Advanced attacks require advanced defenses. The NX 10000 represents an innovative and effective approach to combating multi-stage malware. Combined with a conventional IPS (or using its own IPS module, available soon), the FireEye appliance should help large enterprises keep malware off their networks.
Network World gratefully acknowledges the assistance of Spirent Communications, which supplied its Spirent Avalanche C100MP traffic appliance. Spirent's Michelle Rhines, Ankur Chadda, Angus Robertson, and Chris Chapman also supported this project. Thanks, too, to malware-traffic-analysis.net, which provided permission to use its packet captures of recent multi-stage malware attacks.
Newman is a member of the Network World Lab Alliance and president of Network Test, an independent test lab and engineering services consultancy. He can be reached at email@example.com.
How We Did It
We assessed FireEye's NX 10000 in terms of features, attack coverage, and performance. Features testing required no separate methodology. Instead, we discovered functions supported by the device in the course of security and performance testing.
For attack coverage, we obtained 60 multi-stage malware packet captures from the website malware-traffic-analysis.net. These captures had been seen in the wild between January and April 2014. Captures included examples of exploit kits, dropper (infected) files, and callbacks to command-and-control servers.
We used the open-source tcpprep and tcprewrite tools to prepare these packet captures for use on our test bed, rewriting MAC and IP addresses. We then used the open-source tcpreplay tool to generate the multi-stage malware attacks. We generated these attacks using a single FreeBSD 10.0 server equipped with a multiport NIC.
For performance testing, we used Spirent Avalanche, a layer 4-7 traffic generation tool, to offer Web traffic from up to 40,000 users. In this case, Avalanche ran on Spirent's C100MP appliance equipped with 10G Ethernet interfaces.
For security and performance tests, we constructed a routed test bed with three IP subnets. When tested in inline mode, the FireEye NX 10000 appliance resided in the middle segment, and bridged traffic between two layer-3 switches. When tested in tap mode, the layer-3 switches were directly connected to each other, and the NX 10000 listened to traffic using a mirror port configured on one switch. The Spirent and FreeBSD traffic generators resided in the outer subnets in this test bed, with one interface from each device connected to each outer subnet.
For the coverage tests, we configured tcpreplay to offer all 60 malware samples at the maximum rate possible. We monitored the NX 10000 continuously during and after the test, and verified that it correctly identified each attempted exploit. The success metrics in this case included the ability to identify source and destination IP addresses and name the various exploit kits, droppers, and command-and-control callbacks used by each malware sample.
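The sketch below shows how the tcpprep, tcprewrite and tcpreplay steps described in this section fit together for a two-interface routed test bed. It is an added example, not the commands used in the review; the IP addresses, MAC addresses and interface names are assumptions, and it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: prepare one capture for replay across a routed test bed.
# Every address, MAC and interface name below is an assumed placeholder.
SERVER_IP="10.0.3.10"   # assumed replay address in one outer subnet
CLIENT_IP="10.0.1.10"   # assumed replay address in the other outer subnet
# Destination MACs: the layer-3 switch port facing each generator interface.
# tcprewrite applies the first MAC to server-to-client traffic and the
# second to client-to-server traffic.
GW_MACS="00:00:5e:00:53:01,00:00:5e:00:53:02"
NIC_MACS="00:00:5e:00:53:11,00:00:5e:00:53:12"   # generator NIC MACs
INTF1="ix0"   # assumed interface names on the replay host
INTF2="ix1"

# Print a command; execute it only when DRY_RUN=0.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-1}" = "1" ] || "$@"
}

prepare_and_replay() {
    in=$1
    base=${in%.pcap}
    cache="$base.cache"
    out="$base.rewritten.pcap"
    # 1. Classify each packet as client- or server-side; the result is
    #    stored in a cache file that the next two steps reuse.
    run tcpprep --auto=bridge --pcap="$in" --cachefile="$cache" &&
    # 2. Rewrite IP and MAC addresses so the layer-3 switches will route
    #    the frames, then recompute checksums invalidated by the rewrite.
    run tcprewrite --cachefile="$cache" --infile="$in" --outfile="$out" \
        --endpoints="$SERVER_IP:$CLIENT_IP" \
        --enet-dmac="$GW_MACS" --enet-smac="$NIC_MACS" --fixcsum &&
    # 3. Replay at the maximum rate; the cache file decides which of the
    #    two interfaces each packet leaves on.
    run tcpreplay --cachefile="$cache" --intf1="$INTF1" --intf2="$INTF2" \
        --topspeed "$out"
}

# Process every capture named on the command line.
if [ "$#" -gt 0 ]; then
    for pcap in "$@"; do
        prepare_and_replay "$pcap" || exit 1
    done
fi
```

Note that `--endpoints` collapses every host in a capture into the two replay addresses, so the device under test will report those addresses rather than the ones seen in the wild.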