Mu Security Analyzer

Mu-4000 fuzzer shines with wizard-driven test configuration, intelligent workflow, excellent vulnerability profiling, and auto-generated zero-day exploits

I first came across the Mu Security Analyzer when a co-worker on a multi-company government project raved about how the appliance found a zero-day vulnerability in an e-mail inspection device that was protecting a top secret government agency. It was a rather simple script bug in the other vendor's product, but it would have allowed uncontrolled code execution. The implication was that our top secret project could have been compromised by an external hacker running penetration tests against our e-mail services. Initially, the manufacturer of the compromised mail filter refused to believe that a weakness existed in its product. That is, until we sent the exploit, automatically generated by the Mu analyzer, that the vendor's engineers could run to see for themselves.

Mu Security's Mu-4000 is a 2U appliance with RAID-configured drives and redundant power supplies that scans other computer devices using known vulnerabilities and malformed (fuzzed) traffic. The goal is to locate both security vulnerabilities and performance problems in the network. The Mu-4000 is constantly updated with the latest published vulnerabilities, but these types of exploits are not the Mu-4000's strong point. Published Vulnerability Attacks (or PVAs as Mu Security calls them) only go back a maximum of three years and comprise slightly more than 1,000 exploits.

Fuzz buster

The Mu's ability to intelligently fuzz traffic is its strongest selling point. Unlike vulnerability scanners or penetration tools that check only for known vulnerabilities, fuzzing can uncover previously unknown vulnerabilities by hitting network devices with mutations of normal packets and commands. The Mu-4000 understands more than 50 different protocols (IPv4, IPv6, VoIP, SIP, CIFS, ICMP, and SSH, among others) and can generate malformed traffic in millions of ways. The Mu-4000 includes the capability to automatically restart hung hosts and capture packet traces (in pcap form) of both sent and received traffic. The Mu can also capture what is going on in the target device's network interface or management port, and fire off scripts or kickstart other monitoring devices when a particular event happens.

I ran the Mu-4000 with its 3.0 release code in a test lab against several popular security appliances and a variety of different computer platforms. The Mu-4000 configures like most any security appliance. You plug a computer into its front console port, connect to the Mu's SSL management port, and configure basic IP information. After that, you can connect using an Internet browser, configure the rest of the device, and start your testing.

The Mu-4000 runs on a modified version of CentOS (essentially Red Hat Linux), modified so its IP stack will not choke on all the malformed traffic it will be sending. When the device is first started, you must install a license file that specifies which protocols may be attacked. Access to the Mu-4000 can be divided between system admins, which have complete control of the device, and regular users, which can only see results from scans that they create and run. The Mu-4000 has four IP interfaces that can be used in target analysis, and the device can create the attacks or be used as a pass-through device to record information you're gathering with another tool.

Because the Mu-4000 is easily capable of sending millions of attack packets, testing projects can get complex in a hurry. To simplify the process, Mu Security has smartly configured all scanning activity around analysis templates. Creating and using a template is essentially a step-by-step process that the Mu-4000 leads you through while it defines attack types, monitors, and actions to take in response to events. You select protocols and a myriad of custom attack parameters in an attack template. Monitors allow you to capture more information on the target, including from its own management console and log files. For example, if your attack locks up the target, the Mu appliance can capture what the target device's SSH-enabled management console looked like at the moment the device froze. Event triggers allow you to kick off external network monitors or initiate events such as file downloads on remote systems.

Peerless profiles

The resulting template is an XML file that can be sent to other Mu-4000 users so they can duplicate your test. The management and configuration GUI is nearly flawless. It's helpful and wizard-driven to a fault. If you don't like GUIs, you can use XML files to drive the device instead.

When the Mu-4000 finds a vulnerability, it will duplicate the attack to confirm that it is re-creatable, and if so, will then step itself through the entire attack sequence to find out exactly which string of sent information caused the fault. Network packet captures are standard, and that information is included with the information gathered by other monitors to profile the problem. The Mu-4000 profiles security issues better than any other vulnerability assessment tool I've used. Reporting itself is good, but not excellent. Detailed and summary reports are included, but the Mu doesn't allow easy customization of reports, nor does it hook into Crystal Reports, for example.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Roger A. Grimes

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?