
 


 

Q What specifically do the vulnerability tests do?


A IWL Vulnerability, and the vulnerability tests available with the SilverCreek TESTS Module, test the robustness of an SNMP agent in the face of a Denial of Service attack.

Some DoS attacks focus on finding vulnerabilities in the encapsulation of SNMP packets. If the agent has any weaknesses in the algorithms it uses to decode an SNMP packet, it is likely to crash, hang, reboot, or exhibit other undesirable behavior. SNMP packets are encapsulated according to ASN.1, which describes their grammar, and BER, which describes the translation mechanism.

The IWL Vulnerability SNMP tests introduce abnormalities into the grammar and the encapsulation of the SNMP packet to make it malformed. The encapsulation parameters that can be changed are type, length, and payload. By changing the tag (what ASN.1 type is it?), length (how long is the payload?), and value (the payload) to wrong or unexpected values, a normal, valid packet becomes a pathological packet.

The IWL Vulnerability Test Suite addresses the issues cited in CERT Advisory CA 2002-03 (Vulnerability Note VU#854306), concerning vulnerabilities in SNMP request handling. The Test Suite has more than 700,000 test cases arranged in ~450 test groups. Each group focuses on a specific concept:

* Modifying the Type of a specific component of the SNMP packet
* Modifying the Length of a specific component of the SNMP packet
* Modifying the Value of a specific component of the SNMP packet (to something unexpected, problematic, indecipherable, etc.)
* Modifying community string values

Here are a few examples of the test types:

(1)
{ V1-get-community-l-1 {}
" V1-get-community-len-1 The test packets sent in this test have invalid
length field in community string BER encoding.
The test packets sent in this test have very long community string value,
and each of them again has length field encoded as value from 0 to (2^512).
The expected outcome is for the agent to discard those malformed packets
and continue to respond to normal requests."
}

(2)
{V1-get-OID-l-2 {}
" V1-get-OID-l-2: The test packets sent in this test have invalid OID BER
encoding.
For example, OID length part contains very big integer value
(2 ^ i -1),(2 ^ i),(2 ^ i +1), where i ranges from 1 to 512, and the
message contains multiple variable bindings.
The expected outcome is for the agent to discard those malformed packets
and continue to respond to normal requests."
}
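The outcome both test descriptions expect (discard the malformed packet, keep serving normal requests) comes down to validating every BER length and tag before using it. The sketch below is an added example, not IWL or SilverCreek code; the function names, the four-octet cap on length fields, and the sample packets are assumptions constructed for illustration.

```python
# Added example: strict BER header decoding for an SNMP message (all names hypothetical).
MAX_LEN_OCTETS = 4  # assumption: no SNMP message needs a longer length field

def read_tlv(buf, pos, end):
    """Decode one tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one octet
        length = first
    else:
        n = first & 0x7F                  # long form: n length octets follow
        if n == 0:
            raise ValueError("indefinite length not allowed")
        if n > MAX_LEN_OCTETS or pos + n > end:
            raise ValueError("oversized or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > end - pos:                # declared payload must fit the parent
        raise ValueError("length exceeds enclosing data")
    return tag, buf[pos:pos + length], pos + length

def parse_header(packet):
    """Return (version, community) or raise ValueError for a malformed packet."""
    tag, body, nxt = read_tlv(packet, 0, len(packet))
    if tag != 0x30 or nxt != len(packet):
        raise ValueError("outer SEQUENCE malformed")
    tag, ver, pos = read_tlv(body, 0, len(body))
    if tag != 0x02 or len(ver) != 1:
        raise ValueError("version is not a one-octet INTEGER")
    tag, community, pos = read_tlv(body, pos, len(body))
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return ver[0], bytes(community)

def accepts(packet):
    """True if the header decodes cleanly; False means discard the packet."""
    try:
        parse_header(packet)
        return True
    except ValueError:
        return False

# Constructed sample: SNMPv1 GetRequest for 1.3.6.1.2.1.1.1.0, community "public".
VALID = bytes.fromhex("302602010004067075626c6963a019020101020100020100"
                      "300e300c06082b060102010101000500")
BAD_LEN = VALID[:6] + b"\x7f" + VALID[7:]        # community claims 127 octets
BAD_TYPE = VALID[:5] + b"\x02" + VALID[6:]       # community tagged as INTEGER
```

`accepts(VALID)` is true, while `BAD_LEN` and `BAD_TYPE` are rejected with a `ValueError` instead of being read past the end of the buffer.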

- Network Computing wrote about their experiences with IWL Vulnerability:
http://www.nwc.com/1319/1319sp2.html

 

Q What is the difference between IWL's SNMP Vulnerability tests and the free tests available from the University of Oulu?


A The University of Oulu tests are:
- only for SNMPv1
- non-deterministic (you cannot determine the exact input that caused the SNMP agent to fail), making it almost impossible to diagnose and debug your agent
- standalone, not integrated with other tools and facilities
- not supported; you are on your own

InterWorking Labs' tests are:
- for SNMPv1, v2c, and v3
- deterministic: each small test is defined and tied to a specific output
- integrated with the SilverCreek Test Suite, minimizing the learning curve.
- designed to work with SilverCreek tools, output mechanisms, etc.
- You can pinpoint the cause of your device failure. This is useful when sending the results to the manufacturer to request a patch to the agent’s vulnerabilities.

 

Q What is the execution time for the test suites?


A One v2c agent we tested took 12 hours to complete (it rebooted several times), while a v1 agent we tested completed in less than an hour. Execution time depends on how complex the agent is and how many vulnerabilities exist.

 

Q Do we need Administrator access in Windows, or superuser access in UNIX to run the software?


A No.


 

Q How many test variations are there for v1, v2c, and v3?


A For SNMPv1 vulnerabilities:
105 test cases, with 30,000 test instances each, equals 3,150,000 possible

For SNMPv2c vulnerabilities:
113 test cases, with 30,000 test instances each, equals 3,390,000 possible

For SNMPv3 vulnerabilities:
191 test cases, with 30,000 test instances each, equals 5,730,000 possible

As a side note, for more extensive testing it is a good idea to use:
* the v3 and v2c vulnerability tests against a v1 agent
* the v1 and v2c vulnerability tests against a v3 agent
* the v1 and v3 vulnerability tests against a v2c agent
In this way, you can make sure that the agent discards the tests that are not appropriate for the version of the agent.

 

Q Does IWL Vulnerability have a Remote Control API like SilverCreek?


A Yes, there is a Remote Interface so that you can set up IWL Vulnerability to run overnight and pick up the test results in the morning.


 

Q How do I know IWL Vulnerability is working?


A It is very common for a device to act "funny" during IWL Vulnerability testing. IWL Vulnerability is by nature sending confusing and problematic packets to your device. Regularly, your device will crash and stop responding to IWL Vulnerability. You may need to reboot your device. It is a good idea to save test results to determine the precise pathological packet that caused the device failure.

It is also a good idea to open the console window and enable the packet watch/debug feature. This allows you to see what IWL Vulnerability is sending to your agent and what your agent is returning.

 

Q I was also looking at another SNMP vulnerability product, why should I buy this one?


A The alternative products we have seen are absurdly overpriced. We have both end user and manufacturer solutions priced appropriately.

 

 

Q What other options exist for SNMP vulnerability testing?


A There are only a few options for companies considering a vulnerability test suite:
- Do nothing, wait for attacks or for customers to contact you for a patch, then worry about it.

We encourage you to evaluate IWL Vulnerability and compare it to other solutions on the market. We are confident that you will find that you get the most value for your money with InterWorking Labs’ SNMP Vulnerability Test Suite available in SilverCreek.

 

Q The Vulnerability scare is over, why should I care now?


A End Users of Network Devices

Reports from the field confirm that even after vendor patches were installed, IWL Vulnerability found additional vulnerabilities on many network devices. This means those devices were still vulnerable to new network attacks. It is important to be pro-active and take all measures to secure the network. IWL Vulnerability, the SNMP Vulnerability Test Suite, is an essential tool in the arsenal of network security protection solutions.