Firewalls don't cut it anymore as the first line of defense

Eight major U.S. banks were recently brought to their knees by daylong DDoS attacks. Experts say these types of attacks are on the rise, and every business or agency with a Web presence is vulnerable. A new first line of defense is needed -- one that sits in front of the firewall.

We are learning more about the distributed denial-of-service (DDoS) attacks that hit eight U.S. banks in September and October. Security experts now believe that multiple well-organized attackers rather than a single attacker are behind the events that caused daylong slowdowns and, at times, complete outages at Bank of America, JPMorgan Chase, Wells Fargo, US Bank, PNC Bank, Capital One, SunTrust Bank and Regions Financial Corp.

Though there's no evidence that financial data was stolen during the DDoS attacks, Gartner fraud analyst Avivah Litan says they could be a precursor to fraud in other banking channels. She cites an example where a person could place a call to a bank's call center to execute a wire transfer that can't be completed online because of the service disruption. This manual process has less sophisticated anti-fraud safeguards than the online process. Experts say that companies get distracted fighting DDoS attacks and they let their guard down in other areas of the business.

BACKGROUND: Cyberattacks on banking websites subside -- for now

The group Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for the attacks on the banks, but the "who" is not as important as the "how." It appears that different tools and techniques were used to disrupt network operations at the various banks. This is important to note as it means that a variety of defensive tactics is required to defend against future attacks.

I had an opportunity to talk to Marty Meyer, CEO of Corero Network Security, maker of an anti-DDoS appliance. According to Meyer, we are entering a new era of cyberwarfare. "In the case of the U.S. banks," says Meyer, "the attackers recruited people to download software and launch the attacks. It's not like an isolated hactivist event anymore, or a one-time thing where you get hit and the attacker moves on. It's really a prolonged cyberwar that's escalating as more people around the world get connected."

U.S. Secretary of Defense Leon Panetta alluded to this situation when he recently said that the U.S. is facing the possibility of a "cyber Pearl Harbor." Panetta says the country is increasingly vulnerable to foreign computer hackers who could dismantle the nation's power grid, transportation system, financial networks and government.

Panetta may be a bit extreme in his warning of a complete meltdown, but Meyer believes that the situation with DDoS attacks will only get worse. "The ease of getting to these tools that can be used to launch these attacks, whether simple or sophisticated, is going to increase the rate of attacks that we see. It's not going to go away," concludes Meyer, adding that any company or agency can become a victim. "Attackers are trolling for any IP address with a vulnerability. It's not a matter of a company being an attention-grabber in the market and that's the only way you'll be attacked," he says.

Firewalls can't block these attacks

In the case of some of the banks, excessive traffic was coming in at a rate of 65 gigabytes per second, totally overwhelming the infrastructure. DDoS and other advanced attacks can't be solved by opening up more bandwidth. The problem is that firewalls, intrusion prevention systems (IPS) and other infrastructure aren't designed to deal with volumetric attacks; they simply freeze up.

But some attacks don't depend on high volumes of traffic. They may be "low and slow" but apply pressure on the infrastructure devices that get strained by certain requests. For example, consider an online merchant that has a database to store information about all the products it sells. The website has a "compare products" feature. The comparison request goes to the database to pull up all the features of multiple selected products to present a dynamic Web page showing the products' features side by side. A single request for this data is harmless, but an attacker will make this kind of request over and over in rapid succession, causing the database server to become so busy that a denial-of-service condition will be accomplished.

Obviously a firewall isn't going to prevent this type of attack. To the firewall, the database requests look legitimate. The firewall can't see the malicious intent behind the requests.

Meyer says that networks need a new "first line of defense" at the perimeter. To make this point, Corero has rebranded its DDoS Defense Solution as the Corero First Line of Defense Solution. This solution is a hardware device designed to sit in front of the firewall. Its purpose is to evaluate all traffic and remove unwanted "noise" before it can get to the firewall, the IPS, and other points in the infrastructure. When the nefarious traffic is eliminated, these other devices can do the jobs they are intended to do.

Corero's First Line of Defense Solution uses industry best practices as well as sophisticated techniques and technologies to thoroughly inspect traffic bi-directionally in order to stop DDoS and other advanced attacks. The device uses several steps to move successively deeper into the protocol stack to inspect the packets more closely in order to address more issues than any firewall alone can mitigate.

The first step uses real-time reputation updates, current geolocation information and real-time threat detection to evaluate inbound traffic. For example, if packets are originating from a country where the network owner doesn't do business -- say China, for instance -- then the traffic can be blocked.

The second step limits the rates of traffic coming into a network. This would take care of the above example of the repeated requests for product comparison pages as well as a host of other issues.

Step three involves analyzing the behavior of the traffic and tossing out anything that violates protocol and application usage standards. The system also looks for questionable outbound traffic not conforming to policies and/or standards. This bi-directional inspection catches advanced attack techniques such as randomized requests for nonexistent Web pages or content that would tie up Web servers and databases.

The next step looks for known security issues in the traffic. This includes buffer overflows, injections and brute-force password attacks; random malware and exploits in the payloads; and advanced evasion techniques such as fragmentation and segmentation that can be used to hide attacks. Often advanced evasion techniques are used in blended attacks.

By the time traffic has gone through all these layers of inspection, it is deemed clean enough to continue to the second line of defense -- the firewall.

Attackers have grown sophisticated in their methods, and it takes a higher level of sophistication than a firewall to keep them at bay. It's time for a new first line of defense.

Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2012 IDG Communications, Inc.

IT Salary Survey 2021: The results are in