Mu Security MU-4000 Security Analyser
As every business, service provider and consumer product or service gains complexity and connectivity, previously isolated software bugs expand to become network-accessible vulnerabilities or robustness issues. These issues occur in implementations of the many protocols that run over IP (IPv4 or IPv6). By mapping and documenting the attack vectors and robustness shortcomings of an IP-based product or service, a Security Analyser identifies and documents remediation details for user-defined fault conditions or robustness issues found within the product or service under test.

Mu Security (www.musecurity.com) created the new security analyser market and has been shipping its Mu-4000 Security Analyser since 2005.


Figure 10 - Mu Security: Mu-4000 Security Analyser

Shipped as a dedicated 2U rack-mount appliance, the Mu-4000 provides:
  • two pairs of copper Gigabit ports, for both in-line and endpoint analysis of two devices
  • two serial ports, to control two external attack generators or to monitor two target devices for failure during testing
  • two power receptacles, so that two devices under test can be power-cycled following a failure
  • management ports giving access to the Web-based management interface
  • a three-line LCD display and menu button cluster for basic configuration tasks via the front panel

The goal is a completely automated security analysis device capable of analysing both in-line and endpoint solutions, controlling external attack-generating tools, detecting vulnerabilities or robustness issues in the device under test (DUT), isolating and documenting those issues, and automatically power-cycling the DUT or other target devices should the analysis cause either to fail; in short, a fully automated, end-to-end security analysis tool suitable for use by vendors of security or networking products or services, end-users, and test facilities such as NSS.

The Mu-4000 platform offers three interdependent “software blades” leveraging a common set of framework components. These three security analysis software blade options are: Mutation Analysis, Published Vulnerability Analysis, and External Analysis.

The methodology behind the Mu-4000, regardless of which blade is involved, is to probe target applications and devices for both known and unknown vulnerabilities. Targets are monitored using flexible user-defined fault criteria in a highly automated fashion allowing the Mu-4000 to identify and document security or robustness issues, and characterise the relative security of a product.


Figure 11 - Mu Security: Mu-4000 Architecture

The automation capabilities common to all three analysis types deliver many key security analysis processes including recognising a fault (monitoring the target; isolating fault conditions), generating remediation tools (to be given to the target product’s developer), and regression (verifying a fix is effective). Each type of analysis also offers the user one or more attack modes - for example, endpoint mode and passthrough mode.

Mutation Analysis
The first “blade” to ship within the Security Analyser - Mutation Analysis - thoroughly searches for any protocol implementation flaws and provides actionable documentation necessary to expedite a fix by the developer. An implementation that can tolerate receiving these comprehensive “attacks” would also be able to survive receiving packets from other implementations that do not follow the relevant specifications by virtue of poor design or badly implemented code.

To Mu Security, a “protocol” includes any structured data exchanged between two or more computers. For example, the JPEG and MS-Word file formats are equally legitimate protocols alongside networking protocols like HTTP, SIP or SMTP. Over 50 protocols are supported at the time of writing.

The Adaptive Analysis capability allows the tester to tailor dynamically the same core set of protocol mutations to their choice of transport and authentication methods supported by the target. All protocols offer different degrees of “adaptability” depending on the specifications and on common industry practices. For example, HTTP was defined over TCP but now it is commonly used over UDP in certain applications, such as SOAP and UPnP, and Adaptive Analysis allows the Mu-4000 to seamlessly extend HTTP mutations over any valid transport.

Mu Security offers a comprehensive suite of non-functional test cases (i.e. traffic which is non-compliant with the relevant protocol RFCs) for each protocol, along with intelligent automation for hands-off testing. Typical test cases would include:
  • Correctly formatted packets received in the wrong state
  • Semantically incorrect packets from a broken implementation
  • Packets that are invalid (individually, or in any protocol state)
  • Packet flows that are incorrect due to the actions of intermediate devices (dropped, corrupted, badly fragmented, truncated, reordered, etc.)
The Mu-4000’s Mutation Analysis capability goes far beyond transmitting mangled packets in a stateless manner (as a tool like ISIC might do). Instead, mutations cover all the packets that would be valid in all states of the protocol’s state machine. Until Security Analysers like the Mu-4000 existed, it was virtually impossible to generate a sufficiently comprehensive set of traffic to thoroughly exercise an implementation’s ability to reject invalid input for a given protocol.
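As an added illustration (not Mu Security's code and not a real Mu-4000 protocol pack), the Python script below builds the four classes of test case listed above for a constructed four-state toy protocol. Each case is a full message sequence that first drives a fresh target into the relevant state and then delivers the mutation, which is what makes the corpus state-aware rather than a stateless packet mangler. The cases are run against a deliberately weak in-process parser under user-defined fault criteria (an exception, or acceptance of an invalid message). The TOY protocol, ToyServer and the fault criteria are all assumptions of the example.

```python
"""State-aware mutation corpus for a constructed toy protocol, run against a
deliberately weak in-process parser. Everything here (the TOY protocol, ToyServer,
the fault criteria) is constructed for this example; none of it is Mu-4000 code."""

# Which commands a conforming peer may send in each protocol state (constructed).
VALID_IN_STATE = {
    "INIT": {"HELLO"},
    "HELLO": {"AUTH"},
    "AUTH": {"DATA", "BYE"},
    "DATA": {"DATA", "BYE"},
}
STATE_ORDER = ["INIT", "HELLO", "AUTH", "DATA"]
# One well-formed instance of each command, and the canonical valid session.
TEMPLATES = {"HELLO": b"HELLO alice", "AUTH": b"AUTH s3cr3t",
             "DATA": b"DATA 5 hello", "BYE": b"BYE"}
VALID_FLOW = [TEMPLATES["HELLO"], TEMPLATES["AUTH"], TEMPLATES["DATA"], TEMPLATES["BYE"]]


def reach(state):
    """Prefix of the valid session that drives a fresh target into `state`."""
    return VALID_FLOW[:STATE_ORDER.index(state)]


def corpus():
    """Build the four mutation classes the text lists, each as a full message sequence."""
    cases = []
    # 1. correctly formatted commands delivered in a state where they are not valid
    for state, allowed in VALID_IN_STATE.items():
        for cmd, msg in TEMPLATES.items():
            if cmd not in allowed:
                cases.append(("wrong_state", state, reach(state) + [msg]))
    # 2. well-formed syntax whose field values contradict the spec or each other
    cases += [("semantic", "AUTH", reach("AUTH") + [b"DATA 3 hello"]),   # length != payload
              ("semantic", "AUTH", reach("AUTH") + [b"DATA -1 hello"]),  # negative length
              ("semantic", "HELLO", reach("HELLO") + [b"AUTH "])]        # empty credential
    # 3. structurally invalid packets, tried in every state
    broken = [b"", b"DATA", b"DATA abc hello", b"FROB 1",
              b"DATA " + b"9" * 40 + b" x", b"\xff\xfe HELLO"]
    cases += [("invalid", st, reach(st) + [m]) for st in STATE_ORDER for m in broken]
    # 4. a valid session mangled in transit: dropped, duplicated, truncated, reordered
    for i, msg in enumerate(VALID_FLOW):
        before, after = VALID_FLOW[:i], VALID_FLOW[i + 1:]
        cases.append(("flow_drop", STATE_ORDER[i], before + after))
        cases.append(("flow_dup", STATE_ORDER[i], before + [msg, msg] + after))
        cases.append(("flow_trunc", STATE_ORDER[i], before + [msg[:len(msg) // 2]] + after))
    for i in range(len(VALID_FLOW) - 1):
        swapped = list(VALID_FLOW)
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        cases.append(("flow_reorder", STATE_ORDER[i], swapped))
    return cases


class ToyServer:
    """Constructed target with two robustness defects: it enforces no state machine,
    and it trusts the DATA length/format without validation."""

    def handle(self, msg):
        parts = msg.decode("ascii").split(" ")      # UnicodeDecodeError on non-ASCII
        cmd = parts[0]
        if cmd in ("HELLO", "AUTH", "BYE"):
            return b"OK"                            # accepted regardless of state
        if cmd == "DATA":
            length = int(parts[1])                  # IndexError / ValueError on bad input
            return b"OK " + parts[2][:length].encode("ascii")
        return b"ERR"


def fault_criteria(kind, replies, exc):
    """User-defined fault criteria: any exception is a crash; for single-message
    mutations, answering OK to the mutated message means invalid input was accepted."""
    if exc is not None:
        return "crash"
    if not kind.startswith("flow") and replies[-1].startswith(b"OK"):
        return "accepted_invalid"
    return None


def analyse(cases=None):
    """Run every case against a fresh target and collect findings for the report."""
    findings = []
    for kind, state, messages in (cases or corpus()):
        target, replies, exc = ToyServer(), [], None
        for msg in messages:
            try:
                replies.append(target.handle(msg))
            except Exception as e:      # the monitor treats any exception as a crash
                exc = f"{type(e).__name__} on {msg!r}"
                break
        fault = fault_criteria(kind, replies, exc)
        if fault:
            findings.append({"kind": kind, "state": state, "fault": fault,
                             "detail": exc or repr(messages[-1])})
    return findings


if __name__ == "__main__":
    for f in analyse():
        print(f"{f['fault']:17} {f['kind']:13} in {f['state']:5}: {f['detail']}")
```

Running the script reports 30 findings from 52 cases: the parser accepts every command regardless of state, accepts contradictory DATA lengths, crashes on three of the structurally invalid packets in every state, and crashes on a DATA message truncated in transit. Against a real target the in-process call would be replaced by the transport, and the monitor would watch the DUT through a serial console or a health probe instead of catching exceptions.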

Mutation Analysis is equally useful against a target (Endpoint mode) or through a target (Passthrough mode). The latter capability involves the Mu-4000 maintaining both ends of a protocol conversation so the intermediate device (modelled as either a transparent layer-2 (bridge) or layer-3 (router) device) is able to track valid protocol state during the transmission of the mutations.

Published Vulnerability Analysis
The Published Vulnerability Analysis (PVA) software “blade” within the Mu-4000 platform offers a continuously growing list of established vulnerabilities (more than 550 at the time of writing, increasing on average by eight per week). The PVA subscription mirrors the latest real-world attacks found in the wild on the Internet, and is augmented on an approximately bi-weekly basis.

Mu-4000 users with PVA are able to analyse whether a signature is actually effective at blocking an attack, and to be aware of the existence of any attacks that are not blocked by the DUT. The Mu-4000 performs automated audits on a device to validate that known bad traffic is blocked.

PVA operates in passthrough mode, so it is especially suited to verify the proper operation of any in-line network security enforcement devices such as Intrusion Prevention Systems (IPS), content-aware security gateways, deep-inspection firewalls, Unified Threat Management (UTM) systems, and so on.
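The audit described above, as an added example that is not part of the original review or of Mu Security's product: a passthrough check in which each known-bad sample is sent through a simulated in-line device and the far-side receiver reports whether it arrived. The device, its signature set, the sample identifiers and the benign traffic are all constructed for the example, and the audit also records benign traffic the device wrongly drops, since an enforcement device has to get both directions right.

```python
"""Passthrough audit of an in-line enforcement device, in the spirit of the PVA
description above. The DUT, its signature set, the 'known bad' samples and the
benign samples are all constructed for this example; nothing here is Mu-4000
code or a real PVA entry."""


class SimInlineDut:
    """Constructed stand-in for an IPS/UTM in the path: drops any packet that
    contains one of its signatures, forwards everything else unchanged."""

    def __init__(self, signatures):
        self.signatures = list(signatures)

    def forward(self, packet):
        return None if any(sig in packet for sig in self.signatures) else packet


# Constructed corpus: identifier -> sample the device is expected to block.
KNOWN_BAD = {
    "PVA-EX-0001": b"GET /app?q=EXAMPLE-PATTERN-ONE HTTP/1.0",
    "PVA-EX-0002": b"POST /login user=EXAMPLE-PATTERN-TWO",
    "PVA-EX-0003": b"GET /feed?id=EXAMPLE-PATTERN-THREE HTTP/1.0",
}
# Constructed traffic the device must keep forwarding.
BENIGN = [b"GET /index.html HTTP/1.0", b"POST /login user=alice"]


def audit(dut, known_bad=KNOWN_BAD, benign=BENIGN):
    """Send each sample through the DUT and let the far-side receiver decide.
    A useful audit records both gaps (known-bad traffic that arrived) and
    collateral damage (benign traffic that did not)."""
    def arrived(packet):
        return dut.forward(packet) is not None

    unblocked = [ident for ident, pkt in known_bad.items() if arrived(pkt)]
    false_positives = [pkt for pkt in benign if not arrived(pkt)]
    return {"blocked": len(known_bad) - len(unblocked),
            "unblocked": unblocked, "false_positives": false_positives}


if __name__ == "__main__":
    # One precise signature, one over-broad one, and no signature for the third sample.
    dut = SimInlineDut([b"EXAMPLE-PATTERN-ONE", b"POST /login"])
    print(audit(dut))
    # {'blocked': 2, 'unblocked': ['PVA-EX-0003'], 'false_positives': [b'POST /login user=alice']}
```

The over-broad second signature illustrates why the benign set belongs in the audit: it blocks sample 0002, but only because it blocks every login request, including the legitimate one.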

External Analysis
In the Mu-4000’s External Analysis “blade” the source of third-party attacks is under control of the Mu-4000, but is outside the Mu-4000 in an external host known as the Generator.


Figure 12 - Mu Security: Mu-4000 External Analysis

Connected to both the Generator and the target host (which may be the DUT itself, or a host protected by the DUT), the Mu-4000 automates the creation of the attacks by executing commands or scripts at the source, submitting one command at a time while using a different command (on a second port) to verify that the target host is still functional. The Mu-4000 can issue attacks by number, read them from a list, or load them from a file.


In External Analysis, the Mu-4000 inserts itself between the attack tool (Generator) and the target host as a bridge. The Generator becomes the source of attacks and the target is the receiver, and the Mu-4000 drives the Generator in a methodical lock-step manner (the Generator can be running a custom attack tool, or one of many open source tools such as nmap, nessus, ISIC, protos, etc.). The attack generation is controlled to facilitate fault inspection and fault isolation by monitoring the target’s responses to the attacks and the success or failure of instrumentation (tests that run on the Generator and are used to determine the continued health of the target).
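The lock-step procedure described in the two paragraphs above, as an added example that is not part of the original review or of Mu Security's product: one entry from a list is issued to the Generator at a time, an instrumentation check runs after each, a failed check isolates the entry that caused it and triggers a power cycle, and a regression pass re-runs only the isolated entries after a fix. The Generator, the target (with a constructed robustness defect that hangs it on an overlong request line), the list format and the power-cycle hook are all simulated in-process and are assumptions of the example.

```python
"""Lock-step External Analysis driver: one command at a time to the Generator,
an instrumentation check after each, fault isolation, automatic power cycle and
a regression pass. The Generator, the target and the attack list are simulated
in-process and are constructed for this example; nothing here is Mu-4000 code."""


class SimTarget:
    """Constructed stand-in for the target host (the DUT or a host behind it).
    Its robustness defect: a request line longer than its buffer hangs it until
    it is power-cycled. Setting `patched` models the developer's fix."""
    MAX_REQUEST = 64

    def __init__(self):
        self.alive, self.patched, self.power_cycles = True, False, 0

    def receive(self, request):
        if self.alive and len(request) > self.MAX_REQUEST and not self.patched:
            self.alive = False

    def health_check(self):
        """Instrumentation: the analyser's second port asks 'are you still there?'."""
        return self.alive

    def power_cycle(self):
        """Models the analyser's switched power receptacle."""
        self.alive, self.power_cycles = True, self.power_cycles + 1


class SimGenerator:
    """Constructed stand-in for the Generator host: run(n) executes entry n of its
    list against the target, as a command issued over the serial port would."""

    def __init__(self, target, attacks):
        self.target, self.attacks = target, attacks

    def run(self, index):
        self.target.receive(self.attacks[index])


def load_attack_list(text):
    """Parse a 'load them from a file' style list: one entry per line, '#' comments."""
    return [line.encode() for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def lockstep(generator, instrumentation, on_failure, indices):
    """Issue one command, then check the target; a failed check isolates the
    entry that caused it, triggers recovery, and the run continues so every
    entry is exercised. Returns the indices that caused a failure."""
    findings = []
    for i in indices:
        generator.run(i)
        if instrumentation():
            continue
        findings.append(i)
        on_failure()
        if not instrumentation():
            raise RuntimeError(f"target did not recover after entry {i}")
    return findings


def regression(generator, instrumentation, on_failure, findings):
    """Re-run only the isolated entries after a fix; an empty result verifies it."""
    return lockstep(generator, instrumentation, on_failure, findings)


# Constructed request list in the file format load_attack_list() expects.
ATTACK_LIST_TEXT = "\n".join([
    "# constructed request list, one entry per line",
    "GET / HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /" + "A" * 120 + " HTTP/1.0",   # overlong request line (134 bytes)
    "HEAD / HTTP/1.0",
])


def demo():
    """Full cycle: analysis run, fault isolation, fix, regression. Returns a summary."""
    target = SimTarget()
    generator = SimGenerator(target, load_attack_list(ATTACK_LIST_TEXT))
    found = lockstep(generator, target.health_check, target.power_cycle,
                     range(len(generator.attacks)))
    target.patched = True                       # developer applies the remediation
    still_failing = regression(generator, target.health_check, target.power_cycle, found)
    return {"isolated": found, "power_cycles": target.power_cycles,
            "after_fix": still_failing}


if __name__ == "__main__":
    print(demo())   # {'isolated': [2], 'power_cycles': 1, 'after_fix': []}
```

Because the health check runs after every single entry, the run attributes the failure to entry 2 alone rather than to "somewhere in the list", which is what makes the remediation report actionable; the same loop, fed the isolated indices after the fix, is the regression step.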

By adopting Security Analysers throughout product development or deployment life cycles, vendors and end-users can proactively explore successive new attack vectors before they are exploited maliciously. Moving beyond Penetration Testers or VA Scanners for finding known vulnerabilities or unpatched systems, Security Analysers can form the foundation of the process of security and robustness testing, providing actionable reporting and documentation that can expedite a developer’s remediation efforts.
 
Copyright ©2008 by NSS Labs All Rights Reserved.