Conventional thinking supposes firewalls are meant to protect an enterprise from the outside world. But can that firewall protect your company from being used in a distributed denial-of-service attack?
Denial-of-service attacks are not something to be taken lightly. A series of DDoS attacks on CNN, Yahoo, and eBay in 2000 caused $1 billion of damage, the Yankee Group estimates.
Unlike many other security breaches, combating DDoS attacks involves both protecting your systems from such an attack and preventing your systems from being used in such a way.
Los Angeles-based Cs3 is offering a Reverse Firewall, which monitors outgoing data so a company's systems cannot be used in a DDoS attack. Cs3 is offering its software pre-loaded and pre-configured on a Linux server for $3,995.
At first glance, one might think such a product would only appeal to companies that are especially worried about their systems being used for DDoS attacks. Yet one must remember that when systems are used for DDoS, they have already been compromised. A DDoS attack can also bring down the network of the company it is being launched from, not just the target's.
Cs3's Reverse Firewall monitors the packets of data leaving the network, said Cs3's co-founder and CTO K. Narayanaswamy. The product uses a patent-pending technique of "fair service scheduling" that monitors outgoing packets based on where they come from inside the network. If a high number of "unexpected" packets come from within the network, a potential signal of an attack, the firewall can notify the network administrator.
The Reverse Firewall also makes sure a user's own network isn't brought down while a DDoS attack is being launched from it. The product is targeted at companies both large and small, as many DDoS attacks come from small companies. The box is designed to work alongside a traditional firewall rather than replace it. The product fills a particular niche: protecting the user from being used in DDoS attacks. The closer to the network it is installed, the better. "Basically, you install it and forget it," Narayanaswamy said.
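To make the two ideas above concrete, here is a small Python sketch added for this page; it is not Cs3's code, and Cs3's fair service scheduling technique is patent-pending and not described in the article, so plain per-source round-robin stands in for it here. The internal prefix (192.0.2.0/24), the per-window limit of 50 packets, the sample packet list and the function names are all assumptions for illustration. The monitor counts outgoing packets per internal source and flags heavy hitters and packets whose source address is not ours at all; the scheduler shows why a per-source share matters: with plain FIFO the flooding host owns the link, with round-robin the well-behaved host still gets every packet it sent.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed internal prefix (RFC 5737 documentation range) and per-window limit;
# a real deployment would derive both from the site's addressing and a traffic baseline.
INTERNAL_NET = ip_network("192.0.2.0/24")
PER_SOURCE_LIMIT = 50

# Constructed sample of outgoing packets as (src_ip, dst_ip) pairs:
#   192.0.2.10 floods one external target, 192.0.2.20 behaves normally,
#   and three packets carry a source address that is not ours at all.
SAMPLE_PACKETS = (
    [("192.0.2.10", "203.0.113.5")] * 200
    + [("192.0.2.20", "203.0.113.9")] * 5
    + [("198.51.100.7", "203.0.113.5")] * 3
)


def monitor_egress(packets, internal=INTERNAL_NET, limit=PER_SOURCE_LIMIT):
    """Count outgoing packets per internal source over one window.

    Returns (alerts, foreign_source_count): alerts maps each internal source
    that exceeded `limit` to its packet count; foreign_source_count tallies
    packets whose source address lies outside our prefix, which cannot be
    legitimate outbound traffic and is a classic sign of a spoofed flood.
    """
    counts = defaultdict(int)
    foreign = 0
    for src, _dst in packets:
        if ip_address(src) not in internal:
            foreign += 1
            continue
        counts[src] += 1
    alerts = {src: n for src, n in counts.items() if n > limit}
    return alerts, foreign


def fifo_schedule(packets, budget):
    """Plain first-in-first-out: whoever fills the link first owns it."""
    return list(packets[:budget])


def fair_schedule(packets, budget, internal=INTERNAL_NET):
    """Round-robin over per-source queues (a stand-in for fair service
    scheduling): packets with a foreign source are dropped outright, and each
    remaining source gets at most one packet per turn, so a flooding host
    cannot starve its neighbours."""
    queues = defaultdict(deque)
    for pkt in packets:
        if ip_address(pkt[0]) in internal:
            queues[pkt[0]].append(pkt)
    active = deque(queues)  # dict keeps insertion order, so first seen goes first
    sent = []
    while active and len(sent) < budget:
        src = active.popleft()
        sent.append(queues[src].popleft())
        if queues[src]:
            active.append(src)
    return sent


def per_source_share(sent):
    """How many of the scheduled packets each source actually got."""
    share = defaultdict(int)
    for src, _dst in sent:
        share[src] += 1
    return dict(share)


if __name__ == "__main__":
    alerts, foreign = monitor_egress(SAMPLE_PACKETS)
    print("sources over limit:", alerts)            # {'192.0.2.10': 200}
    print("packets with foreign source:", foreign)  # 3
    print("FIFO share:", per_source_share(fifo_schedule(SAMPLE_PACKETS, 12)))  # {'192.0.2.10': 12}
    print("fair share:", per_source_share(fair_schedule(SAMPLE_PACKETS, 12)))  # {'192.0.2.10': 7, '192.0.2.20': 5}
```

With a link budget of 12 packets, FIFO hands all 12 to the flooding host, while round-robin delivers every one of the quiet host's five packets and drops the three spoofed ones before scheduling at all. The same per-source count that raises the alert is what makes a source-aware scheduler possible; that is the link between the monitoring and the "network stays up" claim in the text.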
While firewalls and other filtering devices can be configured to slow down DDoS attacks, truly combating such things requires controls at the ISP and backbone levels, said Frank Prince, senior analyst at Cambridge, Mass.-based Forrester Research Inc.
Companies could set up automated recognition systems to filter out suspect traffic, but most users are afraid that legitimate customer traffic won't get through, said Prince.
As more home users get always-on Internet access, they may find their systems being used in DDoS attacks, Prince said. Such users often don't know whether their system is being used for an attack, or don't really care.
"The big enterprises are usually the targets of these attacks," Narayanaswamy said. "But they are coming from small companies and even home users with cable or DSL connections. People have upgraded their bandwidth without upgrading their knowledge."