In August, a collection of military, government, and nongovernmental humanitarian organizations from 22 countries in the Pacific gathered in Singapore for Pacific Endeavor 2012, a joint exercise to test how quickly and how well they could communicate in the face of a disaster. While the simulated mission was peaceful, some of the participants were put through a separate, more hostile test—Cyber Endeavor, a full-on "live fire" cyberwarfare exercise focused on "protecting information in a collaborative environment," with both innocent bystanders and hostile attackers.

The battle was fought on a closed "cyber range," a network designed to put network security teams through their paces and expose them to the most up-to-date exploits and attack methods available to hackers in the real world. Using BreakingPoint FireStorm network security testing appliances from Ixia, two teams generated test traffic against the "Blue Team" defenders in the exercise: a "Green" team created normal, benign application traffic against the network's infrastructure, and a "Red" team staged attacks drawn from a library of up-to-date vulnerabilities and exploits, using simulated botnets, real malware, and malformed packets designed to stress network infrastructure.

The Defense Department has invested heavily in cyber-ranges, including DARPA's multimillion-dollar effort to build a National Cyber Range, a project now in the process of being transferred to U.S. Cyber Command. The NCR's goal was to create a secure, self-contained network facility that could be set up to emulate both internal Defense Department networks and commercial networks for evaluating and certifying cyberdefense tools. And the NCR isn't alone—there are several other cyber-range facilities operated by other parts of the DOD.

The problem, of course, is that those facilities are isolated and physically locked down—and expensive to operate. They usually require building a load of virtual machines to generate attacks and application traffic, and it takes significant work to create automated traffic that both takes advantage of emerging threats and doesn't give itself away by being too "canned." And if an organization wants to train on the NCR, they'll need to send their cyber-security team to it—and get proper clearances.

Ixia's BreakingPoint technology has made it possible for the range to come to the team by packaging it into an appliance-based service. The service provides a stream of threat and vulnerability intelligence that keeps the systems updated, so that they can keep defenders on their toes with threats that are current. That obviates the need for organizations to maintain a full-time threat intelligence modeling capability of their own. Military commands such as the US Pacific Command and European Command have used the platform for other joint exercises because of its portability and the fact that it doesn't require clearances for other militaries and non-governmental agencies to use.

The platform is also used by corporate customers, including telecom providers and banks. "Telcos and even most enterprises will have these labs built out that they can do testing in," said Scott Register, Ixia's Director of Market Strategy for Security & Applications. "They'll buy our equipment and services to test their infrastructure—it gives them the constant ability to harden themselves to new attacks."

The BreakingPoint FireStorm hardware packs the systems needed to generate the network environment in which the attacks take place into a single box. Rather than relying on individual client virtual machines, FireStorm uses specialized "network processors" to generate traffic, creating essentially an entire networked domain within a box that can be put in a network rack—or even placed on a conference room table. The FireStorm appliance is a 4U rack-mountable system that uses these network processors and field-programmable gate arrays to generate up to 120Gbps of network traffic. A new, more portable version, the FireStorm One, generates up to 40Gbps of application traffic and attacks—and up to 1 million TCP sessions per second.

The traffic that comes out of a FireStorm appliance isn't just a playback of a packet capture or other canned threats. "We are creating actual application traffic and live attacks (with FireStorm)," said Ixia's Senior Director of Marketing Kyle Flaherty. "There's real stuff going over the wire." The application traffic includes over 160 different protocols for consumer and enterprise applications, and client simulators can be set up to connect to actual application servers as part of a test.

The attacks used are drawn from a library of vulnerability and malware profiles updated every two weeks through Ixia's Actionable and Threat Intelligence service. "The last ATI package, which we shipped out this week, included 28 new 'strikes' (Ixia's term for attack packages)," Flaherty said. By using a web-based interface to the appliances, an attack team can pick a set of attack strategies and let them loose.