Dynamic firewall to help defend from DDoS attacks

 


With DHS funding, Waverley Labs is developing a software-defined perimeter that would open up the firewall only when it gets single packet authorization from the network client.

The software-defined perimeter (SDP) “Black Cloud” project being developed by the Cloud Security Alliance and Waverley Labs has won a government contract to start delivering open source tools that both public and private organizations can use to defend against distributed denial of service (DDoS) attacks.

The Department of Homeland Security awarded the $630,000 contract to Waverley as a part of DHS’ broader DDoS Defenses program, through its broad agency announcement HSHQDC-14-R-B00017.

Open source tools delivered under the DHS contract will be essentially a subset of the overall toolkit planned for the Black Cloud project, according to Waverley CEO Juanita Koilpillai -- in this case dealing specifically with the dynamic firewall capability of the SDP.

“They use a combination of existing firewall mechanisms overlaid by a software capability that allows you to shut down all of the firewall rules,” she said. A controller works in conjunction with an SDP gateway that opens up the firewall as soon as it receives a single packet authorization (SPA) from the network client, Koilpillai explained.

That SPA is what Waverley is designing for the DHS, she said, and it needs to be very small, very quick and very lightweight. It will be the key to this DDoS solution because every other packet delivered to the SDP will be dropped until this SPA is received. Once it is, the user is authenticated and the firewall is opened.

“The whole idea is that there will be no acceptance of connections until that SPA packet is received, and that should take care of a lot of those bandwidth attacks,” Koilpillai said. “The problem is how quickly we can do this and how quickly we can drop the packets.”

A DDoS attack is one of the oldest cyber threats, but it still proves broadly effective in making websites and other online resources unavailable for large periods of time. In its recent State of the Internet survey, Akamai Technologies noted a big increase in such attacks in 2015 compared to the previous year as well as a dangerous spike in their effectiveness, with peak DDoS attacks of up to 100 Gbps making up a greater part of the total.

DDoS works by using multiple machines to direct so much traffic at targeted systems as to overwhelm them, thereby preventing the target from providing its intended service. DDoS attacks can also deliver hidden malware.

Because the Internet was initially developed to be as open as possible, it left many holes that have allowed sophisticated threats such as man-in-the-middle and SQL injection attacks. The SDP concept is starting to catch the eye of government security professionals, because it turns the current notion of cybersecurity on its head by making total security the starting point for any Internet communication.  

The Cloud Security Alliance/Waverley SDP project, which is being developed in partnership with security vendor Vidder Inc., aims to stop attacks and enable highly secure cloud-based applications. The rapid approach of the Internet of Things is making that a more urgent need.

“We are already seeing success with commercial SDP deployments by Global 100 corporations,” said Jim Reavis, CEO of the Cloud Security Alliance. “We believe that federal agencies will find many applications for this DHS-funded SDP project in protecting both legacy IT assets and cloud services of all classification levels.”

The main problem for government agencies moving applications to the cloud is being able to protect access to them. Koilpillai sees gateways being used for specific applications that can drop packets until they see a valid SPA from a valid user and a valid device. Organizations can then keep a bank of these users and devices with specific keys assigned to them, she said.

“That’s how we envision these gateways and controllers to be used at the application level when you move applications to the cloud,” she said. “Instead of having gateways just at the peak connections, you can distribute them among multiple applications and scale that way. That’s the power of having controller and gateway mechanisms implemented in software.”
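The gateway behavior described above, dropping everything until a valid SPA arrives from an enrolled user and device, can be sketched as follows. This is an added example, not code from Waverley or the Cloud Security Alliance; the packet layout, the use of HMAC-SHA256, the 30-second validity window and all names are assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

# Assumed packet layout: user(16) | device(16) | unix time(8) | nonce(16) | HMAC-SHA256(32)
HEADER = struct.Struct("!16s16sQ16s")
TAG_LEN = 32
MAX_SKEW = 30  # seconds a packet stays valid (assumed value)

# Constructed key bank: one secret per enrolled (user, device) pair.
KEY_BANK = {("alice", "laptop-01"): b"k" * 32}

def build_spa(user, device, key, now=None, nonce=None):
    """Client side: pack the identity fields and append the MAC."""
    ts = int(time.time() if now is None else now)
    body = HEADER.pack(user.encode(), device.encode(), ts, nonce or os.urandom(16))
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Gateway:
    def __init__(self, key_bank):
        self.key_bank = key_bank
        self.seen = {}        # nonce -> timestamp, for replay rejection
        self.allowed = set()  # stands in for per-source firewall rules

    def handle_spa(self, src, packet, now=None):
        """Return True and open access for src only if the SPA verifies."""
        now = int(time.time() if now is None else now)
        if len(packet) != HEADER.size + TAG_LEN:
            return False      # cheapest check first: wrong size, drop
        body, tag = packet[:HEADER.size], packet[HEADER.size:]
        user, device, ts, nonce = HEADER.unpack(body)
        try:
            ident = (user.rstrip(b"\0").decode(), device.rstrip(b"\0").decode())
        except UnicodeDecodeError:
            return False
        key = self.key_bank.get(ident)
        if key is None:
            return False      # unknown user or device
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False      # forged or corrupted
        if abs(now - ts) > MAX_SKEW or nonce in self.seen:
            return False      # stale or replayed
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.seen[nonce] = ts
        self.allowed.add(src)
        return True

    def accepts(self, src):
        """Default drop: only sources that presented a valid SPA get through."""
        return src in self.allowed
```

The checks run cheapest first (length, key lookup, MAC, freshness), which matters for the drop-rate concern raised earlier in the article.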

The open source components Waverley is developing will be a combination of gateways, controllers and on-boarding mechanisms, according to Koilpillai. Agencies can deploy them broadly against DDoS attacks, and application developers can have their own on-boarding mechanisms for critical users, such as systems administrators.

Waverley will add its own value to the solution by providing services to help organizations figure out how to implement the tools in their own environments, she said, as well as managing the gateways for them and monitoring the tools throughout their deployment to make sure they are being effective.

“What we deliver will be out of the box solutions,” she said, “though the organizations will have to decide how they want to on-board their users and devices.”

The DHS contract allows for an open timeline for when Waverley will deliver the tools, though Koilpillai noted that it already has a gateway aimed at systems administrators that can be downloaded and used now. A gateway specifically for DDoS is still in the future since “that’s a little more high performance” than the gateway that’s available today and needs more work before it can be delivered.

Different pieces of the controllers will be rolled out every three months or so, she said. Waverley will also be conducting operational pilots in order to provide working examples for potential users before they download the tools.
