Cyber Security

Benchmarking Network Security Device Performance with Open Standards

Author:

As a founding member of NetSecOPEN, Spirent has been an active participant in the NetSecOPEN forum, driving new methodology specifications. Read about best practices for validating network performance and security efficacy with open standards.

NetSecOPEN is a non-profit organization with the mission to establish open standards in performance and security testing. These efforts have evolved significantly with the ratification of RFC 9411 (Benchmarking Methodology for Network Security Device Performance). The latest version of NetSecOPEN testing includes standards-based test cases for RFC 9411 as well as exploits, malware samples, evasion techniques, and multiple industry-specific application traffic mixes. These additions are intended to validate performance and application identification (app ID) across new sets of real-world traffic scenarios, assess vulnerability catch rates with and without traffic obfuscation, and determine device effectiveness in dealing with both non-malicious and malicious traffic. These capabilities help align test methodologies with the increasingly complex, Layer 7 security-centric network application use cases.

As a founding member of NetSecOPEN, Spirent has been an active participant in the NetSecOPEN forum, driving new methodology specifications. As a result, Spirent’s own CyberFlood solution includes up-to-date integrated methodologies to help validate network performance and security efficacy based on RFC 9411.

The solution incorporates the “RFC-9411 and NetSecOPEN Test Methodologies” project, with tests for Section 7 of RFC 9411. The latest NetSecOPEN open-standard assessments for performance and security are readily available as part of that CyberFlood project, including:

  1. Mixed traffic tests for healthcare and educational industries

  2. Malware test plans with over 3900 samples

  3. CVE attack test plans with over 1500 samples

  4. A series of attacks using evasion techniques to stress security policies under hacker-like behavior

  5. Latest methodologies for testing security traffic while under load

In this post, we’ll examine CyberFlood tests for the updated NetSecOPEN assessments in relation to a Device Under Test (DUT). The diagram below illustrates a next-generation firewall (NGFW) validation test topology.

Sample Next Generation Firewall Validation Test Topology

Mixed traffic validation with NetSecOPEN updated assessments

The updated mixed traffic tests include the critical applications typically used in healthcare and educational organizations, to help validate network security device performance for those industries. Configuring these traffic mixes in CyberFlood is quick and easy, and the detailed reports generated help organizations proactively test against real-world conditions and scenarios, as shown in the healthcare example below:

Sample Health Care Mixed Traffic Test

Sample Health Care Mixed Traffic Reporting

While the RFC 9411 tests provide a good baseline, it is important to validate with appropriate mixed traffic, and NetSecOPEN has addressed this with two industry examples. Organizations can enhance their validation by emulating mixed traffic that reflects their own profile of critical applications. In addition, mixed-application results can be compared to baseline traffic, such as plain HTTP, to observe the significance of changes in bandwidth or latency through URL measurements and URL round-trip statistics. This helps verify the impact of mixed application traffic on user Quality of Experience (QoE) in the network.

Assessing malware and Common Vulnerabilities and Exposures (CVE) attacks against network security policies

Malicious traffic, including malware and attacks, is emulated and can be run as dedicated tests to validate the efficacy of security policies against those vulnerabilities.

Sample CVE Attack Traffic Test

Validating attacks with evasion techniques

CVE attacks can now be easily emulated with a wide range of evasion techniques to further validate security policy efficacy under hacker-like behavior.

Sample CVE Attack Evasion Techniques

The following table summarizes the results for the evasion techniques included in the latest open-standard tests, for which Spirent’s security test platform offers comprehensive coverage.

Validating NetSecOPEN HTTP bandwidth for security under load

The objective of this type of testing is to challenge the system under test (SUT) with passing HTTP traffic while detecting and mitigating vulnerabilities.

An entry-level firewall was used in this simple test. On its own it could pass 1.6 Gbps of HTTP traffic, with CPU utilization reaching around 90%. When the security mix was added, 100% of the vulnerabilities were detected and blocked; however, throughput took a small hit, as illustrated in the example below. This may translate into an insignificant impact on Quality of Experience (QoE), but having advance knowledge of such consequences is essential for capacity planning (right-sizing) and for deploying robust and effective security solutions.

Sample HTTP Bandwidth with Security Mix
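The two comparisons the post describes, mixed or security-laden traffic against a plain HTTP baseline (bandwidth, URL round-trip time) and detection rate under load, reduce to a small results-comparison step once the runs have been captured. The script below is an added example and is not Spirent or CyberFlood code. The 1.6 Gbps baseline throughput and the roughly 90% CPU figure come from the post; every other value in the two run records (round-trip times, transaction counts, the 1500 injected attack flows and the 1.45 Gbps secured result) is constructed for illustration, and the pass/fail thresholds are assumptions for the example, not limits taken from RFC 9411 or NetSecOPEN.

```python
"""Compare a baseline HTTP run against a security-mix run on the same DUT.

Added example, not Spirent/CyberFlood code. Only the 1.6 Gbps / ~90% CPU
baseline figures are from the post; all other numbers are constructed, and
the thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficRun:
    """Summary counters for one test run, as a test tool would report them."""
    name: str
    throughput_gbps: float       # goodput measured at the client side
    cpu_percent: float           # DUT CPU utilisation during the run
    url_rtt_ms: float            # mean URL round-trip time (request to full response)
    transactions: int            # HTTP transactions attempted
    failed_transactions: int     # non-200 responses or aborted transactions
    attacks_sent: int = 0        # malicious flows injected into the mix
    attacks_blocked: int = 0     # flows the DUT detected and blocked

    @property
    def failed_txn_rate(self) -> float:
        return self.failed_transactions / self.transactions if self.transactions else 0.0

    @property
    def block_rate(self) -> float:
        # A run with no attacks injected has nothing to miss.
        return self.attacks_blocked / self.attacks_sent if self.attacks_sent else 1.0


def pct_change(baseline: float, value: float) -> float:
    """Relative change from baseline to value, in percent (positive = increase)."""
    return (value - baseline) / baseline * 100.0


def compare_runs(baseline: TrafficRun, secured: TrafficRun, *,
                 max_throughput_drop_pct: float = 10.0,   # assumed acceptance limits
                 max_rtt_increase_pct: float = 25.0,
                 max_failed_txn_rate: float = 1e-5,
                 min_block_rate: float = 1.0) -> dict:
    """Return the deltas between the runs and a list of threshold violations."""
    throughput_drop = -pct_change(baseline.throughput_gbps, secured.throughput_gbps)
    rtt_increase = pct_change(baseline.url_rtt_ms, secured.url_rtt_ms)
    failures = []
    if throughput_drop > max_throughput_drop_pct:
        failures.append(f"throughput dropped {throughput_drop:.1f}% (limit {max_throughput_drop_pct}%)")
    if rtt_increase > max_rtt_increase_pct:
        failures.append(f"URL RTT rose {rtt_increase:.1f}% (limit {max_rtt_increase_pct}%)")
    if secured.failed_txn_rate > max_failed_txn_rate:
        failures.append(f"failed transaction rate {secured.failed_txn_rate:.2e} (limit {max_failed_txn_rate:.0e})")
    if secured.block_rate < min_block_rate:
        failures.append(f"block rate {secured.block_rate:.4f} (minimum {min_block_rate})")
    return {
        "throughput_drop_pct": throughput_drop,
        "rtt_increase_pct": rtt_increase,
        "cpu_delta_points": secured.cpu_percent - baseline.cpu_percent,
        "failed_txn_rate": secured.failed_txn_rate,
        "block_rate": secured.block_rate,
        "failures": failures,
        "passed": not failures,
    }


def report(baseline: TrafficRun, secured: TrafficRun, result: dict) -> str:
    """Human-readable summary of a comparison."""
    lines = [
        f"{baseline.name}: {baseline.throughput_gbps:.2f} Gbps, CPU {baseline.cpu_percent:.0f}%",
        f"{secured.name}: {secured.throughput_gbps:.2f} Gbps, CPU {secured.cpu_percent:.0f}%",
        f"  throughput change : -{result['throughput_drop_pct']:.1f}%",
        f"  URL RTT change    : +{result['rtt_increase_pct']:.1f}%",
        f"  failed txn rate   : {result['failed_txn_rate']:.2e}",
        f"  attacks blocked   : {result['block_rate'] * 100:.1f}%",
        "  verdict           : " + ("PASS" if result["passed"] else "FAIL: " + "; ".join(result["failures"])),
    ]
    return "\n".join(lines)


# Constructed sample runs (only 1.6 Gbps and ~90% CPU are from the post).
BASELINE = TrafficRun("HTTP baseline", 1.6, 90.0, 42.0, 2_000_000, 0)
SECURITY_MIX = TrafficRun("HTTP + security mix", 1.45, 97.0, 48.3, 1_800_000, 9, 1500, 1500)

if __name__ == "__main__":
    print(report(BASELINE, SECURITY_MIX, compare_runs(BASELINE, SECURITY_MIX)))
```

Run the script as-is to see the pass verdict for the constructed runs; swapping in your own counters for the two runs, or tightening the keyword thresholds in `compare_runs`, turns the same comparison into the right-sizing check the post describes. The thresholds are deliberately separate from the measured deltas so that the report always shows the raw degradation even when a run passes.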

The detailed results and actionable analytics generated allow organizations to use open-standard testing to proactively benchmark and gauge their network security solutions in terms of performance with mixed traffic, security posture for detecting and mitigating malware, attacks and evasion techniques, and throughput under security load.

CyberFlood test methodologies offer full coverage for validating against the RFC 9411 open security standard as well as the new NetSecOPEN updated assessments. Spirent will continue to participate in NetSecOPEN’s upcoming plans and provide integrated solutions with the CyberFlood solution.

Learn how Spirent security testing solutions can help assess the performance and security strength of your organization using open-standard testing, including RFC 9411. For an update on the latest open security efforts, refer to our related blog post.


Tags: Cyber Security
Reza Saadat

Senior Technical Marketing Engineer, Applications and Security Group

Reza Saadat is a Senior Technical Marketing Engineer in Spirent’s Applications and Security Group, with more than 25 years of experience in computer and data communications technologies. At Spirent, Reza works with the product management, engineering and sales teams to bring the latest cutting-edge application and security test solutions to network equipment manufacturers, enterprises and service providers. His comprehensive, in-depth knowledge of the industry, the market and software development, together with his collaborative design and development skills, has contributed to numerous hardware and software solutions that have been successfully released at major companies including IBM and Cisco.