Network Security: A Moving Target Provides An Easier Hit

From pick-pockets to sophisticated electronic scanners, people have always been more vulnerable when on the move, and the same applies in today’s mobile network and BYOD environment. The key difference here is that the ultimate victim of a network attack is probably not the individual user, but the organization.

This has two negative consequences. For a start, the individual feels less directly threatened and is less motivated to follow strict security measures: “This looks like a handy new app. I’ll try it now, and get it cleared by IT if it works”. Secondly, the enormous potential payoff for attacking an organization means that today’s cyber criminal is prepared to spend unlimited time and resources on designing, deploying and concealing ever more sophisticated attacks.

A recent example of such attack escalation, “Operation High Roller” is reputed to have already siphoned around £1.57 billion from bank accounts in Europe, the US and South America, and still be on the move. Although based on familiar Zeus and SpyEye attacks, it takes a quantum leap in sophistication by replacing their manual operation with a level of automation that reduces attack times to seconds, operating around the clock.

The attack, which reveals “an insider level of understanding of banking transaction systems”, includes automated concealment techniques such as falsifying an account that has just been depleted so that the loss will not be immediately reported.

This all adds up to an IT security nightmare: an increasingly permeable network of increasingly individualistic users of increasingly diverse devices being targeted by increasingly smart and sharply targeted attacks. The temptation must be to either give up in despair or else to clutter the system with every new security hardware and software patch – until it becomes so complicated that only dedicated hackers will have the patience to understand it.

There is an alternative – it is to fight fire with fire. This means applying the same level of skill and experience to testing network security as the criminals apply to breaking it. This, in effect, is what the industry leaders are doing, and they are focused on three vital factors when testing the security of today’s corporate networks:

  • Rapid response
  • Accurate modeling
  • Simple, flexible test processes

Rapid response

Operation High Roller exemplifies the threat of faster acting and faster evolving attacks. So many existing attack mechanisms and types of malware are already available and out there that creating a new attack does not require sitting down and writing all the code from scratch. Most new attacks are based on existing code being tweaked to evade existing defenses and reassembled in some new combination. That can happen faster than the old procedures – a) report an attack, b) analyze it and create a patch, c) distribute the patch – can keep up with.

Similarly, testing for vulnerability means that the tester must keep ahead of the game – not only knowing the latest attacks as soon as they appear but also keeping up with all the new apps that are coming on line and which could be introducing unexpected vulnerabilities into the system.

Today’s most advanced Cloud-based test solutions support this need by supplying immediate ready-to-run tests for all consumer and business apps likely to be used, such as: Facebook, Skype, Netflix, Twitter, BitTorrent, VMware and Google Docs.

Note that it is no longer enough simply to say “we have tested the security of Skype on our network”, because in a BYOD environment different users will have different versions, presenting a range of vulnerabilities, over their diverse set of devices. With a Cloud-based solution, however, hundreds of tests can be added every month and updated automatically to keep up with new version, new type of device or operating system.

Accurate modeling

Network traffic is not uniform in structure: thousands of different applications running on hundreds of different traffic protocols all share space at any time on the network, each subject to unexpected surges in demand. BYOD brings ever more applications into the picture – social networking, voice and rich media applications, cloud computing, video, smartphone traffic – and into this mix comes the growth of malicious attack traffic.

How realistically can the test process model the many protocols on the network? You can define a protocol in terms of its packet structure, but does the model realistically reflect the real world timing between packets? For example: an application runs on broadband much faster than on a mobile phone, and in applications such as VoIP the timing pattern is determined as much by typical user speech patterns as the actual protocol structure.

It is likely that more than 80% of your traffic is driven by applications, so test tools that focus purely on protocols – inserting random data in the application payload – are not good enough. Application awareness runs through a BYOD or mobile user network: next generation firewalls, intrusion prevention systems, mobile packet gateways, policy routers and many other systems on the network will not detect an application or react to it in a realistic manner unless the test tool can recreate a realistic application-level state, with regards to cookies, session IDs, NAT translations, ALG-driven modifications, authentication challenges, lengths and checksums.

