Putting firewalls in front of servers to mitigate threats is the number one security mistake cloud computing providers commit, according to Arbor Networks’ solutions architect for Asia-Pacific, Roland Dobbins.
He is visiting Australia as a keynote speaker at the Australian Network Operators Group 03 (AusNOG-03) summit.
Drawing on the July 4 distributed denial of service (DDoS) attacks on the Republic of Korea and US, Dobbins said old habits died hard and many organisations were ill-equipped to fend off the assaults despite previous occurrences.
“People are designing and implementing systems that are brittle and do not scale well and are not defensible,” he said. “We learnt that DDoS attacks were very run-of-the-mill but because organisations are often unprepared, even small unsophisticated attacks can take them down.”
While Australia largely avoided the July 4 incident, Dobbins said the country’s situation was very much like the rest of the world.
Internet security shortcomings are a global trend, and Dobbins flagged a lack of preparation as common practice among cloud providers. But the biggest blunder was an over-reliance on firewalls.
Companies deploy firewalls under the impression that they are the panacea for all security dangers. This was wrong, according to Dobbins, because firewalls are stateful inspection devices: they track each connection in a state table and only let through packets belonging to connections that a host behind them has already initiated with an external host.
“By definition, every connection that comes into a Web server, a DNS or a mail server is an unsolicited connection,” he said. “Placing that firewall in front of a server serves no purpose from a security standpoint. Secondly, it makes things worse because even the biggest firewall has finite amounts of memory used for state table space, so attackers can craft traffic that will pass that rule and crowd out legitimate user traffic.”
Dobbins was concerned about the lack of talk about DDoS in cloud computing discussions, despite his labelling it “the cloud model killer”. With the cloud model predicated upon applications and data being hosted in a datacentre and remotely accessed by users, a successful DDoS attack on a cloud provider can cause severe collateral damage, he said.
“Cloud computing has the potential to raise the bar on security, but only if providers do the things they need to do,” Dobbins said.
He recommends a six-phase methodology for dealing with all types of security incidents:
1. Preparation: The single most important step, because it allows the execution of the other five phases. Cloud providers need to design and implement the architecture of their cloud services in a way that scales in the face of an attack, and to ensure visibility into their network traffic and application behaviour so as to exert full control.
2. Detection and identification: Being able to recognise that an event is taking place; visibility into network traffic is the key to this step.
3. Classification: Once an event is detected, the next stage is to classify the hazard and understand what type of threat this particular event poses to the application services and infrastructure.
4. Trace back: Again, traffic visibility is vital from the moment traffic enters the network. By looking at peers, upstream, downstream and users, providers can find out where the attack traffic is entering.
5. Reaction: Take appropriate action to mitigate the threat. Companies that are unprepared are prone to take a stab in the dark and can make things worse.
6. Post-mortem: After the attack, sit down to discuss how the attack was handled. Gather feedback and take it back to the preparation phase.
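Phases 2 to 4 above all hinge on the same thing: visibility into traffic at the point it enters the network. The following is an added example, written for this page and not code from the article, from Arbor Networks or from Dobbins, of what that visibility buys a provider in practice. It runs detection, classification and trace-back over a handful of constructed flow records (the addresses, peer names, thresholds and the half-open flag are all assumptions) and flags the half-open connection flood that the state-table discussion above describes, attributing it to the peer it arrived through.

```python
"""Added example: detection, classification and trace-back over flow records.

Not the article's or Arbor's code. Flow records, peer names, addresses and
thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

WINDOW = 60  # seconds per analysis window (assumption)


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds (constructed)
    ingress: str     # peer/interface the traffic entered through (assumption)
    src: str
    dst: str
    dport: int
    syn_only: bool   # handshake never completed: a half-open connection
    bytes: int


def make_sample():
    """Constructed sample: one clean window, then a half-open flood."""
    flows = []
    # Clean window: 20 clients, completed handshakes, normal-sized transfers.
    for i in range(20):
        flows.append(Flow(1000 + i, "peer-a", f"198.51.100.{i + 1}",
                          "203.0.113.10", 80, False, 4000 + i * 10))
    # Attack window: 300 tiny half-open flows from 250 sources, mostly via peer-b.
    for i in range(300):
        ingress = "peer-b" if i % 10 else "peer-a"
        flows.append(Flow(1080 + i % 60, ingress, f"192.0.2.{i % 250 + 1}",
                          "203.0.113.10", 80, True, 60))
    return flows


def bucket(flows):
    """Group flows per (destination, port, window)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.dst, f.dport, f.ts // WINDOW)].append(f)
    return buckets


def summarize(group):
    """Per-window features used for detection and classification."""
    n = len(group)
    return {
        "flows": n,
        "sources": len({f.src for f in group}),
        "half_open_ratio": sum(f.syn_only for f in group) / n,
        "avg_bytes": sum(f.bytes for f in group) / n,
    }


def classify(s):
    """Phase 3: name the kind of threat the anomaly represents."""
    if s["half_open_ratio"] > 0.5 and s["avg_bytes"] < 200:
        # Many tiny, never-completed connections: this is what fills a
        # stateful firewall's state table and crowds out real users.
        return "state-exhaustion: half-open connection flood"
    if s["avg_bytes"] >= 1000 and s["sources"] > 100:
        return "volumetric flood"
    return "unclassified anomaly"


def trace_back(group):
    """Phase 4: which peers is the suspicious traffic entering through?"""
    return Counter(f.ingress for f in group if f.syn_only).most_common()


def analyze(flows, flow_multiplier=5.0, half_open_threshold=0.5):
    """Phase 2 onwards. Assumption: the earliest window per target is clean
    and serves as the baseline for later windows."""
    buckets = bucket(flows)
    baseline = {}
    incidents = []
    for key in sorted(buckets):
        dst, dport, w = key
        s = summarize(buckets[key])
        base = baseline.setdefault((dst, dport), s)
        if base is s:
            continue  # first window for this target: baseline only
        if (s["flows"] >= flow_multiplier * base["flows"]
                or s["half_open_ratio"] >= half_open_threshold):
            incidents.append({
                "target": f"{dst}:{dport}",
                "window": w * WINDOW,
                "summary": s,
                "class": classify(s),
                "ingress": trace_back(buckets[key]),
            })
    return incidents


if __name__ == "__main__":
    for inc in analyze(make_sample()):
        print(inc["target"], inc["window"], inc["class"], inc["ingress"])
```

The flows-per-window and half-open thresholds are deliberately simple; a provider would derive them from its own baselines gathered during the preparation phase. The trace-back output is what feeds the reaction phase: knowing that the flood is arriving almost entirely through one peer is what lets an operator act there rather than stabbing in the dark.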