Please wait while the page is being loaded Skip this advertisement >
Tuesday | 2 December, 2008
ARN

Mu Security Analyzer

Mu-4000 fuzzer shines with wizard-driven test configuration, intelligent workflow, excellent vulnerability profiling, and auto-generated zero-day exploits
Roger A. Grimes (InfoWorld) 04 January, 2008 07:28:03
Page:

My testing found two previously undocumented security vulnerabilities and more than a few performance issues. In one case, a single malformed packet locked up the target so badly the firmware had to be re-imaged to regain control. One of the Mu-4000's best features is its capability to create a custom (Linux-based) binary that wraps any found vulnerability, essentially fingerprinting the security hole. You can download the self-documenting binary and send it to technicians so they can recreate the problem without needing their own Mu-4000.

After running the Mu box, I asked myself why anyone should consider one of these pricey devices over the average free fuzzer off the Internet. First, the Mu-4000 has built-in fuzzing logic that you simply cannot find in free products. Mu's fuzzing is stateful, which allows the device to better mimic real-world conditions, and it is intelligent, methodically altering the state, structure, or semantics of a protocol in ways designed to expose weaknesses in the target. Mu's development staff understands how a problem in one area translates into high problem likelihood in another, and they have designed the tests accordingly. Also, the Mu-4000 contains business logic and workflow that can turn untrained employees into a professional penetration team in a day.

The Mu-4000 Security Analyzer gets my strong buy recommendation for any company worried about unknown security vulnerabilities, and for security device vendors trying to make their products as secure as they can be.

The Bottom Line: Mu-4000 Security Analyzer (Version 3.0)

Mu Security, musecurity.com

Overall score: Excellent 8.7/10
Capability: 9/10 Ease-of-use: 9/10 Management: 9/10 Reporting: 8/10 Value: 8/10

Cost: Ranges from US$40,000 for eight protocols to US$300,000 for a fully loaded system with 50+ protocols and subscription to one year of vulnerability signature updates

Platforms: Linux-based appliance

Bottom Line: The Mu-4000 uses intelligent fuzzing logic to expose security weaknesses and performance issues in any device that talks to a network. Intelligent, wizard-driven workflow makes tests a snap to configure, and the security profiles produced are top notch. The Mu can even generate exploit binaries for newly discovered vulnerabilities. A fully loaded appliance carries a hefty price tag, and a limited set of protocols is supported.

