Chuck
Principal Security Engineer

Hackers are advancing their attacks, why shouldn't you?

January 10, 2018 by Chuck McAuley

We've introduced a change to the BreakingPoint platform in our new December 8.40 release, which is now available for download on the Ixia support site. It's a small change that impacts a large part of our established user base, so we wanted to point it out as soon as we announced the release.

In the past, we've always used the same default Strikelist for new tests, called Strike Level 1. These are 183 high-profile network attacks, well suited to testing intrusion prevention technology. However, there's a problem with them. The list is static, so as time has moved on and we've added new strikes with our biweekly updates, the default list has gotten older and staler. Many of our customers are already familiar with this design and know by habit to adjust the test to use either our yearly collections, vendor-targeted ones, or simply build their own. Regardless, we felt a change was needed to encourage users to start their testing with something relevant, new, and challenging.

Figure 1: Old Strikes - "Strike Level 1"

Out with the old, in with the new

A few years ago, we added two new Strikelists. One was labeled "New Strikes," the other "Modified Strikes." "New Strikes" contains only the all-new strikes released with a Strikepack. It's a shorter, more relevant list compared to "Strike Level 1." If you are testing with this Strikelist and update your chassis, your test will run with the new Strikepack's set of strikes, which makes it convenient for testing the latest added content without building a new test. "Modified Strikes" is, as the name suggests, a collection of strikes that have been altered in some way since the previous release. Typically, "Modified Strikes" contains updated metadata and, on occasion, bug fixes.

As I've said, we've had these two Strikelists in our biweekly releases for a few years now, but only as a selectable option, not the built-in default when creating a new test. A large number of the support issues we have received from the field are related to the age of our default Strikelist "Strike Level 1", so with this release we've changed the default to "New Strikes" for any new test. This change does mean, however, that as a user you'll need to be aware of a few things.

Figure 2: The default strike in the Strike List field is now "New Strikes"

First, if you don't change the default settings for a Security Component and import the test into another chassis with a different Strikepack installed, or if you install a new Strikepack, your test will change which strikes are used. That's because every Strikepack has its own unique "New Strikes" list. This can be easily remedied by saving the current "New Strikes" Strikelist under a new name and changing your test to use that list before exporting it. Your test results will also report which Strikepack was used and list all strikes that were included in that test.

Second, expect to see a lot more tests "fail." By "fail", I mean that the device under test (DUT) has allowed strikes through the network instead of blocking them. If the DUT has not had its IPS signatures updated or vetted appropriately, strikes will not be blocked. This is a positive, since you'll be aware of how well your devices protect against current attacks, and you won't be accidentally tripped up by testing old attacks that are no longer used in the wild.
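The two points above (the "New Strikes" list drifting between Strikepacks, and "fail" meaning the DUT let a strike through) can be checked directly from the strike lists and outcomes that a test result reports. The following is an added example, not Ixia's or BreakingPoint's own code; the result layout, Strikepack labels and strike IDs are constructed for illustration and do not reflect a real report format.

```python
"""Compare two strike test runs: which strikes drifted between Strikepacks,
which strikes the DUT failed to block, and which shared strikes regressed."""
from dataclasses import dataclass


@dataclass
class StrikeRun:
    strikepack: str          # label of the Strikepack the run used (constructed)
    outcomes: dict[str, str]  # strike id -> "blocked" or "allowed"


def failed_strikes(run: StrikeRun) -> list[str]:
    """A strike 'fails' when the DUT allowed it through instead of blocking it."""
    return sorted(s for s, o in run.outcomes.items() if o == "allowed")


def block_rate(run: StrikeRun) -> float:
    """Fraction of strikes in the run that the DUT blocked, rounded to 3 places."""
    blocked = sum(1 for o in run.outcomes.values() if o == "blocked")
    return round(blocked / len(run.outcomes), 3) if run.outcomes else 0.0


def drift(run_a: StrikeRun, run_b: StrikeRun) -> dict[str, list[str]]:
    """Strikes present in only one run: the unpinned 'New Strikes' list changes
    whenever the Strikepack changes, so the two runs no longer test the same set."""
    a, b = set(run_a.outcomes), set(run_b.outcomes)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a),
            "shared": sorted(a & b)}


def regressions(run_a: StrikeRun, run_b: StrikeRun) -> list[str]:
    """Shared strikes that were blocked in run A but allowed in run B: the signal
    that is only trustworthy once both runs use the same (pinned) Strikelist."""
    return sorted(s for s in drift(run_a, run_b)["shared"]
                  if run_a.outcomes[s] == "blocked" and run_b.outcomes[s] == "allowed")


# Constructed sample: the same test run before and after a Strikepack update.
RUN_A = StrikeRun("strikepack-old (constructed)",
                  {"strike-001": "blocked", "strike-002": "blocked", "strike-003": "allowed"})
RUN_B = StrikeRun("strikepack-new (constructed)",
                  {"strike-002": "allowed", "strike-003": "allowed",
                   "strike-004": "blocked", "strike-005": "allowed"})

if __name__ == "__main__":
    for run in (RUN_A, RUN_B):
        print(run.strikepack, "block rate:", block_rate(run), "failed:", failed_strikes(run))
    print("drift:", drift(RUN_A, RUN_B))
    print("regressions:", regressions(RUN_A, RUN_B))
```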

As always, it's best to create a Strikelist that is relevant to your concerns and testing criteria. For example, there is little relevance in testing an IPS' coverage of Linux-based attacks when you are a Windows-only company, or malware protection transmitted over FTP if you disallow FTP at the perimeter. Everyone's network and security coverage is unique, and you should test for the environment you are protecting.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.