1

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Validating Malware Signature Installations on Ixia BreakingPoint Hardware

2

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Introduction Ixia BreakingPoint products ship with the capability to generate large numbers of live malware binaries, which can then be sent in two-arm fashion through a network topology of your choosing. This is very useful in determining whether firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and related equipment can correctly detect (and block!) these binaries via policies such as routine malware signature analysis. Using Ixia BreakingPoint equipment in two-arm fashion for this testing ensures that nothing else in the network will be compromised. Solutions are configured in two-armed mode to be both the originating element and the terminating element, using IPv4 addresses, IPv6 addresses, or both. However, this feature cannot be used unless users log in to Ixia’s secure StrikeCenter support site with the appropriate customer credentials and download and install the binary malware strikepacks. Until then, if you attempt to select and configure one or more of our malware strikes, the output Reports will show “Errored – Malware package 0000000X missing” where the X will vary based on the package number in question. There are currently seven malware strikepacks (numbered 0-6) available from our StrikeCenter portal, and each package is roughly 1GB in size. Once you’ve downloaded and installed the appropriate packages, you won’t see a change in the total number of your security strikes. It will be exactly the same as before because all that’s happened with the malware strikepack updates is that malware binary images have been attached to the previous templatized placeholders for each. Although you won’t see a change in the total number of strikes after installing the malware strikepacks, there is still a simple way to validate that they have been installed correctly. Just pick one piece of malware from each of the seven packages, saving the results to a strike list, and run them through a security component across a piece of cable connecting two ports of your Ixia BreakingPoint unit. When the test is completed, you can analyze the report data and verify that strikes were allowed through the cable, or in the case that the packages have not been installed, that strikes were reported as “Errored.” Let’s walk through the entire process of creating and running this simple validation test.

3

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Methodology First, choose Managers > Strike Lists from the home screen:

In the Search box, enter “malware 00000000 package 00000001.” You’ll see precisely two results which cover the first two packages. Right-click on the results and choose “Add All Results”:

4

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

You’ll notice that the total number of strikes included is now displayed as 2 in the top right. Next, we change our search term to be “malware 00000002 package 00000003.” You’ll see precisely two more strikes. Right-click on the results and choose “Add All Results.” Your total count will now be four. Do this again using a search term of “malware package 00000004 package 00000005.” You’ll see precisely two more strikes. Right-click on the results and choose “Add All Results.” Your total count will now be six. You now have just one more to do, from package 6, so use the search term “malware 00000001 package 00000006.” You’ll see two search results here, but you only need the one from package 6, so left-click that one so that it turns yellow, and then right-click and choose “Add Strike.”

5

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

When that’s done, you’ll notice you now have seven strikes, precisely one from each of the seven packages. Save this seven-count strike list by selecting Strike List > Save As:

A dialog will prompt you for a name; let’s call it “Malware Package Validation.” Once you’ve done that, click on the “eye” icon in the top right to double-check that you’ve included one strike from each package:

Looks like we did a good job! We have one piece of malware from each of the seven packages (indexed 0-6), just like we wanted.

6

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Now we will reserve the two ports that we’ve externally connected with a piece of cable. To select the ports you’ve connected, click the green chassis icon on the top of the home screen, click on the two ports that you connected your cable to, and then close the chassis window:

Now we will create our test configuration. From the home screen select Test > New Test:

7

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Since we are just running across a piece of cable, the network addressing doesn’t really matter much, so we will leave the default setting of “BreakingPoint Switching” which will work just fine. In the Test Components section, click the “Add New” button and select a Security component, and the click Select:

A dialog will prompt you to enter the component name, which we’ll call “Malware Validation.” Once you’ve done that, click on the component name on the left to be able to configure it:

8

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

The basic security configuration screen is quite simple. In the upper left, you can change the name or add a description. In the Component Tags section, you can map the addressing from the default BreakingPoint Switching network neighborhood, and since we’re just on a loopback cable, leave the defaults as-is. On the right you can select the various security parameters. In this case we’ll use all of the default values, except that we want to use our created “Malware Package Validation” strike list. Click Browse and select it while entering a package search keyword to make it easier to find:

9

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Once you’ve selected the “Malware Package Validation” strike list, your test configuration shows it as selected:

10

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

Once you’ve clicked on the “Return to Test Workspace” button in the bottom of that screen, you simply have to save and run the test by clicking the “Save and Run” button in the bottom right. A dialog will ask for the name of the test, which we’ll call “Malware Package Validation,” then click “Save”:

Once the save operation finishes, the test will begin to initialize, which only takes a few seconds, after which it will immediately start to run. It will run very quickly, as it doesn’t take long for the malware binaries to propagate from the origination to the termination point across the loopback cable.

11

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

While the test is running, you can investigate the Attacks tab in the real time statistics to monitor progress:

In this case, all seven strikes were Errored! That means that this Ixia BreakingPoint box does not have any of the malware packages installed. You can also see a more detailed message as to the problem in the detailed report for the test:

12

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

If, on the other hand, the Ixia BreakingPoint unit had one or more of the malware packages installed, then at run-time you would actually get a warning that you must click Yes on to proceed. You might think that this is sufficient to ensure that the packages were correctly installed, but it is not. If any one of the packages had been correctly installed, this warning will be displayed, but it doesn’t tell you if all of them were correctly installed:

Once you click yes, the test will finish initializing and run. It runs very fast, so you’ll probably see the test completion dialog before you have a chance to go to the Attacks tab. That’s okay; you’ll note that the Test Criteria failed, because the default criteria expects that these security malware strikes would have been blocked by network security equipment in the path. That did not happen since we are running in a looped back environment – all of the attacks got right through. So once you click close on that window and choose the Attacks tab, you’ll see your results. In order to truly validate the results, you’ll need to investigate the full output report. Here, in this example, we determine that malware package 1 was successfully installed (as we report that the strike was allowed through the network under test which was just a simple piece of CAT6 cable between two ports):

13

26601 Agoura Road Calabasas, CA 91302 Tel + 1-818-871-1800 Fax + 1-818-871-1805 www.ixiacom.com P/N: 915-6577-01 Rev. A July 2013

After investigation of the remaining strikes, all are reported as Errored. For simplicity, we show only the last one, for package 6:

And so you now know that only one of the seven malware packages was installed, and that you’ll need to install the other six. After doing that, this test can be re-run to verify that all seven strikes lists are “Allowed” in the Strike Result field in the output report.