 |
 |
 |
|
 |
 
Melior, Inc. - CyberWarfare Defense: Is A Firewall Enough?Dallas, TX, December 1st, 2004 Full Text: The majority of network administrators use some kind of Firewall to protect their network. A Firewall provides policy-based access control to the various devices behind it, generally while allowing access to the Internet from the internal machines. Most people assume that a Firewall can protect the network from an attack. There are many types of Firewalls. Some operate as filtering gateways with simple port level protection, while others provide detailed connection state tracking. Some Firewalls operate at the application level using a proxy server. There are advantages and disadvantages to each approach, and some more expensive Firewalls use multiple approaches, involving both policy- and proxy-based systems. All Firewalls share a similar disadvantage: they are addressable. Firewalls work on the upper layers of the ISO/OSI model, taking data from one IP address and sending it to another (or from one group to another). They make an “appearance” on the network as any other device would. Once there, Firewalls always listen on an IP address, and data can be sent to a Firewall directly, since for the most part Firewalls concern themselves with layer 3 and above. Because of this, they are generally not prepared to handle network anomalies, such as the foundation of hackers’ and attackers’ tools in use. The systems these “bad guys” use, allows them to hand craft packets, which otherwise would not exist on a network, such as oversize ICMP pings, bad packet fragments, smurf amplification attacks, badly formed packets, land attacks, and SYN floods. It is this departure from the expected network behavior, which has allowed these attacks to have good success exploiting weaknesses inherent within the modern day operating systems and application servers. The Expected vs. the Unexpected Because Firewalls work on the expected and apply their policies to that, they are weak in the area of the unexpected. Moreover, since they operate in the upper levels of the ISO/OSI model, they simply do not need to understand how the data gets to them - and that can be exploited as well. Hackers know all the details of this information and can craft packets, which break standards or simply bend the rules to their own gain. To a hacker, this is a clever little game to see which is smarter: their expertise or the Firewall? If a hacker knows the TCP/IP stack better than the Firewall does, or exploits a known vulnerability, he or she can bring it down, and your whole network with it. Don't think of a Firewall as the end of network protection, but as possibly one of the weakest links in your network security solution – and often a single point of failure as well. It is addressable and it does not know much if anything about the lower levels of packets, and relies primarily on administrative policy to protect network assets. What this means is that it is likely your Firewall is vulnerable to various forms of attacks. Even worse, it may blindly pass the attack through to your internal network or simply crash when it sees certain attacks (such as “synk4”). In addition, the “holes” you have punched into your Firewall to let valid traffic through, are staring hackers in the face. By way of powerful (and free) Penetration Testing tools, such as NMAP or Nessus, they can see exactly which ports are available and will concentrate their attacks there. Your weaknesses are as good as advertised! While Firewall vendors have attempted to address the dDoS problem, the basic problem will always exist. As long as your Firewall is addressable, it is vulnerable! The solution then is a network protection device that is not addressable or detectable in any way and is capable of blocking anomalous traffic. Melior, Inc. introduces Barbican™ CyberWarfare Defense Systems. Barbican™ - "A fortification at a gateway or drawbridge on the approach to a castle." Is your Castle’s Internet gateway in need of fortification? Are you currently experiencing distributed Denial of Service (dDoS) attacks, or observe several Penetration Testing probes on a daily basis? Barbican™ dDoS attack defense, developed by the authorities on CyberWarfare Defense, is an expansion on Melior’s proven expertise in dDoS attack defense. Barbican™ takes a radically different approach from most Firewalls. Instead of being a server that connects two networks through its assigned IP numbers, the Barbican device can be compared to an Ethernet bridge that functions in-line. The Barbican device does not “listen” to any IP. It is as completely un-addressable as an Ethernet cable would be. This means that unlike traditional Firewalls, it cannot be addressed directly so it cannot be attacked. More over, good valid data enters one port and exits the other without any IP or MAC address being changed in the packet. However, Barbican is much more astute than any Firewall, because it has access to every detail of every packet. It knows the real-time details of IP packet assembly and TCP stream sequencing better than the hackers, and can respond far faster than any hacker, generally in the millisecond range! Unlike an Intrusion Prevention System (IDS), it uses no signatures to slow it down or provide false positives, and it does not require network baselines. Barbican actually handles every connection, and once a packet is verified as being part of a valid connection, it recreates each packet on its protected network interface to be sure it is pristine. Following every TCP/IP rule to the point of being pedantic, Barbican glues IP fragments back together to protect from fragment attacks, deals with port scans (i.e. Penetration Testing probes), floods, hand-crafted packets and similar anonymous behavior. Furthermore, Barbican will detect and report to port scans, and report the IP address of attackers. Forged IP packets are reported on and then simply dropped. The Barbican device is actually capable of making sure that every packet passing through it is part of a valid connection. It is so efficient, that not a single dDoS packet is ever sent into the protected network. This includes SYN floods! Not even a single SYN of a SYN-flood attack will enter the protected network! Barbican can sit in front of a traditional Firewall to protect that Firewall from attack, while often lightening its processing load, allowing completely transparent and configuration-free installation into networks, where Firewalls are already deployed and configured. In addition, it can act similar to a policy Firewall and completely block unused ports and services, without anyone on the outside knowing that the port is blocked. Data sent to blocked ports, like any invalid data, is simply dropped. The Barbican device not only tracks connections like an advanced Firewall, but acts much like an application level proxy-based Firewall to give the benefits of proxy firewalling, but on every TCP port. Furthermore, it does this in such a way as to make it look like all ports are open. Hackers don't know where to focus the attack! It also has a unique TCP fingerprint evasion technique preventing hackers from determining what operating system your servers are running. Simpler scanners will often end up scanning their own reflections! The combination of intensive connection tracking and network cloaking against Penetration Testing on a completely un-addressable device marks a new approach to network security that can be deployed into any network for immediate dDoS protection. About Melior, Inc. Melior Inc. ('melior' is Latin and means 'better') is a privately held US company headquartered in Dallas, Texas, with offices in Dortmund, Germany and New Delhi, India. Melior provides solutions against distributed Denial-of-Service (dDoS) attacks, which also protect against Penetration Testing for vulnerability exploitation. Melior, Inc. contributes actively in anti-Crime and anti-Terrorism efforts with goverment agencies in the United States and in Europe. Barbican, Barbican RNP, iSecure, Perfectionists At Work are registered trademarks of Melior, Inc. For more information and reseller contacts, please visit Melior's CyberWarfare Defense web site at www.dDoS.com Contact Information: Mr. Matt Gair Chief Operating Officer and Co-Founder Melior, Inc. US Headquarters Columbus A. Langley Building 1501 Beaumont Street Dallas, Texas 75215 USA Tel: +1 (214) 421-5975 and 1-888-4MELIOR Fax: +1 (214) 421-5951 and 1-888-TOFAXUS www.dDoS.com |
|
© Copyright 1987 - 2006 Melior, Inc. - CyberWarfare Defense
Trade- and Servicemarks, Copyrights, and Patent-Pending Protection is effective in WTO countries.
v 07132013-2043 NetGroup GmbH Dortmund/MEZ