Chapter 1: Key Concepts > DDoS mitigation techniques overview

DDoS mitigation techniques overview

The best security strategies encompass people, operations, and technology. The first two typically fall within an autonomous domain, e.g. within a company or IT department that can enforce procedures among employees, contractors, or partners. But since the Internet is a public resource, such policies cannot be applied to all potential users of a public website or email server. Thankfully, technology offers a range of security products to address the various vulnerabilities.

Firewalls

Firewalls can go a long way toward solving some problems by restricting access to authorized users and blocking unwanted protocols. As such, they are a valuable part of a security strategy. But public websites and eCommerce servers cannot know in advance who will access them and cannot 'prescreen' users via an access list. Certain protocols can be blocked by firewalls, but most DoS attacks utilize authorized ports (e.g. TCP port 80 for a web server) that cannot be blocked by a firewall without effectively blocking all legitimate HTTP traffic to the site, thereby accomplishing the hacker's objective.

Firewalls offer some security against a single user DoS attack by denying access to the offending connection (once it is known), but most DoS attacks today are distributed among hundreds or thousands of zombies, each of which could be sending legal packets that would pass firewall scrutiny. Firewalls perform a valuable service in an integrated security strategy, but firewalls alone are not enough.

Router access control lists

Likewise, access lists in the router can be used to block certain addresses, if such addresses can be known a priori. But websites open to the public are, by nature, open to connections from individual computers, which are exactly the agents hackers use to initiate attacks. In a DDoS attack, thousands of innocent-looking connections are used in parallel. Although router access lists can be used to eliminate offending packets once they are identified, routers lack the processing power and profiling heuristics to make such identifications on their own.

In addition, complex access lists can cause processing bottlenecks in routers, whose main function is to route IP packets. Performing packet inspections at Layers 3, 4, and 7 taxes the resources of the router and can limit network throughput.

Antivirus software

End systems cannot be considered secure without antivirus software. Such software scans all inputs to the system for known viruses and worms, which can cause damage to the end system and any others they may infect. Even after a virus is known and characterized, instances of it are still circulating on the Internet, through email, on CDs and floppy disks. A good antivirus subscription that is frequently updated for the latest protection is invaluable to any corporate or individual computer user.

But even antivirus software is not enough to catch certain attacks that have been cleverly disguised. Once a system is infected with a new strain, the damage can be done before the virus or worm is detected and the system is disinfected.

Application protection

Such packages include software that watches for email anomalies, database access queries, or other behavior that may exploit a vulnerability in the application. Because it must be very specific to, and very close to, the application it is protecting, application protection is typically implemented as software on the host. Dedicated servers would benefit from well-designed application security software that will maintain the integrity of the code and detect anomalous behavior that could indicate an attack. Certain malicious code can attempt to overwrite registers on the end system and thereby hijack the hardware for destructive purposes.

Intrusion detection systems

Intrusion Detection Systems (IDS) are designed to 'listen' to traffic and behavior and set an alarm if certain conditions are met. Some IDS implementations are implemented in the host, while others are deployed in the network. The IDS sensor monitors traffic, looking for protocol violations, traffic rate changes or matches to known attack 'signatures'. When a threat is detected, an alarm is sent to notify a (human) network administrator to intervene.

Host-based intrusion detection systems are designed as software running on general-purpose computing platforms. Not to be confused with application security software (mentioned above), which runs on the end system and focuses primarily on Layers 5-7, software-based intrusion detection systems must also focus on Layers 3 and 4 of the protocol stack. These packages rely on the CPU power of the host system to analyze traffic as it comes into the server. General-purpose computers often lack the performance required to monitor real-time network traffic and perform their primary functions at the same time. Creating a bottleneck in the network or on the server actually helps the hacker accomplish his goal by restricting access to valuable resources.

End systems provide the best environment for signature recognition because packets are fully reassembled and any necessary decryption has been performed. However, signature-based intrusion detection has its limitations, as described below.

The next step in the evolution of intrusion security was content-based Intrusion Prevention Systems (IPS). Unlike IDS, which require manual intervention from an administrator to stop an attack, a content-based IPS automatically takes action to prevent an attack once it is recognized. This can cut down response time to near zero, which is the ultimate goal of intrusion security.

IPS must be intelligent, however, or the remedy might actually accomplish the hacker's goal: denying resources to legitimate users.

Prevention mechanisms can also be harmful if detection is subject to false positives, or incorrect identification of intrusion. If the prevention action is to disable a port, protocol, or address, a false positive could result in denial of service to one or more legitimate users.

Network behavior analysis

An alternative to signature recognition is network behavior analysis (NBA). Rate-based systems must provide detailed analysis and/or control of traffic flow. A baseline of traffic patterns is established, usually during a learning mode in which the device only 'listens' without acting on any alarm conditions. A good system will have default parameters set to reasonable levels, but the 'listening' period is required to learn the traffic behavior on various systems. The listening period should be 'typical,' in the sense that no attacks or unusual traffic patterns should be present. For example, Saturday and Sunday are probably not good days to build a baseline for a corporate server that is much busier during the workweek. Periods of unusually high or low traffic also make bad listening intervals: for example, the Christmas vacation week, or spikes caused by external events (press releases, sales promotions, Super Bowl halftime shows, and so on).

Once a baseline is established, rate-based systems watch for deviations from the known traffic patterns to detect anomalies. Good systems will allow an administrator to override the baseline parameters if events causing traffic surges are foreseen, for example, a server backup scheduled overnight.
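The learning-mode baseline, the exclusion of atypical periods, and the administrator override described above, as an added example that is not FortiDDoS or Fortinet code. It assumes a simple statistical rule (mean plus three standard deviations of the learned rate) for the deviation threshold; the page itself does not specify how deviations are measured. The traffic samples are constructed for the example.

```python
# Added example (not FortiDDoS code): build a rate baseline from a learning
# period, skip days that are not typical, then flag deviations while honoring
# administrator overrides for foreseen surges such as an overnight backup.
from statistics import mean, pstdev

WEEKEND = {"Sat", "Sun"}

# Constructed learning-mode samples: (day, hour, packets_per_second).
# Weekday hours carry the normal load; the weekend rows are quiet and would
# drag the baseline down, so build_baseline() leaves them out by default.
LEARNING = [(day, hour, pps)
            for day in ("Mon", "Tue", "Wed", "Thu", "Fri")
            for hour, pps in zip(range(9, 14), (1000, 1010, 990, 1020, 980))]
LEARNING += [("Sat", 10, 100), ("Sun", 10, 80)]


def build_baseline(samples, skip_days=frozenset(WEEKEND)):
    """Return (mean, std dev) of the per-second rate over the typical samples."""
    rates = [pps for day, _, pps in samples if day not in skip_days]
    return mean(rates), pstdev(rates)


def threshold(baseline, k=3.0):
    """Assumed deviation rule for this example: mean + k standard deviations."""
    m, sd = baseline
    return m + k * sd


def detect(samples, thr, overrides=()):
    """Return the (day, hour, pps) samples whose rate exceeds the threshold.

    An override is (day, start_hour, end_hour, multiplier): inside that window
    the threshold is scaled up, so a scheduled surge does not raise an alarm.
    """
    alarms = []
    for day, hour, pps in samples:
        limit = thr
        for o_day, start, end, mult in overrides:
            if day == o_day and start <= hour < end:
                limit = thr * mult
        if pps > limit:
            alarms.append((day, hour, pps))
    return alarms


if __name__ == "__main__":
    base = build_baseline(LEARNING)
    thr = threshold(base)
    live = [("Tue", 10, 1030),   # ordinary fluctuation, no alarm
            ("Tue", 11, 5000),   # flood-sized deviation, alarm
            ("Wed", 2, 4000),    # backup window covered by an override
            ("Sat", 10, 50)]     # quiet weekend, no alarm
    print("baseline mean=%.1f sd=%.1f threshold=%.1f" % (base[0], base[1], thr))
    print("alarms:", detect(live, thr, overrides=[("Wed", 1, 4, 5.0)]))
```

Passing `skip_days=()` to `build_baseline()` shows why the weekend rows matter: the two quiet samples pull the mean well below the weekday rate, which is the kind of unrepresentative baseline the text warns against.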

While signature-based systems are scrutinized for false-negatives, or failing to identify an attack, rate-based systems should be scrutinized for false positives, or misidentifying legitimate changes in traffic patterns as attacks. Whether setting alarms or taking preventative action, rate-based systems must be well-designed to avoid unnecessary overhead.

Equally important for rate-based systems are their analysis tools. Administrators should be able to view their traffic patterns on a variety of levels, and use this information to tune their network resources.

FortiDDoS compared with conventional firewalls

Conventional stateful firewalls drop packets or stateful connections, but they cannot correlate packets to a source. FortiDDoS has a unique feature that allows it to promptly correlate attacks and verify whether they are initiated by a single host. If it can do so (that is, the attack is not spoofed), it blocks the offending source for a longer period of time.

It is important to understand the differences between a stateful firewall and a stateful NBA system such as FortiDDoS. Conventional stateful firewalls have rules that allow or deny packets or individual connections based on their individual characteristics. They do not remember packets in an aggregate way.

FortiDDoS operates on an aggregate basis. It looks at packet rates, typically measured over one-second intervals, across a period of time. It measures packet rates for various Layer 3, 4, and 7 parameters and compares them against the thresholds set for each. If a rate exceeds its threshold, FortiDDoS blocks the matching packets for a configured period.

In a firewall, the administrator can set a rule that allows the UDP destination port 1434 regardless of the rate. A FortiDDoS administrator, on the other hand, can set a rule that allows UDP 1434 only if the rate is within 10 packets per second. Beyond this rate, the UDP packets destined to that port are dropped.
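The contrast drawn above between a stateless allow rule and an aggregate rate rule, together with the source correlation described under the previous heading, as an added example that is not FortiDDoS or Fortinet code. The rule classes, their parameter names, the 5-second blocking period and the 90% share used to decide that one host dominates the dropped traffic are this example's assumptions, not FortiDDoS settings; the packet traces are constructed.

```python
# Added example (not FortiDDoS code): a firewall-style rule that allows
# UDP/1434 at any rate, beside a rate-based rule that allows it only up to
# 10 packets per second and then drops matching packets for a blocking period.
# A small correlator then checks whether the dropped packets came from one host.
from collections import Counter, deque

# Constructed packet trace: (timestamp_seconds, src_ip, proto, dst_port)
TRACE = (
    [(0.05 * i, "10.0.0.5", "udp", 1434) for i in range(12)]  # 12 pkts in 0.55 s
    + [(3.0, "10.0.0.5", "udp", 1434),   # arrives during the blocking period
       (6.0, "10.0.0.5", "udp", 1434),   # arrives after the block has expired
       (6.1, "10.0.0.7", "tcp", 80)]     # unrelated traffic, rule does not apply
)

# Constructed spoofed variant: same timing, every packet from a different source.
SPOOFED_TRACE = [(0.05 * i, "10.0.1.%d" % i, "udp", 1434) for i in range(12)]


class StatelessRule:
    """Firewall-style rule: allow UDP/1434 no matter how fast it arrives."""
    def __init__(self, proto, dport):
        self.proto, self.dport = proto, dport

    def decide(self, pkt):
        _, _, proto, dport = pkt
        return "allow" if (proto, dport) == (self.proto, self.dport) else "no-match"


class RateRule:
    """Aggregate rule: allow UDP/1434 only while the packet count in the
    trailing one second stays at or below threshold_pps; once it is exceeded,
    drop matching packets for block_seconds (example parameters, assumed)."""
    def __init__(self, proto, dport, threshold_pps, block_seconds):
        self.proto, self.dport = proto, dport
        self.threshold, self.block_seconds = threshold_pps, block_seconds
        self.window = deque()       # arrival times inside the trailing 1 s
        self.blocked_until = -1.0

    def decide(self, pkt):
        t, _, proto, dport = pkt
        if (proto, dport) != (self.proto, self.dport):
            return "no-match"
        if t < self.blocked_until:
            return "drop"
        while self.window and t - self.window[0] >= 1.0:
            self.window.popleft()   # slide the one-second window forward
        self.window.append(t)
        if len(self.window) > self.threshold:
            self.blocked_until = t + self.block_seconds
            self.window.clear()
            return "drop"
        return "allow"


def run(rule, trace):
    """Apply one rule to a trace and return the per-packet decisions."""
    return [rule.decide(p) for p in trace]


def dominant_source(trace, decisions, share=0.9):
    """Correlate dropped packets to their source. If a single address accounts
    for at least `share` of the drops, the attack is treated as non-spoofed and
    that address is returned as a candidate for a longer block; otherwise None."""
    srcs = Counter(p[1] for p, d in zip(trace, decisions) if d == "drop")
    if not srcs:
        return None
    src, n = srcs.most_common(1)[0]
    return src if n / sum(srcs.values()) >= share else None


if __name__ == "__main__":
    print("stateless:", run(StatelessRule("udp", 1434), TRACE))
    rated = run(RateRule("udp", 1434, 10, 5.0), TRACE)
    print("rate-based:", rated)
    print("single offending host:", dominant_source(TRACE, rated))
    spoofed = run(RateRule("udp", 1434, 10, 5.0), SPOOFED_TRACE)
    print("spoofed offending host:", dominant_source(SPOOFED_TRACE, spoofed))
```

The stateless rule admits every one of the 1434 packets, which is exactly the firewall behaviour the text describes. The rate rule admits the first ten, drops the eleventh and twelfth and the packet that arrives during the blocking period, then admits traffic again once the period has elapsed. Because all drops in the first trace come from one address the correlator names it, while the spoofed trace yields no dominant source.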

There are some features in FortiDDoS that are similar to a firewall. Like a firewall, FortiDDoS allows you to configure Layer 3, 4, and 7 blocking conditions. It is therefore important to learn how to migrate a firewall security policy to a FortiDDoS security policy.

FortiDDoS compared with conventional intrusion prevention systems

FortiDDoS is a rate-based IPS device that detects and blocks network attacks which are characterized by excessive use of network resources. It uses a variety of schemes, including anomaly detection and statistical techniques, to detect and block malicious network traffic. When it detects an intrusion, FortiDDoS blocks the traffic immediately, thus protecting the systems it is defending from being overwhelmed.

Unlike conventional content-based IPS, an NBA system does not rely on a predefined attack "signature" to recognize malicious traffic. A content-based IPS is vulnerable to "zero-day" attacks, or attacks that cannot be recognized because no signature has been identified to match the attack traffic. In addition, attack traffic that is compressed, encrypted, or effectively fragmented can escape many pattern-matching algorithms in content-based IPS. And many rate-based attacks consist of genuine and compliant traffic sent at high rates, which effectively evades a content-based IPS.

An NBA system provides a network with unique protection capabilities. It delivers security services not available from traditional firewalls, IPS, or antivirus/spam detectors. Its detection, prevention, and reporting of network attacks is based on traffic patterns rather than on individual transactions or packets, which enables FortiDDoS to serve a vital role in an effective security infrastructure. Rather than replacing these elements, an NBA system complements them to form a defense-in-depth network security architecture.

FortiDDoS compared with conventional network behavior analysis

FortiDDoS is a hardware-based NBA solution. Unlike software-based solutions, it maintains normal levels of processing and data throughput during denial of service attacks.

FortiDDoS appliances are powered by one or more purpose-built FortiASIC-TP2 traffic processors that maintain massive connection tables and still perform with the lowest latency in the industry. Each FortiASIC-TP2 processor maintains the following resources:

Figure 3 illustrates the number of FortiASIC-TP2 traffic processors for each FortiDDoS appliance model. Note the following:

Figure 3: FortiASIC-TP2

With its massive computing power, the FortiDDoS system maintains the magnitude of bidirectional traffic data that security administrators need to prevent DDoS attacks. The system uses counters, historical data, and predictive models to enforce intelligent rate limits based on granular Layer 3, Layer 4, and Layer 7 parameters and aggregations.

The result is excellent security, fewer false positives, and visibility into key trends.

Note: FortiDDoS 600B and 900B are not designed to support DNS ACLs, DNS anomaly detection, or DNS flood mitigation.