UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL

January 31, 2011
SUBJECT 2825

OUTLINE OF INVESTIGATION FOR RESILIENCY OF NETWORK INFRASTRUCTURE COMPONENTS

Issue Number: 1
JANUARY 31, 2011

Summary of Topics

This is the first issue of the Outline of Investigation for Resiliency of Network Infrastructure Components, Subject 2825. This outline describes the test standard by which network infrastructure devices are evaluated against published vulnerabilities that affect a particular device. The device is expected to continue to operate as intended while subjected to exploits of published vulnerabilities. An example of a published vulnerability from the National Institute of Standards and Technology National Vulnerability Database (NVD) may describe multiple buffer overflows in a particular device. This outline does not evaluate the effectiveness of a product to defend against or counter an exploit of a published vulnerability, but its ability to continue to operate as intended per the manufacturer's claims of performance while subjected to the exploit(s) under the test criteria of the published vulnerabilities.

COPYRIGHT 2011 UNDERWRITERS LABORATORIES INC.

CONTENTS

INTRODUCTION
1 Scope ................................ 4
2 General .............................. 4
2.1 Units of Measurement ............... 4
2.2 Undated References ................. 4
3 Glossary ............................. 5

PERFORMANCE
4 General .............................. 6
4.1 Test Samples and Data .............. 6
4.2 Physical Connection ................ 6
5 Frames ............................... 7
6 Normal Throughput Test ............... 8
7 Exception Test ....................... 8
8 Resiliency Test ...................... 9
9 Markings ............................ 10

INTRODUCTION

1 Scope

1.1 This network device resiliency outline applies to the performance of individual network infrastructure equipment. It is intended to determine the ability of such equipment to continue to operate as intended per the manufacturer's claims of performance under specific network traffic while being subjected to exploits of published vulnerabilities.

1.2 This outline applies to the following key network infrastructure components: switches, routers, proxies, firewalls, intrusion prevention systems, load balancers, universal threat management devices, and converged network server equipment.

2 General

2.1 Units of Measurement

2.1.1 Values stated without parentheses are the requirement. Values in parentheses are explanatory or approximate information.

2.2 Undated References

2.2.1 Any undated reference to a code or standard appearing in the requirements of this standard shall be interpreted as referring to the latest edition of that code or standard.

3 Glossary

3.1 CONVERGED NETWORK SERVER EQUIPMENT - A device offering converged network and server capabilities. A device that may have the combined abilities of a switch, router, firewall, intrusion prevention system, load balancer, proxy or universal threat management device and typical server-type capabilities, including server virtualization.

3.2 FIREWALL - A network device that applies security policies to traffic.

3.3 INTRUSION PREVENTION SYSTEM - A data link layer network device that connects to segments of a network layer, detects attacks and attempts to counter the attacks.

3.4 LOAD BALANCER - A device that directs incoming traffic to one or more servers along multiple routes.

3.5 MANUFACTURER'S CLAIM OF PERFORMANCE - The network performance specifications of the product, against which the product is tested. Network throughput performance specifications included in the operating instructions and/or product literature are considered to be manufacturer claims.

3.6 NETWORK TRAFFIC - Network data streams comprised of multiple application types.

3.7 PROXY - An intermediate device that translates a request for services from its input and regenerates the request via its output.

3.8 ROUTER - A networking device that connects and directs packets between different data link layer networks.

3.9 SWITCH - A data link layer networking device that connects different segments on the same network layer.

3.10 TEST EQUIPMENT - Specialized test equipment to perform the testing.

3.11 UNIVERSAL THREAT MANAGEMENT DEVICE - A network layer device that can perform several functions of a switch, router, firewall, intrusion prevention system, load balancer or proxy on the network traffic, including security.

3.12 VULNERABILITY - A description of an individual product's or individual technology's security flaw that has the potential to allow a negative behavior in the product. Vulnerabilities are discovered either via research or in the field.

3.13 VULNERABILITY DATABASE - A public repository of vulnerability descriptions (e.g. NIST National Vulnerability Database).

PERFORMANCE

4 General

4.1 Test Samples and Data

4.1.1 All network devices to be used for all tests must be fully representative of production units at the time of the test.

4.1.2 No substitute devices or components can be used, and no accessories can be used if they are not intended to be used with the product in service.

4.1.3 The following samples are to be provided for testing:
a) One sample of the completed assembly provided in production form.
b) Installation and operating instructions.
c) Detailed configuration instructions as provided by the manufacturer to support independent configurations of the product.

4.1.4 All network traffic will be applied sequentially and continuously during the course of testing. Network traffic will be applied to match relevant vendor throughput performance specifications, including data, connection rate and total connections.

4.1.5 Each product shall be tested with every valid software option enabled simultaneously, as per the manufacturer's instructions.

4.1.6 Each product shall be separately tested in every valid hardware configuration, as per the manufacturer's instructions.

4.2 Physical Connection

4.2.1 For all tests, the product is connected through ANSI/TIA/EIA 568A-5 unshielded twisted pair UL tested and verified copper cabling (commonly called CAT-5e), or ANSI/TIA/EIA 568-B.1 unshielded twisted pair UL tested and verified copper cabling (commonly called CAT-6), or single mode fiber optic cabling UL tested and verified.

4.2.2 The network cable shall be at a minimum 25 feet in length.

4.2.3 Each physical network port on a given product used for functionality will be tested. When more than one physical port exists, the tests will be performed on each individual port as both an input and an output. A random sampling of multiple ports shall be designated as input and a random sampling as output for normal bidirectional testing. A dedicated network management port is not required to be tested.

5 Frames

5.1 Frames shall be used of a minimum size of 64 bytes up to the maximum size given in the manufacturer's specifications as listed in their documentation.

5.2 Test frames will comprise frames that are representative of the protocols defined in Table 5.1.

Table 5.1
Applicable protocols for throughput test

Standard              | Edition | Protocols for Normal Throughput Test
RFC 854               | 05-1983 | Telnet Protocol Specification
ITU H.323             | 12-2009 | H.225 Call signaling
ITU H.323             | 12-2009 | H.225 Registration, Admission and Status (RAS)
ITU H.323             | 12-2009 | H.245 (a multimedia control protocol)
ITU H.323             | 12-2009 | H.248 (a media gateway control protocol)
ITU X.224, T.124, 125 | 02-2002 | Remote Desktop Protocol (RDP)
RFC 1001              | 03-1987 | Protocol Standard for a NETBIOS service on a TCP/UDP transport
RFC 1034              | 11-1987 | Domain Name Service
RFC 1094              | 03-1989 | Network File System (NFS) protocol specification
RFC 1094              | 03-1989 | Remote Procedure call Mount protocol specification
RFC 1094              | 03-1989 | Remote Procedure call NFS protocol specification
RFC 1157              | 05-1990 | Simple Network Management Protocol (SNMP)
RFC 1350              | 07-1992 | Trivial File Transfer Protocol (TFTP) Revision 2
RFC 1459              | 05-1993 | Internet Relay Chat (IRC) protocol
RFC 1833              | 08-1995 | Binding Protocols for ONC RPC Version 2 (RPC BIND)
RFC 1939              | 05-1996 | Post Office Protocol (POP) Version 3
RFC 2251              | 12-1997 | Lightweight Directory Access Protocol (LDAP) Version 3
RFC 2326              | 07-2010 | Real Time Streaming Protocol (RTSP) 2.0
RFC 2616              | 06-1999 | HyperText Transfer Protocol version 1.1
RFC 2818              | 05-2000 | HyperText Transfer Protocol over TLS
RFC 2821              | 04-2001 | Simple Mail Transfer Protocol (SMTP)
RFC 2865              | 06-2000 | Remote Authentication Dial In User Service (RADIUS)
RFC 2911              | 09-2000 | Internet Printing Protocol (IPP) version 1.1
RFC 3164              | 08-2001 | BSD Syslog Protocol
RFC 3261              | 06-2002 | Session Initiation Protocol (SIP)
RFC 3501              | 03-2003 | Internet Message Access Protocol (IMAP) version 4.1
RFC 3550              | 07-2003 | Real-Time Transport Control Protocol (RTCP), Real-Time Transport Protocol (RTP)
RFC 3588              | 09-2003 | Diameter Based Protocol
RFC 3920              | 10-2004 | Extensible Messaging and Presence Protocol (XMPP)
RFC 3977              | 10-2006 | Network News Transfer Protocol (NNTP)
RFC 4251              | 01-2006 | Secure Shell Protocol Architecture (SSH)
RFC 4271              | 01-2006 | Border Gateway Protocol (BGP)
RFC 5389              | 10-2008 | Session Traversal Utilities for NAT (STUN)

5.3 Test frames for a given protocol will vary from a minimum of 64 bytes to the maximum defined for the given protocol, based on the specification defined in Table 5.1.

5.4 Test frames for a given protocol will represent random valid frames for that protocol for each test.

6 Normal Throughput Test

6.1 In this test, the manufacturer's claims of performance will be validated. During the normal throughput test, the product shall continue to operate at a minimum of 99% of the manufacturer's claims of performance.

6.2 The product shall have a minimum throughput of 100 Mbps.

6.3 The product shall be able to maintain 500 active concurrent open sessions for a minimum of 60 seconds. These sessions can be randomly selected from any protocol listed in Table 5.1.

6.4 The product shall be subjected to all test frames as defined in Section 5, Frames. Each test configuration shall be subject to the protocols listed in Table 5.1. Each protocol defined in Table 5.1 shall be transmitted to the product at the maximum frame rate specified by the manufacturer's instructions for 90 seconds. The product's maximum frames per second transmitted is calculated as:

Product published maximum throughput claim ÷ frame size = Maximum frames per second

6.5 There shall be no frame loss or corruption in the transmission and re-transmission from the product. Every frame that is transmitted must be received unaltered unless the application protocol requires otherwise. Frame loss or corruption will be determined by evaluating every transmitted frame against what is redirected and received into the test equipment.

7 Exception Test

7.1 This test validates the ability of the product to continue to operate as intended per the manufacturer's claims of performance while being subjected to random invalid and valid network traffic.

7.2 During the exception test, the product shall continue to operate at a minimum of 50% of the manufacturer's claims of performance. The product shall continue to process valid network traffic during the test.

7.3 The product shall be subjected to a stream of network traffic at its maximum rated throughput for five minutes with maximum frame size under the following conditions:
a) 50 random source addresses;
b) One broadcast destination address;
c) 20% of all frames having invalid TCP, IP, UDP header flags and options turned on randomly;
d) 20% of all frames randomly altered from their original valid state;
e) 20% of all frames fragmented and distributed randomly through the entire transmission, if the manufacturer's operating instructions claim that the product can support fragmented traffic.

7.4 The product shall be subjected to a stream of simulated network traffic at its maximum rated throughput for 5 minutes with maximum frame size under the following conditions:
a) One fixed source address;
b) 50 random destination addresses;
c) 20% of all frames having invalid TCP, IP, UDP header flags and options turned on randomly;
d) 20% of all frames randomly altered from their original valid state;
e) 20% of all frames fragmented and distributed randomly through the entire transmission, if the manufacturer's operating instructions claim that the product can support fragmented traffic.

7.5 The product shall be subjected to a stream of simulated network traffic at its maximum rated throughput for five minutes with maximum frame size under the following conditions:
a) Maximum (no fewer than 50) random source addresses per the manufacturer's operating instructions;
b) Maximum (no fewer than 50) random destination addresses per the manufacturer's operating instructions;
c) 20% of all frames having invalid TCP, IP, UDP header flags and options turned on randomly;
d) 20% of all frames randomly altered from their original valid state;
e) 20% of all frames fragmented and distributed randomly through the entire transmission, if the manufacturer's operating instructions claim that the product can support fragmented traffic.

8 Resiliency Test

8.1 This test subjects the product to its normal throughput test while transmitting to the product exploits of known vulnerabilities. The product shall continue to operate as intended per its manufacturer's performance claims and specifications.

8.2 The product subjected to the resiliency test shall continue to operate at a minimum of 95% of the manufacturer's claims of performance.

8.3 Vulnerabilities shall be described as published events of flaws from the following public and accessible databases:
a) MITRE Corporation CVE database (referred to as CVE)
b) NIST NVD database (referred to as NVD)
c) Open Source Vulnerability Database (referred to as OSVDB)
d) Security Focus Bugtraq ID database (referred to as BID)

8.4 The product shall be tested against all known published vulnerabilities that are available at the specific date of the test and that are applicable to the product. A list of the published vulnerabilities being tested for a specific date must be available to the vendor.

8.5 The product shall be subjected to exploits of published vulnerabilities. The product shall not cease to function as described in its operating instructions.

8.6 The product shall be subjected to the normal throughput test for a duration of one hour. The network traffic shal
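The acceptance criteria of Sections 6.1, 6.2, 6.4, 6.5, 7.2 and 8.2 reduce to a few checks a test lab would script against its traffic generator's counters. The following is an added example, not part of the outline or of any UL tooling; it assumes the throughput claim is expressed in Mbps and frame sizes in bytes (the outline gives neither unit), applies the 6.4 formula exactly as written (no preamble or inter-frame gap overhead), and assumes the test equipment tags each transmitted frame with a sequence number so received frames can be matched to transmitted ones.

```python
"""Acceptance checks for the Subject 2825 throughput, exception and resiliency tests.

Added example, not part of the outline. Assumes the throughput claim is in Mbps and
frame sizes in bytes (the outline states neither unit), that the Section 6.4 formula
is applied as written (no preamble or inter-frame gap overhead), and that the test
equipment tags every transmitted frame with a sequence number.
"""
import hashlib
from typing import Dict, List, Tuple

# Minimum percentage of the manufacturer's claimed performance that must be
# sustained during each test (Sections 6.1, 7.2 and 8.2).
MIN_PERCENT = {"normal_throughput": 99, "exception": 50, "resiliency": 95}
MIN_FRAME_BYTES = 64         # Sections 5.1 and 5.3
MIN_THROUGHPUT_MBPS = 100    # Section 6.2
Frame = Tuple[int, bytes]    # (sequence number, frame contents)


def max_frames_per_second(claim_mbps: float, frame_bytes: int) -> int:
    """Section 6.4: published maximum throughput claim divided by frame size."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("frame size below the 64-byte minimum")
    return int(claim_mbps * 1_000_000 // (frame_bytes * 8))


def meets_claim(test: str, claim_mbps: float, measured_mbps: float) -> bool:
    """True when the measured rate reaches the test's minimum share of the claim."""
    if claim_mbps < MIN_THROUGHPUT_MBPS:
        return False             # Section 6.2: the claim itself must be >= 100 Mbps
    return measured_mbps * 100 >= MIN_PERCENT[test] * claim_mbps


def frame_loss_report(sent: List[Frame], received: List[Frame]) -> Dict[str, int]:
    """Section 6.5: every transmitted frame must be received, unaltered.

    A sequence number that never arrives is lost; one that arrives with
    different contents is corrupted.
    """
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    got = {seq: digest(data) for seq, data in received}
    lost = sum(1 for seq, _ in sent if seq not in got)
    corrupted = sum(1 for seq, data in sent if seq in got and got[seq] != digest(data))
    return {"sent": len(sent), "lost": lost, "corrupted": corrupted}


if __name__ == "__main__":
    # Constructed sample: 1 Gbps claim, 64-byte frames (seq 3 lost, seq 2 altered).
    tx = [(i, bytes([i]) * 64) for i in range(5)]
    print(max_frames_per_second(1000, 64), frame_loss_report(tx, tx[:2] + [(2, b"\0" * 64), tx[4]]))
```

Because the division in 6.4 ignores Ethernet framing overhead, the rate it yields for 64-byte frames is higher than the line-rate figure a generator will actually achieve; record which convention the lab used alongside the result.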