Measuring the performance and security of your network equipment has never been more important than it is today. While there will always be tradeoffs between maximum throughput and maximum security, I want to emphasize the “and” in “performance and security.” Your devices must perform while remaining secure, and you can’t afford to be lax about either part of that formula.
The big hurdle: today’s network equipment no longer looks at packets blindly. Instead it makes decisions based not only on the transport layer (TCP/UDP) but also on what’s happening at the application layer. This evolution of network equipment keeps network engineers up at night, on weekends, and on major holidays. It’s no easy task to identify weaknesses in software, so now imagine doing it in a closed appliance whose inspection logic you cannot read. To help overcome this challenge I want to share five things you can do before buying that next piece of network gear. To make the lesson more pointed, let’s take the prime example of buying a new firewall, since the stakes for that are so high in terms of both performance and security.
1. POWER OFF | POWER ON
This is very simple but can show you some amazing results. Power off your network device, power it back on, and watch how it handles the load that hits it the moment it comes up. When you have an outage, it is typically during peak usage, and most devices restart slowly. Your device might want to restart slowly, but your users aren’t going to wait for it to warm up, even if they realize that something has gone wrong. (And if the “users” in question are bad guys, they’ll be happy to take advantage of any gap in enforcement while the device is coming back.) Measure how long the device takes to return to service under high-load stress, whether it keeps enforcing policy the whole way through, and whether the returning load simply knocks it over again. You’ll be surprised how much you learn from this technique, and you’ll also have information that helps you prepare for real-life scenarios.
Hint: You’re going to find out that your failover doesn’t work, and that you need buffer devices in front of quite a few pieces of gear. You may also find that some devices fail completely or partially open. Some come back up with their expensive inspection rules turned off, by default, which makes the minutes after a reboot the least protected part of your day.
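As an added example (not BreakingPoint’s tooling and not part of the original article), here is a small harness for the power-cycle test. It probes two flows once per second while the device reboots: one the policy must allow and one it must block. From the results it reports when service was lost, when it came back, and, the security-relevant part, whether any denied probe was forwarded while the device was booting. The host, ports, and the timeline in simulated_timeline() are constructed placeholders.

```python
"""Power-cycle harness: time-to-service and fail-open check for a device under test.

While the device reboots, two flows are probed once per second:
  - an ALLOWED flow, one the policy must permit (e.g. tcp/443 to a host behind the device)
  - a DENIED flow, one the policy must block (e.g. tcp/23 to the same host)
Each probe records "pass", "blocked" (connection refused, i.e. an RST) or "timeout".
Hosts and ports are placeholders; simulated_timeline() is a constructed result set.
"""
import socket
import time
from dataclasses import dataclass


@dataclass
class Probe:
    t: float      # seconds since the power cycle began
    kind: str     # "allowed" or "denied"
    result: str   # "pass", "blocked" or "timeout"


def tcp_probe(host, port, timeout=1.0):
    """Live probe: classify one TCP connect attempt through the device."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "pass"
    except ConnectionRefusedError:
        return "blocked"
    except OSError:          # socket.timeout is a subclass of OSError
        return "timeout"


def run_probes(host, allowed_port, denied_port, duration_s, interval_s=1.0):
    """Probe both flows for duration_s seconds; start this just before you pull power."""
    start = time.monotonic()
    probes = []
    while (now := time.monotonic() - start) < duration_s:
        probes.append(Probe(now, "allowed", tcp_probe(host, allowed_port)))
        probes.append(Probe(now, "denied", tcp_probe(host, denied_port)))
        time.sleep(interval_s)
    return probes


def analyse_probes(probes, stable_samples=3):
    """Return (outage_start, recovery, fail_open_times).

    outage_start: first time the allowed flow stopped passing (None if it never did).
    recovery: first time after the outage at which the allowed flow has passed for
              stable_samples consecutive probes (None if the device never settled).
    fail_open_times: times at which a DENIED probe was passed, i.e. the device
              forwarded traffic it is supposed to block.
    """
    allowed = [p for p in probes if p.kind == "allowed"]
    denied = [p for p in probes if p.kind == "denied"]
    outage_start = next((p.t for p in allowed if p.result != "pass"), None)
    recovery = None
    if outage_start is not None:
        after = [p for p in allowed if p.t >= outage_start]
        streak = 0
        for i, p in enumerate(after):
            streak = streak + 1 if p.result == "pass" else 0
            if streak == stable_samples:
                recovery = after[i - stable_samples + 1].t
                break
    fail_open_times = [p.t for p in denied if p.result == "pass"]
    return outage_start, recovery, fail_open_times


def simulated_timeline():
    """Constructed result set: device answers until t=3, is dark until t=41, then
    forwards everything (rules not yet loaded) until t=45, then enforces policy again."""
    probes = []
    for t in range(60):
        up = t < 3 or t >= 41
        probes.append(Probe(t, "allowed", "pass" if up else "timeout"))
        if not up:
            denied = "timeout"
        elif 41 <= t <= 45:
            denied = "pass"
        else:
            denied = "blocked"
        probes.append(Probe(t, "denied", denied))
    return probes


if __name__ == "__main__":
    outage, back, leaks = analyse_probes(simulated_timeline())
    print(f"outage at t={outage}s, service back at t={back}s, "
          f"recovery {back - outage}s, fail-open at {leaks}")
```

One caveat when you run this for real: if the policy silently drops the denied flow instead of rejecting it, a denied probe reports "timeout" whether the device is enforcing or dark, so only "pass" on that flow is informative. That is still enough to catch fail-open, which is the result you most need to know about before the device goes into production.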
2. MEASURE YOUR AXES
There are two critical axes for measuring whether a device will fit in your network. The first is bandwidth: how much traffic the device can forward, measured in bits per second and, for small packets, packets per second. The second is sessions: how many distinct application streams (TCP connections or UDP flows) the device can track at once, which for a stateful device means entries in its state table. Sessions come with a second number, the rate at which new ones can be set up per second, and a device can be short on either.
It’s amazing to me how many devices are still marketed in a completely lopsided fashion. For example, a one-gigabit firewall (good bandwidth) that supports only 5,000 concurrent sessions (huh?). As I type this I have more than 40 sessions running on my laptop. And no, I’m not streaming a movie or talking on the phone. The average number of sessions varies from enterprise to enterprise. But when you consider that the average web page has 10 or more requests and that half your users are on Facebook, you’re knee-deep in sessions.
If you have 1,000 employees and they use a browser-based CRM application every day, chances are good you are north of 20,000 concurrent sessions, because each connection occupies a state-table entry until the device’s idle timeout expires, long after the last byte has gone by. Knowing how much data is in each session, and how long each one lives, lets you work out where those two axes intersect and which one the device runs out of first.
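The sizing arithmetic above, as an added worked example (not from the original article). It turns a user population into new sessions per second, applies Little’s law to get the state-table occupancy, converts the session rate into the bandwidth it implies, and compares all three against a datasheet. Every traffic figure in worked_example() is a constructed assumption; replace them with a flow export or a capture from your own uplink.

```python
"""Sizing a stateful device on both axes: bandwidth and sessions.

All traffic figures are constructed assumptions for the worked example; substitute
measurements from your own network (a flow export or a capture on the uplink).
"""


def new_sessions_per_second(users, pageviews_per_user_per_hour,
                            requests_per_page, requests_per_connection):
    """New TCP connections per second generated by a population of web users.
    requests_per_connection accounts for HTTP keep-alive reuse."""
    requests_per_s = users * pageviews_per_user_per_hour * requests_per_page / 3600
    return requests_per_s / requests_per_connection


def concurrent_sessions(new_per_s, active_s, idle_timeout_s):
    """Entries the device must hold in its state table at once (Little's law:
    arrival rate times the time each entry lives). A session occupies an entry not
    only while data flows (active_s) but until the device's idle timeout expires."""
    return new_per_s * (active_s + idle_timeout_s)


def bandwidth_bps(new_per_s, bytes_per_session):
    """Where the two axes intersect: bits per second implied by the session rate."""
    return new_per_s * bytes_per_session * 8


def check_fit(device, demand):
    """Compare a vendor datasheet (device) with measured or estimated demand, both
    dicts keyed bandwidth_bps, concurrent_sessions, new_sessions_per_s.
    Returns the headroom ratio per axis; anything below 1.0 means the device is short."""
    return {k: device[k] / demand[k] for k in
            ("bandwidth_bps", "concurrent_sessions", "new_sessions_per_s")}


def worked_example():
    """1,000 employees on a browser-based CRM versus a 1 Gbit/s firewall rated
    for 5,000 concurrent sessions (all numbers constructed)."""
    rate = new_sessions_per_second(users=1000, pageviews_per_user_per_hour=30,
                                   requests_per_page=10, requests_per_connection=5)
    demand = {
        "new_sessions_per_s": rate,
        # 2 s of active transfer, then an assumed 30-minute TCP idle timeout on the firewall
        "concurrent_sessions": concurrent_sessions(rate, active_s=2, idle_timeout_s=1800),
        "bandwidth_bps": bandwidth_bps(rate, bytes_per_session=50_000),
    }
    device = {"bandwidth_bps": 1e9, "concurrent_sessions": 5000, "new_sessions_per_s": 10_000}
    return demand, check_fit(device, demand)


if __name__ == "__main__":
    demand, headroom = worked_example()
    for axis, value in demand.items():
        print(f"{axis:>20}: {value:14,.0f}   headroom x{headroom[axis]:.2f}")
```

With these inputs the firewall has well over a hundred times the bandwidth the traffic needs and less than a fifth of the session capacity, which is the lopsided datasheet described above in numbers. The idle timeout dominates the result, so check what the device actually uses and whether it is tunable.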
3. KNOW YOUR DEVICE
Traditional networking devices operated lower in the stack, but most devices today parse application-layer data. For that reason, it is critical to conduct “application protocol fuzzing” to ensure the performance and security of your device, and especially to ensure that a particular application is compatible with a particular piece of gear. Fuzzing is the process of sending data with deliberately injected errors (flipped bits, oversized fields, bogus length values, truncated or mis-terminated messages) through your network device. The goal is to measure how your device handles this malformed data, which, in the real world, might be transmitted with malicious intent or might simply be faulty traffic. The outcomes to watch for are a crash or hang, a collapse in throughput while the parser struggles, and, worst of all, the device giving up on inspection and passing traffic it should have blocked. Using protocol fuzzing during the assessment of IT elements can unveil weaknesses and vulnerabilities in that device that no datasheet will mention. Application fuzzing has long been part of the security auditor’s toolkit, but today, network administrators need to use protocol fuzzing as a standard part of their device assessment process. Many open source tools are available, but no matter which tool you choose, make sure you are fuzzing early and often, keep every test case reproducible so a failure can be replayed, and re-check between batches that known-good traffic still passes so you notice the moment the device breaks.
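A minimal mutation fuzzer for the approach just described, added here as an example rather than taken from the article or any particular tool. It mutates a valid HTTP/1.1 request with a seeded generator so any case can be regenerated, sends each case through a transport callback, and after every batch sends the unmutated request as a canary to detect the point at which the device stopped passing good traffic. The transport callback, the base request, and the FakeDevice stand-in are all constructed; a real run replaces FakeDevice with tcp_transport() pointed at a server behind the device under test.

```python
"""Mutation fuzzer for an application protocol carried through a device under test.

The base message is a valid HTTP/1.1 request (constructed). Mutations are deterministic
for a given seed so a case that misbehaves can be replayed. Between batches a canary,
the unmutated request, checks that the device still passes known-good traffic; a failed
canary after case N means case N (or one shortly before it) broke something.
transport(data: bytes) -> bytes | None is an assumed callback: tcp_transport() builds a
real one, FakeDevice is a constructed stand-in so the harness runs offline.
"""
import random
import socket

BASE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: app.example.test\r\n"
                b"User-Agent: fuzz-harness\r\n"
                b"Content-Length: 0\r\n\r\n")

STRATEGIES = ("bitflip", "overlong", "badlength", "truncate", "ctrlchar")


def mutate(base, rng):
    """Return (strategy, mutated_bytes) for one case."""
    data = bytearray(base)
    strategy = rng.choice(STRATEGIES)
    if strategy == "bitflip":                     # a few random bit errors
        for _ in range(rng.randint(1, 4)):
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif strategy == "overlong":                  # oversized request line
        n = rng.choice([1024, 65536, 1 << 20])
        data = bytearray(b"GET /" + b"A" * n + b" HTTP/1.1\r\nHost: app.example.test\r\n\r\n")
    elif strategy == "badlength":                 # length field the parser cannot honour
        bad = rng.choice([-1, 2 ** 31, 2 ** 63, 2 ** 64])
        data = bytearray(base.replace(b"Content-Length: 0", b"Content-Length: %d" % bad))
    elif strategy == "truncate":                  # cut mid-header, never terminated
        del data[rng.randrange(1, len(data)):]
    else:                                         # stray control byte inside a header
        data.insert(rng.randrange(len(data)), rng.choice([0x00, 0x0A, 0x0D, 0x7F]))
    return strategy, bytes(data)


def tcp_transport(host, port, timeout=2.0):
    """Real transport: one connection per message, None if nothing answers in time."""
    def send(data):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(data)
                return s.recv(4096)
        except OSError:
            return None
    return send


def fuzz(transport, cases, seed=1, canary_every=10, stop_on_canary_failure=True):
    """Send mutated cases; record silent ones and the batches after which the canary failed."""
    rng = random.Random(seed)
    report = {"sent": 0, "no_response": [], "canary_failures": [], "by_strategy": {}}
    for n in range(1, cases + 1):
        strategy, payload = mutate(BASE_REQUEST, rng)
        report["by_strategy"][strategy] = report["by_strategy"].get(strategy, 0) + 1
        if transport(payload) is None:            # timeout: device or target wedged
            report["no_response"].append((n, strategy))
        report["sent"] = n
        if n % canary_every == 0:
            reply = transport(BASE_REQUEST)
            if reply is None or not reply.startswith(b"HTTP/1.1 200"):
                report["canary_failures"].append(n)
                if stop_on_canary_failure:
                    break
    return report


def replay_case(seed, n):
    """Regenerate case n (1-based) of a run with this seed, to replay a failure."""
    rng = random.Random(seed)
    for _ in range(n):
        strategy, payload = mutate(BASE_REQUEST, rng)
    return strategy, payload


class FakeDevice:
    """Constructed stand-in: answers 200 to the valid request and 400 to anything
    else, but stops responding entirely after wedge_after messages."""
    def __init__(self, wedge_after=None):
        self.calls, self.wedge_after = 0, wedge_after

    def __call__(self, data):
        self.calls += 1
        if self.wedge_after is not None and self.calls > self.wedge_after:
            return None
        return (b"HTTP/1.1 200 OK\r\n\r\n" if data == BASE_REQUEST
                else b"HTTP/1.1 400 Bad Request\r\n\r\n")


if __name__ == "__main__":
    r = fuzz(FakeDevice(wedge_after=7), cases=50)
    print(f"sent {r['sent']} cases, no response: {r['no_response']}, "
          f"canary failed after: {r['canary_failures']}")
```

Because the canary is the only thing that tells you the device, rather than the target server, has stopped behaving, run a second canary directly against the server on a path that bypasses the device if your lab allows it; a canary that fails through the device but succeeds around it is a device finding.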
4. BE CAREFUL OF YOUR LOGGING
When things go bad, the first place you look is your logs. So do yourself a favor and make sure that things go bad during your evaluation of network gear so that you can see how much logging occurs. Does the device spit out good logs and helpful information? Or is it killing your management server, effectively creating a denial of service through a flood of useless messages? Remember that an attacker can trigger that flood on demand: a port scan against a firewall that logs every denied packet can produce far more log traffic than the scan itself. Measure messages per second at peak and under failure, then set up rate limiters and/or filters for the logging traffic you don’t really need, and do it at the source or the collector rather than by switching logging off, because the logs you throw away during an incident are the ones you will want most.
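To see what you would actually be rate-limiting, here is an added example (not part of the article) that reduces log lines to a signature by masking addresses and numbers, counts each signature per second, and flags the ones whose peak rate exceeds a threshold. The line format, the threshold, and the sample log produced by constructed_log() are all constructed; adapt LINE_RE to whatever your collector writes.

```python
"""Measure what a device logs when things go bad, and find what to rate-limit.

Input lines are in a constructed "<ISO8601> <host> <message>" form; adapt the regex to
your collector's format. Messages are reduced to a signature by masking addresses and
numbers, so every deny from a scan collapses into one bucket that can be counted,
rate-limited or filtered at the collector instead of swamping the management server.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\b\d+\b")


def signature(msg):
    """Collapse variable fields so identical message types share one bucket."""
    return NUM_RE.sub("<n>", IPV4_RE.sub("<ip>", msg))


def summarise(lines, flood_threshold_per_s):
    """Return (summary, flooders): per-signature totals, share of all volume and
    peak messages/second, plus the signatures whose peak exceeds the threshold."""
    per_second = Counter()      # (signature, second) -> count
    totals = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        sig = signature(m["msg"])
        second = m["ts"][:19]   # truncate to whole seconds
        per_second[(sig, second)] += 1
        totals[sig] += 1
    peak = {}
    for (sig, _), n in per_second.items():
        peak[sig] = max(peak.get(sig, 0), n)
    total = sum(totals.values())
    summary = [{"signature": s, "total": totals[s], "share": totals[s] / total,
                "peak_per_s": peak[s]} for s in totals]
    summary.sort(key=lambda r: r["total"], reverse=True)
    flooders = [r for r in summary if r["peak_per_s"] > flood_threshold_per_s]
    return summary, flooders


def constructed_log():
    """Constructed sample: a port scan hitting a firewall during the evaluation."""
    lines = ["2024-05-01T12:00:00 fw1 link up on eth1",
             "2024-05-01T12:00:00 fw1 config changed by admin from 10.1.1.5"]
    for i in range(500):        # one second of deny messages caused by a scan
        lines.append(f"2024-05-01T12:00:01 fw1 DENY tcp 198.51.100.{i % 250}:{40000 + i}"
                     f" -> 10.0.0.7:{i % 1024}")
    for i in range(5):          # a trickle of normal session logs
        lines.append(f"2024-05-01T12:00:0{2 + i} fw1 session established tcp"
                     f" 10.0.0.{i}:5{i}000 -> 10.0.0.7:443")
    return lines


if __name__ == "__main__":
    summary, flooders = summarise(constructed_log(), flood_threshold_per_s=100)
    for row in summary:
        print(f"{row['total']:6d}  {row['share']:6.1%}  peak {row['peak_per_s']:5d}/s  "
              f"{row['signature']}")
    print("candidates for rate-limiting:", [r["signature"] for r in flooders])
```

The flooder list is what you feed into the collector’s rate limit or suppression rule; the other rows, including the single “config changed” line, are exactly the ones a blanket filter would lose.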
5. DO NOT BELIEVE YOUR VENDOR
The most important piece of advice I can give: Question your equipment vendor throughout the process. The vendor’s job is to sell you something; therefore, it would be foolish for you to take their performance and security claims at face value — especially when that implies the risk of exposing your network to exploitation. Your network environment is unique, from your architecture to the traffic you handle. Take control of your own devices and stress your own equipment with your actual network traffic. The only way to truly ensure that your equipment will work when faced with your unique traffic is to take control and validate the device yourself.
We are constantly putting network devices through their paces, and these five tips are often the first we follow. Following them gives you an immediate benchmark on the potential of a device, whether it’s a firewall or something else. These five will help you better validate the performance and security of network equipment before you sign the purchase order.
Dennis Cox is the CTO and Founder of BreakingPoint.