2011-12-27
IPv4 is the long-standing Internet Protocol which uses addresses like A.B.C.D and an associated netmask. IPv6 is a new open standard that has been slow to reach popular use. There are many differences between IPv4 and IPv6, but one worth noting is that Internet Protocol Security (IPSec) is built in to IPv6 while it is added into IPv4 by specifying protocol 41 in the header packets.

An organization called the Internet Assigned Numbers Authority (IANA) defines a particularly interesting field in the header of an Internet Protocol (IP) packet. This is the field that defines the protocol in play for that packet. Here are some codes:

1 - ICMP
2 - IGMP
4 - IP encapsulated
6 - Transmission Control Protocol (TCP)
17 - User Datagram Protocol (UDP)
41 - IPv6
47 - Point to Point protocol uses this (PPTP) Generic Router Encapsulation Protocol (GRE).
50 - IPSec Encapsulated Security Header (ESP)

When using IPSec, there are many permutations to enable a particular feature set. For example, authentication and encryption are not only independently available; the method that each uses may be specified at the time of setup. It's commonly known that any particular cryptographic primitive can be broken at an unexpected time, so the ability to plug in a new primitive is a huge advantage.

VPN

Although people associate a VPN with encryption, this is not a necessary requirement. A VPN is a way to use a shared network to create a link which behaves like it is dedicated. Of course, adding authentication and encryption is a common desire. There are several ways to set up a virtual private network. A VPN is a VPN independently of the method used. If IPSec is used, then this provides authentication, encryption and integrity, while another protocol tunneled inside could join two Local Area Networks (LANs) together. Typically this is done by using GRE. (See my article for more information on Confidentiality, Integrity and Availability (CIA).) IPSec mostly operates at layer-3 in the OSI model, while other VPN solutions operate at higher levels.
Secure Socket Layer (SSL), Transport Level Security (TLS), Secure SHell (SSH).

Note that IPSec connections use 'mutual authentication'. This means that the client and the server check each other's identity before proceeding. IPSec also encapsulates everything that is sent over the tunnel independently of the application that uses it. SSL, TLS and SSH are controlled by the application so that, for example, your browser may hold a particular SSL session open in an encrypted communication with a banking site, while another tab in the same browser is using non-encrypted links to the internet. With IPSec, everything that is routed over the tunnel is encrypted.

Split tunneling, as applied to a tunnel like IPSec, is where some traffic is routed through the tunnel and some through an unencrypted path. Normally, split tunneling is considered a security risk.

Modes

Tunnel mode is often used between gateways, or at an end-station to a gateway where the gateway is a proxy for its hosts. The entire packet is encrypted and a new header is attached. The original IP addresses are not visible and only the tunnel endpoints (gateways) are visible. Unless an authentication header is also used, NAT will work. When a gateway terminates a tunnel, it is typical to do so onto a virtual interface so that the rest of the routing and applications which use the data coming from that interface need do nothing special apart from choosing the correct virtual interface name. The data entering the physical interface is encrypted, but it comes out (inside the gateway) as an unencrypted packet without any IPSec headers; it looks like normal data.

Transport mode is used between hosts - that is, individual machines. In this case, the original IP addresses are included in the authentication check. This prevents NAT from working because when NAT alters the IP address, the integrity check fails. Transport mode is NOT a VPN. Call it a 'secured connection'. A VPN implies a tunnel.
Transport mode does not provide a tunnel.

What in the packet specifies which mode is used?

There is no 'mode' flag, so the current mode has to be deduced. This is fairly easy. When the field called 'Next Header' is literally "IP", then this means that the encapsulated packet is a complete IP datagram. Since this includes the original IP addresses, they are obfuscated and it must be in 'tunnel mode'. IP is the 'IP' in TCP/IP, UDP/IP... so you can see that TCP and UDP are transmission controls while IP is the transport used in each case. It's the IP layer that handles addresses.

NAT

In tunnel mode with AH applied, or in transport mode, NAT is not possible, but there is a further encapsulation method called NAT-T (for NAT-traversal) which uses UDP 4500 to apply a routable UDP packet where the payload contains the encrypted packets. Both endpoints must be capable of NAT-T and configured to use it. Before NAT-T is applied, the endpoints check that each can do NAT-T, and they test the path to see if NAT-T is required. If not, then the UDP encapsulation is not used.

PAT

Port Address Translation (PAT) is also an issue with AH in VPNs because the ports are modified by PAT, and the AH hash includes the port numbers. When the ports are modified, the hash cannot match and the protocol marks it as a failed packet.

PROXY

In firewall terms, a proxy either operates at layer-4 as SOCKS, or at the application layer as an application which acts as a server to the client, and a client to the server. These are specialised applications and so are limited in number. You are likely to find a legacy program or even a mainstream popular program that cannot use SOCKS or does not have an application level proxy. When a proxy is used, the IP address exposed to the internet is that of the firewall, and NAT as IP masquerade is not required for the purpose of hiding internal addresses or allowing the traffic to route on the internet. The proxy provides a hide-NAT function.
But if there is no SOCKS version of the application, or if there is no specific proxy, then you will need to use a NAT function to hide the address.

Incoming data is only allowed to existing sessions that are in a state table. The state table entry is created when the internal client first makes the connection outbound. The contents of the state table are removed when the link becomes inactive (or it terminates naturally). Those outbound packets leave with the public address as the source address in the header. As the packet flows through the NAT device, its target becomes the original inside-address that initiated the packet.

A normal router only makes decisions about routing, that is, whether to forward a packet, as it just follows the information in the header. However, a NAT router can choose to deny or allow and alter packets according to a policy which looks very much like a layer-3 firewall policy. Even the direction (inbound/outbound) is relevant.

A limited range of available addresses for NAT is called a pool of addresses. For example, if you arranged to have 12 externally addressable public IP addresses, then this would be a pool of addresses that are available for outbound connections or inbound connections. This small pool of addresses is successfully shared among a large number of internal users because at any given time, there are only a relatively small number of concurrent sessions. You need a slightly larger pool than the peak number of concurrent sessions.

In the header, the fields that make up the addressing information are checked with a redundancy checksum. It does this to detect errors in the header that could be caused by in-flight interference or data loss. Since NAT changes items in the header field, it must also recalculate and insert a new checksum.

An application proxy acts as a server to the original client, and as a client to the intended server, so it automatically provides an IP masquerading style function.
SOCKS does a similar thing, but operates at layer-5. As mentioned above, there are only a limited number of proxy applications, and therefore NAT may still be required for applications that have no security proxy.

This is the least restrictive NAT. It binds a local address and port to a public address and port. Once configured, it can be used by any remote host on any remote port address. It is unlikely to see a firewall configured this way.

Any external target host can return packets to the designated port.

The remote host can only use the source port established by the NAT mapping.

This is the most restrictive NAT implementation, where the source address and port and destination address and port are tied down. Any applications that do referral and handover fail to work over symmetric NAT.

If an IP packet becomes fragmented, it might be necessary for NAT to reassemble the fragments. Then it can do a recalculation of higher level checksums and track which packets belong to each connection. The algorithm in (RFC 1191) experiments with the network path to find out the packet size that can be transmitted without fragmentation. When found, it sets the "don't fragment" bit in the appropriate packet header field.

FTP and SIP are examples of applications that send IP addresses within their data stream. Both these use multiple ports and therefore simple NAT will break the IP address and port number relationship between the client and the server. Unfortunately, NAT is implemented differently by separate vendors and sometimes even within a particular vendor's product range. This means that applications need to dynamically work around the various implementations, and of course this is difficult.

An ALG provides a hide-NAT style function and there may be a specific FTP or SIP proxy. If so, then the proxy knows how to be a client to the server, and a server to the client without introducing NAT issues.
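Added example, not part of the original article: a Python sketch that builds an IPv4 packet carrying an Authentication Header, deduces transport or tunnel mode from the AH 'Next Header' field, and shows that a NAT rewrite with a correctly recalculated header checksum still fails the integrity check. The key, addresses and SPI are constructed sample values; the ICV is HMAC-SHA1 truncated to 96 bits, written out with its ipad/opad steps, and the zeroed mutable fields are limited to TOS, flags/fragment offset, TTL and checksum.

```python
import hashlib
import hmac
import struct

PROTO_IPIP, PROTO_TCP, PROTO_AH = 4, 6, 51   # IANA protocol numbers
SHA1_BLOCK = 64                               # SHA-1 block size in bytes


def hmac_sha1_96(key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104) written out by hand, truncated to 96 bits for the ICV."""
    if len(key) > SHA1_BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(SHA1_BLOCK, b"\x00")          # pad the key with nulls
    ipad_key = bytes(b ^ 0x36 for b in key)       # key XOR ipad
    opad_key = bytes(b ^ 0x5C for b in key)       # key XOR opad
    inner = hashlib.sha1(ipad_key + msg).digest()
    return hashlib.sha1(opad_key + inner).digest()[:12]


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum; returns 0 over a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icv_input(packet: bytes) -> bytes:
    """Bytes covered by the AH hash: mutable IP fields and the ICV itself are zeroed."""
    ip = bytearray(packet[:20])
    ip[1] = 0                 # TOS
    ip[6:8] = b"\x00\x00"     # flags and fragment offset
    ip[8] = 0                 # TTL
    ip[10:12] = b"\x00\x00"   # header checksum
    return bytes(ip) + packet[20:32] + bytes(12) + packet[44:]


def build_ah_packet(key, src, dst, next_header, inner, spi=0x1001, seq=1) -> bytes:
    # AH: next header, length (32-bit words minus 2), reserved, SPI, sequence number, ICV
    ah = struct.pack("!BBHII", next_header, 4, 0, spi, seq) + bytes(12)
    pkt = ipv4_header(src, dst, PROTO_AH, len(ah) + len(inner)) + ah + inner
    return pkt[:32] + hmac_sha1_96(key, icv_input(pkt)) + pkt[44:]


def verify(key: bytes, packet: bytes) -> bool:
    return hmac.compare_digest(packet[32:44], hmac_sha1_96(key, icv_input(packet)))


def ipsec_mode(packet: bytes) -> str:
    """No mode flag exists: a Next Header of 'IP' (4) means a whole datagram is inside."""
    if packet[9] != PROTO_AH:
        return "not AH"       # with ESP the Next Header sits in the encrypted trailer
    return "tunnel" if packet[20] == PROTO_IPIP else "transport"


def nat_rewrite(packet: bytes, new_src: bytes) -> bytes:
    """What a NAT device does: replace the source address, then fix the checksum."""
    hdr = bytearray(packet[:20])
    hdr[12:16] = new_src
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


KEY = b"constructed-demo-key"            # constructed sample key
INSIDE = bytes([10, 0, 0, 5])            # constructed private source address
PEER = bytes([198, 51, 100, 7])          # constructed peer (documentation range)
PUBLIC = bytes([203, 0, 113, 9])         # constructed NAT public address
TCP_SEGMENT = bytes(20)                  # constructed stand-in for a TCP header
INNER_IP = ipv4_header(INSIDE, bytes([10, 9, 0, 8]), PROTO_TCP, 20) + TCP_SEGMENT

if __name__ == "__main__":
    transport = build_ah_packet(KEY, INSIDE, PEER, PROTO_TCP, TCP_SEGMENT)
    tunnel = build_ah_packet(KEY, INSIDE, PEER, PROTO_IPIP, INNER_IP)
    natted = nat_rewrite(transport, PUBLIC)
    print("modes:", ipsec_mode(transport), ipsec_mode(tunnel))
    print("before NAT, ICV ok:", verify(KEY, transport))
    print("after NAT, checksum ok:", ip_checksum(natted[:20]) == 0,
          "ICV ok:", verify(KEY, natted))
```

A TTL decrement by an ordinary router leaves the ICV valid because TTL is excluded from the hash, whereas the address change made by NAT does not.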
Its purpose is to extend the life of IP version 4, since IPv4 uses a 32 bit address which, although it has 4 billion combinations, is comparable to the number of people on Earth. IPv4 addressing would have been fully allocated but for the invention of NAT.

When an organisation uses addresses from these ranges, they are not exposed in the internet. This means that other organisations can use the same addresses, but they cannot directly connect to one another. To use the internet, an RFC 1918 addressing scheme needs to somehow convert an internal address to a routable internet-compatible address. It does this by mapping some unique characteristic of a particular session to an IP address. A NAT 'device' provides translation between the IP address mapping.

An organisation can use a NAT device to share a public IP address with the entire internal network. This makes the edge device look to the internet like a single very busy host because all traffic has the source address of the NAT device. The NAT device works by storing a mapping between the internal address and the source port used by that internal host. It can do this because the source ports are generated at random. It also knows to refuse a connection in the unlikely event that two independent machines generate the same source address at the same time. When a packet is returned from the internet to the internal device, the NAT device looks up the original IP address in its 'state table'. It can do this because the random port is preserved throughout the session.

Instead of sharing an internet-routable address, it can be mapped to a single internal address. This allows the administrator to have an internal address which could change, while advertising a permanent address to the internet. This also allows a network which uses internal addressing to serve various services (like www) to the internet.
The idea can be extended so that different internal addresses are chosen based on other criteria like the arriving packet's destination port and originating address. In this way, multiple internal servers hosting www, ftp and mail separately could be known to the internet as a single external IP address, but the NAT device directs port 80 traffic to the www server, port 25 traffic to the mail server, and port 21 traffic to the ftp server.

NAT is quite flexible. Good implementations allow NAT to be applied based on very specific conditions. This provides flexibility. What gets NAT applied can depend on:

Each IP header has a checksum which is used to detect random changes to the packet in transit (errors), so the NAT device must recalculate the checksum.

TLS encrypts but operates at layer 4 and does not mask the port number, so it can solve a problem, for example, when multiple SIP phones are behind a NAT device. Where IPSec won't work, TLS could be used instead for security.

The lifetime of a NAT device's state table is quite short, which demands 'keep-alive' messages. Unfortunately, battery-powered devices using keep-alive run down quicker when maintaining an active connection.

If NAT is detected between the endpoints, and both endpoints can do NAT-T, and they are configured to use it, then UDP port 4500 is used for IKE and also the ESP data.

If you have access to a trusted and physically protected network (not the internet), then it may be an Actual Private Network (APN). In that case, encryption is not necessary.

SSTP

The Layer Two Tunnelling (session) Protocol uses registered UDP port 1701. It does not directly provide confidentiality. Instead, it uses a separate encryption protocol, for example L2TP/IPSec L2TPv3.

An MPLS Wide Area Network (WAN) uses efficient tags to make routing decisions. It is much quicker than conventional routing because header analysis is done only once.
It works over several types of network traditionally in the category of APNs - like frame relay and ATM. When VPN is applied to MPLS, then additional efficiency, flexibility and security are obtained. The efficient MPLS network carries the VPN traffic. MPLS combines the performance and capabilities of Layer 2 switching with the scalability of Layer 3 routing.

SSL/TLS

Secure Socket Layer and Transport Layer Security normally gives a web-browser session-based encryption but uses it to encrypt the whole OSI stack. Since SSL uses port 443, which is normally permitted outbound from any organization, it has this advantage over IPSec. OpenVPN can run over UDP and it enjoys wide operating system support.

DTLS

Datagram Transport Layer Service is good for securing applications that are delay sensitive. For example, for VOICE, the Session Initiation Protocol (SIP) is often preferably run over UDP, but since TLS demands a reliable transport (i.e. TCP) this means that TLS is not always a good choice for tunneling SIP. DTLS is a datagram version of TLS.

A hash is a number derived from a message which is in practice unique to that message. Therefore, if a message is changed in transit, then a re-calculation of the hash will reveal a difference and expose the interception. MD5 and SHA-1 are commonly used hashes. The hash is known as the Integrity Check Value (ICV). Computation of the ICV in IPSec depends upon a shared secret, and if the secret has been shared in a secure manner then it effectively authenticates the parties involved. The ICV thus inherits the capability to authenticate the end-points.

To share a key, and to frequently refresh keys, IPSec uses an Internet Key Exchange (IKE) protocol. For testing purposes, manual keying is permitted, but it is not considered a solid method to use in production. Within IKE, you will find some modes.

Main mode is slow but secure - six packets are exchanged and all are encrypted.
Aggressive mode is fast but less secure - only three packets are exchanged, and some information is in plain text. The aggressive mode with a fixed pre-shared key is possibly subject to a dictionary attack, so make the pre-shared key very strong if you have to use that combination.

A Security Association (SA) is little more than a database record in a Security Association Database (SADB). In it, you find details of the negotiated algorithms, timings, destination address and other parameters which have been agreed upon for a particular IPSec exchange. There is a pair of agreeing SA records in the sender and the receiver for both outbound and inbound data. Therefore, for any tunnel, you will find a total of four SAs. Each of these SA records is indexed by a Security Parameter Index (SPI). In this way, multiple tunnels and tunnels that independently link different networks are allowed on a single unit. In fact, multicast is allowed by duplicating the SA across all members of a group.

AH runs a hash over the contents of the packet, excluding so-called 'mutable' fields like the Time To Live (TTL) field. AH permits mutual authentication, tamper detection and message integrity. AH does not provide encryption, but it does guard against a replay attack. The AH includes five interesting fields.

Next header
SPI - 32-bit identifier
length of the AH
Sequence number
Authentication data (The ICV)

NOTE

If IP addresses are part of an integrity check, then a protocol like Network Address Translation (NAT) can look like a malicious attack. In that case, you need to hook in NAT-T as discussed above.

ESP surrounds the payload with a header and a trailer and encrypts the payload. This provides confidentiality and protects against a replay attack. ESP provides tunnel and transport modes. ESP calls in an external encryption algorithm and does not directly implement it. It is interesting, and perhaps useful only for testing, that ESP allows a 'null' encryption algorithm.
Thus ESP could be configured without AH or an effective encryption method.

The HMAC ICV is constructed as follows. (Please refer to the diagram.)

Given a message...
A magic number (random digits) is padded to a fixed block size by appending nulls. (ipad)
1 and 3 are combined with the XOR function.
4 and 1 are appended
5 is hashed
The key (3) is combined with another fixed block padded magic number. (opad)
7 and 6 are hashed

This gives an HMAC of the message. Note that although the HASH can be applied by an onlooker, the onlooker does not know the key and so cannot reproduce the particular hash result. Also, the magic numbers are padded to a fixed block size to thwart particular kinds of cryptanalysis and to fit in with algorithms that use a fixed block size. The magic numbers provide a variation in result even when the same message is re-sent. Otherwise a statistical cryptanalysis attack could be performed on similar data or known plain-text. Since the sender and receiver share the key, they can extract the magic numbers and the message. Because the sender and receiver were authenticated during the key exchange, the message is also authenticated.

There is a marked difference between a VPN provisioned by a customer and one at a provider. When the customer does it, the provider's end-point devices are unaware of the VPN and the customer's equipment terminates the VPN. When the provider manages the VPN, the provider's equipment terminates the VPNs for one or more customers.

2011-12-22
When you subscribe to Dish Network satellite service, the company provides a satellite receiver and remote control. The provided remote comes automatically programmed to control the receiver. You can also program the remote to control your television, DVD player and other electronic devices, removing the need for multiple remotes. Often, a Dish Network technician programs the remote for you at the time of installation. However, if this is not the case or you have a new television or DVD player, you can program the remote yourself.

2) Press and hold the mode button on the remote control for the device you are programming. For example, press and hold the "TV" button if you are programming the remote control for your television.

4) Enter the three-digit code for your device. The codes are listed by brand and found in the user manual for your remote control or online at the Dish Network website. Often, each brand has more than one code. Use the first one listed.

7) Press the "Power" button again to turn on the device.

Test some of the other keys to ensure your remote is programmed to the device. Try the volume and the mute buttons or the channel buttons. If these do not work, repeat steps 2 through 7 with another code for your device.

If you do not have access to the codes, use your remote to scan for a code. In step 4, instead of entering the code, slowly press the down arrow button until the device turns off. Press the "#" or the "OK" button, then continue with step 7.

2011-12-18
2011-12-10
1.2 Reference Documents
The list of all the documents that are referred to in preparing this document will be listed out here in this section. (SRS and Project Plan)

2.0 Coverage of Testing

2.1 Features to be tested

The list of all the features that are to be tested based on the implicit and explicit requirements from the customer will be mentioned in this section.

2.2 Features not to be tested

The list of all the features that can be skipped from the testing phase is mentioned here. Generally, out of scope features such as incomplete modules are listed here. If severity is low and time constraints are high, then all the low risk features such as GUI or database style sheets are skipped. Also, the features that are to be incorporated in future are kept out of testing temporarily.

3.0 Test Strategy

3.1 Levels of testing

It's a project level term which describes testing procedures in an organization. All the levels that are to be performed, such as Unit, Module, Integration, System and UAT (User Acceptance Test), are mentioned here.

3.2 Types of testing

All the various types of testing, such as compatibility, regression etc., are mentioned here with module divisions.

3.3 Test design techniques

The list of all the techniques that are followed and maintained in that company will be listed out here in this section. Some of the most used techniques are Boundary Value Analysis (BVA) and Equivalence Class Participation (ECP).

Whenever the test engineers need to develop the test cases for a range kind of input, the best technique suggested is BVA. BVA says that whenever there is a range for an input, just concentrate on the boundaries and not the entire values in between. In other words, LB or Lower bound is the minimum range and UB or Upper bound is the maximum range, so the values that will be considered in the BVA technique are LB, LB + 1, LB - 1, UB, UB + 1, UB - 1.
And one MV or mid range value can be added if the range is too lengthy. [MV = (LB+UB)/2]

Equivalence class participation: When there are a large number of requirements for a single feature, then ECP is very helpful. ECP is applied by dividing the different classes of inputs based on their properties and then developing the test cases. To understand these two techniques, we need to take an example of a test case based on the requirements of a particular feature.

Example: The Email ID field of a web application needs to be developed on the following specifications or requirements:

a) The word limit for the email text box field must be a minimum of 4 characters and a maximum of 20 characters.
b) Only lowercase alphabet allowed.
c) It should not accept special characters except @ & _ .

Once we understand the requirements, BVA = 3 characters (LB-1), 4 (LB), 5 (LB+1), 12 (MV), 19 (UB-1), 20 (UB), 21 (UB+1).

ECP states that data can be divided into different classes of inputs; these can be determined based on the type of data that needs to be provided for testing any particular feature. In the above example, by considering the BVA, the ECP table can be divided into two categories: Valid and Invalid.

Example: Valid = 4 char, 5 char, 12 char, 19 char, 20 char, a-z, @, _, a_5#. etc
Example: Invalid = 3 char, 21 char, A-Z, All special char except @ & _, 0 to 9, Alphanumeric texts, Empty spaces, decimals etc.

Based on these two types of inputs, you can create two tables, and

All the documents that are generated during the testing process need to be updated simultaneously to keep the testers and developers aware of the proceedings. Also, the naming conventions and declaring new version numbers for the software builds based on the amount of change is done by the SCM (Software Configuration Management) team, and the details will be listed here.
The list of all the tasks that need to be measured and maintained will be present here. Different metrics for tracing back the exact requirement and test case depend on the availability of metrics at the right time.

The list of all the features or modules that are planned for automation testing will be mentioned here. The application only undergoes automation testing after being declared STABLE by the manual testing team. The list of automated tools, like QTP, Loadrunner, Win runner, etc., which will be used in this project will be mentioned along with license details.

The standards or metrics that need to be achieved by the testing team before declaring the product fit will be listed here. So before handing over to the customer, the time at which the testing needs to be stopped is mentioned here in this section.

In high risk projects, or huge projects that consist of several modules, it is necessary to minimize the repetitive process to be efficient. The situations when the testing needs to be suspended or temporarily halted will be listed here in this section.

The list of all the documents that are to be prepared during the testing process will be mentioned here in this section. All the copies of verification documents after each level are submitted to the customer along with the user manual and product at the end of the project.

Environmental components and combinations that will be simulated for testing the product will be made sure to be very close to the actual environment when the end user works on the product. All the details that are to be used for testing the application will be mentioned here in this section.

How much staff is to be recruited and what kind of training is to be provided to accomplish this project successfully will be described here in a detailed fashion.

Risks: Example, resources may leave the organization, license and update deadlines, customer may change the requirements in terms of testing or maintenance in the middle of the project.
etc.

Contingencies: Maintaining bench strength, rechecking initial stages of the whole process, importance and priority settings for features to be tested and features to be skipped under time constraints to be listed and shared clearly.

Some features or testing methods have to be done mandatorily even though the customer does not mention them in his requirements document. These assumptions are listed out here in this section.

As this document is published and circulated, the relevant and required authorities will approve the plan and will update this section with necessary details like date and department etc.

We will use examples extensively to discuss the entire phase of test development in our article. Please note that these are just standard methods and approaches towards testing and can vary slightly from company to company. (But the core remains the same.)

Arguably, this is the most important stage of the testing life cycle. In this section or phase of the testing part, the testers will develop the test cases based on the requirements of the customer. There are usually three levels of requirements to be understood by the testers before they can proceed to write the test cases for the product.

Use Case: These are the snippets created by the Business Analyst to describe the functionality of certain features of an application. It briefly states the roles of actors, actions and responses that are required to be included in test cases before executing them on the product or software.

Login screen should contain username, password, connect to fields, Login, Clear and Cancel buttons.
Connect to field should not be a mandatory field but it must allow the user to connect to a database whenever he requires.
Upon entering the valid username, valid password and clicking on Login button, the corresponding page according to the level of user (admin, member, guest etc) must be displayed.
Upon entering some information into any fields and clicking on Clear button, all the fields must be cleared and the cursor must be placed in the username field.
Upon clicking on the Cancel button, the login screen must close.

Implicit Requirements: Sometimes the customer is unaware of the finer details and provides a rough requirements list; in that case the business analyst produces a list of requirements on his own to improve the value of the product.

Explicit Requirements: Requirements that are demanded by the customer fall in this category. These requirements will always receive priority in testing and cannot be listed under Features not to be tested in the Test Plan document.

Special Requirements / Validations / Business rules and standards.

Initially whenever the login screen is invoked the Login and Clear buttons must be disabled.
Cancel button must be always enabled.
Upon entering some information into any of the fields the Clear button must be enabled.
Upon entering any information into the username and password field the Login button must be enabled.
Tabbing order (hitting tab on keyboard should highlight fields in specified sequence): Username, password, connect to, Login, Clear and Cancel.

Implicit requirements

Initially whenever the login screen is invoked the cursor must be available in the username field.
Upon entering invalid username, valid password and clicking Login, the following message must be displayed: "Invalid username. Please try again."
Upon entering valid username, invalid password and clicking Login, the following message must be displayed: "Invalid password. Please try again."
Upon entering invalid username, invalid password and clicking on Login, the following message must be displayed: "Invalid username/password Please try again."

Explicit requirements

Initially whenever the login screen is invoked, the Login and Clear button must be disabled.
Cancel button must be always enabled.
Upon entering information in any field, Clear button must be enabled.
Upon entering username and password details, Login button should be enabled.
Tabbing order must be Username, Password, Connect to, Login, Clear and Cancel.

(Sometimes diagrams/flowcharts are available to depict the flows in use cases, but we will consider a table and jot down the requirements efficiently as listed below.)

(The table has been split into two divisions, one each for the main flow and alternative flow, for better understanding. There is a lot of documentation and methodology involved in testing when an established CMMI level or ISO certified company enters the arena.)

Identify the module to which the use case belongs. In our example the login screen use case generally belongs to the security module.
Identify the functionality of the use case with respect to the total functionality. Example: Authentication for login screen.
All the Look and Feel (GUI) related test cases need to be written by the Test engineers directly even if the HLI, LLI and snapshots are not available. (Important)
Identify the functional points and prepare the Functional Points Document (FPD).
Identify the actors involved in the use case, whether normal or administrator etc.
Identify the inputs required to perform testing; valid and invalid inputs need to be identified with respect to the functionality of the features.
Identify whether this use case is linked with any other use case, such as homepage or admin page or database connections page, to confirm authentication.
Identify the pre-conditions and ensure that the build version released is the correct one and can be used for executing the test cases hereafter.

Methodology

Understand the Main flow of the application. Usually all the valid inputs and normal actions of a valid user fall under the main flow.
Understand the alternative flow.
Generally the spontaneous and unpredictable inputs from actors, such as invalid entries and interchanging the order of inputs, will create different responses from the application. Such things fall under the alternative flow.
Understand the special requirements. Most of the time default settings and standards are developed by the coders, and in some cases the customer may request a non-conventional approach with respect to the application's behavior. In such a case understanding the requirement and creating a proper test case is very crucial.
Documentation is very important and all the documents need to be created separately. The different versions and reference tables make the test cases lengthy but will help later to trace any defects to the requirements by using the Traceability Matrix.
The Functional points document ( FPD ) is to be maintained in order to understand features that need to be tested and features that need to be skipped. The point where the user can perform some action on the application is called the Functional point.

Chronology of Documents in Testing

It is a document that contains tables of linking information and is used for tracing back the route of test development activities. There are many documents that need to be maintained by the test engineers and the business analysts in order to complete the inputs in these Matrix tables. In case any confusing or questionable circumstance arises in future, this TM document can be referred to in order to find the root cause. ( The numbers denote the example serial numbers from the corresponding documents UCD ( Use case document ), FPD ( Functional Points document ), TSD ( Test scenarios Document ), TCD ( Test case Document ), DPD ( Defect Profile document ) respectively. ) Sometimes different traceability matrix tables are maintained according to the standards of the company, for example :

This is the phase where the test engineers will prepare and execute the test cases.
One of the best techniques is to refer to the use cases, pick up the standard test case templates and prepare test cases based on different categories. Remember to maintain the Traceability matrix alongside test execution to avoid rework and confusion at a later stage. The Test cases can be divided into three types:

GUI test cases
Guidelines to be followed when preparing GUI test cases:
Check for availability of all the objects on the application.
Check for alignment of all the objects, even though the customer does not specify them in the requirements.
Check for consistency of the objects ( Color, appearance, resolution, spelling etc ).
Any such feature that can be tested just by observing, or a defect that can be avoided by just looking and pointing it out in the development stage, will fall under GUI test cases.

Functional test cases
The functional test cases can be classified into two categories, +ve test cases and -ve test cases. +ve test cases are written for the steps that the user follows in order to perform the functions that the feature is supposed to do. In other words, the Main flow of the application can be tested with +ve test cases with valid data and inputs. Whereas -ve test cases will be used to test the irregular and abnormal expected actions by the end user on the application's functionality. At least one set of invalid input as test data is required to produce a -ve test case.

Non Functional test cases
The test cases that are prepared to test the application's stability, load or performance related features will fall under the non functional test cases. We will discuss performance and load testing details in other chapters of this knol. Please refer to the Complete theory Index above to navigate to other sections.

The test case template is used to create the Test case document easily and effectively. There are the following fields in a test case template:
Objective : The purpose of this test case will be mentioned here.
Project Name : The code name of the project or the product name will be mentioned here, which will be specific to the company policies and may vary from organisation to organisation.
Module name : The particular module the test case belongs to, for ex. Login screen, will be mentioned here.
Author / Prepared by : The test engineer, lead and other relevant names of people who are responsible for the end document will be listed here.
Test scenarios : Based on the FPD the features that need to be tested are shortlisted, and the scenarios and possible combinations will be listed in this section.
Revision history : The authorities ( team leaders and test managers ) have to review and approve the test document before testers can proceed to execute the test. The relevant authorised signatures and timestamps will be present in this section.

Test Case Document : Fields Explained
Test case ID : The serial numbers of the test cases are listed here.
Req/Ref ID : The reference serial numbers or ids from the use cases will be listed here to create a cross reference matrix for the corresponding test case.
TC Type : The type of test case, whether GUI, +ve or -ve, will be listed here.
Description : The details of the action that the test engineer needs to perform on the features will be mentioned here clearly.
Test Data : In order to perform functionality testing, it is very important to test the features with a range of data, and also approach with different techniques such as BVA and ECP. To keep the test case document tidy, test engineers prefer to create linking tables of test data in a separate document or provide the input data at the end of the test case document. The test data can be divided into two categories, Valid and Invalid input data, in order to write +ve and -ve test cases efficiently.
EV : The expected value after performing the action will be listed here.
AV : The actual behavior of the application after executing the test case will be recorded and listed here.
Result : The comparison of EV and AV will be done and the result, either PASS or FAIL, will be mentioned in this section accordingly.
Priority : The priority is assigned to different test cases based on their effect on the testers' ability to continue further execution of test cases on the application. In other words, sometimes simple defects can create navigational blocks and prevent testers from accessing the entire features of the application, and hence such defects will receive high priority; similarly GUI related defects receive low priority.
Build No : The version of the build that is released by the development team will be listed here.

The following XL sheet is an example of a standard test case for our login screen functionality. Some results are PASS and some results are FAIL in order to make the Bug reporting and Result analysis chapters easier to understand.

After the successful execution of test cases, the tester will compare the expected values with the actual values and declare the result as pass or fail.

Bug Tracking and Reporting : A very important stage is to update the DPD ( Defect profile document ) and then let the developers know of the defects. The fields in the defect profile document are as follows:
Defect ID : The sequence of defects identified is arranged serially and listed here.
Test case ID : The corresponding test case number on which this defect is based is identified and will be mentioned here ( advantages of Cross reference matrix ).
Description : The brief description of the defect will be listed here.
Steps for reproducibility : The steps that the tester followed to encounter the defect will be mentioned here, in order to assist the developers in quickly identifying the Bug.
Submitter : The name of the test engineer who has submitted the defect will be mentioned here.
Date of submission : The date on which the defect report was logged will be listed here.
Build No. : The corresponding build that was released from the developers to the testing department will be listed here.
Version no : The version no. to which the build belongs will be mentioned here.
Assigned to : The development lead will fill in the name of the corresponding developer to whom the defect is assigned.
Severity : This field describes the seriousness of the defect from the tester's point of view, and can be classified into 4 types:
Fatal / Sev1 / S1 / 1 : If the problems encountered are related to the unavailability of a functional feature, then such defects prevent testers from pursuing further testing, and hence are rated Fatal. Sometimes these defects are also called show stopper defects. ( Missing fields or features )
Major / Sev2 / S2 / 2 : If the features are available and functional testing can be carried out but the results are not according to the expected value, then these defects are termed major defects ( ex. an add button displays 5 when entered 2 + 2, in which case the function is working properly but not according to expectations. )
Minor / Sev3 / S3 / 3 : If the problems are related to the GUI or the Look and feel of the application's features, then these are treated as minor defects. ( Inconsistent objects or spelling mistakes fall under this category. )
Suggestions / Sev4 / S4 / 4 : If the problems are related to the overall value of the application, or rectifying them can enhance the user friendliness of the application, then these defects are classified under the suggestions list.
Priority : Priority describes the sequence in which the Development team will look into the defects and arrange them to be rectified. Priority can be classified into 4 types:
Critical / P1
High / P2
Medium / P3
Low / P4
Usually, in normal situations, the highest severity defects will be given the highest priority and the least ones accordingly, but sometimes, depending on the situation and barriers between the developers' and testing team's knowledge bank, the correlation may change.
For example : Whenever there is a customer visit at short notice, all the GUI cases ( minor defects ) will receive Critical or High Priority from the developers. Similarly, if some part of the application is to be released at a later stage in another build to the testing team, then the testers consider the missing functionality as Fatal, but the developers will keep it assigned at a Low priority.

Below is the Defect Profile document example based on our Login Screen test case document execution. Again, it is to be noted that the template and description styles may change from company to company.

2011-12-09
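The login screen requirements and the test case and defect profile fields described above, as an added example that is not part of the original page: a small Python model of the screen is executed against a test case table, AV is compared with EV, and each FAIL becomes a defect entry. The class names, credentials, requirement IDs, the "OK" success value and the seeded defect are assumptions made for the illustration.

```python
# Added illustration (not the page's code): hypothetical login screen model.
VALID_USER, VALID_PASS = "admin", "s3cret"  # constructed test data

class LoginScreen:
    def __init__(self):
        self.username = self.password = self.connect_to = ""
    def enter(self, user="", pwd=""):
        self.username, self.password = user, pwd
        return self
    def buttons(self):
        """Enabled state of each button per the special requirements."""
        filled = bool(self.username or self.password or self.connect_to)
        login = bool(self.username and self.password)
        return {"Login": login, "Clear": filled, "Cancel": True}
    def login(self):
        user_ok, pass_ok = self.username == VALID_USER, self.password == VALID_PASS
        if user_ok and pass_ok:
            return "OK"  # assumed value; the page defines no success message
        if not user_ok and not pass_ok:
            return "Invalid username/password Please try again."
        if not user_ok:
            return "Invalid username. Please try again."
        return "Invalid password. Please try again."

class DefectiveBuild(LoginScreen):
    """Constructed defect for the demo: Clear never becomes enabled."""
    def buttons(self):
        return {**super().buttons(), "Clear": False}

# Test case ID, Req/Ref ID (constructed), TC type, action yielding AV, EV
TEST_CASES = [
    ("TC01", "R1", "GUI", lambda s: s.buttons()["Login"], False),
    ("TC02", "R2", "+ve", lambda s: s.enter("a").buttons()["Clear"], True),
    ("TC03", "R3", "+ve", lambda s: s.enter(VALID_USER, VALID_PASS).login(), "OK"),
    ("TC04", "R4", "-ve", lambda s: s.enter("guest", VALID_PASS).login(),
     "Invalid username. Please try again."),
    ("TC05", "R5", "-ve", lambda s: s.enter(VALID_USER, "wrong").login(),
     "Invalid password. Please try again."),
]

def execute(build=LoginScreen):
    """Run each case on a fresh screen; Result is PASS when AV equals EV."""
    rows = []
    for tc_id, req_id, tc_type, action, ev in TEST_CASES:
        av = action(build())
        rows.append({"TC": tc_id, "Req": req_id, "Type": tc_type, "EV": ev,
                     "AV": av, "Result": "PASS" if av == ev else "FAIL"})
    return rows

def defect_profile(rows, build_no):
    """One DPD entry per FAIL, cross-referenced to its test case ID."""
    failed = [r for r in rows if r["Result"] == "FAIL"]
    return [{"Defect ID": f"D{i:02d}", "Test case ID": r["TC"], "Build No": build_no}
            for i, r in enumerate(failed, 1)]
```

Calling `defect_profile(execute(DefectiveBuild), "B1")` yields a single entry traced to TC02. The model reproduces the three messages exactly as the requirements state them; separate messages for an invalid username and an invalid password also tell a caller which usernames exist, which is worth recording as a finding when this screen is reviewed.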
Flashback to 2006: everyone in the computer world was stunned as Alienware unveiled their new breed of customizable gaming laptop, the Alienware Area 51. At that time, this gaming laptop was hands down every gamer's dream for a gaming laptop. If not for its high price then everyone would probably work double jobs just to get their hands on this formerly jaw-dropping gaming notebook - including myself.

What more could a player want from a gaming laptop? What game or 3D application do you think would not run without a snag on the Alienware Area 51 M7700? The 3.8 GHz Hyper-Threading raw computing power of Intel's Pentium 4 processor is available to run it. Add Nvidia's GeForce 7800 GTX with 256 MB dedicated memory for stunning visuals. Not to mention its 4 GB PC5300 DDR 2 RAM. And of course no one with a clear mind would settle for less than 7200 rpm for a hard disk when they have already paid for all the previously mentioned powerful specs. Definitely not!

Well, those were still times when all I could do was daydream about getting my hands on the world's best gaming laptop. Fortunately for me, the time for dreaming is over. Even with our current economic challenges, I've done well enough to be able to get my own gaming notebook that I deserve.

Ok. Now here is the fun part. I finally have enough money to splurge on my dream gaming laptop, right? So shopping I've tried to do. And you know what? Alienware no longer sells my dream! How ironic. How ironic, yes. I think my dream will remain a dream for a little longer - Oh yes! I spend at least not on this baby!

After countless hours trying to get quality information from Alienware customer support on how I could get my hands on the Alienware Area 51 M7700, I gave up on Alienware's terrible customer service, and I took a step back to assess what options I still have for what I've dreamed of. Then it hit me. eBay! There, I finally found an Alienware Area 51 M7700!

Right then and there, I almost bought it, especially with its less than $1,000 price tag. Fortunately for me I did not let my emotions get the better of me. I checked the details of the device which this eBay seller sells. It looks like it is in excellent condition, I will give the device that, but it is configured to specs a little low for my taste. And the worst? No option for a guarantee! Oh no! Definitely not going with that one now. Not if I may end up facing problems that arise soon after the purchase of the rig.

Just when it was darkest, a light shone. They had some of the few Alienware Area 51 M7700 left on the planet. And not only that. Their units are configured even better than I dreamed they would be years back. And the best part? You have a 1 year warranty as an option. Need I say more?

2011-12-09