Data Loss Prevention (DLP) Testing

By Spirent On July 8, 2011

Spirent (formerly Mu Dynamics) is uniquely qualified to offer DLP Testing solutions because our ancestry is in Intrusion Prevention Systems (IPS). Our founders and principal architects designed the first IPS at One Secure (later acquired by NetScreen and ultimately Juniper). Fundamentally, an IPS and the Data in Motion (DiM) functionality of a DLP system perform nearly identical functions in opposite directions. They act as filters across a network element, determining which data may safely be allowed to pass through and which must be blocked.

This process is complicated by the fact that the data is sent in discrete packets, but the determination of the safety of a particular flow generally requires examining data structures encoded over multiple packets. A DLP (or IPS) system must therefore reassemble these data structures to allow a comparison to the signatures of prohibited data structures.

This filtering analogy suggests that there are at least four related testing needs:

  1. Functional Validation of DLP Signatures: We need to validate that the Device Under Test (DUT) properly blocks prohibited content (proprietary documents, confidential information). This is true no matter how these data structures are delivered (e-mail, http, ftp, social media, etc.).
  2. Functional Validation of Legitimate Traffic Pass-through: We need to validate that the DUT properly passes business critical applications. Once again, this could be almost any mix of data protocols, services and applications.
  3. Performance Testing of DLP Signatures: We need to validate the DUT’s ability to block prohibited traffic up to the maximum concurrency/bandwidth supported.
  4. Performance Testing of Legitimate Traffic: We need to validate the DUT’s ability to continue to block prohibited traffic in the presence of valid data. We also need to characterize the performance penalty across different load/application mixes.

All of these needs require a Test System which can accurately recreate application traffic. Additionally, as we move toward a future where more information is shared via social media and other non-traditional applications the ability to rapidly test DLP signatures against these applications will become critical. Finally, the breadth of the challenge requires a tool which can adapt to test emerging needs and still be simple enough to allow test execution to distributed among multiple people and ultimately automated.
These three concepts; Accuracy, Speed and Flexibility are the guiding principles behind Spirent (formerly Mu) Studio.


Whether you download pre-built content from Spirent (formerly Mu) Test Cloud or create your own scenarios from a snapshot of live traffic; every Spirent (formerly Mu) Scenario is based upon recordings of actual network traffic.

The original traffic is parameterized to allow each recreated transaction to be unique and consistent. Any unique transaction ID’s are automatically created and remain consistent through all messages within a transaction.

Spirent (formerly Mu) Scenarios are so accurate that in many cases they can be run in “End-Point” mode against a live server.


Nearly one thousand applications are currently available on Test Cloud for immediate inclusion in your tests. New applications (and new versions of popular existing applications) are being added at the rate of several hundred a month.

Even the development of custom scenarios is simplified through the use of tools such as PCAP-to-Scenario and HAR-to-Scenario. These Spirent (formerly Mu) tools allow the user to take easily obtainable, industry standard representations of an application’s transaction and automatically create a Spirent (formerly Mu) Scenario.

Simplicity & Flexibility

ImageThe Studio 6 user interface uses a drag and drop mechanism. The user selects icons representing applications they would like to include in the test (which may be a mixture of pre-built and custom scenarios) and drags them to the test. Sliders are then used to specify the overall traffic load, the load distribution by application, and how the load will change over time.

Once configured the user simply presses play and the results are displayed in easily understandable real-time graphs.

Through adherence to these guiding principles, Spirent (formerly Mu) has created a Test System which directly addresses the four use cases outlined earlier.

Case 1: Functional Validation of DLP signatures

Spirent (formerly Mu) Studio contains a module specifically designed for Functional Testing. This package combines a single transaction with a user defined spreadsheet of values. The transaction is recreated once for each row of the spreadsheet with the values in the spreadsheet substituted for corresponding values within the scenario. Following each transaction the Spirent (formerly Mu) appliance determines whether the test “Passed” or “Failed”.

Two features make this particularly appropriate for the Validation of DLP Signatures. The most important is a function which allows the spreadsheet to specify a file whose contents will be transmitted through the DUT when the appropriate step of the scenario is reached.

Using this feature the user can create scenarios which represent file transfers via e-mail attachments, FTP, HTTP or virtually any other client/server transaction. All of these scenarios could read from the same list of files and validate that the signatures work regardless of the transport mechanism used.

The second feature is less critical. It was developed specifically for the DLP case and simplifies reporting. Within the functional test spreadsheet the user can define what determines a passed test. The signature test can therefore be configured to report “Pass” when the transaction is blocked, and “Fail” if it is allowed to pass. This makes reporting and interpreting results easier and more consistent.



Case 2: Functional Validation of Legitimate Traffic
Case 4: Performance Testing of Legitimate Traffic

These two test cases are discussed together because they both relate to the passage of legitimate traffic and because the features of Spirent (formerly Mu) Studio may make it advantageous to perform Case 4 first.

Functional testing of signatures is a relatively bounded problem. The number of signatures is a known quantity and by extension the types of information you need to block is relatively well understood. Validating that you do not block legitimate traffic is a more intractable problem. There are simply too many proprietary applications traversing the average network to make systematic testing of each one viable.

Fortunately, Studio offers a solution to this problem. Using Studio 6 in combination with Test Cloud it is easy to create custom application traffic mixes. These mixes can contain up to 50 distinct transactions. Because statistics are maintained for each of the transactions individually, it’s easy to see if certain applications are triggering failures (due to false positives) or excessive delays.

Once the problematic applications/transactions are identified, the functional module can be invoked to perform a more detailed analysis of where in the transaction a false positive is triggered. Once a new revised signature is developed it can be tested in the functional mode to validate that the problem has been resolved.



Case 3: Performance Testing of DLP Signatures

The Scale component of Studio allows the functional tests which were used to validate the signatures to be reused to characterize the performance of the DUT. The user can specify a constant transaction concurrency (up to 100,000 simultaneous users), or can define ramp-up, steady-state and ramp-down periods to characterize the device over a range of loads.

An additional Studio instance can simultaneously be used to generate a background load of legitimate traffic to measure the performance of the DUT under near “real-world” conditions.


Data Loss Prevention requires rapidly characterizing data flows as conforming with loss prevention policies or not. This can not be done with a test tool which generates synthetic data since the bytes needed for differentiation are no longer present.

Spirent (formerlyMu) Studio’s unique ability to recreate Real Application traffic makes it the best choice for DLP testing. After all, you can’t test a real network with fake traffic.

comments powered by Disqus
× Spirent.com uses cookies to enhance and streamline your experience. By continuing to browse our site, you are agreeing to the use of cookies.