Security
REVIEW
Arming Your Top Security Guns

  May 1, 2003
  By Patrick Mueller



Busy Windows

The Protocol Modeler GUI is decent, though a few quirks prevent it from presenting a highly polished front end. All component windows are contained within the master window and can be moved around and docked and undocked, and many can be closed and later reopened. You'll want as large a monitor as possible because of the myriad subwindows and data sprawling across the screen. The transaction-editor pane hasn't been updated since we last examined the tool (more than a year ago) and still presents a clunky interface that requires the user to scroll horizontally for miles while searching for the desired field. The company promises better integration with the transaction editor in future versions. Even with a large display, working in the GUI can be a bit cramped because some of the subwindows cannot be closed, and resizing widgets can be tricky.

The fact that this hard-core network-vulnerability testing tool is housed on a Microsoft Windows platform may strike some as a bit strange. After all, cobbling together network vulnerability testing tools offering the same functionality typically means spending time with custom packet-generation libraries and a compiler on your preferred BSD or Linux platform. But it turns out that Windows is a logical choice for this tool. In terms of ease of use, Windows GUI widgets create a familiar home for most users. Some religiously Unix-oriented network-security geeks may bristle at anything coming out of Redmond, but you can't please everyone all the time. Any NIC supported under Windows will work fine.


As for reporting, because the data is stored in a SQL-based repository of the user's choice, custom reports based on specific requirements can be created outside Protocol Modeler. The built-in reports are sufficient for most testing and even include (where appropriate) rollup graphs and narrative explanations.

Crash-Test Dummies

Unfortunately, we faced some insurmountable glitches with version 3.06 (shipped to us for testing) that were especially painful given Protocol Modeler's hefty $25,000 price. The QA cycle that let this version out the door leaves us less than impressed. According to Cenzic, the changes made in 3.06 were all performance related, but the developers seem to have outsmarted themselves: Protocol Modeler frequently ran out of file handles and crashed spectacularly. Any intensive test fell prey to these faults. The company issued patches and the engineering team scrambled, but Cenzic could not fix the problems during our testing window.

The Web-crawling wizard experience detailed earlier left us with Microsoft Visual C++ exception windows covering the screen and a crashed version of Protocol Modeler. We encountered similar disappointments on other long-running tests. For example, we tried running a SQL Disclosure attack on a single user-supplied input on a Web page being posted back to a Web server. We watched the logs on the HTTP server (the user will often find him or herself monitoring closer to the target application) and got a glimpse of the types of attempted queries. We observed 8,600 attack queries before Protocol Modeler finally crashed (Cenzic said the fault injector was probably close to finishing, given that number). Unfortunately the product doesn't do any checkpointing, so we couldn't find out if any vulnerabilities were discovered in those queries.

A more critical feature gap is the lack of any indication of the approximate and relative run-times of the fault injectors, some of which can run for hours or days, depending on the size of the test. Even nicer would be a message such as "This test requires about 7 minutes per iteration, times 60 loops = 7 hours."


Art Meets Science

The Protocol Modeler experience is, in many ways, like staring at a blank 6-foot canvas with a full palette in your hands. Using the tool successfully takes creativity. We don't claim to be the Picasso of the Protocol Modeler world--frankly, much of our work was painting by numbers with the wizards, though we did begin to devise some interesting tests as we became more comfortable with the Protocol Modeler environment. Make no mistake: The product is difficult to use. Allow at least a full week to ramp up on the tool and assemble a preliminary test network. This assumes you have advanced knowledge of both IP networking protocols (at every level) and security vulnerability theory and practice. If not, allow much more time. According to Cenzic, a few days of on-site training come with the purchase price. We recommend taking full advantage of this.

At press time Cenzic had launched a new product, Hailstorm Web. The core engine technology is the same as Hailstorm Protocol Modeler but also includes extensive workflow management for structured use within an organization. Security expert and QA analyst roles let application security testing tasks be distributed logically. Predictably, the focus is on HTTP-based applications.

Hailstorm Protocol Modeler 3.06, $25,000. Cenzic, (408) 626-9004. www.cenzic.com

Patrick Mueller is a senior security analyst for Chicago-based security consultancy Neohapsis. Write to him at pmueller@neohapsis.com.
