Network stress test tools: Dos and don'ts
- — 20 July, 2010 04:37
Network stress testing tools are not for the underfunded, the underskilled or the faint of heart. Consider them carefully before deciding whether to purchase them or how to use them.
See the companion article "Stress-testing your network" for details on software from BreakingPoint, Mu Dynamix, Spirent and Ixia. Here are dos and don'ts to help you get the most from these tools.
Do consider how often the tools will be used and in what ways. They are expensive to buy and support. Make sure the use justifies the expense.
Do get full and accurate information on the application and protocol mix to be sure you create a representative test environment.
Don't assume you know what your performance requirements are for the new application, security device or network.
Do engage security, network and business managers to determine current and projected requirements so you understand what needs to be tested.
Don't buy what you can't support. If an enterprise doesn't already have a dedicated lab and supporting staff to test new equipment and applications, it won't be able to get much benefit out of any of these products. They can make an existing testing infrastructure more robust, but can't create a useful lab by themselves.
Do consider consulting services that use one or more of these tools to help with vendor evaluation, cloud services performance, new application testing, etc. Even if you can't justify purchase and support costs, you can still leverage their services.
Do understand the differences between products. One product may not satisfy corporate IT testing requirements. Are you concerned about performance testing (up to Layer 4 or up to and including the application layer), security testing or both? You may find that you need to purchase and support two or even three of these products--and that may drastically change your plans.
Do evaluate reporting and remediation capabilities. How does the tool report test results? Is it good at comparing test results and pinpointing the problems, or will staff have to sift through results and do manual comparisons? The product should facilitate regression testing and provide capture replays.
"Capture replay is pretty high on the list from a troubleshooting perspective," says Phatak. "One of the first things that is going to happen is the developers will say, 'Show me the traffic.'"
Don't underestimate training. These are complex tools that require operation by highly trained, highly skilled personnel for you to get their full benefit.
Don't neglect penetration testing. The products have great value but are not a substitute for systematic penetration testing using attack tools, including Metasploit, Canvas from Immunity, or Core Impact from Core Security Technologies.
"These tools are still no substitute for using traditional pen-test tools," says Phatak. "These can indicate how good or bad your IPS is doing, but they're not a going to give you a good, deterministic answer about whether someone can break in or not.
"You can get a false sense of vulnerability or a false sense of security if you don't understand that."