Mu Dynamics MU-4000 Service Analyzer

As every business, service provider and consumer product or service embraces IP-based technology from multiple vendors, previously isolated software bugs become network-accessible vulnerabilities or robustness issues that undermine reliability, availability or security. The Mu analyzer interacts with a service the way a real client would, identifies user-defined fault conditions or robustness issues in the product or service under test, and documents the remediation details, mapping the software weaknesses that cause service degradation or downtime in any IP-based product or service.

Mu Dynamics (www.mudynamics.com) created the proactive service assurance market and has been shipping its Mu analyzer since 2005. Service analyzers are now deployed in over 100 locations worldwide.


Figure 1 - Mu Dynamics: Mu-4000 Service Analyzer

Shipped as a dedicated 2U rack-mount appliance, the Mu-4000 provides two pairs of copper Gigabit ports for either in-line or endpoint analysis of two devices, two serial ports to control two external attack generators or monitor two target devices for failure during testing, two power receptacles to power-cycle two devices under test following a failure, management ports providing access to the Web-based management interface, and a three-line LCD display and menu button cluster for basic configuration tasks via the front panel. The Mu analyzer is controlled via a web-based user interface. Additionally, REST and WSDL APIs are available as standard features, as is integration with HP Quality Center for easy tracking of output (i.e., reports and analysis archives).

The Mu analyzer is suitable for use by end-users such as network operators or industrial control systems asset owners, or vendors of security or networking products or services, and of course test facilities such as NSS Labs. The goal is to provide a completely automated proactive service assurance workbench or platform which is capable of analyzing both in-line and endpoint solutions, by transmitting either service-level traffic variations or denial-of-service simulations, correlating the effects on the service in order to detect reliability, availability or security weaknesses in the service offered by the device under test (DUT).

As necessary, the Mu analyzer can power-cycle the affected device, providing a fully automated, lights-out analysis solution. Any issues are logged as they are isolated. The Mu analyzer produces reports and remediation data (e.g., executive summary reports, packet captures and Linux executables that enable the recipient to recreate the fault), which are stored in the internal database on the analyzer’s dual-drive RAID subsystem.

The Mu Analyzer Software Platform

The Mu analyzer leverages a common set of framework components across four interdependent “software blades.” These software blades are: Denial-of-Service Simulation, Service-Level Traffic Variations, Published Vulnerability Analysis and External Analysis.

The methodology behind the Mu analyzer, regardless of which blade is involved, is to use valid or invalid service-level traffic to probe target applications and devices for both known and unknown software weaknesses, while correlating the effects on the target with the precise traffic that undermines reliability, availability or security and so results in service degradation or downtime.


Figure 2 - Mu Security: Mu-4000 Architecture

The automation capabilities common to all analysis types deliver several key correlation processes: recognizing a fault (monitoring the target and isolating fault conditions), generating remediation tools (to be given to the target product’s developer), and regression (verifying that a fix is effective).

Service-Level Traffic Variations

The first “software blade” shipped within the Mu analyzer thoroughly searches any protocol (service interface) for implementation flaws and provides actionable documentation necessary to expedite a fix by the developer. To Mu Dynamics, a “protocol” includes any structured data exchanged between two or more computers. For example, the JPEG and MS-Word file formats are equally legitimate protocols alongside networking protocols like HTTP, SIP or SMTP. Over 50 protocols are supported at the time of writing.


Figure 3 - Mu Dynamics: Service-Level Traffic Variations (Mutations)

A robust protocol implementation is one that is able to avoid service degradation or downtime no matter what bizarre traffic real-world network devices throw at it. In short, robust implementations are ones that expect the unexpected. The Mu analyzer is a source of a wide variety of unexpected traffic, delivered in very precise doses. The analyzer also collects service-level response-time data from its valid interactions with the service (periodic health checks), so that the full effect of invalid traffic on the service is exposed (service degradation), not just the isolated events where a fault occurred (downtime).

The Adaptive Analysis capability allows the tester to tailor the same core set of service-level traffic variations to their choice of transport and authentication methods supported by the target (not all targets will support all possible transports, but to the extent that a target supports multiple transports, the test results should be comparable across different transports). For example, HTTP was defined over TCP but now it is commonly used over UDP in certain applications, such as SOAP and UPnP, so Adaptive Analysis allows the Mu analyzer to seamlessly extend HTTP test cases over any valid transport. Finally, most higher-layer protocols are able to run over IPv4 or IPv6 at the user’s discretion.

The service-level traffic variations module allows interactions with a target in two modes: Client (or Endpoint) mode, where traffic is sent directly at a target, or Client&Server (or Passthrough) mode, where the test cases are sent through a target, returning to the analyzer itself. In this mode, the Mu analyzer acts as both the client and the server, maintaining both ends of a protocol conversation so the intermediate device — modelled as either a transparent layer-2 (transparent bridge) or layer-3 (router) device — is able to track valid protocol state during the transmission of the traffic variations. The Mu analyzer even supports passthrough targets that have NAT enabled.
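The following added example (not Mu Dynamics code, and not a description of the analyzer's internals) illustrates the workflow described in this section in Python against a constructed in-process target: it derives systematic field-level variations from a valid request template, delivers each one, follows it with a timed valid-traffic health check, classifies the effect as degradation or downtime, keeps the triggering bytes as a reproducer, and replays the reproducers as a regression check against a "fixed" build. The ToyService and its planted weaknesses, the request template, the OVERLONG size and the 20 ms degradation threshold are all assumptions made for the illustration.

```python
"""Mutation-based robustness analysis with interleaved health checks (added
illustration, not Mu Dynamics code): derive invalid variations of a valid
message, send each, follow it with a timed valid-traffic health check, classify
the effect as OK / DEGRADED / DOWN, keep the triggering bytes as a reproducer,
and replay reproducers as a regression check. Everything here is constructed."""
import time
from dataclasses import dataclass

OVERLONG = 200_000   # assumption: long enough to trip the planted slowdown
DEGRADE_MS = 20.0    # assumption: health-check latency above this counts as degradation


class ToyService:
    """Constructed stand-in for the device under test: a tiny HTTP-like parser with
    two planted weaknesses. fixed=True behaves like a patched build."""

    def __init__(self, fixed=False):
        self.alive, self.fixed, self.seen_bytes = True, fixed, 0

    def handle(self, request: bytes) -> bytes:
        if not self.alive:
            raise ConnectionError("no response")
        try:
            text = request.decode("ascii")
        except UnicodeDecodeError:
            return b"400 Bad Request"                 # handled cleanly: no finding expected
        request_line, _, header_block = text.partition("\r\n")
        malformed = len(request_line.split(" ")) != 3 or any(
            ":" not in h for h in filter(None, header_block.split("\r\n")))
        if malformed and self.fixed:
            return b"400 Bad Request"
        if malformed:                                 # planted: parse error kills the service
            self.alive = False
            raise ConnectionError("crashed")
        if not self.fixed:                            # planted: work grows with all bytes ever seen
            self.seen_bytes += len(request)
            time.sleep(min(0.05, self.seen_bytes / 2_000_000))
        return b"200 OK"


TEMPLATE = {"line": ["GET", "/", "HTTP/1.1"],
            "headers": [("Host", "example.test"), ("Content-Length", "0")]}
LINE_FIELDS = ("method", "path", "version")


def encode(line_fields, header_lines) -> bytes:
    text = " ".join(line_fields) + "\r\n" + "".join(h + "\r\n" for h in header_lines) + "\r\n"
    return text.encode("latin-1")                     # latin-1 keeps an injected \xff as a raw byte


def mutations(template):
    """Yield (case name, request bytes): one systematic variation per field and kind."""
    line, headers = template["line"], template["headers"]
    base = [f"{n}: {v}" for n, v in headers]
    for i, fname in enumerate(LINE_FIELDS):
        yield f"{fname}:drop", encode(line[:i] + line[i + 1:], base)
        yield f"{fname}:overlong", encode(line[:i] + ["A" * OVERLONG] + line[i + 1:], base)
        yield f"{fname}:nonascii", encode(line[:i] + [line[i] + "\xff"] + line[i + 1:], base)
    for i, (n, v) in enumerate(headers):
        for kind, hline in (("overlong", f"{n}: {'A' * OVERLONG}"),
                            ("no-colon", f"{n} {v}"), ("empty-name", f": {v}")):
            yield f"{n}:{kind}", encode(line, base[:i] + [hline] + base[i + 1:])


@dataclass
class Finding:
    case: str
    effect: str         # "DEGRADED" or "DOWN"
    health_ms: float
    reproducer: bytes   # the exact traffic that preceded the fault


def deliver_and_check(service, request, valid):
    """Send one request (its own reply is not the signal), then a timed health check."""
    try:
        service.handle(request)
    except Exception:
        pass
    t0 = time.perf_counter()
    try:
        service.handle(valid)
    except ConnectionError:
        return "DOWN", 0.0
    ms = (time.perf_counter() - t0) * 1000
    return ("DEGRADED" if ms > DEGRADE_MS else "OK"), ms


def run_analysis(service_factory, template=TEMPLATE):
    """Run every variation; on a fault record the reproducer and restart the service
    (the power-cycle step) so that the next case is judged in isolation."""
    valid = encode(template["line"], [f"{n}: {v}" for n, v in template["headers"]])
    service, findings = service_factory(), []
    for case, request in mutations(template):
        status, ms = deliver_and_check(service, request, valid)
        if status != "OK":
            findings.append(Finding(case, status, ms, request))
            service = service_factory()
    return findings


def regression(service_factory, findings, template=TEMPLATE):
    """Replay each reproducer against a fresh service; return the cases that still fail."""
    valid = encode(template["line"], [f"{n}: {v}" for n, v in template["headers"]])
    return [f.case for f in findings
            if deliver_and_check(service_factory(), f.reproducer, valid)[0] != "OK"]


if __name__ == "__main__":
    found = run_analysis(ToyService)
    for f in found:
        print(f"{f.case:<24} {f.effect:<9} health {f.health_ms:6.1f} ms")
    print("still failing after fix:", regression(lambda: ToyService(fixed=True), found))
```

Against the unfixed toy, every dropped request-line field and every header without a colon shows up as DOWN, every overlong field as DEGRADED, and the non-ASCII and empty-name cases produce no finding because the target handles them cleanly; the regression pass against `ToyService(fixed=True)` returns an empty list. The harness never judges the target by its reply to the bad input itself, only by the health check that follows, which is what separates degradation from downtime.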

Denial-of-Service (DoS) Simulation

The Denial of Service (DoS) software “blade” allows characterization of the effects on a service when stateless traffic is sent at specific rates. Experience has shown that devices suffer considerable service degradation at far less than “wire speed” when presented with unusual traffic patterns. Whereas service-level traffic variations are about exercising individual service interfaces using a wide range of stateful variations in protocols, DoS analysis probes service transaction limits in processing large amounts of stateless traffic.

The DoS module comprises the stateless packet structure, the traffic pattern and a service monitor used to characterize the effect on the service. Stateless packets from layer-2 through layer-7 can be easily modeled using the intuitive editor. Various parts of each stateless packet can also be randomized to generate arbitrary variations of that packet. Over 40 templates that recreate well-known attacks (e.g., SYN flood, SIP INVITE flood, Slammer worm, Ping of Death) ship with the analyzer.

DoS traffic is transmitted statelessly against a service, and the configured instrumentation is used to assess the effects on the ongoing health of that service. To create custom packets for arbitrary protocols, the DoS module can also import packet captures, which are then used to model the stateless packet.

Published Vulnerability Analysis

The Published Vulnerability Analysis (PVA) software “blade” within the Mu analyzer platform offers a continuously growing list of established vulnerabilities (more than 1100 at the time of writing, increasing on average by five per week). PVA users are able to determine whether a signature is actually effective at blocking an attack, and to be aware of the existence of any attacks that are not blocked by the DUT. The Mu analyzer performs automated audits on a device to validate that known bad traffic is blocked.


Figure 3 - Mu Dynamics: Published Vulnerability Analysis (PVA)

The PVA subscription mirrors the latest real-world attacks found in the wild on the Internet and is augmented on an approximately monthly basis. PVA operates in passthrough mode, so it is especially suited to verifying the proper operation of signatures within any in-line signature-based security enforcement device, such as Intrusion Prevention Systems (IPS), advanced firewalls and Unified Threat Management (UTM) systems.
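As an added example (not Mu Dynamics code and not the actual PVA feed), the Python below replays a library of constructed, labelled samples through a toy regex-based inline filter standing in for a signature-based IPS. The audit reports which samples reach the protected host unblocked, which rules never fire, and whether valid control traffic for each protocol is wrongly blocked, which is the passthrough-mode check this section describes. The sample ids (PVA-EXAMPLE-nnn), payloads, protocols and rules are placeholders invented for the illustration.

```python
"""Signature-efficacy audit in passthrough mode (added illustration, not Mu
Dynamics code). A library of labelled samples is replayed through an inline
filter standing in for a signature-based IPS; the audit records which samples
reach the protected host unblocked, confirms that valid control traffic still
passes, and reports per-rule hits. All samples, ids and rules are constructed."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sample:
    id: str            # placeholder catalogue id, not a real vulnerability identifier
    protocol: str
    payload: bytes
    note: str


# Constructed sample library standing in for the published-vulnerability feed.
LIBRARY = [
    Sample("PVA-EXAMPLE-001", "smtp", b"HELO " + b"A" * 600 + b"\r\n", "overlong HELO argument"),
    Sample("PVA-EXAMPLE-002", "http", b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n\r\n", "overlong URI"),
    Sample("PVA-EXAMPLE-003", "sip", b"INVITE sip:a@b SIP/2.0\r\nVia: " + b"B" * 800 + b"\r\n\r\n",
           "overlong Via header"),
    Sample("PVA-EXAMPLE-004", "dns", b"\x00\x01\x3f" + b"C" * 63 + b"\x3f" + b"C" * 300, "oversized label"),
]
# Valid traffic per protocol: the audit must confirm this is NOT blocked.
CONTROLS = {"smtp": b"HELO mail.example.test\r\n",
            "http": b"GET /index.html HTTP/1.1\r\n\r\n",
            "sip": b"OPTIONS sip:a@b SIP/2.0\r\n\r\n",
            "dns": b"\x00\x01\x07example\x04test\x00"}
# Constructed inline filter: each rule is (name, regex over the raw bytes).
RULES = [
    ("smtp-helo-overlong", re.compile(rb"^HELO [^\r\n]{256,}", re.M)),
    ("http-uri-overlong", re.compile(rb"^GET [^ \r\n]{2048,}", re.M)),
    ("sip-via-overlong", re.compile(rb"^Via: [^\r\n]{1024,}", re.M)),  # threshold misses sample 003
]


def inline_filter(rules, payload):
    """Return the name of the first rule that blocks the payload, or None if it is forwarded."""
    return next((name for name, rx in rules if rx.search(payload)), None)


@dataclass
class AuditReport:
    blocked: dict = field(default_factory=dict)          # sample id -> blocking rule
    not_blocked: list = field(default_factory=list)      # sample ids that reached the host
    false_positives: list = field(default_factory=list)  # protocols whose control was blocked
    rule_hits: dict = field(default_factory=dict)        # rule name -> samples it blocked

    def coverage(self) -> float:
        total = len(self.blocked) + len(self.not_blocked)
        return len(self.blocked) / total if total else 0.0


def audit(rules, library=LIBRARY, controls=CONTROLS) -> AuditReport:
    """Replay every sample and every control through the filter and tally the outcome."""
    rep = AuditReport(rule_hits={name: 0 for name, _ in rules})
    for s in library:
        hit = inline_filter(rules, s.payload)
        if hit:
            rep.blocked[s.id] = hit
            rep.rule_hits[hit] += 1
        else:
            rep.not_blocked.append(s.id)
    for proto, payload in controls.items():
        if inline_filter(rules, payload):
            rep.false_positives.append(proto)
    return rep


def render(rep, library=LIBRARY) -> str:
    """Plain-text report: coverage, unblocked samples, silent rules, false positives."""
    notes = {s.id: f"{s.protocol}: {s.note}" for s in library}
    total = len(rep.blocked) + len(rep.not_blocked)
    lines = [f"coverage {rep.coverage():.0%} ({len(rep.blocked)} of {total} samples blocked)"]
    lines += [f"  NOT BLOCKED {sid} ({notes[sid]})" for sid in rep.not_blocked]
    lines += [f"  rule {name}: {n} hit(s)" + ("  <- never fired" if n == 0 else "")
              for name, n in rep.rule_hits.items()]
    lines += [f"  FALSE POSITIVE: valid {p} traffic blocked" for p in rep.false_positives]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(audit(RULES)))
```

With the constructed data, two samples are blocked, the SIP sample passes because the rule's length threshold is higher than the sample's header, and the DNS sample passes because no rule covers that protocol at all; the report distinguishes the two kinds of gap (an ineffective signature versus a missing one) and confirms that none of the valid control messages is blocked.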

External Analysis

In the External Analysis “blade” the source of third-party attacks is under control of the analyzer, but is outside the analyzer in an external host known as the Generator.

Connected to both the Generator and the target host (which may be the DUT itself, or a host protected by the DUT), the Mu analyzer automates the creation of the attacks by executing commands or scripts at the source, submitting one command at a time while using a different command (on a second port) to verify that the target host is still functional. The analyzer can issue attacks by number, read them from a list, or load them from a file.

In External Analysis, the Mu analyzer inserts itself between the attack tool (Generator) and the target host, acting as a transparent bridge between them. The Generator is the source of traffic and the target is the receiver; the Mu analyzer drives the Generator (running a custom attack tool, or one of many open source tools such as nmap, nessus, ISIC, protos, etc.) in a methodical lock-step manner. Attack generation operates identically to service-level traffic variations to facilitate fault inspection and fault isolation: the analyzer monitors the target’s responses to the attacks and the success or failure of its instrumentation. Here the instrumentation consists of health check tests, i.e., commands that the Mu analyzer runs on the Generator to cause some interaction between the Generator and the target, the output of which establishes whether the target is still healthy.

Conclusion

Service Analyzers are in active use at dozens of network equipment manufacturers and at a similar number of end-users such as network operators and large enterprises throughout the respective product development and deployment life cycles. These organizations proactively establish service readiness before products are shipped or deployed. Service Analyzers form the foundation of the proactive service assurance process, providing actionable reporting and documentation throughout the development and deployment life cycles.

Copyright ©2008 by NSS Labs. All Rights Reserved.