ISS Proventia A201 Test Results
| Test 1.1 – Attack Recognition | Attacks | Default ARR | Custom ARR |
|---|---|---|---|
| Test 1.1.1 - Backdoors | 5 | 5 | 5 |
| Test 1.1.2 - DNS | 2 | 2 | 2 |
| Test 1.1.3 - DOS | 11 | 9 | 11 |
| Test 1.1.4 - False negatives (modified exploits) | 7 | 7 | 7 |
| Test 1.1.5 - Finger | 4 | 4 | 4 |
| Test 1.1.6 - FTP | 4 | 3 | 4 |
| Test 1.1.7 - HTTP | 35 | 29 | 35 |
| Test 1.1.8 - ICMP | 2 | 2 | 2 |
| Test 1.1.9 - Reconnaissance | 10 | 10 | 10 |
| Test 1.1.10 - RPC | 2 | 1 | 2 |
| Total | 82 | 72 / 82 | 82 / 82 |
|
| Test 1.2 – Resistance to False Positives | Pass/Fail |
|---|---|
| Test 1.2.1 - Audiogalaxy FTP traffic | PASS |
| Test 1.2.2 - Normal directory traversal (below Web root) | PASS |
| Test 1.2.3 - MDAC heap overflow using GET instead of POST | PASS |
| Test 1.2.4 - Retrieval of Web page containing “suspicious” URLs | PASS |
| Test 1.2.5 - MSTREAM communications using invalid commands | PASS |
| Test 1.2.6 - Normal NetBIOS copy of “suspicious” files | PASS |
| Test 1.2.7 - Normal NetBIOS traffic | PASS |
| Test 1.2.8 - POP3 e-mail containing “suspicious” URLs | PASS |
| Test 1.2.9 - POP3 e-mail with “suspicious” DLL attachment | PASS |
| Test 1.2.10 - POP3 e-mail with “suspicious” Web page attachment | PASS |
| Test 1.2.11 - SMTP e-mail transfer containing “suspicious” URLs | PASS |
| Test 1.2.12 - SMTP e-mail transfer with “suspicious” DLL attachment | PASS |
| Test 1.2.13 - SMTP e-mail transfer with “suspicious” Web page attachment | PASS |
| Test 1.2.14 - SNMP V3 packet with invalid request ID | PASS |
| Total Passed | 14 / 14 |

Section 2 - NIDS Performance Under Load

| Test 2.1 – UDP traffic to random valid ports | 25Mbps | 50Mbps | 75Mbps | 100Mbps | Max |
|---|---|---|---|---|---|
| Test 2.1.1 - 64 byte packet test - max 148,000pps | 100% | 100% | 100% | 99% | 95Mbps |
| Test 2.1.2 - 440 byte packet test - max 26,000pps | 100% | 100% | 100% | 100% | 100Mbps |
| Test 2.1.3 - 1514 byte packet test - max 8172pps | 100% | 100% | 100% | 100% | 100Mbps |
|
| Test 2.2 – HTTP “maximum stress” traffic with no transaction delays | 25Mbps | 50Mbps | 75Mbps | 100Mbps | Max |
|---|---|---|---|---|---|
| Test 2.2.1 - Max 250 connections per second - ave packet size 1200 bytes - max 10,000 packets per second | 100% | 100% | 100% | 100% | 100Mbps |
| Test 2.2.2 - Max 500 connections per second - ave packet size 540 bytes - max 23,000 packets per second | 100% | 100% | 100% | 100% | 100Mbps |
| Test 2.2.3 - Max 1000 connections per second - ave packet size 440 bytes - max 28,000 packets per second | 100% | 100% | 100% | 100% | 100Mbps |
| Test 2.2.4 - Max 2000 connections per second - ave packet size 350 bytes - max 36,000 packets per second | 100% | 100% | 100% | 100% | 100Mbps |
|
| Test 2.3 – HTTP “maximum stress” traffic with transaction delays | 25Mbps | 50Mbps | 75Mbps | 100Mbps | Max |
|---|---|---|---|---|---|
| Test 2.3.1 - Max 500 connections per second - ave packet size 540 bytes - max 23,000 packets per second - 10 sec delay - max 5,000 open connections | 100% | 100% | 100% | 100% | 100Mbps |
| Test 2.3.2 - Max 1000 connections per second - ave packet size 440 bytes - max 10,000 packets per second - 10 sec delay - max 5,000 open connections | 100% | 100% | 100% | 100% | 100Mbps |
|
| Test 2.4 – Protocol mix | 250Mbps | 500Mbps | 750Mbps | 1Gbps | Max |
|---|---|---|---|---|---|
| Test 2.4.1 - 72% HTTP (540 byte packets) + 20% FTP + 4% UDP (256 byte packets). Max 38 connections per second - ave packet size 555 bytes - max 2,200 packets per second - max 14 open connections | 100% | 100% | 100% | 100% | 100Mbps |
|
| Test 2.5 – Real World traffic | 250Mbps | 500Mbps | 750Mbps | 1Gbps | Max |
|---|---|---|---|---|---|
| Test 2.5.1 - Pure HTTP (simulated browsing session on NSS Web site). Max 10 connections per second - 3 new users per second - ave packet size 1000 bytes - max 11,000 packets per second | 100% | 100% | 100% | 100% | 100Mbps |

Section 3 - Network IDS Evasion

| Test 3.1 – Evasion Baselines | Detected? |
|---|---|
| Test 3.1.1 - NSS Back Orifice ping | YES |
| Test 3.1.2 - Back Orifice connection | YES |
| Test 3.1.3 - FTP CWD root | YES |
| Test 3.1.4 - Fragroute baseline (test-cgi probe using HEAD) | YES |
| Test 3.1.5 - ISAPI printer overflow | YES |
| Test 3.1.6 - Showmount export lists | YES |
| Test 3.1.7 - Test CGI probe (/cgi-bin/test-cgi) | YES |
| Test 3.1.8 - PHF remote command execution | YES |
| Test 3.1.9 - Whisker baseline (test-cgi probe using HEAD) | YES |
| Total | 9 / 9 |
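The fragmentation and segmentation cases in Test 3.2 below (overlapping fragments that favour old or new data in 3.2.7 and 3.2.8, and 1-byte segments interleaved with bad-checksum duplicates in 3.2.9) all turn on one question: does the sensor rebuild the same byte stream the target host will? The short script that follows is an added illustration, not part of the NSS report or of ISS's product, and it makes two simplifying assumptions: offsets are plain byte offsets into a single stream (so the same logic stands in for IP fragment reassembly and TCP stream reassembly), and a bad TCP checksum is modelled by a `valid=False` flag on the segment rather than computed. The PHF request and the decoy request are constructed sample data.

```python
"""Added example (not part of the NSS report): how reassembly policy changes
what an IDS decodes when fragments or segments overlap, as exercised by the
fragroute-style cases in Test 3.2 (overlap favouring old/new data, 3.2.7 and
3.2.8; duplicate 1-byte segments with bad checksums, 3.2.9).

Assumptions: offsets are byte offsets into one stream, and a bad TCP
checksum is modelled by a `valid=False` flag rather than computed.
"""
from dataclasses import dataclass
from typing import Dict, List, Literal, Optional

Policy = Literal["favour_old", "favour_new"]


@dataclass(frozen=True)
class Segment:
    offset: int         # byte offset of this segment within the stream
    data: bytes
    valid: bool = True  # False = checksum would fail on a conforming host


def reassemble(segments: List[Segment], policy: Policy,
               drop_invalid: bool = True) -> Optional[bytes]:
    """Rebuild the stream from segments in arrival order.
    Returns None if a hole remains after all segments are applied."""
    buf: Dict[int, int] = {}
    for seg in segments:
        if drop_invalid and not seg.valid:
            continue                    # a conforming stack silently discards these
        for i, byte in enumerate(seg.data):
            pos = seg.offset + i
            if pos in buf and policy == "favour_old":
                continue                # keep the byte that arrived first
            buf[pos] = byte             # favour_new: later data overwrites
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:                 # some offset in 0..end-1 was never filled
        return None
    return bytes(buf[i] for i in range(end))


# Constructed sample data: the PHF probe from Test 3.1.8 and a same-length decoy.
ATTACK = b"GET /cgi-bin/phf HTTP/1.0\r\n"
DECOY = b"GET /cgi-bin/abc HTTP/1.0\r\n"


def overlap_demo() -> Dict[str, Optional[bytes]]:
    """Tests 3.2.7/3.2.8: decoy bytes first, then an overlapping segment with the real bytes."""
    segs = [
        Segment(0, DECOY[:16]),       # "GET /cgi-bin/abc"
        Segment(13, ATTACK[13:16]),   # "phf" overlaps offsets 13..15
        Segment(16, ATTACK[16:]),     # " HTTP/1.0\r\n", identical in both requests
    ]
    return {p: reassemble(segs, p) for p in ("favour_old", "favour_new")}


def bad_checksum_demo() -> Dict[str, Optional[bytes]]:
    """Test 3.2.9: 1-byte segments, each followed by a duplicate that carries a
    decoy byte and an invalid checksum."""
    segs: List[Segment] = []
    for i in range(len(ATTACK)):
        segs.append(Segment(i, ATTACK[i:i + 1]))
        segs.append(Segment(i, DECOY[i:i + 1], valid=False))
    return {
        "verifies_checksum": reassemble(segs, "favour_new", drop_invalid=True),
        "ignores_checksum_favour_new": reassemble(segs, "favour_new", drop_invalid=False),
        "ignores_checksum_favour_old": reassemble(segs, "favour_old", drop_invalid=False),
    }


if __name__ == "__main__":
    for name, result in {**overlap_demo(), **bad_checksum_demo()}.items():
        print(f"{name:28s} -> {result!r}")
```

Under `favour_old` the overlap case decodes to the harmless decoy request and under `favour_new` to the PHF probe; which of the two the real target sees depends on its IP stack, which is why the test suite exercises both policies and reports "Decoded?" separately from "Detected?". In the bad-checksum case a sensor that verifies checksums always recovers the attack, while one that skips verification recovers either the attack or the decoy depending on its overlap policy alone.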
|
| Test 3.2 – Packet Fragmentation/Stream Segmentation | Detected? | Decoded? |
|---|---|---|
| Test 3.2.1 - IP fragmentation - ordered 8 byte fragments | YES | YES |
| Test 3.2.2 - IP fragmentation - ordered 24 byte fragments | YES | YES |
| Test 3.2.3 - IP fragmentation - out of order 8 byte fragments | YES | YES |
| Test 3.2.4 - IP fragmentation - ordered 8 byte fragments, duplicate last packet | YES | YES |
| Test 3.2.5 - IP fragmentation - out of order 8 byte fragments, duplicate last packet | YES | YES |
| Test 3.2.6 - IP fragmentation - ordered 8 byte fragments, reorder fragments in reverse | YES | YES |
| Test 3.2.7 - IP fragmentation - ordered 16 byte fragments, fragment overlap (favour new) | YES | YES |
| Test 3.2.8 - IP fragmentation - ordered 16 byte fragments, fragment overlap (favour old) | YES | YES |
| Test 3.2.9 - TCP segmentation - ordered 1 byte segments, interleaved duplicate segments with invalid TCP checksums | YES | YES |
| Test 3.2.10 - TCP segmentation - ordered 1 byte segments, interleaved duplicate segments with null TCP control flags | YES | YES |
Test 3.2.11 - TCP segmentation - ordered 1 byte segments, interleaved duplicate segments with requests to resync sequence numbers mid-stream |