We evaluated these claims using Spirent Avalanche, a Layer 4-7 traffic generator analyzer. We configured Avalanche HTTP traffic from up to 40,000 clients, as in a large enterprise network. We measured performance in both inline and tap modes, and we also measured performance while the system was under attack.
With only benign web traffic, the FireEye device forwarded traffic at 4.224G and 9.259Gbps in inline and tap modes, respectively. Both results are in line with FireEye's performance claims.
We then repeated these tests while concurrently offering the multi-stage malware samples (again, we offered these consecutively, at the maximum possible rate). This time, the NX 10000 forwarded traffic at 4.207G and 9.298Gbps in inline and tap modes, respectively. Those numbers are virtually identical to the tests with benign traffic only, with the minor differences most likely explained by bandwidth contention among many TCP flows.
The FireEye appliance again identified all components of all 60 malware samples offered in the inline tests. Some malware samples were not identified in the tap-mode tests, but we believe this was due to an overloaded CPU in the switch mirroring traffic to the FireEye device. The switch reported CPU utilization of 100% and became unresponsive during multiple iterations of the tap-mode tests. While the missed reports should not be "charged" to the FireEye device, this does point up the importance of using tap infrastructure capable of forwarding all traffic at 10G Ethernet wire speed.
Advanced attacks require advanced defenses. The NX 10000 represents an innovative and effective approach to combating multi-stage malware. Combined with a conventional IPS (or using its own IPS module, available soon), the FireEye appliance should help large enterprises keep malware off their networks.
Network World gratefully acknowledges the assistance of Spirent Communications, which supplied its Spirent Avalanche C100MP traffic appliance. Spirent's Michelle Rhines, Ankur Chadda, Angus Robertson, and Chris Chapman also supported for this project. Thanks, too, to malware-traffic-analysis.net, which provided permission to use its packet captures of recent multi-stage malware attacks.Newman is a member of the Network World Lab Alliance and president of Network Test, an independent test lab and engineering services consultancy. He can be reached at email@example.com.
How We Did It
We assessed FireEye's NX 10000 in terms of features, attack coverage, and performance. Features testing required no separate methodology. Instead, we discovered functions supported by the device in the course of security and performance testing.