CHAPTER 2
Network Security Testing Basics
Security testing is a broad term that means a lot of different things. Some of this
testing will be network-based, and the goal may not necessarily be system compromise.
Instead, the testing may be more focused on impacting the service in negative
ways, like causing the service to stop or be otherwise unavailable. When a service is
taken offline, it's considered a security issue. Because of that, stress testing can be an
important element of security testing.
To perform network-based testing in which you are testing more of the networking
elements than the applications, you need to understand how network protocol stacks
are defined. One way of defining protocols and, more specifically, their interactions,
is using the Open Systems Interconnection (OSI) model. Using the OSI model, we
can break the communications into different functional elements and see clearly
where different pieces of information are added to the network packets as they are
being created. Additionally, you can see the interaction from system to system across
the functional elements.
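The layering described above can be made concrete with a short Python example (added here, not taken from the book) that builds a frame one layer at a time and then strips it again on the receiving side. It uses UDP over IPv4 over Ethernet and folds OSI layers 5 through 7 into the payload. The addresses, ports, MACs and function names are constructed for illustration.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) used by IPv4 and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload, src_ip, dst_ip, sport, dport, src_mac, dst_mac):
    """Return (layer name, bytes contributed) pairs, application layer first."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # Layer 4 (transport): UDP adds ports, a length and a checksum.
    udp_len = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    udp = udp[:6] + struct.pack("!H", checksum(pseudo + udp + payload) or 0xFFFF)
    # Layer 3 (network): IPv4 adds addressing, TTL and the carried protocol.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # Layer 2 (data link): Ethernet adds MAC addresses and the EtherType.
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    return [("application", payload), ("transport", udp), ("network", ip), ("data link", eth)]

def build_frame(layers):
    """On the wire, the lowest layer's header comes first."""
    return b"".join(data for _, data in reversed(layers))

def decapsulate(frame: bytes) -> dict:
    """Receiver's view: read one header per layer, bottom up."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # IPv4 header length in bytes
    sport, dport, udp_len, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {"ethertype": ethertype, "protocol": ip[9],
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": ip[ihl + 8:ihl + udp_len]}

# Constructed sample values (documentation address ranges, made-up MACs).
SAMPLE = encapsulate(b"hello", "192.0.2.10", "198.51.100.20", 40000, 9999,
                     bytes.fromhex("020000000001"), bytes.fromhex("020000000002"))
FRAME = build_frame(SAMPLE)

if __name__ == "__main__":
    for name, data in SAMPLE:
        print(f"{name:<12} adds {len(data):>2} bytes: {data.hex()}")
    print(decapsulate(FRAME))
```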
Stress testing not only creates a lot of information for the systems and applications to
handle, but also generates data the application may not expect. You can, and should,
perform stress testing by deliberately breaking the rules that the application or
operating system expects communications to follow. Many attacks use this rule-breaking.
They can cause application failures, either by getting the application to shut down or
by causing application exceptions that may be exploited for application or system
compromise.