Archive: November 2006 ml@sikurezza.org
Subject: Re: [ml] Testing a NIDS
From: Rissone Ruggero
Date: Mon, 27 Nov 2006 13:28:55 +0100 (CET)
To get maximum realism you should replay the real traffic of the
specific network where you will deploy the NIDS. This approach, however,
does not guarantee repeatable results when you benchmark different
vendors at different times.

The Avalanche and Reflector modules nevertheless provide traffic models,
even complex ones, which can be modified during Test Planning for
particular needs and which make it possible to reproduce truly realistic
traffic.
As an example, here is an excerpt from the Avalanche manual, with some
of the most interesting features (sorry for the length of the post)

Avalanche is described by Spirent as a capacity assessment product that
challenges any computing infrastructure or network device to stand up to
the real-world load and complexity of the Internet or intranets. The
system generates simulated network traffic that features real-world
characteristics such as connection speed, packet loss, browser
emulation, user think-time and aborted transactions. This helps provide
invaluable information about a site's architectural effectiveness,
points of failure, modes of performance degradation, robustness under
critical load, and potential performance bottlenecks. 

Using Avalanche to generate Internet user traffic and Reflector to
emulate large clusters of data servers, it is possible to simulate the
largest customer environments. Each one sports up to four copper or
fibre Gigabit Ethernet ports which are load-balanced equally between
dual Intel processors when generating traffic to achieve in excess of
2Gbps traffic per Avalanche / Reflector pair. 

Between them they can set up, transfer data over, and tear down
connections at rates of more than 45,000 requests per second (HTTP 1.0
with no persistence) and over 60,000 requests per second (HTTP 1.1 with
persistence). They can sustain over 4,000 HTTPS requests per second with
no SSL session ID re-use, generate more than 30,000 streaming requests,
and simulate more than 2 million simultaneously connected users with
unique IP addresses. 

All this while handling cookies, IP masquerading for large numbers of
addresses, traversing tens of thousands of URLs and operating under a
realistic mix of traffic. 

This allows realistic and accurate capacity assessment of routers,
firewalls, in-line security appliances (IDS/IPS/UTM), load-balancing
switches, and Web, application, and database servers. It helps identify
potential bottlenecks from the router connection all the way to the
database, or can simply be used to generate a background test load of
realistic traffic. Load can be specified in a number of ways, using user
sessions, user sessions per second, transactions, transactions per
second, connections or connections per second. 

Protocols supported include HTTP/1.0, HTTP/1.1 and HTTPS (including
persistence and simultaneous connection settings); RTSP/RTP (QuickTime
and Real Networks); Microsoft Media Streaming; FTP; SMTP (including
attachments) and POP3; DNS; and Telnet traffic. It also supports SSL
versions V2, V3 and TLS V1, and SSL protocol parameters (version
selection, cipher suites and session ID re-use), as well as allowing
generation of a range of simulated Distributed Denial of Service (DDoS)
attacks.  

The system also allows modelling of user behaviour, supporting such
actions as use of proxies and proxy caches, use of multiple browser
types, multi-level HTTP redirects, user think times, click streams, and
HTTP aborts ("click-aways"). Support is provided for dynamic content
sites, cookies, session IDs, HTML forms, HTTP posts, and HTTP basic and
proxy authentication, and the tester can specify a list of URLs and data
object parameters that can be changed on a per-transaction basis. 

Avalanche includes a high-accuracy delay factor that mimics latencies in
users' connections by simulating the long-lived connections that tie up
networking resources. Long-lived, slow links can have a completely
different effect on performance than a large number of short-lived
connections, so this approach provides the ability to finely tune the
test scenario for more realistic results.  


-----Original message-----
From: ml-bounces@xxxxxxxxxxxxx [mailto:ml-bounces@xxxxxxxxxxxxx] On
behalf of Stefano Zanero
Sent: Sunday 26 November 2006 21.00
To: ml@xxxxxxxxxxxxx
Subject: Re: [ml] Testing a NIDS

Mailing List Manager wrote:

>> Correct me if I'm wrong: that device generates attack traffic,
>> right, not background traffic, or am I misreading?
>
> You're not wrong, Stefano; in fact, for background traffic we
> usually use a few Terametrics cards inside a Smartbit.

Correct me if I'm wrong here too :) but that kind of generator in
general focuses on the volume of traffic generated and not on its
variability and/or realism, i.e. it is built for load testing. Or did I
miss some optional module that allows reproducing the behaviour of
realistic users?
