Background technology
The rapid worldwide growth of the Internet has brought people great convenience and a vast amount of information, but it brings a problem with it: how the privacy and safety of the network are to be guaranteed, that is, the problem of network security.
Originally the idea of network security was simply to allow certain addresses legitimate access to allocated resources and to forbid unauthorized access from other addresses. The packet-filtering firewall arose to meet this need; it operates at the network layer and filters by IP (Internet Protocol) address. Later, as the protocols used on the network became increasingly complex, packet-filtering firewalls could no longer satisfy the requirements, and stateful firewalls appeared. Such firewalls control traffic by protocol type and port number in addition to IP address, and most of the functions of this class of firewall are concentrated at the transport layer. As attack techniques progressed, however, many attacks appear to be entirely legitimate visits when judged at the network and transport layers, yet complete the attack by application-layer means, for example by exploiting a vulnerability in a protocol stack or in a system. Against application-layer attacks neither packet-filtering nor stateful firewalls are competent to protect, and so IPS (Intrusion Prevention System) products appeared.
The types of attack that intrusion prevention products address determine that this class of product is a network device operating at the application layer. Such a product is normally deployed at the key position on the user's main communication line that connects the external network to the intranet, so its ability to protect against attacks determines the user's security. Equally important is the product's application-layer throughput, which determines the speed at which the user's legitimate traffic is forwarded and to a large extent determines the availability of the network environment.
At present the common method of testing IPS throughput is identical to the method used for stateful firewall products; the test topology is shown in Figure 1. TCP (Transmission Control Protocol) traffic is constructed on the test instrument: x TCP connections are established per second, each connection exchanges y bytes of data, and the test normally runs for 60 seconds. If within those 60 seconds the data of all 60x TCP connections is forwarded successfully through the IPS product, the throughput of the IPS product is taken to be 8xy bps (bits per second). With this method each test run increases the number of TCP connections established per second, that is, the value of x, and thereby the amount of data the IPS product must handle per second, until TCP connections begin to fail to forward their data; in this way the maximum throughput figure of the IPS product is approached.
Defects of the prior art:
1. The content of the test traffic is too simple. The IPS throughput test described above is identical to the throughput test for firewall products. As explained in the background, firewall products essentially operate at the transport layer and therefore only inspect and judge the IP addresses, protocol and port numbers in the traffic, so a throughput test using pure TCP traffic is reasonably suitable for firewalls. An IPS product, however, operates at the application layer and must inspect the content of each application-layer protocol field to decide whether the traffic is safe. When an IPS product handles pure TCP traffic the content is so simple that it places essentially no pressure on the detection engine, so the throughput measured with pure TCP traffic usually differs greatly from the throughput the product can actually handle in a real environment, and the figure loses its reference value.
2. The test result cannot prove that the IPS product under test can still fulfil its security task at that throughput. The most basic function of an IPS product is to detect and block attacks, and only on that basis to forward normal traffic quickly. Because the existing test scheme uses pure TCP data flows, it shows that the IPS product under test can forward normally, but it cannot guarantee that at that throughput the device still has the ability to detect and block attacks. The result of the existing test therefore gives no assurance about the most basic function of an IPS product, and again loses its reference value.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for testing the performance of an intrusion prevention product whose test result reflects the throughput of the IPS product in a real environment.
The technical solution adopted by the present invention is a method of testing the performance of an intrusion prevention product, comprising:
Step 1: while the IPS product is forwarding pure application-layer traffic, add attack packets;
Step 2: according to how the IPS product forwards the pure application-layer traffic and how it identifies the attack packets, determine the current effective application-layer throughput of the IPS product.
Further, the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Further, adding attack packets specifically comprises:
capturing, from a real environment, attack packets that use the TCP protocol;
replaying the captured attack packets into the IPS product, ensuring during replay that the source IP address and destination IP address of each attack packet differ from those of every other attack packet.
Further, determining the current effective application-layer throughput of the IPS product according to how it forwards the pure application-layer traffic and how it identifies the attack packets specifically comprises:
taking as the first condition that the IPS product forwards all of the pure application-layer traffic successfully, and as the second condition that the IPS product identifies all of the attack packets successfully;
judging whether the first condition and the second condition are satisfied simultaneously; if so, reading the application-layer traffic currently counted by the IPS product, which is its current effective application-layer throughput; otherwise reducing the value of the pure application-layer traffic and repeating Step 1 until the first condition and the second condition are satisfied simultaneously.
Further, the method also comprises:
Step 3: according to how the IPS product identifies the attack packets, determine the attack-packet detection rate of the IPS product.
The present invention also provides an apparatus for testing the performance of an intrusion prevention product, comprising the following parts:
a test instrument, used to construct the pure application-layer traffic that is forwarded through the IPS product;
a replay device, used to send attack packets to the IPS product while the IPS product is forwarding pure application-layer traffic;
a test-result determination device, used to determine the current effective application-layer throughput of the IPS product according to how it forwards the pure application-layer traffic and how it identifies the attack packets.
Further, the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Further, the replay device specifically comprises:
a packet-capture module, used to capture attack packets that use the TCP protocol in a real environment;
an injection module, used to replay the captured attack packets into the IPS product, ensuring during replay that the source IP address and destination IP address of each attack packet differ from those of every other attack packet.
Further, let it be the first condition that the IPS product forwards all of the pure application-layer traffic successfully, and the second condition that the IPS product identifies all of the attack packets successfully;
the test-result determination device then specifically comprises:
a judgement module, used to judge whether the first condition and the second condition are satisfied simultaneously, and if so to call the reading module, otherwise to call the adjustment module;
an adjustment module, used to reduce the value of the pure application-layer traffic and then call the test instrument and the replay device again, until the first condition and the second condition are satisfied simultaneously, whereupon it calls the reading module;
a reading module, used to read the application-layer traffic currently counted by the IPS product, which is its current effective application-layer throughput.
Further, the apparatus also comprises:
a detection-rate calculation module, used to determine the attack-packet detection rate of the IPS product according to how the IPS product identifies the attack packets.
With the above technical scheme, the method and apparatus of the present invention for testing the performance of an intrusion prevention product have the following advantages:
1. Aimed at the characteristics of intrusion prevention products, traffic of application-layer protocols is used to place greater pressure on the detection engine of the product, and traffic close to that of the product's real working environment is used to verify its true throughput performance.
2. While the application-layer traffic is applied, an appropriate amount of attack traffic is also added, to verify whether the intrusion prevention product can still detect every attack packet at that throughput, so that normal execution of its security function is guaranteed. Normal traffic combined with attack traffic in this way is closer to the traffic mix an intrusion prevention product sees in its real working environment, and it allows the true application-layer throughput figure that the product achieves while still guaranteeing its security function to be verified.
3. On the basis of a given application-layer load, the ability of the intrusion prevention product to block attacks is measured.
Embodiment
To further explain the technical means and effects adopted by the present invention to achieve its intended purpose, the technical scheme of the present invention is described in detail below with reference to the accompanying drawings and preferred embodiments.
In a first embodiment of the invention, shown in Figure 2, a method of testing the performance of an intrusion prevention product comprises the following specific steps:
Step S101: within a test cycle, add attack packets while the IPS product is forwarding pure application-layer traffic. Preferably the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Specifically, in step S101 the process of adding attack packets comprises:
A1: capturing the attack packets of one complete TCP-based attack process from a real environment;
A2: replaying the captured attack packets into the IPS product, ensuring during replay that the source IP address and destination IP address of each attack packet differ from those of every other attack packet.
Step S102: let it be the first condition that the IPS product forwards all of the pure application-layer traffic successfully, and the second condition that the IPS product identifies all of the attack packets successfully; judge whether the first condition and the second condition are satisfied simultaneously; if so, execute step S104, otherwise execute step S103.
Step S103: reduce the value of the pure application-layer traffic, then return to step S101 to begin the next test cycle, until the first condition and the second condition are satisfied simultaneously, whereupon step S104 is executed. If the first condition and the second condition still cannot be satisfied simultaneously before the value of the pure application-layer traffic has been reduced to 0, the IPS product is faulty and unusable.
Step S104: read the application-layer traffic currently counted by the IPS product; this is its current effective application-layer throughput.
Step S105: according to how the IPS product identifies the attack packets, determine its attack-packet detection rate. Specifically, on the basis of a given application-layer load, the number of attack packets detected by the IPS product divided by the number of attack packets replayed in step S101 gives the detection rate of the IPS product for attack packets.
In a second embodiment of the invention, shown in Figure 3, an apparatus for testing the performance of an intrusion prevention product comprises the following parts:
Test instrument 10, used within a test cycle to construct the pure application-layer traffic that is forwarded through the IPS product. Preferably the pure application-layer traffic is the theoretical maximum application-layer throughput of the IPS product.
Replay device 20, used to send attack packets to the IPS product while the IPS product is forwarding pure application-layer traffic. Replay device 20 specifically comprises:
packet-capture module 21, used to capture the attack packets of one complete TCP-based attack process from a real environment;
injection module 22, used to replay the captured attack packets into the IPS product, ensuring during replay that the source IP address and destination IP address of each attack packet differ from those of every other attack packet.
Test-result determination device 30, used to determine the current effective application-layer throughput of the IPS product and its detection rate for attack packets, according to how the IPS product forwards the pure application-layer traffic and how it identifies the attack packets.
Specifically, let it be the first condition that the IPS product forwards all of the pure application-layer traffic successfully, and the second condition that the IPS product identifies all of the attack packets successfully. Test-result determination device 30 specifically comprises:
judgement module 31, used to judge whether the first condition and the second condition are satisfied simultaneously, and if so to call reading module 33, otherwise to call adjustment module 32;
adjustment module 32, used to reduce the value of the pure application-layer traffic and then call test instrument 10 and injection module 22 of replay device 20 again to begin the next test cycle, until the first condition and the second condition are satisfied simultaneously, whereupon it calls reading module 33; if the first condition and the second condition still cannot be satisfied simultaneously before the value of the pure application-layer traffic has been reduced to 0, the IPS product is faulty and unusable;
reading module 33, used to read the application-layer traffic currently counted by the IPS product, which is its current effective application-layer throughput.
detection-rate calculation module 34, used to determine the attack-packet detection rate of the IPS product according to how the IPS product identifies the attack packets. Specifically, at the point where judgement module 31 judges whether the first condition and the second condition are satisfied simultaneously, that is, on the basis of a given application-layer load, detection-rate calculation module 34 divides the number of attack packets detected by the IPS product by the number of attack packets replayed by injection module 22 to obtain the detection rate of the IPS product for attack packets.
In a third embodiment of the invention, an example of testing the application-layer throughput and the attack-blocking ability of an IPS product is introduced on the basis of the first and second embodiments.
The network topology is shown in Figure 4. The hardware required is one or more test instruments used to send application-layer traffic and one replay PC (personal computer) used to replay the attack packets. If a BPS test instrument is chosen, it can replay attack packets at the same time and no separate replay device is needed. If an AVALANCHE test instrument is chosen, it can only send application-layer traffic, and a replay PC with two network cards is used as the replay device to supply the replayed attack-packet traffic. Packet-replay software is installed on the replay device, for example tcpreplay under Linux or other replay software. During replay the two network cards play the two sides of the attack: one card sends the "attacker → victim" packets and the other sends the "victim → attacker" packets. In the test, while the test instrument constructs and sends application-layer traffic, the replay device begins replaying attack packets, and the replay software rewrites the source IP address and destination IP address in the packets so that the source and destination addresses used by each replayed attack process differ from those of every other attack process. The replay device also controls the replay rate, guaranteeing how many attack processes are replayed each second, and controls the total number of attack-packet replays over the whole test.
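The address rewriting that the replay device must perform before each replay pass (the same requirement as A2 of the first embodiment and injection module 22 of the second), together with the split of the capture into the two directions sent from the two network cards, is shown below as an added Python example; it is not code from the patent or from tcpreplay. It assumes IPv4-over-Ethernet captures, uses constructed sample frames for one attack exchange, and draws each pass's attacker and victim addresses from assumed 10.1.0.0/16 and 10.2.0.0/16 ranges. The point a practitioner should notice is that changing the addresses invalidates both the IPv4 header checksum and the TCP checksum, whose pseudo-header covers the addresses; unless both are recomputed the replayed packets are malformed, and an IPS that discards them for that reason would lower the detection count A1 for the wrong reason.

```python
"""Added example: address rewriting and per-NIC split for replaying a captured
TCP attack exchange. Not the patent's or tcpreplay's code; IPv4-over-Ethernet
captures are assumed and the sample frames and address ranges are constructed."""
import ipaddress
import socket
import struct

ETH_IPV4 = b"\x08\x00"

def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum as used by the IPv4 header and the TCP pseudo-header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with valid checksums (sample capture data)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + ETH_IPV4
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return eth + ip + tcp

def frame_addresses(frame: bytes):
    """(source, destination) IPv4 addresses of an Ethernet frame."""
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def rewrite_frame(frame: bytes, old_pair, new_pair) -> bytes:
    """Map the captured (attacker, victim) pair onto new_pair in both directions.
    The IPv4 header checksum and the TCP checksum (whose pseudo-header covers the
    addresses) are both recomputed; otherwise the replayed packets are malformed."""
    if frame[12:14] != ETH_IPV4:
        return frame
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    ip, seg = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:14 + total])
    src, dst = frame_addresses(frame)
    (old_att, old_vic), (new_att, new_vic) = old_pair, new_pair
    if (src, dst) == (old_att, old_vic):
        src, dst = new_att, new_vic
    elif (src, dst) == (old_vic, old_att):
        src, dst = new_vic, new_att
    else:
        return frame  # not part of the captured attack exchange
    ip[12:16], ip[16:20] = socket.inet_aton(src), socket.inet_aton(dst)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_checksum(bytes(ip)))
    if ip[9] == 6 and len(seg) >= 20:  # TCP: its checksum covers the new addresses
        seg[16:18] = b"\x00\x00"
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(seg))
        seg[16:18] = struct.pack("!H", ones_complement_checksum(pseudo + bytes(seg)))
    return frame[:14] + bytes(ip) + bytes(seg)

def checksums_valid(frame: bytes) -> bool:
    """True when both the IPv4 header checksum and the TCP checksum verify (sum to zero)."""
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    ip, seg = frame[14:14 + ihl], frame[14 + ihl:14 + total]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return ones_complement_checksum(ip) == 0 and ones_complement_checksum(pseudo + seg) == 0

def replay_pass_addresses(n: int, attacker_base="10.1.0.1", victim_base="10.2.0.1"):
    """Attacker/victim pair for replay pass n; no two passes share a pair (assumed ranges)."""
    return (str(ipaddress.IPv4Address(attacker_base) + n),
            str(ipaddress.IPv4Address(victim_base) + n))

def split_by_direction(frames, attacker: str):
    """Frames for NIC 1 (attacker -> victim) and NIC 2 (victim -> attacker)."""
    to_victim, to_attacker = [], []
    for f in frames:
        (to_victim if frame_addresses(f)[0] == attacker else to_attacker).append(f)
    return to_victim, to_attacker

# Constructed capture of one complete attack exchange (not a real attack):
# attacker 192.0.2.10 sends a request, victim 198.51.100.20 answers.
ORIGINAL_PAIR = ("192.0.2.10", "198.51.100.20")
CAPTURED = [
    build_tcp_frame(*ORIGINAL_PAIR, 40000, 80, b"GET /cgi-bin/x HTTP/1.0\r\n\r\n"),
    build_tcp_frame(*reversed(ORIGINAL_PAIR), 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n"),
]

def prepare_pass(n: int):
    """Rewritten frames for replay pass n, split by the NIC that must send them."""
    pair = replay_pass_addresses(n)
    frames = [rewrite_frame(f, ORIGINAL_PAIR, pair) for f in CAPTURED]
    return pair, split_by_direction(frames, pair[0])
```

Calling prepare_pass(n) for n = 0, 1, 2, ... yields one rewritten copy of the exchange per replay, each with an attacker/victim pair no other pass uses, which is exactly the uniqueness condition the replay software must guarantee; with a real replay tool the rewritten frames would be written to a capture file per network card and replayed at the chosen rate.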
Test topology: a pair of test interfaces of the test instrument is used. Where several test instruments are needed to generate the application-layer traffic jointly, the interfaces that simulate the client side on all of these instruments are connected to switch 1, which aggregates all the simulated-client traffic sent from those interfaces and passes it through one interface of switch 1 to an interface of the IPS product. Likewise the interfaces that simulate the server side on these instruments are connected to switch 2, which aggregates all the simulated-server traffic and passes it through one interface of switch 2 to another interface of the IPS product. Because an IPS product works between the user's intranet and the external network, it is usually inserted in transparent mode, and transparent mode is also used as the communication mode in this test.
IPS product configuration: the IPS product is loaded with its default configuration, which should be the basic configuration the manufacturer recommends to its users, including the recommended attack-detection rules already loaded; that is, the IPS product can begin the test without any configuration change.
As shown in Figure 5, the procedure by which the test instrument and the replay device test the application-layer throughput of the IPS product is as follows:
Step S1: using pure HTTP (Hypertext Transfer Protocol) traffic, the test instrument measures the theoretical maximum application-layer throughput of the IPS product. The purpose of this step is to use the measured theoretical maximum application-layer throughput as the initial value X of the subsequent test.
Step S2: within the current test cycle, HTTP traffic is constructed with the initial value X as the throughput baseline and forwarded through the IPS product, and at the same time the replay device adds the attack packets it captured from a real attack process. Adding the attack packets in this way is also called replay, and the total number of attack-packet replays is recorded as A.
The preferred replay rate is 150 to 200 replays per second. It should not be chosen too small, since then it places no pressure on the IPS product; nor too large, since in a normal network environment not very many attacks occur each second, and a value in this range is close to the frequency with which attack packets occur in a real environment. The total number of attack-packet replays A equals the replays per second multiplied by the duration of the test cycle. The preferred duration of a test cycle is 60 seconds.
Step S3: after the test of the current cycle finishes, judge whether the HTTP traffic pushed in at the target rate X has all been forwarded normally by the IPS product; if so, execute step S4, otherwise execute step S6.
Specifically, the judgement can be made from the statistics on the test instrument. Because application-layer HTTP traffic is carried over established TCP connections, if every TCP connection opens normally, transfers its HTTP data and closes normally, the HTTP traffic pushed in at the target rate X is considered to have been forwarded successfully in full; if the statistics on the test instrument show any failed TCP connections, the HTTP traffic pushed in at the target rate X is considered not to have been forwarded successfully in full.
Step S4: judge whether all A replayed attack packets were detected by the IPS product. If so, it is proven that the device under test identified all attack packets while successfully forwarding all of the HTTP traffic, and step S8 is executed; otherwise step S5 is executed.
Specifically, on the IPS product, check the number of times the same attack packet was detected in the current test cycle and record it as A1. Judge whether the total number of replays A equals the number of detections A1. If they are equal, the IPS product identified all attack packets while successfully forwarding all of the HTTP traffic; if they are not equal, the IPS product could not identify all attack packets at the current HTTP load, and attack packets were missed.
Step S5: divide the number of attack packets detected by the IPS product, A1, by the total number of replays A to obtain the detection rate of the IPS product for attack packets when the forwarded HTTP traffic is X.
Step S6: judge whether the HTTP traffic Y actually forwarded in the current test cycle is greater than 10% of the initial value X; if so, execute step S7, otherwise end the test.
Because the whole test scheme approaches the true throughput of the device under test by stepping down, whenever the device cannot forward all of the HTTP traffic or cannot detect all of the attacks, so that the test fails, the HTTP traffic of the test must be reduced, and a judgement is therefore needed: if Y is greater than 10% of X, the next test can begin; if Y is not greater than 10% of X, then once the attack traffic is added the true application-layer throughput of the IPS product is less than 10% of the initial value X, the IPS product can be considered to have serious problems and to be essentially unusable, it is recorded that the intrusion prevention product under test has serious problems and the test cannot be completed, and the test ends.
The step of 10% in the present invention can be chosen flexibly according to the rated throughput of the IPS product: for an IPS product with a rated throughput of one gigabit, the step can be 10% to 20%, preferably 10%; for an IPS product with a rated throughput of 100 megabits, the step can be 5% to 10%, preferably 5%.
Step S7: take the initial value X minus 10% of the initial value X as the new initial value X, and return to step S2 to begin the next test cycle.
Step S8: directly record the initial value X used in the current test cycle as the true application-layer throughput performance figure of the IPS product.
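The search of steps S1 to S8 (the same loop as Steps 1 and 2 of the summary and steps S101 to S105 of the first embodiment) is shown below as an added Python example; it is not the patent's code. The test instrument and the IPS product are replaced by a constructed model of the device under test with assumed forwarding and detection capacities, so the loop runs offline; the function names, the model and its figures are assumptions. The step and the 10% floor are handled as integer percentages rather than floating point, so the sequence of offered loads X is exact, and the X reported at S8 is the last offered load at which both conditions held, not the forwarded figure Y.

```python
"""Added example: the step-down search of steps S1 to S8 run against a
constructed model of the device under test. Not the patent's code; the model,
its capacity figures and the function names are assumptions."""
from dataclasses import dataclass


@dataclass
class CycleResult:
    """What one test cycle reports back from the test instrument and the IPS."""
    offered_bps: int       # X: HTTP load the tester pushed in this cycle
    forwarded_bps: int     # Y: HTTP load actually forwarded (tester statistics)
    failed_tcp_conns: int  # failed TCP connections in the tester statistics
    attacks_replayed: int  # A: attack replays in this cycle
    attacks_detected: int  # A1: detections of that attack logged by the IPS


def tcp_throughput_bps(x_conns_per_s: int, y_bytes_per_conn: int) -> int:
    """Prior-art figure: x connections per second of y bytes each is 8xy bit/s."""
    return 8 * x_conns_per_s * y_bytes_per_conn


def replays_per_cycle(replays_per_s: int = 150, cycle_s: int = 60) -> int:
    """A = replay rate times cycle length (150 to 200 per second and 60 s preferred)."""
    return replays_per_s * cycle_s


def step_percent(rated_mbps: int) -> int:
    """Preferred step: 5% for a 100 Mbit class product, 10% for a gigabit class one."""
    return 5 if rated_mbps <= 100 else 10


def detection_rate(a1: int, a: int) -> float:
    """S5: attack packets detected divided by attack packets replayed."""
    return a1 / a if a else 0.0


def effective_throughput(x0_bps: int, run_cycle, step_pct: int = 10,
                         floor_pct: int = 10, max_cycles: int = 100):
    """S2 to S8: returns (throughput in bit/s or None, last detection rate, verdict)."""
    x, rate = x0_bps, 0.0
    for _ in range(max_cycles):
        r = run_cycle(x)                                  # S2: HTTP at X plus A replays
        if r.failed_tcp_conns == 0:                       # S3: all HTTP forwarded?
            rate = detection_rate(r.attacks_detected, r.attacks_replayed)  # S5
            if r.attacks_detected == r.attacks_replayed:  # S4: all A replays detected?
                return x, rate, "ok"                      # S8: X is the true figure
        if r.forwarded_bps * 100 <= floor_pct * x:        # S6: Y not above 10% of X
            return None, rate, "unusable"
        x -= x * step_pct // 100                          # S7: X minus 10% of X
        if x <= 0:                                        # first embodiment: cut to 0
            return None, rate, "unusable"
    return None, rate, "no-convergence"


def model_dut(forward_cap_bps: int, detect_cap_bps: int, a: int = replays_per_cycle()):
    """Constructed device model (not a real product): forwards everything up to
    forward_cap_bps; the detection engine keeps up with every replay only up to
    detect_cap_bps and misses a load-proportional share above it."""
    def run_cycle(x: int) -> CycleResult:
        forwarded = min(x, forward_cap_bps)
        failed = 0 if x <= forward_cap_bps else 1 + (x - forward_cap_bps) // 1_000_000
        detected = a if x <= detect_cap_bps else a * detect_cap_bps // x
        return CycleResult(x, forwarded, failed, a, detected)
    return run_cycle


if __name__ == "__main__":
    gigabit_x0 = tcp_throughput_bps(1000, 125_000)  # 1 Gbit/s found by the pure-HTTP step S1
    print(effective_throughput(gigabit_x0, model_dut(gigabit_x0, 650_000_000),
                               step_pct=step_percent(1000)))
```

For the modelled gigabit device whose engine only keeps up to 650 Mbit/s, the offered load falls 1000, 900, 810, 729, 656.1 Mbit/s (each failing S4) and the search stops at 590.49 Mbit/s, the first X at which every replay is detected; a device that forwards only 50 Mbit/s once attack traffic is present is rejected at S6 in the first cycle. The detection rate returned with a failing cycle is the S5 figure for that load.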
From the description of the embodiments, the technical means and effects adopted by the present invention to achieve its intended purpose should be understood more deeply and concretely; the accompanying drawings, however, are provided only for reference and explanation and are not intended to limit the present invention.