Menu
Menu
The new attack vectors

The new attack vectors

Application-level attack protection needed, says F5 CTO Karl Triebes.

Current firewalls operate at too low a level on the network to catch a growing type of malicious attack, which targets applications, says Karl Triebes, chief technical officer of network management company F5. Typical of attacks at this level were those launched on a number of major companies including credit card and finance companies as a revenge against these companies’ opposition to Wikileaks.

Some of these attacks used a tool called Slow Loris (after a sloth-like animal) and worked by starting up millions of dummy application sessions, making it impossible for genuine users to get through. This is a particularly hard-to-stop variant of a distributed denial of service (DDOS) attack, says Triebes.

A firewall working at the network level cannot detect the difference between a genuine attempt to access the application and a malicious dummy, says Triebes, who is visting NZ as part of an Australasian tour.

As part of its mission to improve the efficiency and agility of business networks, F5 makes it its business to identify network traffic at the session level, so as to spread the load for maximum efficiency – a discipline known as application delivery networking.

As an outgrowth of this capability F5’s specialist hardware and software can track sessions that aren’t really doing anything and may be malicious, and terminate them, leaving the way clear for genuine traffic, says Triebes.

The F5 hardware and software can also inherently manage very high concurrency in application access, he says.

“Most of the DDOS attacks we’ve seen in the past were very much focused on the network; they’d do things like flooding SYN packets. What really changes here is they started attacking applications quite directly.

“These attacks have been around for a long time, but the awareness level of the world when they saw the impact these were having [in the Wikileaks case] was amazing, because customers saw that traditional network-level firewalls weren’t able to cope and deal with the attack.”

F5’s products are also front-and-centre when it comes to dealing with the challenge of genuine access to applications from an increasing range of devices such as smartphones, many of them “bring-your-own” devices owned by employees partly for private purposes and therefore potentially vulnerable from a security point of view.

In 2010 F5 acquired uRoam, a company specialising in SSL virtual-private-network connectivity. The uRoam software “could identify what the client was, the type of operating system it was running, what antivirus software they had; basically to meet corporate compliance matters. Based on that, it could apply different types of permission to that user.

“Suppose a user wanted to read his email but could only do it from a kiosk at an airport. He could log in and could only see certain things and we could have a sandbox at the session level, which we could guarantee would be erased [afterwards]. He wouldn’t have to worry about leaving data on that computer.

“We took that technology and integrated it with our core products, We effectively do the same type of things with mobile devices as well; we have a client running in iOS, one in Windows Mobile one for Android; we cover the gamut of mobile devices as well as traditional devices. The benefit is now, with the age of BYOD, IT administrators can now set permissions for devices they weren’t [previously] able to manage.

“It allows you to establish a secure connection from a device that would otherwise be [unsafe] and there’s obviously the advantage that it increases productivity.”

Another issue with the growing use of mobile devices is the volume of signalling traffic handled by the network operator. “With 4G the Diameter protocol has become the protocol of choice for newer data centres run by network operators,” says Triebes. “The signalling layer connects billing, subscriber management and other systems at the data centre and ties that to the individual user sessions. It’s the money protocol.” But increasing use of more advanced mobile devices means increasing traffic from such management systems.

“We acquired a company, Traffic Systems, based in Israel, that provides what we think is the best-of-breed Diameter signalling solution. Using that, coupled with what we already do managing traffic at these operator data centres we believe we can provide a pretty compelling solution.”

Most F5 appliances use special-purpose hardware. This is preferable not just for scale but for reliability. If you’ve got machines front-ending a mission critical system “they’d better have five nines reliability,” says Triebes “[Commodity] servers are about two nines and a five.

“We offer a number of appliances, from a Gbit/s all the way up to 42 Gbit/s, plus two chassis-based solutions or Viprion, a lower-end and a higher-end solution.

“One thing we introduced recently on the chassis is virtualised clustered multiprocessing. What that allows you to do is run multiple versions of [F5’s flagship product] Big IP and segment your applications or your network infrastructure, so you don’t have to have a large box running everything; you could have a fully-loaded Viprion chassis running 16 virtual instances of our software.”

Triebes does not see the change of IP networks to IPv6 presenting major problems or demanding a significant change in approach; controversially, he advises continued use of network address translation (NAT) to give an organisation’s internal domain an address range of its own, translated to a limited range of outside addresses.

In view of the vastly larger range of addresses available under IPv6, many experts have pronounced NAT dead. But “it avoids a lot of problems,” Treibes says. “It’s inherently more secure because you can protect your inside space and it gives you a lot better flexibility in assigning IP addresses locally versus globally; I don’t see v6 changing that paradigm.

“By the time v6 got out there everyone was so used to NAT and the benefits that it provides that it’s not going to go away.”

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO New Zealand newsletter!

Error: Please check your email address.
Show Comments