App firewall helps counter DDoS threats

Application firewalls can better weed out bad requests and help businesses prevent denial-of-service attacks from happening, says security expert who expects to see security "revolution" in cloud computing.
Written by Tyler Thia, Contributor

With cyberattacks getting more sophisticated, enterprises that rely on Web applications should look to application firewalls for better protection, particularly against distributed denial-of-service (DDoS) attacks, urged a security expert.

Vladimir Yordanov, director of technology at F5 Networks, explained that with 80 percent of attacks hitting Web apps these days, traditional protection such as the conventional perimeter system firewall offers very little protection. Such systems are the reason why DDoS-type attacks are successfully executed to compromise Web sites and payment systems, he added.

"Traditional systems, such as intrusion prevention or intrusion detection systems, cannot block effective requests as these are not easily detected. The attacks targeting coding or browser flaws are usually let through, and it is the application firewall's job to weed out bad traffic," Yordanov noted during a one-on-one interview with ZDNet Asia on Monday.

Typically, the application firewall responds by sending a cookie or response to ensure the user is real and sending a valid request, before allowing access into its system, the security expert pointed out. In many instances of DDoS attacks used recently against PayPal, MasterCard and Visa, requests are sent out by botnets, or zombie machines, and these computers are not able to respond to requests, he added.
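The challenge-and-response check described above can be sketched as follows. This is an added example, not code from the article or from F5; the cookie name, secret, lifetime and the `gate` and `forwarded` helpers are assumptions made for illustration, and the client addresses are constructed.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret
COOKIE = "challenge"              # hypothetical cookie name
MAX_AGE = 300                     # assumed lifetime of a passed challenge, seconds


def _mac(client_ip, ts):
    return hmac.new(SECRET, f"{client_ip}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(client_ip, now=None):
    """Return 'timestamp.mac', bound to the client address."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_mac(client_ip, ts)}"


def token_valid(token, client_ip, now=None):
    """True only for an unexpired token this gate issued to this address."""
    now = time.time() if now is None else now
    ts, _, mac = token.partition(".")
    try:
        age = now - int(ts)
        given = mac.encode()
    except ValueError:  # non-numeric timestamp or unencodable MAC
        return False
    return 0 <= age <= MAX_AGE and hmac.compare_digest(given, _mac(client_ip, ts).encode())


def gate(client_ip, cookies, now=None):
    """Return (status, headers): 200 forwards the request, 307 sets the challenge."""
    if token_valid(cookies.get(COOKIE, ""), client_ip, now):
        return 200, {}
    value = issue_token(client_ip, now)
    return 307, {"Set-Cookie": f"{COOKIE}={value}; Max-Age={MAX_AGE}; HttpOnly"}


def forwarded(keeps_cookies, n_requests, client_ip="203.0.113.7", now=1_000_000):
    """Count requests that reach the app for a client that does or does not keep cookies."""
    cookies, passed = {}, 0
    for _ in range(n_requests):
        status, headers = gate(client_ip, cookies, now)
        if status == 200:
            passed += 1
        elif keeps_cookies:  # a browser stores the cookie and retries; a simple bot does not
            name, _, rest = headers["Set-Cookie"].partition("=")
            cookies[name] = rest.split(";", 1)[0]
    return passed
```

A client that implements cookie handling passes this check, so it filters out only senders that cannot respond, which is the case the article describes.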

According to earlier reports, this series of attacks--codenamed "Operation Payback"--was initiated by supporters of jailed WikiLeaks founder Julian Assange, whose Web site has been shut down by Internet service providers, Web hosting companies and payment providers across the U.S. and Europe.

As a form of protest against the treatment of WikiLeaks and Assange, supporters made use of 3,000 voluntary computers and up to 30,000 hacked machines to shut down the Web sites of PayPal, MasterCard and Visa, which had earlier deemed WikiLeaks to be a criminal organization and denied it their services.

No foolproof solution
Besides creating app firewalls, other forms of protection that enterprises could look at include "clean pipes" from ISPs that filter out bad traffic and putting in place a high level of network security, Yordanov pointed out. Also, enterprises can sanitize their protocols and ensure that all information needed to establish the connection is present before allowing access, he added.

However, as security technology is constantly evolving, hackers and cybercriminals have managed to find ways to compromise systems, and this is made worse by the increasing access of networks from mobile devices. Yordanov let on that the more dispersed a workforce is, the greater the risk of an attack, which is currently a situation that criminals are exploiting.

Conceding that no solution is 100 percent foolproof, the executive said the best way for a system to be kept safe from attacks is to have the system shut down.

"Rather than having the Web site be compromised, it's better to have it shut down completely," Yordanov said. "If the engineers are able to trace the IP addresses of where the requests are sent, they can also eliminate the sources by blocking the addresses, but only if they are static. But increasingly, these requests change frequently, so it is not that useful."

The F5 director noted that while shutting down the system is helpful, the option is suited only for enterprises with enough manpower to constantly monitor Web traffic.

Cloudy security prospects
When quizzed on the level of security for cloud computing, the IT expert expressed pessimism at the current situation, but said things will improve given time.

He revealed that he had personally gone through SLAs (service level agreements) offered by six cloud providers, but none made commitments to protect customers' data.

"One even asked for all of your data, but there is no procedure that tells you how to get it back, and how they actually protect the data," Yordanov noted. "[Protection agreements] are all worded loosely now."

He went on to say that the industry is still at an early stage, rather like e-commerce when it first started. The executive expects to see a similar "revolution" within cloud computing to spur adoption, though.

In the meantime, many large enterprises are eyeing the private, rather than public, cloud, he said. That is because cloud providers are not sure if they can fully guarantee the safety of their clients' data, so private cloud deployments are a way of shielding themselves from potential legal action, Yordanov added.
