Equipment and software testing is a fact of life for the network security manager. When a pile of security and performance patches comes in from the great unknown, the test lab is your sanity check. When your RFP for new equipment hits the street, the test lab is where you verify whether hardware meets the specs. When planning changes to your security infrastructure, the test lab is where you experiment on your theories.
Magazine and online product reviews, analyst reports and white papers can help with product assessments, but a well-equipped test lab will give you the peace of mind that a product is right for your enterprise.
So what makes a good test lab?
For most network managers, building a test lab isn't a foreign task: It's just a smaller version of their production network. But, setting up a reliable testing environment means acquiring infrastructure, adding test equipment and establishing repeatable procedures to keep you from reinventing the wheel. Proper security testing starts with solid network infrastructure, and, because testing is an ongoing process, it pays to have a variety of equipment on hand.
Fortunately, network infrastructure is cheap — at least for testing purposes. With the exception of testing performance, you can live with off-the-shelf 10/100 switching equipment and slightly antiquated servers. If you can't scavenge from within the company, high-quality gear for pennies can be found at online auctioneer eBay, the de facto marketplace for used technology (see "Infrastructure via eBay," p. 40). Next, you need samples of all your production security infrastructure devices, especially firewalls. But, before charging up the company credit card, check with the manufacturer — some offer indefinite loans of demo units or significant discounts on cold-spare hardware. For software, where the vendor's cost is zero, negotiating a test lab license should be part of your standard purchasing procedure.
Finally, take a peek in your storerooms. You probably have a pile of dual-650 MHz rackmounted servers sitting around; they are perfect for testing. Your criteria here should be memory and ease of reconfiguration. In our lab, we use 2U Hewlett-Packard LPr servers. Dell, IBM and Compaq boxes are also excellent choices. As you stack up servers, you'll need a KVM (keyboard-video-mouse) switch. Forget the little eight-port ones you see around — they won't do. The Avocent Autoboot XP4040 is a recently retired — but still widely available — workhorse with virtually unlimited expansion capabilities. If you have a large corporate KVM switch, you might be able to use that. It's good practice to use these switches' built-in security features to keep the lab and production systems from being shown on the same console. This will also eliminate the potential of accidentally rebooting or, worse, reformatting the wrong system.
Systems generally fall into two categories: permanent and temporary. Perma-nent servers form the backbone of your lab's software services. For example, every lab needs a certificate authority to test PKI features. It pays to set this up once — not every time you need a digital certificate. You'll also find that authentication servers, such as RADIUS and LDAP, are repeatedly used and should be permanent fixtures. Any common corporate applications that can be easily replicated, such as Microsoft Exchange or Lotus Notes, along with your corporate Web server and database, should be running permanently in your test lab. You'll also need a file server to store software kits and other data.
