Dynamic firewall to help defend from DDoS attacks
With DHS funding, Waverley Labs is developing a software-defined perimeter that opens the firewall only after it receives a single packet authorization from the network client.
The software-defined perimeter (SDP) “Black Cloud” project being developed by the Cloud Security Alliance and Waverley Labs has won a government contract to start delivering open source tools that both public and private organizations can use to defend against distributed denial of service (DDoS) attacks.
The Department of Homeland Security awarded the $630,000 contract to Waverley as part of DHS' broader DDoS Defenses program, through its broad agency announcement HSHQDC-14-R-B00017.
Open source tools delivered under the DHS contract will be essentially a subset of the overall toolkit planned for the Black Cloud project, according to Waverley CEO Juanita Koilpillai; in this case they deal specifically with the dynamic firewall capability of the SDP.
“They use a combination of existing firewall mechanisms overlaid by a software capability that allows you to shut down all of the firewall rules,” she said. A controller works in conjunction with an SDP gateway that opens up the firewall as soon as it receives a single packet authorization (SPA) from the network client, Koilpillai explained.
That SPA is what Waverley is designing for the DHS, she said, and it needs to be very small, very quick and very lightweight. It is the key to this DDoS solution because every other packet delivered to the SDP gateway is dropped until a valid SPA is received. Once it is, the user is authenticated and the firewall is opened for that client.
“The whole idea is that there will be no acceptance of connections until that SPA packet is received, and that should take care of a lot of those bandwidth attacks,” Koilpillai said. “The problem is how quickly we can do this and how quickly we can drop the packets.”
A DDoS attack is one of the oldest cyber threats, but it still reliably makes websites and other online resources unavailable for long periods. In its recent State of the Internet report, Akamai Technologies noted a big increase in such attacks in 2015 compared to the previous year, as well as a dangerous rise in their scale, with attacks peaking at up to 100 Gbps making up a greater share of the total.
DDoS works by using many machines to direct so much traffic at targeted systems that they are overwhelmed, preventing the target from providing its intended service. A DDoS flood is also sometimes used as a diversion while a separate intrusion, such as malware delivery, takes place elsewhere on the network.
Because the Internet was initially developed to be as open as possible, any host can by default attempt a connection to any exposed service, and that openness is the starting point for threats ranging from man-in-the-middle attacks to, at the application layer, SQL injection. The SDP concept is starting to catch the eye of government security professionals because it inverts that default: instead of accepting connections and then filtering them, the perimeter denies every connection until the client has proven who it is.
The Cloud Security Alliance/Waverley SDP project, which is being developed in partnership with security vendor Vidder Inc., aims to stop attacks and enable highly secure cloud-based applications. The rapid spread of the Internet of Things is making that a more urgent need.
“We are already seeing success with commercial SDP deployments by Global 100 corporations,” said Jim Reavis, CEO of the Cloud Security Alliance. “We believe that federal agencies will find many applications for this DHS-funded SDP project in protecting both legacy IT assets and cloud services of all classification levels.”
The main problem for government agencies moving applications to the cloud is being able to protect access to them. Koilpillai sees gateways being used for specific applications that can drop packets until they see a valid SPA from a valid user and a valid device. Organizations can then keep a bank of these users and devices with specific keys assigned to them, she said.
“That’s how we envision these gateways and controllers to be used at the application level when you move applications to the cloud,” she said. “Instead of having gateways just at the peak connections, you can distribute them among multiple applications and scale that way. That’s the power of having controller and gateway mechanisms implemented in software.”
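The two mechanisms described above, a gateway that drops every packet until it sees a valid SPA and then opens a hole for that one client, and the per-user, per-device key bank that the gateway checks the SPA against, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Waverley's, Vidder's or the CSA's code, and the packet layout, field sizes, the HMAC-SHA256 authenticator, the 30-second skew window, the 60-second rule lifetime, and the device ids and keys are all assumptions made for the example. A real gateway would sit in front of the firewall and translate an "allow" into an actual rule; here the rule table is an in-memory dict so the whole thing runs offline.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed registry of on-boarded devices: device id -> per-device secret.
# This stands in for the "bank of users and devices with specific keys"; the
# ids and keys below are made up for the example.
DEVICE_KEYS = {
    b"admin-laptop-01": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    b"ops-jumpbox-07": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

MAGIC = b"SPA1"
# Assumed layout: magic | device id (16 bytes, NUL-padded) | unix time | 16-byte nonce | port
HDR = "!4s16sQ16sH"
HDR_LEN = struct.calcsize(HDR)          # 46 bytes
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
PKT_LEN = HDR_LEN + MAC_LEN             # 78 bytes: fits in one small UDP datagram
SKEW = 30       # seconds of clock skew tolerated (assumption)
RULE_TTL = 60   # seconds a firewall hole stays open (assumption)


def build_spa(device_id, key, port, now=None):
    """Client side: one packet saying who is knocking, when, a fresh nonce, and an HMAC."""
    ts = int(time.time()) if now is None else now
    hdr = struct.pack(HDR, MAGIC, device_id.ljust(16, b"\0"), ts, os.urandom(16), port)
    return hdr + hmac.new(key, hdr, hashlib.sha256).digest()


class Gateway:
    """Default-deny gateway: nothing is permitted until a valid SPA has been seen."""

    def __init__(self, keys, clock=time.time):
        self.keys = keys
        self.clock = clock
        self.seen = {}   # nonce -> expiry, the replay cache
        self.rules = {}  # (src_ip, port) -> expiry, the dynamic allow rules

    def handle(self, src_ip, pkt):
        now = int(self.clock())
        self._expire(now)
        # Cheapest rejects first: flood traffic should die before any crypto runs.
        if len(pkt) != PKT_LEN or pkt[:4] != MAGIC:
            return "drop"
        hdr, mac = pkt[:HDR_LEN], pkt[HDR_LEN:]
        _, dev, ts, nonce, port = struct.unpack(HDR, hdr)
        key = self.keys.get(dev.rstrip(b"\0"))
        if key is None or abs(now - ts) > SKEW:
            return "drop"
        # Only now pay for an HMAC; constant-time compare avoids a timing oracle.
        if not hmac.compare_digest(mac, hmac.new(key, hdr, hashlib.sha256).digest()):
            return "drop"
        # Replay check comes after authentication so garbage cannot fill the cache.
        if nonce in self.seen:
            return "drop"
        self.seen[nonce] = ts + SKEW
        self.rules[(src_ip, port)] = now + RULE_TTL
        return "allow"

    def permits(self, src_ip, port):
        """Would a later TCP SYN from src_ip to port pass the firewall right now?"""
        return self.rules.get((src_ip, port), 0) > int(self.clock())

    def _expire(self, now):
        self.seen = {n: t for n, t in self.seen.items() if t >= now}
        self.rules = {r: t for r, t in self.rules.items() if t > now}


def run_scenarios(now=1_700_000_000):
    """Fixed clock so the outcomes are deterministic; returns each scenario's decision."""
    gw = Gateway(DEVICE_KEYS, clock=lambda: now)
    good = build_spa(b"admin-laptop-01", DEVICE_KEYS[b"admin-laptop-01"], 22, now)
    stale = build_spa(b"admin-laptop-01", DEVICE_KEYS[b"admin-laptop-01"], 22, now - 300)
    forged = build_spa(b"admin-laptop-01", b"guessed-key", 22, now)
    unknown = build_spa(b"stranger", b"whatever", 22, now)
    # Constructed flood: random datagrams plus a plain HTTP request, none of them SPAs.
    flood = [os.urandom(PKT_LEN) for _ in range(3)] + [b"GET / HTTP/1.1\r\n"]
    return {
        "closed_before_spa": gw.permits("203.0.113.5", 22),
        "flood": [gw.handle("198.51.100.9", p) for p in flood],
        "stale": gw.handle("203.0.113.5", stale),
        "forged": gw.handle("203.0.113.5", forged),
        "unknown_device": gw.handle("203.0.113.5", unknown),
        "valid": gw.handle("203.0.113.5", good),
        "open_after_spa": gw.permits("203.0.113.5", 22),
        "other_port_still_closed": gw.permits("203.0.113.5", 443),
        "replay": gw.handle("203.0.113.5", good),
        "replay_from_elsewhere": gw.handle("198.51.100.9", good),
    }
```

The ordering inside `handle` is the point Koilpillai makes about speed: length and magic checks, the device lookup and the timestamp window all cost almost nothing, so a volumetric flood is discarded before the gateway spends an HMAC on it, and the replay cache is only written for packets that already authenticated, so an attacker cannot bloat it. The hole that opens is scoped to the source address and the single requested port, which is why the second `permits` call for port 443 still fails after a valid SPA for port 22.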
The open source components Waverley is developing will be a combination of gateways, controllers and on-boarding mechanisms, according to Koilpillai. Agencies can deploy them broadly against DDoS attacks, and application developers can have their own on-boarding mechanisms for critical users, such as systems administrators.
Waverley will add its own value to the solution by providing services to help organizations figure out how to implement the tools in their own environments, she said, as well as managing the gateways for them and monitoring the tools throughout their deployment to make sure they are being effective.
“What we deliver will be out of the box solutions,” she said, “though the organizations will have to decide how they want to on-board their users and devices.”
The DHS contract allows for an open timeline for when Waverley will deliver the tools, though Koilpillai noted that it already has a gateway aimed at systems administrators that can be downloaded and used now. A gateway specifically for DDoS is still in the future since “that’s a little more high performance” than the gateway that’s available today and needs more work before it can be delivered.
Different pieces of the controllers will be rolled out every three months or so, she said. Waverley will also be conducting operational pilots in order to provide working examples for potential users before they download the tools.