
Flanagan Consulting

Archive    20 Mar 2006     #50


By William Flanagan, Publisher

Redundant hardware and links come to mind first when thinking "high availability" of network services.  But being able to use those links assumes they are not overwhelmed by unwanted packets--for example, by a denial of service (DoS) attack that floods your network with useless traffic.

Better protection against DoS is becoming available as protective devices incorporate hardware (ASICs, FPGAs, etc.) that can apply more (and more complex) filtering rules at gigabit rates.  Intrusion Prevention Devices (IPDs) drop useless packets, which protects the workstations and servers that sit behind the IPD and allows them to continue to work during an attack.

Years ago, the Access Control List (ACL) on a router deterred the first DoS attacks.  The list was configured manually for the source addresses and ports.  Attackers quickly learned to vary their identity, along with many other tricks.  Defenders added packet parsing to find known patterns that indicated malicious intent--something that applied only to, and could be put in place only for, specific instances of each type of attack.  Stemming the newer floods requires dynamic adaptation and an awareness of the vulnerability, not just specific exploits.

Even if an IPD maintained a dictionary or description of every possible "attack" packet (a "killer" packet, for example), it wouldn't stop the latest DoS vandals because many "attacking" packets are perfectly normal when examined individually.  To react to some attacks, the IPD must recognize a larger pattern than the bits in a packet.  Thanks to hardware processing, the rules for filtering can look at entire flows, catching anomalies such as out-of-order events or a process that's aimed at a particular vulnerability.
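The difference between per-packet and per-flow rules can be shown in a few lines.  The Python sketch below is an added illustration, not code from this newsletter or from any vendor's product: the class name, the half-open threshold and the sample traffic (documentation-range addresses) are all constructed assumptions, and only the client-to-server direction of TCP is modeled.

```python
from collections import defaultdict

# Constructed sample traffic: (src, sport, dst, dport, tcp_flags)
SERVER = ("192.0.2.10", 80)
NORMAL = [("198.51.100.7", 40000, *SERVER, "S"),
          ("198.51.100.7", 40000, *SERVER, "A"),
          ("198.51.100.7", 40000, *SERVER, "PA")]
# Many sources, each sending one well-formed SYN and never finishing the handshake
FLOOD = [(f"203.0.113.{i}", 1024 + i, *SERVER, "S") for i in range(1, 41)]
# Data pushed on a connection that never performed a handshake
OUT_OF_ORDER = [("198.51.100.9", 41000, *SERVER, "PA")]

def packet_rule(pkt):
    """Per-packet check: flags only what is invalid when examined alone."""
    flags = set(pkt[4])
    return "drop" if {"S", "F"} <= flags or not flags else "pass"

class FlowInspector:
    """Hypothetical flow-level rules; the threshold is an illustrative assumption."""
    def __init__(self, max_half_open=20):
        self.state = {}                    # 4-tuple -> "SYN_SEEN" | "ESTABLISHED"
        self.half_open = defaultdict(set)  # (dst, dport) -> flows awaiting an ACK
        self.max_half_open = max_half_open

    def inspect(self, pkt):
        src, sport, dst, dport, flags = pkt
        flow, target = (src, sport, dst, dport), (dst, dport)
        if flags == "S":
            self.state[flow] = "SYN_SEEN"
            self.half_open[target].add(flow)
            if len(self.half_open[target]) > self.max_half_open:
                return "drop: half-open flood"   # pattern across many flows
            return "pass"
        if flow not in self.state:
            return "drop: no handshake"          # out-of-order event
        if "A" in flags and self.state[flow] == "SYN_SEEN":
            self.state[flow] = "ESTABLISHED"
            self.half_open[target].discard(flow)
        return "pass"

def run(packets):
    """Return (per-packet drops, flow-level verdict counts) for a packet list."""
    insp, counts = FlowInspector(), defaultdict(int)
    per_packet_drops = sum(packet_rule(p) == "drop" for p in packets)
    for p in packets:
        counts[insp.inspect(p)] += 1
    return per_packet_drops, dict(counts)
```

Calling `run(NORMAL + FLOOD + OUT_OF_ORDER)` shows the per-packet rule dropping nothing, while the flow rules drop the excess half-open connections and the data packet that arrived without a handshake.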

Saw an interesting demonstration of IPD from 3Com's TippingPoint Division, hosted by its partner, Siemens.  The IPD not only stopped attacking packets, but also recognized and recorded their identity.  The log of discarded flows named a form of attack (the name of a worm) or the vulnerability the attacker aimed at (heap buffer overflow) along with IP addresses and port numbers. 

An IPD operates in-line:  traffic passes through the box transparently.  That is, the IPD itself has no IP addresses on its ports;  a pair of ports (1a 1b) passes packets, without buffering, while examining the flow for identifying marks of an attack (or of a worm, virus, phishing scam, etc.).  The two adjacent devices on the LAN segment (often a router and a switch) don't see the IPD.

When the IPD recognizes a packet as malicious, it stops forwarding it.  Only the beginning of the packet, a fragment, leaves the IPD box.  Routers and switches automatically discard fragments, so servers and workstations never see the attack.

But getting back to redundancy, dual links to your ISP require dual IPDs, configured to prevent unfiltered traffic from reaching your network.

In a less-demanding environment, one IPD might be all that's installed.  If it failed in a way that prevented it from filtering packets, but could still pass them transparently, which would you have the IPD do:  pass all or drop all?  With only one box available, you might want to accept unfiltered traffic for a while, until you could repair the box.  Keep in mind that most PCs exposed to the Internet can be compromised within minutes. 

If you have dual IPDs, the recommended configuration is for a failed IPD to halt traffic on its link, forcing all traffic to the other link with the IPD still working.   If the throughput capacity is a gigabit/s, one link could be sufficient until repairs are made.

"Flanagan Consulting" and "ViewsLetter" are Service Marks of W. A. Flanagan, Inc.
