ICSA Labs White Papers

ICSA Labs Network IPS Testing - An Introduction

This paper introduces the ICSA Labs network IPS testing program. Beginning with the testing program’s origins, the paper moves on to discuss and highlight the primary aspects of ICSA Labs network IPS testing. Addressed in this paper are the criteria used in testing, the dynamic nature of the testing, how the testing is relevant to enterprise end users, and the challenge the testing represents for network IPS vendors. Along the way, the paper mentions some of the key differentiators that set ICSA Labs network IPS testing apart.

Things Your Mother Should Have Told You About Replaying Packet Captures Using Tomahawk

Tomahawk is a free and open source tool that ICSA Labs uses during Network IPS certification testing. It provides the capability to replay packets onto a test network from a file (called a packet capture or “pcap”) in the libpcap format. Through its use, the Network IPS team at ICSA Labs is able both to generate realistic background traffic that fills the available bandwidth and to test the vulnerability coverage protection of Network IPS testing candidates. Realistic background traffic must be present during Network IPS certification testing to faithfully reproduce the real-world conditions under which a Network IPS will be deployed. Robust testing of a Network IPS’ ability to block attacks is also required, since the primary function of the device is to protect vulnerable systems from network-borne attacks. This paper provides guidance on how to use Tomahawk for these purposes.

Cleaning Packet Captures for Network IPS Testing

Replaying packet captures (or traces) taken from corporate networks with Tomahawk version 1.1 is an excellent way to generate background traffic for Network IPS testing. The traffic is not synthetic, not contrived, and is unlimited in terms of the potential protocol mixes. However, until they have undergone a “cleaning” process, packet captures are not fit for use in Network IPS testing. This whitepaper describes the rationale for why packet capture traces need to be cleaned and many of the steps performed to clean them.

Background Traffic and Network IPS Testing

ICSA Labs believes that it is essential for Network IPS testing to be conducted with background traffic. This whitepaper explains why background traffic in Network IPS testing is so important, and why that background traffic cannot be composed of just any mix of protocols or limited to just one or a handful of them. Also explained is why the Network IPS team at ICSA Labs believes that using packet captures taken from real corporate networks is the most realistic and cost-effective source of background traffic for Network IPS testing.

Determining Essential Coverage Protection for Network IPS Testing

Rather than using a completely arbitrary sample set of attacks, ICSA Labs built its certification testing program around a core set of vulnerabilities. The vulnerability set consists of vulnerabilities that are relevant to enterprise end users. In order to attain ICSA Labs Network IPS Certification, candidates have to be able to block all attacks targeting vulnerabilities in the vulnerability set. This whitepaper describes the methodical approach taken by ICSA Labs in determining the composition of the vulnerability set.

Leveraging ICSA Labs While Selecting Security Products for PCI Merchant Environments

This white paper explores the topic of selecting security products for deployment in and protection of a Merchant Environment.

Importance of Web Application Firewall Technology for Protecting Web-based Resources

Web-based applications and services have changed the landscape of information delivery and exchange in today’s corporate, government, and educational arenas. Ease of access, increased availability of information, and the richness of web services have universally increased productivity and operational efficiencies. These increases have led to heavier reliance on web-based services and greater integration of internal information systems and data repositories with web-facing applications.