Page:
Target CLI: When setting up a monitor for a target that has a command line interface, it's useful to log in to the target manually and run some commands, check the output of a program, or examine the format of a log file. The Mu-4000 creates an interactive CLI inside the browser that is functionally equivalent to running a terminal emulation session from a laptop. Here we see the output resulting from typing the "top" command in the target-CLI window.
Target CLI: When setting up a monitor for a target that has a command line interface, it's useful to log in to the target manually and run some commands, check the output of a program, or examine the format of a log file. The Mu-4000 creates an interactive CLI inside the browser that is functionally equivalent to running a terminal emulation session from a laptop. Here we see the output resulting from typing the "top" command in the target-CLI window.
View all images
  • Mu-4000 Security Analyzer: The Mu-4000 uses published vulnerabilities, existing external scripts, and a stateful fuzzer to find security weaknesses and performance limitations in network devices and applications. The Mu-4000 carefully monitors how the target device responds to protocol mutations -- dynamically generated packet streams designed to find software implementation flaws by violating the state, structure, or semantics of a given protocol specification.
  • Getting started: From the home page of the Mu-4000's Web-based UI, users can examine previously collected results, create new analyses, create and edit analysis templates, and configure and administer the appliance. A status window at the top of the page shows currently running processes, and lets you toggle among them.
  • Setting up the test: After you set the IP addresses of the Mu-4000 interfaces and targets, configuring a protocol mutation attack starts with establishing a successful protocol-layer connection to the target. For example, in this view the multi-step exchange required to establish an SSH session is shown on the left, while the detail of a selected message is shown on the right. If you select a mutate-able message, you can then choose from a variety of mutation options and see how the mutation changes the packet.
  • More on the mutation explorer: The more complex the protocol, the more difficult it is to find the right protocol configuration settings to create a successful connection. The mutation explorer helps point the way by listing the sequence of steps in the protocol exchange, highlighting exactly where failures occur, and decoding the protocol exchange down to the field level. The decodes show valid ranges for each field and the effect of the mutation on the formerly pristine packet.
  • Setting up monitors: Monitors allow users to observe what's happening inside the target device during a test. A monitor might use a serial console connection to the target, or an inline SSH or Telnet connection over the attack interface, or a separate system connected to the target by other means. A fault inspector, shown, is a command monitor that observes the output of a process, a script, or any other command run inside the target or a proxy monitor machine. Fault isolation is triggered based on pre-defined "interesting" output.
  • Target CLI: When setting up a monitor for a target that has a command line interface, it's useful to log in to the target manually and run some commands, check the output of a program, or examine the format of a log file. The Mu-4000 creates an interactive CLI inside the browser that is functionally equivalent to running a terminal emulation session from a laptop. Here we see the output resulting from typing the "top" command in the target-CLI window.
  • Event triggers: The Mu-4000 can execute a series of events at almost any stage of a lights-out analysis process. For example, if a fault is found in a long-running analysis, the Mu-4000 could log into a nearby system and run a script to send an SMS message to your cell phone. Here, the Mu-4000 is configured to record the output of the "top" command whenever it performs the valid test case, so as to track the activities of the top processes during the analysis.
  • Running the analysis: The next step is to run the analysis. As the Mu-4000 generates its test cases, an engine log monitors the progress in real time. After the analysis completes, users can look back at the recorded response-time or latency data (including the minimum, mean, median, and maximum values for each variant), as well as any fault conditions, collected for each protocol attack that comprised the analysis.
  • Investigating faults: The fault viewer provides detailed information on how the protocol works and how the Mu-4000 performed the testing. It also allows you to see the metadata associated with each fault, including a packet capture, a proof-of-concept exploit in the form of a Linux executable, a manager-friendly report, the engine log showing the fault isolation procedure, and an XML file detailing the protocol exchange.
  • Repeatable results: All aspects of an analysis configuration can be saved as editable and shareable XML templates. These templates are easy to re-run to show repeatable results (as shown by the first two analyses here) or to verify a fix. After a patch or update is made available, simply locate the original analysis and click the "Rerun" link.
Related Stories
  • +

    Symantec SIM brings friends 08 January, 2008 10:33:19

    Symantec's SIM comes with an active network to help it analyze your events
    What is it, one might reasonably ask, that separates a SIM (security information manager) from a basic log-file aggregator? Both will, of course, aggregate log files, but a SIM must go further, gathering incident alerts and status conditions from a variety of network security and infrastructure sources. A good SIM will then add some intelligence to the mix, helping the security engineer figure out which information is worth his or her immediate attention and which can be ignored until time to pass a compliance audit.
  • +

    BGP bug bites Juniper software 19 December, 2007 08:09:41

    Bug lends itself to remote exploitation, could open way for denial-of-service attacks
    Juniper Networks has issued a security bulletin warning users of a bug in its UNOS router software.
  • +

    Cisco IDs flaw in its Catalyst switches, 7600 Series routers 21 December, 2007 08:56:28

    Fixes and workarounds have been released
    Cisco is warning that a flaw in its Firewall Services Module could result in a reload of the module, or if exploited repeatedly, could result in a sustained denial-of-service attack.
Have your say!
ARN Directory | Distributors relevant to this article
Ingram Micro Australia , itX , MPA Systems , Unixpac
ARN Directory | Vendors relevant to this article
Red Hat
Market Place
Find out how to win an IPod Touch with ARN.
Power through the disruptions: Uninterruptibility from Eaton!
Kaspersky Internet Security 2009 released - with virtual keyboard for safe entry of passwords. Try it..
Become a Lenovo Legend Now! Join the sales incentive exclusively for Lenovo Business Partners.
POS POS is the leading value-added distributor of point of sale & point of service technologies in ANZ.
 
ARN Distributor Directory
 
Find distributors by name
Find distributors by vendor
Find distributors by location
ARN Vendor Directory
 
Find vendors by name | Find by category
ARN Library


Read Material

Understanding Email Marketing: A Guide for SMBs

Email marketing is often viewed as a marketers silver bullet. If used effectively, email campaigns will provide strong results for a limited spend each and every time. Download this white paper to discover how email marketing can work for you and your business.

Sponsored Links