So testing application-aware systems requires a tool that accurately recreates application traffic and maintains application state – and this must happen fast, for all versions of the application. To model the true behavior of the network, you need a new generation test solution that is also designed to behave exactly as real clients would in the face of congestion and flow control situations.

It must also be designed to deliver consistent, repeatable results to allow comparison between test runs to determine whether changes are effective. In addition, test solution should be able to recreate custom and proprietary application traffic for cases where in-house purpose built applications are used.

Simple, flexible test procedures

Accurate modeling of the actual traffic on a BYOD, largely mobile network is what makes realistic security testing possible, as networks become increasingly application-aware. The right test tool can recreate an application-level state that takes account of multiple factors – cookies, session IDs, NAT translations, ALG-driven modifications, authentication challenges, lengths, checksums etc.

The most advanced network test solutions do indeed model traffic in such detail and, when combined with a constantly updated Cloud database, they can not only test in depth but also keep up with advances in technology, user behavior and new types of threats. Response times will be cut from days to hours or less but, unless the resulting tests are quick and simple to customize and run, the advantage will be lost in a typical busy IT department.

This takes us back to one of the oldest problems in security: the need to balance absolute safety against simple, user-friendly deployment. If safety procedures become too cumbersome, people will begin to take shortcuts and that leads to gaps in the defenses. So also with security testing: no matter how good the test procedure, if it proves too elaborate and time consuming it will be postponed or curtailed.

The Cloud-based library of up-to-date tests saves much time and effort, but off-the-peg tests can only go so far. The most advanced test solutions also have the flexibility to allow precisely targeted adjustments to tests – for example by modifying port numbers, embedding IP addresses, session IDs, or URLs etc, to better understand the system’s limits.

Even now, many test tools only allow adjustments to a few pre-defined fields, whereas more sophisticated solutions should allow this across all layers. Once the protocol field at the application layer has been parameterized, you should then be able to insert custom values, using a list, spreadsheet, range, or random values. For example, you could test URL filtering by modifying the URL field of the payload with the click of a button to see what happens when thousands of alternate values are supplied.

A further refinement is testing for unexpected divergences from the norm. For example, a date field DD/MM/YYYY: if a user keys in a two digit year instead of four, or uses letters for the month, could that crash the system? Exploring reactions to such errors is known as “fuzz testing” and very few test tools support this.

Those that do too often rely on random “bit flipping” and flooding of malformed packets – a rudimentary form of fuzzing, that does not help build intelligent fuzz test cases for all the field types at the application layer in the way that an advanced test solution should do with just simple button clicks.

It is the “clicks of a button” that are so important here. When choosing a security test solution, don’t just research what it can do but also how easily it can do it. Automated, repeatable tests that can be set up via a simple graphical interface without needing specialist scripting skills not only save time and reduce staff overheads but also make sure the tests are actually carried out properly, and on time.


Networks for mobile users, bringing their own devices and apps into the organization, need to be intelligent and application aware to handle such complex traffic patterns. Testing the security of such a complex and apparently open system presents a near impossible task in terms of old style network test procedures.

Today’s most advanced test solutions, however, are ahead of the game. They incorporate a Cloud based service that proactively keeps all test procedures up to date with new developments in application, versions, devices and user behavior. They have a simple interface allowing tests to be set up, fine-tuned and programmed to run automatically, with a minimum amount of expertise and time required. In a world where cybercrime is evolving so fast, it is the test system’s sheer flexibility and simplicity that helps you to move even faster and keep ahead of the cyber-crime game.

As EMEA Business Development Manager for Layer 4-7 Application and Security testing, Marc Meulensteen is responsible for new business for Spirent L4-7 Test Solution in the European and Middle East and African Markets. Marc joined Spirent in 2001 as System Engineer for the BeNeLux market. In this role Marc was responsible for technical Sales support with large accounts like Alcatel-Lucent, Juniper and Cisco in Belgium and the Netherlands. In this time Marc gained his expertise in testing and more specific in the newer technologies. In 2006 he changed to the current role of Business Development Manager. Marc is involved of introduction of new testing methodologies and new testing areas like video streaming and video quality testing and more recently in deploying there test technologies in the DataCenter and Cloud.