I first came across the Mu Security Analyzer when a coworker on a multicompany government project raved about how the appliance found a zero-day vulnerability in an e-mail inspection device that was protecting a top-secret government agency. It was a rather simple script bug in the other vendor’s product, but it would have allowed uncontrolled code execution. The implication was that our top-secret project could have been compromised by an external hacker running penetration tests against our e-mail services. Initially, the manufacturer of the compromised mail filter refused to believe that a weakness existed in its product. That is, until we sent the exploit, automatically generated by the Mu analyzer, that the vendor's engineers could run to see for themselves.
[See slideshow: Mu-4000 Security Analyzer: A Guided Tour ]
Mu Security’s Mu-4000 is a 2U appliance with RAID-configured drives and redundant power supplies that scans other computer devices using known vulnerabilities and malformed (fuzzed) traffic. The goal is to locate both security vulnerabilities and performance problems in the network. The Mu-4000 is constantly updated with the latest published vulnerabilities, but these types of exploits are not the Mu-4000’s strong point. Published Vulnerability Attacks (or PVAs, as Mu Security calls them) only go back a maximum of three years and comprise slightly more than 1,000 exploits.
Fuzz buster
The Mu’s ability to intelligently fuzz traffic is its strongest selling point. Unlike vulnerability scanners or penetration tools that check only for known vulnerabilities, fuzzing can uncover previously unknown vulnerabilities by hitting network devices with mutations of normal packets and commands. The Mu-4000 understands more than 50 different protocols (IPv4, IPv6, VoIP, SIP, CIFS, ICMP, and SSH, among others) and can generate malformed traffic in millions of ways. The Mu-4000 includes the capability to automatically restart hung hosts and capture packet traces (in pcap form) of both sent and received traffic. The Mu can also capture what is going on in the target device’s network interface or management port, and fire off scripts or kick-start other monitoring devices when a particular event happens.
I ran the Mu-4000 with its 3.0 release code in a test lab against several popular security appliances and a variety of different computer platforms. The Mu-4000 configures like most any security appliance. You plug a computer into its front console port, connect to the Mu’s SSL management port, and configure basic IP information. After that, you can connect using an Internet browser, configure the rest of the device, and start your testing.
The Mu-4000 runs on a modified version of CentOS (essentially Red Hat Linux), modified so that its IP stack will not choke on all the malformed traffic it will be sending. When the device is first started, you must install a license file that specifies which protocols may be attacked. Access to the Mu-4000 can be divided between system admins, who have complete control of the device, and regular users, who can see only results from scans that they create and run. The Mu-4000 has four IP interfaces that can be used in target analysis, and the device can create the attacks or be used as a pass-through device to record information you're gathering with another tool.
| Test Center Scorecard | ||||||
|---|---|---|---|---|---|---|
 |  |  |  |  |  | |
| 30% | 20% | 20% | 20% | 10% | ||
| Mu-4000 Security Analyzer (Version 3.0) | 9 | 9 | 9 | 8 | 8 |
8.7
Very Good
|
This whitepaper explains the terminology and concepts behind Data Replication technologies and establishes some sizing rules through worked examples. Learn the new paradigm in disaster tolerance—protect data anywhere.
Download now »
Server virtualization is a popular option for dealing with mounting datacenter costs. Another equally promising approach is the use of an Application Delivery Controller. Citrix NetScaler provides a low-cost way for organizations to reduce their server count and accrue cost savings from a reduction in space, cooling, power and personnel.
Download now »
The emergence of WLANs has created a new breed of security threats to enterprise networks.
Included in HP ProCurve WLAN solutions is security technology that alleviates threats from WLANs through:
* Monitoring wireless activity inside and out of the enterprise
* Classifying WLAN transmissions into harmful and harmless
* Preventing transmissions that pose a security threat to the enterprise network
* Locating participating devices for physical remediation
Effectively address data protection challenges, implementing solutions that help store and protect business–critical data while cutting costs and improving efficiency and reliability.
Download now »
Sign up to receive Security Resource Alerts
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
1 Recommendation
