This article originally appeared in the May 2011 issue of NGN.
Application-layer attacks have become the No. 1 security concern of businesses, according to a recent study by Arbor Networks.
Anonymous used application-layer attacks late last year in an attempt to bring down Amazon.com, MasterCard, PayPal, Visa and others that played a part in trying to stop WikiLeaks’ online operations following the site’s infamous release of U.S. government communications with other countries. But these are just some of the more high-profile instances of application-layer attacks, which Rakesh Shah, director of product marketing and strategy at Arbor Networks, says are on the rise.
Such attacks target HTTP, or web servers; e-mail servers; and DNS infrastructure, he explains. In the process they can effectively render services and websites unavailable.
Confidentiality, integrity and availability are the three pillars of security, adds Shah, but if services aren’t available due to an application-layer attack then the other two pillars are not all that relevant.
Arbor Networks has tools to detect and stop application-level distributed denial of service attacks. Shah says that while some security tools, like firewalls, claim to do DDoS protection, they actually were designed to solve other problems, like confidentiality, which addresses things like preventing hackers from stealing data off servers. The Arbor Networks solutions instead look at NetFlow information and data coming from the routers at the gateways of data centers, he says. If an attack is detected, the solution cleans the traffic and re-injects it back into the data center. He adds that the company’s solutions don’t do traditional signature detection; instead, they look at baselines of normal traffic and, if spikes are detected, check whether those spikes are legitimate traffic or attacks. Arbor Networks also sells an intelligence engine that collects data from a vast number of probes within a network to look for new threat types, he adds; that information is then compiled into an active threat feed.
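The baseline-rather-than-signature approach Shah describes can be shown in a few dozen lines. The following is an added example written for this article, not Arbor Networks code: it learns a per-destination baseline of packets per minute from NetFlow-style records, flags minutes whose volume sits far outside that baseline, and then applies one simple heuristic (packets per distinct source compared with the baseline) to separate a flash crowd from a flood. The record layout, field names, thresholds, and the sample flows are all constructed for the example; real products combine many more signals than this one.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (minute, src_ip, dst_ip, dst_port, packets).
# Minutes 0-5: ordinary traffic from 20 clients. Minute 6: a flash crowd of 200
# clients, each sending about as much as a normal client. Minute 7: three
# sources sending tens of thousands of packets each.
SAMPLE_FLOWS = []
for minute in range(6):
    for client in range(20):
        SAMPLE_FLOWS.append((minute, f"203.0.113.{client + 1}", "198.51.100.10", 80,
                             50 + (client * minute) % 7))
for client in range(200):
    SAMPLE_FLOWS.append((6, f"203.0.113.{client + 1}", "198.51.100.10", 80, 60))
for client in range(3):
    SAMPLE_FLOWS.append((7, f"192.0.2.{client + 1}", "198.51.100.10", 80, 40000))
TRAINING_MINUTES = set(range(6))


def aggregate(flows):
    """Roll flows up to (minute, dst_ip, dst_port) -> total packets and distinct sources."""
    agg = defaultdict(lambda: {"packets": 0, "sources": set()})
    for minute, src, dst, port, packets in flows:
        key = (minute, dst, port)
        agg[key]["packets"] += packets
        agg[key]["sources"].add(src)
    return agg


def build_baseline(flows, training_minutes):
    """Per destination: mean/stdev of packets per minute and mean packets per source."""
    per_dst = defaultdict(lambda: {"packets": [], "per_source": []})
    for (minute, dst, port), stats in aggregate(flows).items():
        if minute in training_minutes:
            per_dst[(dst, port)]["packets"].append(stats["packets"])
            per_dst[(dst, port)]["per_source"].append(stats["packets"] / len(stats["sources"]))
    return {
        key: {
            "pkt_mean": mean(s["packets"]),
            "pkt_std": pstdev(s["packets"]),
            "per_src_mean": mean(s["per_source"]),
        }
        for key, s in per_dst.items()
    }


def classify_minute(flows, baseline, minute, z_threshold=5.0, per_src_factor=10.0):
    """Return {(dst_ip, dst_port): verdict} for one minute of traffic.

    A spike is a volume more than z_threshold standard deviations above the
    baseline mean. A spike whose per-source rate is far above baseline is
    called an attack; one made of many sources behaving normally is called
    legitimate load. (Assumed thresholds; tune to the environment.)
    """
    verdicts = {}
    for (m, dst, port), stats in aggregate(flows).items():
        if m != minute:
            continue
        base = baseline.get((dst, port))
        if base is None:
            verdicts[(dst, port)] = "no baseline"
            continue
        z = (stats["packets"] - base["pkt_mean"]) / max(base["pkt_std"], 1.0)
        if z < z_threshold:
            verdicts[(dst, port)] = "normal"
            continue
        per_src = stats["packets"] / len(stats["sources"])
        if per_src > per_src_factor * base["per_src_mean"]:
            verdicts[(dst, port)] = "spike: attack (per-source rate far above baseline)"
        else:
            verdicts[(dst, port)] = "spike: legitimate (many sources, normal per-source rate)"
    return verdicts


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FLOWS, TRAINING_MINUTES)
    for minute in (5, 6, 7):
        print(minute, classify_minute(SAMPLE_FLOWS, baseline, minute))
```

Minute 5 is reported as normal, minute 6 (200 new clients at a normal per-client rate) as a legitimate spike, and minute 7 (three sources at 40,000 packets each) as an attack. The point of the design is that no attack signature appears anywhere: a new attack type that simply moves volume still trips the baseline check.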
Application-level security is “one of the emerging areas in security technology,” agrees Fortinet Inc.’s Drew Savage, director MSSP Americas service provider and carrier group. Fortinet actually refers to this as application control, which Savage says is being driven by mobile data growth. Fortinet’s application control solution makes securing content far easier and more efficient because it addresses security from the client, through the network and the server.
Jim Freeze, vice president of marketing and business development at Crossbeam Systems, which sells a platform used by large enterprises and service providers to consolidate their network security infrastructure, agrees that application-layer attacks are a growing problem. As a result, Crossbeam’s partners are increasingly building application-awareness into their solutions, he says.
For example, Check Point has a new solution that identifies traffic at a granular level, so companies can allow or disallow certain applications that can be problematic as threats or malware, he says. Meanwhile, a new product from Actiance that recently was certified to run on the Crossbeam Systems platform is focused on social media and on financial services and other industries that use lots of social media to communicate. The Actiance technology provides content gateway services for sites like Facebook and Twitter, which companies can’t block access to but need to offer security around, he says. The Actiance solution looks for abnormalities that might occur in certain social media apps, scans for malware, and allows companies to set and enforce policies (like blocking access to certain content for certain people).
Crossbeam CTO Mike Akerman adds that one of the simplest approaches to content analysis is to use intrusion prevention, which typically involves the partial reconstruction of streams and looks for signatures that indicate an attack. But security devices that do partial reconstruction are not very aware when protocols are acting in a non-standard way, he says.
Akerman adds that last October an advanced evasion technique was introduced jointly to CERT and the appropriate vendors by Stonesoft and ICSA Labs. The technique is a mechanism for using normal protocols like HTTP, TCP, etc., in non-standard ways.
And we’re going to see even more things to this effect as IPv6 adoption increases, he says, given that IPv6 is lengthier and more complex.
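Akerman’s point about partial stream reconstruction is easiest to see with a concrete stream. The following is an added example written for this article, not Crossbeam or Stonesoft code: a signature matcher is run once per TCP segment and once over the reassembled byte stream, against a constructed capture in which the segments arrive out of order and the pattern straddles a segment boundary. The signature string, sequence numbers, and segment payloads are all constructed, and the overlap policy (first-received byte wins) is an assumption; a production sensor has to mirror the reassembly behaviour of the host it protects.

```python
import re

# Constructed placeholder signature, standing in for a real IPS rule.
SIGNATURE = re.compile(rb"GET /admin/config\.php")

# Constructed TCP segments as (sequence number, payload), listed in the order
# they arrive. The initial sequence number is 1000; the request line is split
# at "co|nfig", and the middle segment arrives last.
ISN = 1000
SEGMENTS = [
    (1000, b"GET /admin/co"),
    (1022, b"HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (1013, b"nfig.php "),
]


def per_segment_match(segments):
    """Signature check with no reconstruction: each segment is searched alone."""
    return any(SIGNATURE.search(payload) is not None for _, payload in segments)


def reassemble(segments, isn):
    """Rebuild the contiguous byte stream from segments in arrival order.

    Each stream offset keeps the first byte received for it (assumed overlap
    policy). Reconstruction stops at the first hole; the offset of that hole is
    returned so the caller knows the stream is incomplete rather than empty.
    """
    seen = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            seen.setdefault(seq - isn + i, byte)
    stream = bytearray()
    pos = 0
    while pos in seen:
        stream.append(seen[pos])
        pos += 1
    gap_at = pos if any(offset > pos for offset in seen) else None
    return bytes(stream), gap_at


def stream_match(segments, isn):
    """Signature check over the reassembled stream, with a completeness flag."""
    stream, gap_at = reassemble(segments, isn)
    return {
        "matched": SIGNATURE.search(stream) is not None,
        "reassembled_bytes": len(stream),
        "gap_at": gap_at,
    }


if __name__ == "__main__":
    print("per-segment:", per_segment_match(SEGMENTS))
    print("reassembled:", stream_match(SEGMENTS, ISN))
    print("with a missing segment:", stream_match(SEGMENTS[:2], ISN))
```

Run as-is, the per-segment check misses the request while the stream check finds it; drop the late middle segment and the stream check reports a hole at offset 13 instead of silently declaring the stream clean, which is the behaviour a sensor needs when it cannot see a complete stream.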
“IPv6 is going to be a rat’s nest for this kind of capability,” he says.
“The primary difference with IPv6 is that it uses IPsec as the main means of packet protection,” Aviv adds. “However, the same threats, in particular DDoS and reflection DDoS attacks, will remain a persistent challenge especially during the migration phase from IPv4 to IPv6 whether the company opts for tunneling (6to4), transport relay translator, or dual-stack implementation. The key is to ensure upfront that security products such as IPS and WAF can perform the packet inspection required to identify malicious packets in the encapsulation.”
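Aviv’s closing point, that an IPS or WAF must be able to look inside the encapsulation used during an IPv4-to-IPv6 migration, is illustrated below for the 6to4 case. This is an added example written for this article, not code from any vendor named here: it builds a constructed IPv4 packet carrying an IPv6 packet (IP protocol 41), parses both headers, exposes the inner addresses, next header, and TCP destination port for rule matching, and applies the standard 6to4 consistency check that the IPv4 address embedded in a 2002::/16 source must equal the outer IPv4 source. The addresses and TCP payload are constructed, the IPv4 header checksum is left at zero, and only direct protocol-41 encapsulation is handled; UDP-based tunnels such as Teredo need a separate decapsulation step.

```python
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPV6 = 41  # IPv6 carried directly inside IPv4 (6to4 / 6in4 tunnels)
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# Constructed 20-byte TCP header: src port 40000, dst port 80, SYN flag set.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; header checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src, dst, next_header, payload):
    """IPv6 fixed 40-byte header plus payload."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    """Parse the outer IPv4 header, rejecting truncated or inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(packet):
        raise ValueError("malformed IPv4 header or length field")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def parse_ipv6(packet):
    """Parse the inner IPv6 fixed header with the same length checks."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, _, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if first >> 28 != 6 or 40 + payload_len > len(packet):
        raise ValueError("malformed IPv6 header or payload length")
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "next_header": next_header, "payload": packet[40:40 + payload_len]}


def inspect(packet):
    """Decapsulate protocol-41 traffic so rules can see the inner packet."""
    outer = parse_ipv4(packet)
    result = {"outer_src": outer["src"], "outer_dst": outer["dst"],
              "outer_proto": outer["proto"], "encapsulated": False}
    if outer["proto"] != IPPROTO_IPV6:
        return result
    inner = parse_ipv6(outer["payload"])
    result.update({"encapsulated": True, "inner_src": inner["src"],
                   "inner_dst": inner["dst"], "inner_next_header": inner["next_header"]})
    if inner["next_header"] == IPPROTO_TCP and len(inner["payload"]) >= 4:
        result["inner_dst_port"] = struct.unpack("!HH", inner["payload"][:4])[1]
    # 6to4 consistency check: a 2002::/16 source embeds the tunnel endpoint's
    # IPv4 address in bits 16-47, which should equal the outer IPv4 source.
    src6 = ipaddress.IPv6Address(inner["src"])
    if src6 in SIX_TO_FOUR:
        embedded = ipaddress.IPv4Address(src6.packed[2:6])
        result["embedded_v4"] = str(embedded)
        result["embedded_matches_outer"] = str(embedded) == outer["src"]
    return result


if __name__ == "__main__":
    pkt = build_ipv4("192.0.2.1", "192.88.99.1", IPPROTO_IPV6,
                     build_ipv6("2002:c000:201::1", "2001:db8::10", IPPROTO_TCP, TCP_SYN))
    print(inspect(pkt))
```

A device that stops at the outer header sees only “IPv4, protocol 41, 192.0.2.1 to 192.88.99.1” and can apply none of its HTTP or DDoS rules; after decapsulation the inner TCP SYN to port 80 is visible, and a mismatch between the embedded and outer IPv4 addresses is a cheap first indicator that the tunnelled source is not what it claims.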
Edited by Stefania Viscusi