
Review: FireEye fights off multi-stage malware

David Newman | May 6, 2014
You can't see some malware until it's too late. Sophisticated attacks arrive in pieces, each seemingly benign. Once these advanced attacks reassemble, the target is already compromised.

For the coverage tests, we replayed a collection of 60 multi-stage malware samples seen in the wild between January and April 2014. These samples, used with permission of malware-traffic-analysis.net, represent many aspects of multi-stage malware. They involve different kinds of exploit kits; zero-day exploits; dropper executable files; and callbacks to command-and-control networks. We did not tell FireEye which samples we'd use in testing.

In all 60 cases, the FireEye appliance correctly identified the individual components of each malware sample, both in inline and tap modes.

The FireEye device updates its library of multi-stage malware examples at least once every 24 hours. It's possible the system would not detect a brand-new exploit, but we did not see that in testing. Indeed, the most recent of our samples was first posted on malware less than 24 hours before we used it in testing, and the updated FireEye device correctly identified it.

FireEye says its customers typically see one attempted malware exploit every three minutes; our tests were far more stressful than that. We replayed all malware samples consecutively at rates approaching 10G Ethernet wire speed. In contrast, each malware sample originally took seconds or even minutes to run from start to finish. Also, there was no gap between the end of one malware sample and the start of another.

Performance tests

The FireEye appliance also met its stated limits in performance tests. FireEye claims the NX 10000 can forward traffic at around 4Gbps in inline mode and at nearly 10Gbps in tap mode.

We evaluated these claims using Spirent Avalanche, a Layer 4-7 traffic generator and analyzer. We configured Avalanche to generate HTTP traffic from up to 40,000 clients, as in a large enterprise network. We measured performance in both inline and tap modes, and we also measured performance while the system was under attack.

With only benign web traffic, the FireEye device forwarded traffic at 4.224Gbps and 9.259Gbps in inline and tap modes, respectively. Both results are in line with FireEye's performance claims.

We then repeated these tests while concurrently offering the multi-stage malware samples (again, we offered these consecutively, at the maximum possible rate). This time, the NX 10000 forwarded traffic at 4.207Gbps and 9.298Gbps in inline and tap modes, respectively. Those numbers are virtually identical to the tests with benign traffic only, with the minor differences most likely explained by bandwidth contention among many TCP flows.

The FireEye appliance again identified all components of all 60 malware samples offered in the inline tests. Some malware samples were not identified in the tap-mode tests, but we believe this was due to an overloaded CPU in the switch mirroring traffic to the FireEye device. The switch reported CPU utilization of 100 percent and became unresponsive during multiple iterations of the tap-mode tests. While the missed reports should not be "charged" to the FireEye device, this does point up the importance of using tap infrastructure capable of forwarding all traffic at 10G Ethernet wire speed.
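A practitioner repeating this kind of inline-versus-tap coverage test needs to separate appliance misses from samples the mirror infrastructure never delivered. The script below is an added example written for this review, not FireEye's or Spirent's code; it assumes a constructed key=value alert format and a constructed table of mirror-port drop counters, and scores each replayed sample on the three stages the review lists (exploit kit, dropper, callback).

```python
import re
from collections import defaultdict

# Stages each replayed sample is decomposed into (as described in the review).
STAGES = ("exploit_kit", "dropper", "callback")

# Constructed alert lines in an assumed key=value format (not a vendor log format).
ALERTS = """\
2014-04-28T10:00:01Z mode=inline sample=s01 stage=exploit_kit
2014-04-28T10:00:01Z mode=inline sample=s01 stage=dropper
2014-04-28T10:00:02Z mode=inline sample=s01 stage=callback
2014-04-28T10:00:03Z mode=inline sample=s02 stage=exploit_kit
2014-04-28T10:00:03Z mode=inline sample=s02 stage=dropper
2014-04-28T10:00:04Z mode=inline sample=s02 stage=callback
2014-04-28T10:05:01Z mode=tap sample=s01 stage=exploit_kit
2014-04-28T10:05:01Z mode=tap sample=s01 stage=dropper
2014-04-28T10:05:02Z mode=tap sample=s01 stage=callback
2014-04-28T10:05:03Z mode=tap sample=s02 stage=exploit_kit
"""

# Constructed mirror/SPAN port drop-counter deltas per (mode, sample), e.g. from polling the switch.
MIRROR_DROPS = {("tap", "s02"): 1840}

ALERT_RE = re.compile(r"mode=(\w+) sample=(\w+) stage=(\w+)")

def parse_alerts(text):
    """Map (mode, sample) -> set of stages the appliance reported."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            mode, sample, stage = m.groups()
            seen[(mode, sample)].add(stage)
    return seen

def coverage(expected_samples, seen, mirror_drops):
    """Per mode: count fully detected samples; split incomplete ones into
    'mirror_suspect' (mirror port dropped packets) and 'missed' (charged to the appliance)."""
    report = {}
    for mode in ("inline", "tap"):
        counts = {"complete": 0, "missed": {}, "mirror_suspect": {}}
        for sample in expected_samples:
            missing = [s for s in STAGES if s not in seen.get((mode, sample), set())]
            if not missing:
                counts["complete"] += 1
            elif mirror_drops.get((mode, sample), 0) > 0:
                counts["mirror_suspect"][sample] = missing
            else:
                counts["missed"][sample] = missing
        report[mode] = counts
    return report
```

With the constructed data, both samples are complete in inline mode, while the tap-mode gaps on s02 are flagged as mirror-suspect rather than charged to the appliance.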
