diagnosing and improving the performance, stability, and security of your network infrastructure. Whether your setup is simple or complex, taking the right Network Neighborhood approach will make your life easier—so read on to find out how!
Escaping the Limitations of Legacy Testing Tools
We understand that many of our customers have been using legacy network/security testing equipment for quite a while. On most of those devices, you can only take a “one-liner” approach, setting up the protocol data and IP addresses all in one shot. It seems simple enough, especially when the device emulates only one or two application protocols—which is typical for those devices.
By contrast, the BreakingPoint Storm CTM is a much more sophisticated piece of equipment that addresses performance, stability, and security across Layers 2 through 7. Hence it needs to represent a more sophisticated networking setup. Think, for example, about a test scenario where there are multiple IP ranges of clients and servers that exchange background traffic while security strikes target some of those IP ranges.
With legacy testing equipment, simulating that environment might be impossible. But using the concept of the Network Neighborhood, it's easy for a BreakingPoint Storm CTM user to set up the machine to target those different IP ranges. Even better, Network Neighborhood settings are reusable; they can be referenced by different testers for different test cases. This saves you a ton of work in comparison to setting up everything from scratch each time.
Setting Up a Simple Network Neighborhood
It is quite straightforward to set up a simple Network Neighborhood via the user interface on the BreakingPoint Storm CTM.
Figure 1 — Network Neighborhood Configuration Window: just click the circled button to add a new one.
Figure 2 — Give a name to the new Network Neighborhood.
Figure 3 — The system will generate a default network; you can click the circled button to edit it.
Figure 4 — The window for modifying network parameters
It’s just that easy!
Setting Up a Complex Network Neighborhood
So far, so good. But what if you need to set up a Network Neighborhood for a complex network infrastructure? As friendly as our UI is, some Network Neighborhood configurations could take a while to set up, simply because there are so many details to enter. One example of this would be if you needed to set up a network with hundreds of VLANs and subnets or various security zones with rules of communication between zones. In complex cases like that, there’s an even easier way to do Network Neighborhood setup using a TCL script.
Here is an example illustrating a customer’s network infrastructure requirements:
- This is a test bed for security testing, which includes four security zones: Untrusted clients, DMZ clients, DMZ servers, and Trusted servers;
- Each security zone consists of several subnets and their corresponding host ranges behind the network gateway;
- For the Untrusted clients zone, the subnets are all untagged;
- For other security zones, their subnets are all VLAN-based with unique VLAN IDs;
- For the DMZ clients zone, it is preferable to categorize the subnets into two sub-groups;
- Explicit rules of communication should be enforced on a per-subnet basis between security zones.
The figure below illustrates the schematic setup for a complex customer network with security zones, numerous subnets, and rules of communication:
Figure 5 — Complex Customer Network
In order to set up a proper Network Neighborhood on the BreakingPoint Storm CTM to meet these requirements, first, we have to figure out a plan of mapping this complex customer network onto the elements of the Network Neighborhood, like this:
- Each security zone is mapped to an interface on the BreakingPoint Storm CTM;
- Under each security zone,
- if the subnet is untagged, each subnet is mapped to a domain under the corresponding interface;
- if the subnet is uniquely VLAN tagged, all the subnets are mapped to a single domain under the corresponding interface;
- if there is a need to further categorize the subnets into different sub-groups, each sub-group is mapped to a unique domain;
- For each subnet, virtual router mode is selected so that the Storm CTM acts as the next-hop router for the emulated hosts. The device under test then needs only one ARP entry per subnet (the virtual router's address) instead of one per emulated host, which avoids ARP cache overflows and ARP flooding on the device under test;
- A test path will be used for enforcing the rules of communication between subnet pairs of different security zones.
In our experience, most network operators maintain their complex network addressing in spreadsheet form, so we decided to create this Network Neighborhood with a TCL script that reads the addressing data from the customer network spreadsheet, as shown below:
Figure 6 — Customer Network Addressing Spreadsheet
We added the interface and domain columns to reflect the necessary mapping for the Network Neighborhood setup. Furthermore, we listed both client and server side in one row to reflect the rules of communication for proper test path setup.
With the easy-to-use TCL API that comes with the BreakingPoint Storm CTM, we created a TCL script that translates the network configuration information from the spreadsheet into the Network Neighborhood setting. (We’ve included the script at the end of this post for your reference.) With a single run of the script, a complex Network Neighborhood is created automatically, and it can be shared with any number of other tests that use similar network settings. Easy!
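A spreadsheet that drives automated configuration deserves a sanity check before any row reaches the chassis: an overlapping subnet on the same untagged segment, a VLAN ID reused for two different server subnets, or a gateway typed into the wrong row will either be rejected by addSubnet (and, in the script above, silently drop that row's test path) or produce a neighborhood that generates traffic nobody intended. The following Python validator is an added example, not code from the post or from BreakingPoint. It assumes the tab-separated layout the post's script reads (client side in columns 3 to 8, server side in columns 9 to 14, an optional domain in column 15, a title row beginning with "VRF") and reproduces the script's prefix conventions, where "a.b.c.d/n" is a virtual-router subnet and "a.b.c.d/n*" is a directly attached host range ending one address below the gateway. The function names, the SHEET sample and its addresses are all constructed for the example.

```python
"""Pre-flight checks for a Network Neighborhood addressing sheet.

Added example (not part of the original post or its Tcl script). Assumes the
tab-separated layout the post's script reads: client side in columns 3-8 and
server side in columns 9-14 (innervlan, netaddr, netmask, gateway, router_ip,
prefix), optional domain in column 15, a title row starting with "VRF".
Prefix conventions follow the script: "a.b.c.d/n" is a virtual-router subnet
covering the usable hosts, "a.b.c.d/n*" is a directly attached host range
that stops one address below the gateway.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Subnet:
    interface: int          # 1 = client side, 2 = server side (as in the script)
    domain: str
    vlan: str               # "" for an untagged subnet
    mode: str               # "router" (virtual router) or "hosts" (attached)
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address


def host_range(prefix, gateway):
    """Same result as the script's generateRange: (mode, network, first, last)."""
    if "/" not in prefix:
        prefix += "/24"
    base, mask = prefix.split("/", 1)
    attached = mask.endswith("*")
    network = ipaddress.IPv4Network(f"{base}/{mask.rstrip('*')}", strict=True)
    first = network.network_address + 1
    if attached:
        return "hosts", network, first, ipaddress.IPv4Address(gateway) - 1
    return "router", network, first, network.broadcast_address - 1


def parse_sheet(text):
    """Turn the sheet into Subnet records, two per row, skipping exact repeats
    (the same subnet legitimately appears in several client/server pairs)."""
    subnets, seen = [], set()
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith("VRF"):
            continue
        f = line.split("\t")
        if len(f) < 15:                       # both sides need columns 0..14
            continue
        domain = f[15] if len(f) > 15 and f[15] else "default"
        for interface, col in ((1, 3), (2, 9)):
            vlan, gateway, prefix = f[col], f[col + 3], f[col + 5]
            mode, network, first, last = host_range(prefix, gateway)
            key = (interface, vlan, network)
            if key in seen:
                continue
            seen.add(key)
            subnets.append(Subnet(interface, domain, vlan, mode, network,
                                  ipaddress.IPv4Address(gateway), first, last))
    return subnets


def validate(subnets):
    """Return human-readable findings; an empty list means the sheet is clean."""
    findings = []
    tagged = defaultdict(set)        # interface -> VLAN ids already used
    segments = defaultdict(list)     # (interface, vlan) -> subnets on that L2 segment
    for s in subnets:
        where = f"intf {s.interface} {s.network} vlan {s.vlan or 'untagged'}"
        if s.gateway not in s.network:
            findings.append(f"{where}: gateway {s.gateway} is outside the subnet")
        if s.first > s.last:
            findings.append(f"{where}: empty host range ({s.first} > {s.last})")
        if s.vlan:
            if s.vlan in tagged[s.interface]:
                findings.append(f"{where}: VLAN {s.vlan} reused on the same interface")
            tagged[s.interface].add(s.vlan)
        for other in segments[(s.interface, s.vlan)]:
            if s.network.overlaps(other.network):
                findings.append(f"{where}: overlaps {other.network} in the same L2 segment")
        segments[(s.interface, s.vlan)].append(s)
    return findings


# Constructed sample sheet: rows r1 and r2 are clean; r3 overlaps r1's untagged
# client subnet, reuses VLAN 101 for a different server subnet, and lists a
# gateway outside that subnet.
SHEET = (
    "VRF\tclient\tserver\tvlan\tnetaddr\tnetmask\tgateway\trouter_ip\tprefix"
    "\tvlan\tnetaddr\tnetmask\tgateway\trouter_ip\tprefix\tdomain\n"
    "r1\tuntrusted\tdmz\t\t10.1.1.0\t255.255.255.0\t10.1.1.254\t10.1.1.253"
    "\t10.1.1.0/24\t101\t10.2.1.0\t255.255.255.192\t10.2.1.62\t\t10.2.1.0/26*\t\n"
    "r2\tuntrusted\tdmz\t\t10.1.2.0\t255.255.255.0\t10.1.2.254\t10.1.2.253"
    "\t10.1.2.0/24\t102\t10.2.2.0\t255.255.255.192\t10.2.2.62\t10.2.2.61"
    "\t10.2.2.0/26\tdmz-a\n"
    "r3\tuntrusted\tdmz\t\t10.1.1.128\t255.255.255.128\t10.1.1.254\t10.1.1.253"
    "\t10.1.1.128/25\t101\t10.2.9.0\t255.255.255.0\t10.2.8.1\t10.2.9.2"
    "\t10.2.9.0/24\tdmz-a\n"
)

if __name__ == "__main__":
    for finding in validate(parse_sheet(SHEET)):
        print(finding)
```

Run it against the exported sheet before calling createNN; if the findings list is not empty, fix the sheet rather than relying on the chassis to reject the row. The overlap check is scoped to one interface and one VLAN tag on purpose: the same address range on two different VLANs is a normal design, while two untagged subnets that overlap on one interface would leave the device under test with ambiguous routes.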
We at BreakingPoint Systems are always looking for new, simpler ways for you to execute your complicated tasks. We hope this post helps you with your test setup. If you have questions or would like to share your experiences using the Network Neighborhood feature, please let us know in the comments.
~ ~ ~
TCL Script
# Run this inside the BreakingPoint Tcl shell, where the bps:: commands are
# available. Replace the host, login and password with your own, and keep real
# credentials out of the script itself (pass them in as arguments instead).
set bps [bps::connect 10.10.XX.XXX login password]

# Convert a 32-bit integer into dotted-quad notation.
proc convertNum2Ip { num } {
    set ret ""
    for { set i 0 } { $i < 4 } { incr i } {
        if { $ret != "" } { append ret "." }
        append ret [expr {($num >> (8 * (3 - $i))) & 0xff}]
    }
    return $ret
}

# Input is a prefix such as 66.5.157.0/26 plus the subnet's gateway; output is
# a list of {type minIP maxIP}.
#   66.5.157.0/26  -> virtual router ("router") range of the usable hosts
#   66.5.157.0/26* -> directly attached hosts ("hosts") ending one address
#                     below the gateway
# A bare address with no prefix length is treated as a /24.
proc generateRange { ipRange gateway } {
    if { ![regexp {/} $ipRange] } { set ipRange "$ipRange/24" }
    foreach {baseIp mask} [split $ipRange "/"] { break }
    set withAsterisk 0
    if { [regexp {(\d+)\*} $mask unused mask] } { set withAsterisk 1 }
    # network address as an integer; the first host is one above it
    set min 0
    foreach e [split $baseIp "."] { set min [expr {$min * 256 + $e}] }
    incr min
    if { $withAsterisk == 0 } {
        # broadcast address; stepped back below to the last usable host
        set max [expr {$min | ((1 << (32 - $mask)) - 1)}]
    } else {
        # gateway address; stepped back below so the range stops just under it
        set max 0
        foreach e [split $gateway "."] { set max [expr {$max * 256 + $e}] }
    }
    incr max -1
    set type router
    if { $withAsterisk == 1 } { set type hosts }
    return [list $type [convertNum2Ip $min] [convertNum2Ip $max]]
}

# info1 is the spreadsheet's {innervlan netaddr netmask gateway router_ip}
# columns for one side of a row; info2 is the output of generateRange.
# Directly attached host subnets take no router_ip.
proc createSubnet { info1 info2 } {
    set ret {behind_snapt false ip_v 4}
    set fields {innervlan netaddr netmask gateway router_ip}
    foreach {type min max} $info2 { break }
    if { $type == "router" } {
        for { set i 0 } { $i <= 4 } { incr i } {
            lappend ret [lindex $fields $i] [lindex $info1 $i]
        }
        lappend ret type router ranges [list $min $max]
    } else {
        for { set i 0 } { $i <= 3 } { incr i } {
            lappend ret [lindex $fields $i] [lindex $info1 $i]
        }
        lappend ret type hosts ranges [list $min $max]
    }
    return $ret
}

# Build a Network Neighborhood named nnName from the tab-separated export of
# the spreadsheet in Figure 6. Each row carries one client/server subnet pair:
#   columns 3-8   client side: innervlan netaddr netmask gateway router_ip prefix
#   columns 9-14  server side: innervlan netaddr netmask gateway router_ip prefix
#   column 15     domain (blank means "default")
# In this script the client side always goes on interface 1 and the server
# side on interface 2, and a test path is added for every row.
proc createNN { fileName nnName } {
    global bps
    set header "VRF"   ;# the title row starts with this and is skipped
    set nn [$bps createNeighborhood]
    puts "nn=$nn"
    set domains {}
    $nn addDomain external default
    $nn addSubnet external default {ip_v 4 behind_snapt false ranges {10.0.0.1 10.0.0.254} innervlan {} outervlan {}}
    set fd [open $fileName r]
    while { [gets $fd line] >= 0 } {
        if { [regexp {^\s} $line] } { continue }
        if { [regexp "^$header" $line] } { continue }
        set f [split $line "\t"]
        # both sides need columns 0..14; the domain column is optional
        if { [llength $f] < 15 } { continue }
        set domainName [lindex $f 15]
        if { $domainName == "" } { set domainName default }
        foreach intf { 1 2 } {
            if { [lsearch $domains "$intf,$domainName"] == -1 } {
                $nn addDomain $intf $domainName
                lappend domains "$intf,$domainName"
            }
        }
        # client side: prefix is column 8, gateway is column 6
        set sn1 [createSubnet [lrange $f 3 7] [generateRange [lindex $f 8] [lindex $f 6]]]
        lappend sn1 l2 02:1a:c5:01:00:00
        puts "sn1=$sn1"
        # a failed addSubnet also skips the test path for this row
        if { [catch {$nn addSubnet 1 $domainName $sn1} err] } {
            puts "got err adding subnet: $err"
            continue
        }
        # server side: prefix is column 14, gateway is column 12
        set sn2 [createSubnet [lrange $f 9 13] [generateRange [lindex $f 14] [lindex $f 12]]]
        lappend sn2 l2 02:1a:c5:02:00:00
        puts "sn2=$sn2"
        if { [catch {$nn addSubnet 2 $domainName $sn2} err] } {
            puts "got err adding subnet: $err"
            continue
        }
        $nn addPath 1 $domainName [lindex $f 3] 2 $domainName [lindex $f 9]
    }
    close $fd
    $nn save -name $nnName -force
    itcl::delete object $nn
}

# Example invocation; the file name and neighborhood name are placeholders:
# createNN customer_network.tsv "Complex Customer Network"