Goal: Providing the National Nuclear Security Administration (NNSA) with reliable metrics to select high-bandwidth network monitoring solutions.
Situation: The NNSA includes multiple classified and unclassified networks with bandwidth ranging from 100 Mbps to 10 Gbps, with 100 Gbps links anticipated in FY2013. OnPoint is tasked with providing effective intrusion analysis services across this heterogeneous environment.
Multiple commercial and open source options exist to monitor network traffic for indications of hostile or malicious activity. It has been noted that solution providers often advertise high bandwidth capabilities without providing specific testing parameters used to validate the capabilities. It was necessary to develop a custom test environment allowing an “apples-to-apples” comparison of proposed monitoring solutions to enable reliable cost-benefit evaluations and accurate forecasting of solution scalability.
Approach: OnPoint utilized a team of Intrusion Detection Specialists, Intrusion Analysts, and Network Engineers to generate a vendor neutral custom test environment that could be replicated for consistent testing across multiple monitoring solutions. Sample network traffic was captured from high bandwidth monitored networks to allow testing of proposed monitoring solutions against real-world scenarios.
A testing replay service was developed allowing the aggregation and retransmission of multiple network traffic captures. This provides the ability to scale the testing of proposed monitoring solutions against various throughput levels. The initial implementation provides throughput bandwidth testing levels of 1 Gbps, 3 Gbps, 6 Gbps, and 10 Gbps.
Finally, baseline malicious activity indicator sets were identified to ensure that all monitoring solutions would be evaluated while monitoring for the same specified activity.
Impact: The custom test environment has been used to evaluate proposed 10 Gbps monitoring solutions. It has been noted that while many vendors claim 10 Gbps monitoring capabilities, when placed under high bandwidth traffic load with baseline malicious activity indicator sets running, the sensors often begin to lose effectiveness at much lower traffic bandwidth of 3 to 6 Gbps. This in turn has enabled OnPoint to make monitoring recommendations for high bandwidth environments based on validated operational performance.
Future: The custom test environment was deliberately designed to be scalable to 40 Gbps and 100 Gbps bandwidth by adding additional parallel replay systems. OnPoint is positioned to begin evaluation and testing of 40 Gbps and 100 Gbps monitoring solutions as deployment within the customer environment will soon require.