
Rethink Deep Packet Inspection (DPI) Testing

Rethink Deep Packet Inspection Testing

A Methodology to measure the performance, security, and stability of deep packet inspection (DPI) devices under realistic conditions
2005 - 2010. BreakingPoint Systems, Inc. All rights reserved. The BreakingPoint logo is a trademark of BreakingPoint Systems, Inc. All other trademarks are the property of their respective owners. 1


Table of Contents
Introduction
Maximum Performance
Maximum Performance Using Jumbo Frames
Maximum TCP Connection Rate
Maximum Concurrent TCP Connections
Strike Mitigation
Strikes Blocking with IP Fragmentation
SYN Flood
Inappropriate Content Filtering
Spam Email Blocking
Suspicious Content Detection
Webmail Phrase Detection
About BreakingPoint

Introduction

Deep Packet Inspection (DPI) functionality enables network devices such as content-aware switches and routers, next-generation firewalls, intrusion prevention systems (IPS), and application delivery controllers to inspect and take action based on the content and context of packets as they travel across the network. DPI functionality goes well beyond the protocol header into data protocol structures and the actual payload of the message. This allows DPI-capable devices to identify and classify traffic, providing a granular level of packet inspection to help mitigate buffer overflow attacks, Denial of Service (DoS) attacks, intrusions, worms and even spam. DPI technology also enables solutions such as metering to ensure quality of service, lawful intercept of information and data leak prevention.

DPI has become a mainstream technology and something that businesses and individuals traversing networks come across, albeit unintentionally, every day. One of the more high-profile uses of DPI involves service providers who leverage DPI to ensure quality of service to customers in the face of an explosion of peer-to-peer (P2P) traffic. Using DPI technology, service providers better manage bandwidth in real time, allowing for nonessential services such as P2P file sharing applications while giving priority to essential services during peak times.

Since DPI plays such an important role in providing increased network security, tiered Internet services and data loss prevention, the ability to test DPI functionality is critical. The following BreakingPoint Deep Packet Inspection Resiliency Methodology demonstrates how to create realistic global network simulations in order to properly verify the DPI capabilities of your device. Performing this series of tests using the BreakingPoint Storm CTM on a DPI device will help determine the device's actual abilities under different circumstances. For example, the DPI device may perform as expected under a light traffic load but, when under a higher load, perform at a fraction of its stated ability. Performing these tests will help you better understand the impact of different scenarios and the reasons behind the results.

Realism is key in network simulation; therefore, we recommend that the test environment emulate the deployment environment as closely as possible. Directly connected devices such as routers, switches and firewalls impact packet loss, latency and data integrity. Additionally, the number of advertised host IP and MAC addresses, VLAN tagging and NAT can also affect the performance of the DPI device. If it is not feasible to recreate the deployment environment, we recommend connecting the BreakingPoint Storm CTM directly to the device under test (DUT). Regardless of how your deployment environment is set up, be certain that all DPI devices and builds that are under evaluation use the same test environment to ensure consistent results.

Recommended tests included in the methodology:

Maximum Performance: This test will validate the throughput performance the DPI device is able to handle when it does not have to inspect each packet's content. The overall throughput that the DPI device is able to support will be determined.

Maximum Performance Using Jumbo Frames: This test will validate the throughput performance the DPI device is able to handle when it does not have to inspect the contents of each jumbo frame. The overall throughput that the DPI device is able to support will be determined.

Maximum TCP Connection Rate: This test will validate DPI device performance by using only good traffic without requiring the DPI device to inspect each packet. Various TCP metrics will be analyzed to determine how a greater number of TCP connections per second affects the time it takes to establish a new TCP connection.

Maximum Concurrent TCP Connections: This test will validate the DPI device performance by using only good traffic and without requiring the DPI device to inspect each packet. Various TCP metrics will be analyzed to determine how a greater number of TCP connections affects the time it takes to establish a new TCP connection.

Strike Mitigation: This test validates the ability of the DPI device to remain stable while vulnerabilities, worms and backdoors are transmitted. To perform this test, an Attack Series will be used that includes high-risk vulnerabilities, worms and backdoors. The number of attacks blocked by the DPI device will be determined, as well as the number of attacks that were able to pass through.

Strike Blocking with IP Fragmentation: This test is identical to the Strike Mitigation test, except that IP fragmentation will be utilized as an evasion technique.

SYN Flood: This test determines how the DPI device performs when subjected to a SYN flood. The device should be able to detect and block the SYN flood.

Inappropriate Content Filtering: This will test the DPI unit's ability to recognize and block any session that contains inappropriate material. A major part of DPI functionality is the ability to filter content that is either harmful or not supposed to be on the network. The ability to filter out packets that contain blacklisted words is a major part of DPI.

Spam Email Blocking: This test will determine the DPI device's ability to recognize and block spam emails. With the growing amount of spam email on today's networks, it is important to limit the number of spam emails that are able to reach an inbox. Another part of DPI is the ability to recognize and block spam emails.

Suspicious Content Detection: This test will help determine the DPI device's ability to recognize, record and audit any suspicious content seen. Not all content is harmful to the network, but some could be suspicious in its contents.

Webmail Phrase Detection: This test will determine the DPI device's ability to inspect and record any Webmail emails that have either keywords or a key phrase in the message. With more and more people using Web-based email products, it is important to be able to inspect the contents of the emails being sent because they could contain information that should not be made public.

Maximum Performance
RFC:
RFC 768 User Datagram Protocol
RFC 791 Internet Protocol
RFC 793 Transmission Control Protocol
RFC 2068 Hypertext Transfer Protocol

Overview: This test will use the Application Simulator test component and make use of a Max Bandwidth preset. The preset uses the BreakingPoint Bandwidth Application Profile that attempts to achieve the maximum transmission rate using both HTTP and P2P traffic.

Objective: Test the maximum bandwidth in terms of Mbps (Megabits per second) that the DUT can pass through using real application traffic.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Control Center > Network Neighborhood.


5. Under the Network Neighborhoods heading, click the Create a new network neighborhood button.

6. In the Give the new network neighborhood a name box, enter DPI Tests as the name. Click OK.


7. Four interface tabs are available for configuration. Only two are required for the tests. Click the X to delete Interface 1. When prompted about removing the interface, click Yes. The remaining interfaces will be renamed. Repeat this process until only two interfaces remain.

8. With Interface 1 selected, configure the Network IP Address, Netmask, Gateway IP Address, Router IP Address, Minimum IP Address and Maximum IP Address. Click Apply Changes.


9. Select the Interface 2 tab. Configure the Network IP Address, Netmask and Gateway IP Address. Using the Type dropdown menu, select Host. Configure the Minimum IP Address and the Maximum IP Address. Click Apply Changes and then click Save Network.

10. Now that the Network Neighborhood has been created, you can configure the test. Select Test > New Test.

11. Click Select the DUT/Network under the Test Quick Steps menu.

12. In the Choose a device under test and network neighborhood window, under the Device Under Test(s) section, verify that BreakingPoint Default is selected, and that under Network Neighborhood(s), the newly created one is selected. Click Accept.

13. When prompted about switching Network Neighborhoods because the new test setup has fewer interfaces, click Yes.

14. Select Add a Test Component from the Test Quick Steps menu.

15. Select Application Simulator (L7) from the Select a component type window.

16. The Information tab should already be selected. Enter Max Bandwidth as the name and click Apply Changes.

17. Select the Interfaces tab. Verify that Interface 1 Client and Interface 2 Server are enabled.

18. Select the Presets tab and choose the 1Gbps Max Bandwidth option. Click Apply Changes.

19. Select the Parameters tab. Make any required changes to the parameters to match your device's ability. For example, the Minimum data rate might need to be changed. If any changes are made, make sure to click Apply Changes.

20. Click Edit Description to edit the test description in the Test Information section.

21. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.

22. In the Test Quick Steps menu, click Save and Run.

23. When prompted to Save Test As, enter DPI Max Bandwidth as the name and click Save.

24. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP, and Ethernet statistics in a tabular form.

25. Select the TCP tab. This tab displays the number of both attempted and successful TCP connections.

26. When the test is completed, a window appears stating that the test passed. Click Close.

27. Click the View the report button. This provides more detailed results in your browser.

28. Expand the Test Results for Max Bandwidth section. Next, expand the Details folder. Select the Frame Data Rate result view. Using the chart and the graph, determine the maximum bandwidth the DUT is able to handle.

Variations of this test that can be run include:
- Step both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10% until 80% has been reached.
- Use different presets, such as the Service Provider App or a custom application profile.
- Increase the duration of the test time.

Maximum Performance Using Jumbo Frames

RFC:
RFC 768 User Datagram Protocol
RFC 791 Internet Protocol
RFC 793 Transmission Control Protocol
RFC 894 A Standard for the Transmission of IP Datagrams over Ethernet
RFC 2068 Hypertext Transfer Protocol

Overview: This test will use the Application Simulator test component and make use of a Max Bandwidth preset. The preset uses the BreakingPoint Bandwidth Application Profile that attempts to achieve the maximum transmission rate using both HTTP and P2P traffic.

Objective: Test the maximum bandwidth in terms of Mbps (Megabits per second) that the DUT can pass through using real state data and jumbo frames.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > Open Recent > DPI Max Bandwidth.


5. Click Save Test As.

6. When prompted to Save Test As, enter DPI Performance Jumbo Frames as the name. Click Save.

7. Select the Parameters tab. Locate the TCP Configuration Maximum Segment Size parameter and enter a value of 4096. Click Apply Changes.


8. If desired, edit the test description in the Test Information section.

9. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.

10. Under the Test Quick Steps menu, click Save and Run.

11. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP, and Ethernet statistics in a tabular form.

12. Select the TCP tab. This will display the number of both attempted and successful TCP connections.

13. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.

14. Click the View the report button. This will open up more detailed results in your browser.

15. Expand Test Results for Max Bandwidth and then expand the Detail folder. Select the Frame Data Rate result view. Using the chart and the graph, determine the maximum bandwidth the DUT is able to handle.

Variations of this test that can be run include:
- Step both Maximum Simultaneous Sessions and Maximum Sessions per Second by 10% until 80% has been reached.
- Use different presets, such as the Service Provider App or a custom application profile.
- Increase the duration of the test time.

Maximum TCP Connection Rate

RFC: RFC 793 Transmission Control Protocol

Overview: This test will utilize an Application Simulator. The Application Simulator will be configured with the Service Provider Apps preset. The Service Provider Apps preset contains HTTP, different Mail protocols, P2P and FTP traffic. This test will determine the maximum TCP connections per second using a stepping technique and values that match the DUT's (Device Under Test) ability.

Objective: Test the maximum peak rate of new connections that the DUT can handle using real stateful application traffic.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under the Test Quick Steps menu, click Select the DUT/Network.


6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Under the Test Quick Steps menu, click Add a Test Component.


9. Select Application Simulator (L7) from the Select a component type window.

10. The Information tab should already be selected. Enter Max TCP Connection Rate as the name and click Apply Changes.

11. Select the Presets tab. Select Service Provider Apps as the component preset and click Apply Changes.

12. Select the Parameters tab. Several different parameters will be changed in this section. Change these parameters to match your DUT's ability. First, change the Minimum data rate to 100% of the DUT's ability. Click Apply.

13. Next, change the Ramp Up Seconds in the Session Ramp Distribution section to 25 and click Apply.

14. In the Ramp Up Profile, several parameters will be changed. You may need to scroll in order to change each one of them. First, use the Ramp Up Profile Type drop-down menu and select Stair Step. For the Minimum Connection Rate, enter a value that is 10% of the DUT's stated maximum connection rate. Enter the DUT's stated maximum connection rate for the Maximum Connection Rate. Again, enter 10% of the DUT's stated maximum connection rate for the Increment N connections per second parameter, and a value of 1 for Every N seconds. Once completed, click Apply Changes.

15. In the Session Configuration section, enter 7500000 as the Maximum Simultaneous Sessions and the DUT's stated maximum connection rate in the Maximum Sessions Per Second. Click Apply Changes.

16. If desired, edit the test Description in the Test Information section.

17. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.

18. Under the Test Quick Steps menu, click Save and Run.

19. When prompted for a name to Save Test As, enter DPI Max TCP Rate and click Save.

20. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP, and Ethernet statistics in a tabular form.

21. Select the TCP tab. This will display the number of both attempted and successful TCP connections.

22. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.

23. When the test is completed, click the View the report button.

24. Expand Test Results for Maximum TCP Connection Rate folder and select TCP Setup Time. Because shorter TCP setup times allow the DUT to respond quickly and handle incoming connection requests, they are preferable to longer TCP setup times.

25. Next, select TCP Response Time. Because shorter response times allow the DUT to respond quickly to requests and continue normal operation, they are preferable to longer response times.

26. Select Frame Latency Summary. Smaller frame latency measurements mean the frames are arriving quickly without much delay through the device.

27. Expand the Detail folder. Select TCP Connection Rate from the list of available results. Using the graph and the table, determine the maximum TCP connection rate the DUT is able to handle.

Other tests can also be performed. The following are some examples that can be run:
- Vary the TCP Segment size.
- Change the Distribution type to random.
- Change the TCP Session Duration (segments).
- Increase the test time for a longer test.

Maximum Concurrent TCP Connections

RFC: RFC 793 Transmission Control Protocol

Overview: This test is very similar to the previous test configuration, though a calculated Ramp Up Profile will be used. Also, the results from the Maximum TCP Connection Rate test will be used in the Maximum Sessions Per Second parameter.

Objective: Test the maximum number of established TCP connections the DUT could hold using real stateful application traffic.

Setup:


1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.


3. Reserve the required ports to run the test.

4. Select Test > Open Recent > DPI Max TCP Rate.


5. Click Save Test As.

6. When prompted for a name to save the test as, enter Max Concurrent TCP Connections and click Save.

7. Under the Information tab, change the name to Max TCP Connections and click Apply Changes.


8. Select the Parameters tab. Several parameters will be changed in this section. First, using the Ramp Up Profile Type drop-down menu, change the value to Calculated in the Ramp Up Profile section. Click Apply Changes.

9. Next, in the Session Configuration section, change the Maximum Simultaneous Sessions to the maximum the DUT is expected to be able to reach. Also, change the Maximum Sessions Per Second to the rate determined by the DPI Max TCP Rate test. Click Apply Changes.

10. The next parameter to be changed is the Ramp Up Seconds in the Session Ramp Distribution section. This is a calculated value: divide the Maximum Simultaneous Sessions by the Maximum Sessions Per Second and always round up to the next whole second. Click Apply Changes.

11. If desired, edit the test description in the Test Information section.

12. Verify that the Test Status has a green checkmark. If it does not, click Test Status and make the required changes.

13. Under the Test Quick Steps menu, click Save and Run.

14. The Summary tab initially will be displayed once the test starts. The Summary tab displays multiple application, TCP and Ethernet statistics in a tabular form.

15. Select the TCP tab. This will display the number of both attempted and successful TCP connections.

16. When the test is completed, a window will appear stating whether the test passed or failed. Click Close.

17. When the test is completed, click the View the report button.

18. Expand the Test Results for Max TCP Connections folder and select TCP Setup Time. Short TCP setup times are preferred because they allow the DUT to react quickly and handle incoming connection requests better than longer TCP setup times do.

19. Next, select TCP Response Time. Shorter response times allow the DUT to respond quickly to requests and continue normal operation.

20. Select Frame Latency Summary. Short frame latency measurements indicate that the frames are arriving quickly without much delay through the device.

21. Expand the Detail folder. Select TCP Concurrent Connections from the list. Using the table and the graph, determine the maximum number of concurrent TCP connections that the DUT is able to handle.

Other tests can also be performed. The following are some examples that can be run: Vary the TCP Segment size. Change the Distribution type to random. Change the TCP Session Duration (segments). Increase the test time for a longer test.

Strike Mitigation

RFC: RFC 768 User Datagram Protocol; RFC 791 Internet Protocol; RFC 793 Transmission Control Protocol

Overview: It is important to evaluate how malicious traffic will affect the performance of the DUT. A Security test component will be used in this test. Five default attack series are available to use, but during this test only Security Level 1 will be used. Security Level 1 includes high-risk vulnerabilities in services often exposed to the Internet.

Objective: Test the DUT's ability to recognize and block malicious traffic.

Setup:
1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under the Test Quick Steps menu, click Select the DUT/Network.

6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Next, under the Test Quick Steps menu, click Add a Test Component.

9. Select the Security component from the Select a component type window.

10. Under the Information tab, enter Strike Detection as the name and click Apply Changes.

11. Select the Presets tab and then select Security Level 1. Click Apply Changes.

12. If desired, edit the test description under the Test Information section.

13. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the required changes.

14. Under the Test Quick Steps menu, click Save and Run.

15. When prompted, enter DPI Strike Detection as a name and click Save.

16. Once the test starts to run, select the Attacks tab. This will display information about how many attacks could be blocked and how many were actually able to pass through the DUT.

17. When the test is completed, a window will appear stating that the test failed because malicious traffic was able to pass through the DUT. Click Close.

18. Click the View the report button to view detailed results in a browser window.

19. Expand Test Results for Strike Detection and select Strike Results. Determine the number of strikes that were successfully blocked and the number that could be transmitted through the DUT.

Variations of this test that can be run include: Increase the test length for a longer Malicious Traffic Attack. Change the Security Level. Use a different random seed.

Strikes Blocking with IP Fragmentation

RFC: RFC 768 User Datagram Protocol; RFC 791 Internet Protocol; RFC 793 Transmission Control Protocol

Overview: This closely resembles the Strike Blocking test, except that the IP packets will be fragmented to determine how the DUT handles malicious traffic that arrives in fragmented packets.

Objective: Test the DUT's ability to recognize and block malicious traffic with fragmentation on IP packets.

Setup:
1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Test > Open Recent Tests > DPI Strike Detection.

5. Click Save Test As.

6. Enter DPI Strike Detection Fragmentation as the name and click Save.

7. Select the Overrides tab. In the IP section, locate MaxFragSize and enter a value less than 46. Click Apply Changes.

8. If desired, edit the test Description under the Test Information section.

9. Verify that the Test Status contains a green checkmark. If it does not, click Test Status and make the required changes.

10. Under the Test Quick Steps menu, click Save and Run.

11. Once the test starts to run, select the Attacks tab. This will display the number of attacks that were successfully blocked and the number of attacks that were able to successfully pass through the DUT.

12. Once the test is completed, a window will appear stating that the test failed because malicious traffic was able to pass through the DUT. Click Close.

13. Click the View the report button. A window with detailed results will open.

14. Expand Test Results for Strike Detection and select Strike Results. Determine the number of strikes that were blocked and the number of strikes that were able to pass through the DUT. Using the results from the previous test, determine whether fragmentation made any difference.

Variations of this test that can be run include: Increase the test length for a longer Malicious Traffic Attack. Change the Security Level. Use a different random seed.
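
Why fragmentation can change the Strike Results: the sketch below is an added example, not BreakingPoint code, that splits a constructed payload into IPv4-style fragments and compares per-packet signature matching with matching after reassembly, which is what the DUT must do to keep its block rate. It assumes MaxFragSize means the maximum data bytes per fragment; the marker string, payload and class names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed, harmless stand-in for the byte pattern a DPI signature looks for.
SIGNATURE = b"EXAMPLE-STRIKE-MARKER"
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nX-Test: " + SIGNATURE + b"\r\n\r\n"


@dataclass(frozen=True)
class Fragment:
    ident: int    # IPv4 Identification, shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's data in the original payload
    more: bool    # More Fragments (MF) flag
    data: bytes


def fragment(ident, payload, max_frag_size):
    """Split payload as RFC 791 requires: every fragment except the last
    carries a multiple of 8 data bytes (assumed meaning of MaxFragSize)."""
    step = (max_frag_size // 8) * 8
    if step < 8:
        raise ValueError("max_frag_size must allow at least 8 data bytes")
    return [Fragment(ident, off, off + step < len(payload), payload[off:off + step])
            for off in range(0, len(payload), step)]


def per_fragment_match(frags, signature=SIGNATURE):
    """Naive inspection: look for the signature in each packet on its own."""
    return any(signature in f.data for f in frags)


class Reassembler:
    """Buffers fragments per datagram and releases the payload once complete."""

    def __init__(self):
        self._parts = {}   # ident -> {offset: data}
        self._total = {}   # ident -> payload length, known once MF=0 arrives

    def _drop(self, ident):
        self._parts.pop(ident, None)
        self._total.pop(ident, None)

    def add(self, frag):
        parts = self._parts.setdefault(frag.ident, {})
        end = frag.offset + len(frag.data)
        for off, data in parts.items():
            if frag.offset < off + len(data) and off < end:
                if (off, data) == (frag.offset, frag.data):
                    return None            # exact retransmission, ignore
                # Any other overlap: end hosts differ on which copy wins, so
                # the safe policy for an inline device is to drop the datagram.
                self._drop(frag.ident)
                raise ValueError("overlapping fragments")
        parts[frag.offset] = frag.data
        if not frag.more:
            self._total[frag.ident] = end
        return self._complete(frag.ident)

    def _complete(self, ident):
        total = self._total.get(ident)
        if total is None:
            return None                    # last fragment not seen yet
        payload = bytearray()
        for off in sorted(self._parts[ident]):
            if off != len(payload):
                return None                # hole: a fragment is still missing
            payload += self._parts[ident][off]
        if len(payload) != total:
            return None
        self._drop(ident)
        return bytes(payload)


def reassembled_match(frags, signature=SIGNATURE):
    """Inspection after reassembly; fragments may arrive in any order."""
    r = Reassembler()
    for f in frags:
        payload = r.add(f)
        if payload is not None:
            return signature in payload
    return False


if __name__ == "__main__":
    frags = fragment(0x1234, SAMPLE_PAYLOAD, 45)   # 45 satisfies "less than 46"
    print("fragments:", [(f.offset, len(f.data), f.more) for f in frags])
    print("per-fragment match:", per_fragment_match(frags))
    print("reassembled match :", reassembled_match(frags[::-1]))
```

A DUT that blocks fewer strikes in this test than in the unfragmented run is most likely matching per packet or reassembling with a policy that differs from the end host's.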

SYN Flood

RFC: RFC 793 Transmission Control Protocol; RFC 4987 TCP SYN Flooding Attacks and Common Mitigations

Overview: A SYN Flood occurs when a client starts a TCP connection but never sends the ACK, and keeps trying to initiate new TCP connections. This can be harmful to a DPI device, as it has to provide resources for each TCP connection request. The DPI device likely has the ability to detect and mitigate the SYN Flood. A Session Sender test component will be used to create a SYN Flood.

Objective: Test the ability of the DUT to recognize and block SYN Flood attacks.

Setup:
1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Test > New Test.

5. Under the Test Quick Steps section, click Select the DUT/Network.

6. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

7. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

8. Under the Test Quick Steps section, click Add a Test Component.

9. Select Session Sender (L4) from the Select a component type window.

10. Under the Information tab, change the name to SYN Flood and click Apply Changes.

11. Select the Presets tab and locate the 1Gbps SYN Flood. Click Apply Changes.

12. Select the Parameters tab. Several changes will be made in this section. The first one, if needed, is to change the Minimum data rate to what is supported by the DUT. Click Apply Changes once completed.

13. Next, two parameters in the Session Configuration section need to be changed. The first one is the Maximum Simultaneous Sessions. This needs to be set to the number of concurrent connections supported by the DUT (this is the result from the Maximum Concurrent TCP Connections test). The second parameter that needs to be changed is Maximum Sessions Per Second (this is the result from the Maximum TCP Connection Rate test). Click Apply Changes.

14. If desired, edit the test description under the Test Information section.

15. Verify that the Test Status has a green checkmark next to it. If it does not, click Test Status and make the required changes.

16. Under the Test Quick Steps menu, click Save and Run.

17. When prompted for a name to save the test as, enter DPI SYN Flood Detection and click Save.

18. The Summary tab will automatically be displayed when the test starts. This tab displays a great deal of information about TCP. As can be seen in the TCP Connection Rate section, the SYN flood is trying to establish a connection but the connection is not actually created.

19. Select the TCP tab. This will display information about the number of TCP Connections per Second. Again, clients are attempting to connect but are not actually successful.

20. Once the test is completed, a window will appear stating that the test passed. Click Close.

21. Click the View the report button. This will open a new browser window with detailed results.

22. Expand Test Results for SYN Flood and select TCP Summary. Verify that there are no Client established or Server established values.

Other test variations can be run. One variation is to increase the test length for a longer SYN Attack.
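
What "attempted but never established" looks like to a stateful device: the following added example, not part of the BreakingPoint product, tracks three-way handshakes over constructed packet records, ages out half-open entries, and raises an alert when the half-open table crosses a threshold. The timeout, threshold, addresses (RFC 5737 documentation ranges) and class names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SERVER = ("192.0.2.10", 80)    # constructed address from a documentation range


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


class HandshakeTracker:
    """Counts half-open and established connections; packets are fed in time order."""

    def __init__(self, half_open_timeout=3.0, max_half_open=100):
        self.timeout = half_open_timeout      # assumed SYN-RECEIVED lifetime
        self.max_half_open = max_half_open    # assumed alert threshold
        self.half_open = {}   # (client, cport, server, sport) -> [syn_ts, synack_seen]
        self.syn_seen = self.established = self.expired = self.peak = 0
        self.flooding = False
        self.alerts = []      # (ts, half_open_count) at each threshold crossing

    def _expire(self, now):
        # dicts keep insertion order, so the oldest SYN is always first
        while self.half_open:
            key = next(iter(self.half_open))
            if now - self.half_open[key][0] < self.timeout:
                break
            del self.half_open[key]
            self.expired += 1
        if len(self.half_open) <= self.max_half_open:
            self.flooding = False

    def feed(self, p):
        self._expire(p.ts)
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.syn_seen += 1
            self.half_open.setdefault(fwd, [p.ts, False])  # retransmit keeps first ts
            self.peak = max(self.peak, len(self.half_open))
            if len(self.half_open) > self.max_half_open and not self.flooding:
                self.flooding = True
                self.alerts.append((p.ts, len(self.half_open)))
        elif p.flags == "SA" and rev in self.half_open:
            self.half_open[rev][1] = True
        elif p.flags == "A" and fwd in self.half_open and self.half_open[fwd][1]:
            del self.half_open[fwd]            # handshake completed
            self.established += 1
        elif p.flags == "R":
            self.half_open.pop(fwd, None)
            self.half_open.pop(rev, None)

    def summary(self):
        return {"syn_seen": self.syn_seen, "established": self.established,
                "half_open": len(self.half_open), "peak_half_open": self.peak,
                "expired": self.expired, "alerts": len(self.alerts)}


def legit_handshakes(n, start=0.0):
    """Constructed sample: n clients that complete the three-way handshake."""
    pkts = []
    for i in range(n):
        c, cp, t = "203.0.113.5", 40000 + i, start + i * 0.1
        pkts += [Pkt(t, c, cp, *SERVER, "S"),
                 Pkt(t + 0.01, *SERVER, c, cp, "SA"),
                 Pkt(t + 0.02, c, cp, *SERVER, "A")]
    return pkts


def syn_only(n, start=1.0):
    """Constructed sample: n SYNs that are never followed by an ACK."""
    return [Pkt(start + i * 0.001, f"198.51.100.{i % 250 + 1}", 1024 + i, *SERVER, "S")
            for i in range(n)]


def run(pkts, **kw):
    tracker = HandshakeTracker(**kw)
    for p in sorted(pkts, key=lambda p: p.ts):
        tracker.feed(p)
    return tracker.summary()


if __name__ == "__main__":
    print("flood only :", run(syn_only(500)))
    print("legit only :", run(legit_handshakes(3)))
```

The flood-only summary shows 500 attempts and zero established connections, the same shape step 22 asks you to confirm in the TCP Summary.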

Inappropriate Content Filtering

RFC: RFC 768 User Datagram Protocol; RFC 791 Internet Protocol; RFC 793 Transmission Control Protocol

Overview: It is important to determine and evaluate how the DUT is able to handle inappropriate content. Also, it is important to determine how the DUT's performance is affected while having to perform content filtering. A new Super Flow will be created that will contain some type of inappropriate content. This Super Flow will then be added to an Application Profile. The BreakingPoint Application Simulator test component will be used to transmit the newly created application profile.

Objective: Test the ability of the DUT to recognize and block sessions containing inappropriate material.

Setup:
1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.

5. Select the Super Flows tab and locate the BreakingPoint HTTP Text from the list. Click Save As.

6. When prompted for a name, enter HTTP Inappropriate and click OK.

7. In the Define Actions section, locate the Server: Response 200 (OK) action. Click the Edit the selected action parameter button.

8. Enable the String for response data section and enter the inappropriate terms or phrases in the String for response data field.

9. Select Save Super Flow.

10. Select the App Profiles tab and click the Create a new application profile button.

11. When prompted for a name, enter DPI HTTP Inappropriate and click OK.

12. Locate the newly created Super Flow in the list of Available Super Flows. Click the Add the super flow to the profile button.

13. Locate the BreakingPoint HTTP Text Super Flow and click the Add the Super Flow to the profile button.

14. Verify that both Super Flows have a weight of 100 and click Save App Profile.

15. Select Test > New Test.

16. Under the Test Quick Steps section, click Select the DUT/Network.

17. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

18. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

19. Under the Test Quick Steps menu, click Add a Test Component.

20. Select Application Simulator (L7) from the Select a component type window.

21. The Information tab should already be selected. Enter Inappropriate Content for the name and click Apply Changes.

22. Select the Parameters tab. Several parameters in this section will need to be changed. First verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

23. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI HTTP Inappropriate application profile and click Apply Changes.

24. If desired, in the Test Information section, edit the test description.

25. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed changes.

26. Under the Test Quick Steps menu, click Save and Run.

27. Enter DPI Inappropriate Content when prompted for a name. Click Save.

28. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

29. Select the Application tab. This will display real-time information about the application flows that are being transmitted.

30. When the test is completed, a window will appear stating that the test failed. Click Close.

31. Select the View the report button. This will open a more detailed result view in a browser window.

32. Expand Test Results for Inappropriate Content and select App Summary. This will provide a great deal of information about all of the applications from bytes transmitted to bytes received to details about failures. Since half of the content should be blocked because it is inappropriate, the Application attempted value should be about twice the value of the Application successes.

33. Log in to the DUT and view the different counters to determine if the DUT was successfully blocking the inappropriate content.

Variations of this test that can be run include: Increase the test length for a longer run time. Try different inappropriate key words. Try a larger number of inappropriate key words.

Spam Email Blocking

RFC: RFC 768 User Datagram Protocol; RFC 791 Internet Protocol; RFC 793 Transmission Control Protocol

Overview: It is important to determine and evaluate how the DUT is able to handle spam email. Also, it is important to determine how the DUT's performance is affected while having to block spam email. A new Super Flow will be created that will contain a spam email. This Super Flow will then be added to an application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the DUT's ability to block spam email.

Objective: Test the ability of the DUT to recognize and block sessions containing spam email.

Setup:
1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.

5. Select the Super Flows tab and locate the BreakingPoint SMTP Email from the list. Click Save As.

6. When prompted, enter DPI SMTP Spam as the name and click OK.

7. In the Step 3 Define Actions section, locate Client: Send Email. Click the Edit the selected action parameter button.

8. Enter an email address in the Protocol FROM Username field. Enter a different email address in the Protocol RCPT Username field. Next, scroll down and locate the Subject field. Enter Receive 15% off Gold Watches as the Subject. Finally, enable the Attachment Data field and click Import Attachment Data. You can upload the content into the Web browser that launches.

9. Click the Choose File button to browse your file system to locate spam email text.

10. Once the spam email has been located in your file system, click Upload.

11. Wait until the file is uploaded successfully, then close the browser window.

12. Using the Attachment Data drop-down menu, select the newly uploaded file and click Apply Changes.

13. Click Save Super Flow.

14. Select the App Profiles tab and click the Create a new application profile button.

15. When prompted, enter DPI Spam Email Content as a name and click OK.

16. From the Available Super Flows list, locate the newly created Super Flow and click the Add the Super Flow to the profile button.

17. Again, from the Available Super Flows list, locate the BreakingPoint SMTP Email Super Flow and click the Add the Super Flow to the profile button.

18. Verify that each Super Flow has a weight of 100 and click Save App Profile.

19. Select Test > New Test.

20. Under the Test Quick Steps menu, click Select the DUT/Network.

21. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

22. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

23. Under the Test Quick Steps menu, click Add a Test Component.

24. Select Application Simulator (L7) from the Select a component type window.

25. The Information tab should already be selected. Enter Spam Email Content for the name and click Apply Changes.

26. Select the Parameters tab. Several parameters in this section will need to be changed. First verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

27. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Spam Email Content application profile and click Apply Changes.

28. If desired, in the Test Information section, edit the test description.

29. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed changes.

30. Under the Test Quick Steps section, click Save and Run.

31. Enter DPI Spam Email when prompted for a name. Click Save.

32. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

33. Select the Application tab. This will display real-time information about the application flows that are being transmitted.

34. When the test is completed, a window will appear stating that the test failed. Click Close.

35. Select the View the report button. This will open a more detailed result view in a browser window.

36. Expand Test Results for Spam Email Content and select App Summary. This will provide a great deal of information about all of the applications including bytes transmitted, bytes received and details about failures. Since half of the content should be blocked because it is inappropriate, the Application attempted value should be about twice the value of the Application successes.

37. Log in to the DUT and view the different counters to determine if the DUT was successfully blocking the SPAM email.

Variations of this test that can be run include:
- Increase the test length for a longer run time.
- Try different spam emails.
- Try a larger number of spam emails to determine if all are blocked.

Suspicious Content Detection

RFC:
- RFC 768 User Datagram Protocol
- RFC 791 Internet Protocol
- RFC 793 Transmission Control Protocol

Overview: It is important to determine and evaluate how the DUT handles the detection of suspicious content. It is also important to determine how the DUT's performance is affected while it performs suspicious content detection. A new Super Flow will be created that uses a database protocol to simulate a credit card request by querying the database. This Super Flow will then be added to an application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the DUT's ability to detect suspicious content.

Objective: Test the ability of the DUT to record and audit suspicious content.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.

5. Select the Super Flows tab and locate BreakingPoint DB2 Database from the list. Click Save As.

6. When prompted for a name, enter DPI DB Credit and click OK.

7. Make sure the second item is selected under the Define Flows section and also select the Client: SQL Query in the Define Actions section. Click the Edit the selected action parameters button.

8. In the SQL Query field, enter a specific query that will be tracked by the DUT. The query content should be defined according to the DUT's policy and detection model. A good example to use is: SELECT* from credit_card_table. Click Apply Changes.

9. Click Save Super Flow.

10. Select the App Profiles tab and click the Create a new application profile button.

11. When prompted, enter DPI Suspicious as the name and click OK.

12. Locate the newly created Super Flow in the Available Super Flows list and click the Add the Super Flow to the profile button.

13. Next, locate the BreakingPoint DB2 Database Super Flow in the Available Super Flows list and click the Add the Super Flow to the profile button.

14. Verify that both Super Flows have a weight of 100 and click Save App Profile.

15. Select Test > New Test.

16. Under the Test Quick Steps section, click Select the DUT/Network.

17. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

18. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

19. Under the Test Quick Steps menu, click Add a Test Component.

20. Select Application Simulator (L7) from the Select a component type window.

21. The Information tab should already be selected. Enter Suspicious Content for the name and click Apply Changes.

22. Select the Parameters tab. Some parameters in this section will need to be changed. First, verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

23. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Suspicious application profile and click Apply Changes.

24. If desired, in the Test Information section, edit the test description.

25. Verify that the Test Status has a green checkmark next to it. If it does not, click on Test Status and make the needed changes.

26. Under the Test Quick Steps menu, click Save and Run.


27. Enter DPI Suspicious Content when prompted for a name. Click Save.

28. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

29. Select the Application tab. This will display real-time information about the application flows that are being transmitted.



30. When the test finishes, a window will appear stating that the test failed. Click Close.

31. Select the View the report button. This will open a more detailed result view in a browser window.

32. Expand Test Results for Suspicious Content and select App Summary. This will provide a great deal of information about all the applications from bytes transmitted to bytes received to details about failures. Since half of the content should be blocked because it is inappropriate, the Application attempted value should be about twice the value of the Application successes.

33. Log in to the DUT and view the different counters to determine if the DUT was successfully blocking the suspicious content.

Variations of this test that can be run include:
- Increase the test length for a longer run time.
- Try different suspicious elements (i.e., different protocols).
- Try a larger number of suspicious elements.
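The SQL Query step above leaves the query wording to the DUT's policy and detection model. The following added example (not BreakingPoint or DUT vendor code) compares a literal signature for the page's example query with a matcher that normalises case, whitespace and comments and extracts the tables a SELECT reads. It assumes the SQL text appears as ASCII in the reassembled payload; every function name and sample payload is constructed, and the framing bytes in one sample are arbitrary, not a DB2 wire capture.

```python
import re

# Table the DUT policy audits; the name is taken from the page's example query.
WATCHED_TABLES = {b"credit_card_table"}
# The example query exactly as the page gives it, used as a literal byte signature.
LITERAL_SIGNATURE = b"SELECT* from credit_card_table"

_COMMENT = re.compile(rb"/\*.*?\*/|--[^\r\n]*", re.S)
_WS = re.compile(rb"\s+")
# Text after FROM/JOIN up to the next clause keyword, ';' or end of payload.
_SOURCES = re.compile(
    rb"\b(?:from|join)\b\s*(.+?)"
    rb"(?=\s(?:where|join|inner|left|right|on|group|order|fetch)\b|;|$)",
    re.S,
)
# Optionally quoted identifier, optionally schema-qualified.
_IDENT = re.compile(rb'\s*"?([a-z0-9_]+)"?(?:\."?([a-z0-9_]+)"?)?')

# Constructed payloads: formatting differences a legitimate client could produce.
SAMPLES = {
    "as_on_page": b"SELECT* from credit_card_table",
    "space_after_select": b"SELECT * from credit_card_table",
    "reflowed_mixed_case": b"select card_no\n  FROM  CREDIT_CARD_TABLE where id = 7",
    "schema_qualified_framed":
        b"\x00\x30\xd0\x01SELECT * FROM bank.credit_card_table\xff",
    "joined": b"SELECT o.id FROM orders o JOIN credit_card_table c ON o.id = c.id",
    "benign_other_table": b"SELECT * FROM orders",
    "benign_similar_name": b"SELECT* from credit_card_table_archive",
}


def literal_match(payload: bytes) -> bool:
    """Byte-for-byte signature: only fires on the exact spelling."""
    return LITERAL_SIGNATURE in payload


def normalize_sql(payload: bytes) -> bytes:
    """Drop SQL comments, collapse whitespace runs, lower-case."""
    no_comments = _COMMENT.sub(b" ", payload)
    return _WS.sub(b" ", no_comments).strip().lower()


def watched_tables_read(payload: bytes) -> set:
    """Return the watched tables named after FROM/JOIN in a SELECT."""
    sql = normalize_sql(payload)
    if not re.search(rb"\bselect\b", sql):
        return set()
    hits = set()
    for source in _SOURCES.finditer(sql):
        for item in source.group(1).split(b","):
            ident = _IDENT.match(item)
            if not ident:
                continue
            # For schema.table keep the table part; otherwise the bare name.
            table = ident.group(2) or ident.group(1)
            if table in WATCHED_TABLES:
                hits.add(table.decode())
    return hits


def compare(samples: dict) -> dict:
    """Map sample name -> (literal signature fired, watched tables found)."""
    return {name: (literal_match(p), sorted(watched_tables_read(p)))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (literal, tables) in compare(SAMPLES).items():
        print(f"{name:26} literal={literal!s:5} normalised={tables}")
```

The last sample shows the opposite failure: the literal signature fires on a table whose name merely begins with the watched name, which would inflate the DUT's counters in step 33.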

Webmail Phrase Detection

RFC:
- RFC 793 Transmission Control Protocol
- RFC 2616 Hypertext Transfer Protocol

Overview: It is important to determine if the DUT is able to record and audit keywords or key phrases. This matters because Webmail is becoming more popular and company information that is not public could be transmitted via Webmail. A new Super Flow will be created that is a Webmail service. The Super Flow's length will be configured and several words will be added to the body of the email. This newly created Super Flow will be added to an application profile. The Application Simulator test component will be used to transmit the newly created application profile to test the DUT's ability.

Objective: Test the ability of the DUT to record and audit keywords or word phrases.

Setup:

1. Launch a Web browser and connect to the BreakingPoint Storm CTM. Click Start BreakingPoint Systems Control Center.

2. In the new window that appears, enter your Login ID and Password. Click Login.

3. Reserve the required ports to run the test.

4. Select Managers > Application Manager.

5. Select the Super Flows tab and then locate BreakingPoint Webmail. Click Save As.

6. When prompted, enter DPI Webmail as a name and click OK.

7. Because only a single Webmail server is needed, click Manage Hosts.

8. Select one of the servers, and click the Delete the selected host button.

9. When asked to confirm that you want to delete the selected host, click Yes.

10. Repeat the previous two steps with another one of the Webmail servers. Once completed, only one Webmail server should remain. Click Close.

11. Under Step 3 Define Actions, select Client: Send Message and click the Edit the selected action parameters button.

12. In the Send Message window, several parameters will need to be changed. If desired, change the language by enabling the Language checkbox and using the drop-down menu to select a different language. Next, enable Message Wordcount Min and set a value of 100. Also enable Message Wordcount Max and set this to a value of 1000. The generated message will then be random text between 100 and 1000 words long. Several items are already in the Keyword List field. Change these values to match the keywords configured on the DUT. Finally, enable Random Attachment? and set the value to False. Click Apply Changes.

13. Once completed with editing the Send Message action, click Save Super Flow.

14. Next, select the App Profiles tab and click the Create a new application profile button.

15. When prompted for an app profile name, enter DPI Webmail and click OK.

16. In the Available Super Flows list, locate the newly created DPI Webmail Super Flow and click the Add Super Flow to the profile button.

17. Next, locate the BreakingPoint Webmail Super Flow and click the Add Super Flow to the profile button again.

18. Verify that both have a Weight of 100 and click Save App Profile.

19. Select Test > New Test.

20. Under the Test Quick Steps menu, click Select the DUT/Network.

21. In the Choose a device under test and network neighborhood window, select BreakingPoint Default as the Device Under Test(s) and DPI Tests as the Network Neighborhood(s). Click Accept.

22. When prompted that the current test setup contains more interfaces than the newly selected one, click Yes.

23. Under the Test Quick Steps menu, click Add a Test Component.

24. Select Application Simulator (L7) from the Select a component type window.

25. The Information tab should already be selected. Enter Webmail for the name and click Apply Changes.

26. Select the Parameters tab. Some parameters in this section will need to be changed. First verify that the Minimum data rate is set to 80% of the total available bandwidth. Make sure to click Apply Changes if any value is updated.

27. Next, change the Application Profile parameter. Using the drop-down menu, select the DPI Webmail application profile and click Apply Changes.

28. If desired, in the Test Information section, edit the test description.

29. Verify that the Test Status has a green checkmark next to it. If it does not, click Test Status and make the needed changes.

30. Under the Test Quick Steps menu, click Save and Run.

31. Enter DPI Webmail when prompted for a name to save the test. Click Save.

32. Once the test starts, the Summary tab will be displayed. It contains a great deal of information about application flows and application transactions.

33. Select the Application tab. This will display real-time information about the application flows that are being transmitted.

34. When the test finishes, a window will appear stating that the test passed. Click Close.

35. Select the View the report button. This will open a more detailed result view in a browser window.

36. Expand Test Results for Webmail and select Application Summary. This will provide a great deal of information about all the applications from bytes transmitted to bytes received to details about failures.

37. Log in to the DUT and view the different counters to determine if the DUT was successfully auditing the keywords and/or phrases.

Variations of this test that can be run include:
- Increase the test length for a longer run time.
- Try different Webmail clients/servers.
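Because this test passes on the BreakingPoint side, the DUT counters in the last step are the only evidence that keywords were audited. The following added example (not BreakingPoint or DUT vendor code) computes the keyword and phrase counts a DUT should report for one Webmail message and lists the entries its counters under-report. It assumes the message travels as an application/x-www-form-urlencoded HTTP POST; the path, field names, keyword list, sample request and DUT counter values are all constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed list; in the test it mirrors the Keyword List set on the DUT.
KEYWORDS = ["confidential", "merger plan", "payroll"]


def build_request(form_body: bytes) -> bytes:
    """Constructed Webmail 'send' request (hypothetical path and fields)."""
    return (b"POST /mail/send HTTP/1.1\r\n"
            b"Host: webmail.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(form_body)).encode() + b"\r\n\r\n"
            + form_body)


SAMPLE = build_request(
    b"to=bob%40example.com&subject=Q3+numbers"
    b"&body=The+merger%0D%0Aplan+and+PAYROLL+file+are+Confidential."
    b"+Unconfidentially+yours%2C+confidential+sender")


def message_text(raw_request: bytes) -> str:
    """Decode the subject and body fields of a form-encoded POST."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    ctype = headers.get(b"content-type", b"")
    if not ctype.startswith(b"application/x-www-form-urlencoded"):
        return ""
    length = int(headers.get(b"content-length", len(body)))
    fields = parse_qs(body[:length].decode("ascii", "replace"))
    return " ".join(" ".join(fields.get(f, [])) for f in ("subject", "body"))


def keyword_hits(text: str, keywords) -> dict:
    """Count whole-word, case-insensitive matches; phrases may span line breaks."""
    flat = re.sub(r"\s+", " ", text.lower())
    hits = {}
    for kw in keywords:
        words = r"\s+".join(re.escape(w) for w in kw.lower().split())
        count = len(re.findall(r"(?<!\w)" + words + r"(?!\w)", flat))
        if count:
            hits[kw] = count
    return hits


def audit_request(raw_request: bytes, keywords=KEYWORDS) -> dict:
    return keyword_hits(message_text(raw_request), keywords)


def raw_substring_hits(raw_request: bytes, keywords=KEYWORDS) -> list:
    """What matching on undecoded bytes finds, for comparison."""
    raw = raw_request.lower()
    return [kw for kw in keywords if kw.encode() in raw]


def under_reported(expected: dict, dut_counters: dict) -> dict:
    """Keywords where the DUT logged fewer hits than were sent: (sent, logged)."""
    return {kw: (n, dut_counters.get(kw, 0))
            for kw, n in expected.items() if dut_counters.get(kw, 0) < n}


if __name__ == "__main__":
    expected = audit_request(SAMPLE)
    print("expected:", expected)
    print("raw bytes only:", raw_substring_hits(SAMPLE))
    print("gaps:", under_reported(expected, {"confidential": 2, "payroll": 1}))
```

In the sample, matching on undecoded bytes finds the single words but misses the two-word phrase, because the space between its words is encoded as `%0D%0A`.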

About BreakingPoint

BreakingPoint pioneered the first and only Cyber Tomography Machine (CTM) to expose previously impossible-to-detect stress fractures within cyber infrastructure components before they are exploited to compromise customer data, corporate assets, brand reputation and even national security. BreakingPoint products are the standard by which the world's governments, enterprises, and service providers optimize the resiliency of their cyber infrastructures. For more information, visit

BreakingPoint Storm CTM

BreakingPoint has pioneered Cyber Tomography with the introduction of the BreakingPoint Storm CTM, enabling users to see for the first time the virtual stress fractures lurking within their cyber infrastructure through the simulation of crippling attacks, high-stress traffic load and millions of users. BreakingPoint Storm CTM is a three-slot chassis that provides the equivalent performance and simulation of racks and racks of servers, including:
- 40 Gigabits per second of blended stateful application traffic
- 30 million concurrent TCP sessions
- 1.5 million TCP sessions per second
- 600,000+ complete TCP sessions per second
- 80,000+ SSL sessions per second
- 100+ stateful applications
- 4,500+ live security strikes

Contact BreakingPoint

Learn more about BreakingPoint products and services by contacting a representative in your area. 1.866.352.6691 U.S. Toll Free

BreakingPoint Global Headquarters
3900 North Capital of Texas Highway
Austin, TX 78746
email:
tel: 512.821.6000
toll-free: 866.352.6691

BreakingPoint EMEA Sales Office
Paris, France
email:
tel: + 33 6 08 40 43 93

BreakingPoint APAC Sales Office
Suite 2901, Building #5, Wanda Plaza
No. 93 Jianguo Road
Chaoyang District, Beijing, 100022, China
email:
tel: + 86 10 5960 3162

BreakingPoint Resources

Hardening cyber infrastructure is not easy work, but nothing that is this important has ever been easy. Enterprises, service providers, government agencies and equipment vendors are under pressure to establish a cyber infrastructure that can not only repel attack but is resilient to application sprawl and maximum load. BreakingPoint's Cyber Tomography Machine (CTM) provides the technology and solutions that allow these organizations to create a hardened and resilient cyber infrastructure. BreakingPoint also provides the very latest industry resources to make this process that much easier, including Resiliency Methodologies, How-to Guides, white papers, webcasts, and a newsletter. To learn more, visit

BreakingPoint Labs Community

Join discussions on the latest developments in hardening cyber infrastructure. BreakingPoint Labs brings together a diverse community of people leveraging the most current insight to harden cyber infrastructure to withstand crippling attack and high-stress application load. Visit