Testing Times - Here's One Sure Route To Optimal Security At Minimum Cost By Martin Vickery, Marketing Communications Manager, Spirent Communications

Air travel has become a familiar experience, so consider something a little more adventurous: let's say you have booked a flight on Richard Branson's proposed commercial flight into space. As the take-off grows near you begin to feel a little apprehensive about your safety. What would bring most reassurance:

• A listing of the plane designers' academic qualifications?
• Knowledge of the industry awards received by the manufacturers?
• A detailed design blueprint with full specifications of all materials used in the plane's construction?
• Or the knowledge that the plane had already made several thousand flights under all conditions without one single mishap?

Surely most people would choose the last? Any amount of top-down reassurance about the excellence of the thinking, design and manufacture of this critical piece of machinery is as nothing compared to the comfort of knowing it has been thoroughly tried and tested from the bottom up.

The problem here is one of complexity. Life is complex and it has, we are told, developed over millions of years without any top-down design and purely on the basis of bottom-up testing against all possible conditions.

And life works - ”but you cannot run a business that way. Although open source and evolutionary computing developments mimic Darwinian selection, there is still plenty of initial design effort. A business cannot sell its solution under the slogan "it seems to work - ”try it".

In the case of data and networking security solutions we look for everything: the quality of the thinking, the reliability of the products, the reputation of the manufacturer and as much as we can find out about testing and successful operation in the field. And yet, when all these security systems are installed there is still the nagging worry about their sheer complexity. The complexity of converged networks, of converged applications, of increasingly sophisticated security threats and the build up of so many security systems to meet those risks.

How much risk can any organisation afford?
Launching any new service involves risk. The variables behind vendor selection, system design and effective network implementation all carry inherent risks. Can you afford these risks?

There are the obvious risks in being successfully attacked - from loss or corruption of data, through loss of reputation and business to financial loss. You can build a citadel against all of these, and be left with a system too slow and unwieldy to be practical. You can also find just the right balance between everyday practicality and security, but in a system that fails under extreme conditions. You can install the best defenses and still be wondering:

• Will our deep-packet inspection, intrusion detection systems and intrusion protection systems defend the network against new threats as they emerge? Or will we be endlessly patching?
• Can we handle denial of service (DoS) attacks? And, during any attack, will our security infrastructure still provide acceptable performance for vital user traffic?
• Do these "best-of-breed" devices work well together? Are their policies synergistic or conflicting?
• Can our spam filters and security systems handle extreme loads? If not, do they fail "open," letting all traffic through unchecked, or "closed," where no traffic gets through?

Finally:

• Can we be confident that, even under extreme operating conditions and attacks, our business will still meet its service level agreements and compliance mandates?

In all but the simplest cases, these questions become too difficult for top-down analysis. The only answer lies in realistic testing to save time, help allocate resources wisely, and ensure peace of mind.

Example benefits
A major US bank has created strict standards for all IT applications and infrastructure elements in its production environment. These standards, as well as manufacturer specifications, are subject to a certification test performed on all IT products being considered for purchase. A new load balancer was being considered, but the bank's in-house test capabilities could not simulate the quite exceptional traffic volumes needed for a comprehensive test, so they employed professional test consultants. Among the tests were: stress and performance testing under different types of traffic loads; assessing the load balancing and security features; validating the traffic handling for various bank applications and verifying the system management capabilities.

The tests verified that the load balancing systems successfully passed their feature tests, but they failed to deliver the maximum performance levels specified by the vendor. However, thanks to the detailed performance level data provided by the tests, the bank was still able to certify the product for the production network.

Another US bank also found that vendors' specifications cannot always be relied on. Their need was to validate performance and locate potential bottlenecks in their new e-commerce infrastructure - a complex, multi-layered system, using new products for load balancing, SSL termination, firewall, and security. The goal behind these tests was to answer the core question: 'What will be the user experience if even ten or twenty thousand users show up?'. Testing provided some surprising insights into potential bottlenecks - the problem was not with the load balancers but the way the SSL terminators allocated TCP connections. More disconcerting was the discovery that the SSL units were performing at only 10% of the vendor's claim. Their test procedures were far beyond the vendor's levels, so they were able to present the data and were given new devices that did meet the requirements at no further cost.

For vendors racing to get a toehold in the highly competitive VoIP market, the key issue is delivering the quality of service (QoS) and reliability that customers expect while providing interoperability with existing systems. A company's reputation - and survival - rests on the quality it delivers. As one New Jersey based company put it: "Our customers are building their businesses based on our products". However, their existing testing capabilities lacked the capacity to fully test their offering, so they invested in a unit that could generate and switch more than 20 million calls per hour as well as automating the entire testing process by offering pre-configured test environments with realistic call patterns, and the flexibility to set up desired call loads and distribution patterns. In addition, its multiprotocol support allows them to verify interoperability and performance as markets expand around the globe. The new device "lets us replicate a variety of customer environments in our lab with a single test system, instead of several" - considerably shortening the QA and testing cycles.

The start of a new academic year is always a period of peak demand on a college's internal networks, systems, and applications. As September approached, the IT staff at one Canadian college of technology & advanced learning were preparing a new version of their Web-based portal, giving students, faculty, and staff easy access to important college information and applications. The previous year they had experienced several outages under load, typically lasting 15 to 20 minutes, which meant the staff couldn't work productively or deliver the quality of service expected by their students. Isolating the root cause was difficult without the ability to reproduce realistic high traffic loads. "A few years ago, we tried stress testing by sending staff out with 1,000 laptops to concurrently access our portal from our two main campuses. There was a significant cost associated with that testing and it was a one-of-a-kind effort. The service demand has grown considerably since then and trying to carry out similar exercises on a larger scale isn't feasible. We also need to be able to run load stress tests on demand, based on dynamic business needs." The college invested in a recommended test product and were able to tune their system prior to launch. September came and there were no outages, and a better level of service all round. A further saving was that the college's help desk received fewer calls thanks to the new portal's reliability. With the new test facility in-house, they were further able to test other systems such as the e-mail infrastructure, directory services and other mission-critical applications - as well as enabling load and stress testing when evaluating potential new equipment. This helps reduce costly mistakes by gaining a more complete picture of a product's suitability.

Another financial example is of a credit card company that used similar test equipment to increase its testing capability ten-fold using fewer staff and less specialist skills for creating tests. As well as simplifying ongoing performance testing, they too can now generate comprehensive test data to support purchasing decisions. A European service provider preparing for significant growth in online traffic were able to upgrade their network to meet SLA requirements cost-effectively as well as controlling maintenance costs. Not only could emerging high bandwidth and latency sensitive applications be reliably incorporated into the upgraded network, the company enjoyed an immediate payback - an estimated 1.3x ROI based on hardware cost savings alone.

The route to optimal security
When planning a new project or major upgrade, don't wait until your project has already begun, or worse, delay the decision to put it to the test until you are already behind schedule. Whether you decide to do all your tests in-house, or to call in the expertise of a professional test consultant, you should plan your strategy well in advance.

To summarise the steps to optimal security at minimal cost, just remember these five Ds:

• Discover: Gather data on compliance, SLA performance and other requirements, and conduct a gap analysis
• Define: Create your Statement of Work; present the roadmap, detail your resources and estimate the likely ROI
• Develop: Develop test cases, write test scripts and develop the necessary code
• Deliver: Deploy test engineers, manage the test projects, run tests and report results

Debrief: Refine the service optimization in the light of results so far, check against rel customer needs, and make sure expectations are being met.

Spirent Communications plc is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th - 30th April in its new venue Earl's Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk