F5 Friday: When Firewalls Fail…

New survey shows firewalls falling to application and network DDoS with alarming frequency…

With the increasing frequency of successful DDoS attacks there has come a few studies focusing on organizational security posture – readiness, awareness, and incident rate as well as costs of successful attacks.

When Applied Research conducted a study this fall on the topic, it came with some expected results but also uncovered some disturbing news – firewalls fail. Often. More often, in fact, than we might like to acknowledge. That’s troubling because it necessarily corresponds to the success rate of attacks and, interestingly, the increasing success of multi-layer attacks.

The results were not insignificant – 36% of respondents indicated failure of a firewall due to an application layer DDoS attack while 42% indicated failure as a result of a network layer DDoS attack. That makes the 11 in 12 who said traditional safeguards are not enough a reasonable conclusion.

There is a two-part challenge in addressing operational risk when it comes to mitigating modern attacks. First, traditional firewalls aren’t able to withstand the flood of traffic being directed their way and second, stateful firewalls – even with deep packet inspection capabilities – aren’t adequately enabled to detect and respond to application layer DDoS attacks.

Because of this, stateful firewalls are simply melting down in the face of overwhelming connections and when they aren’t, they’re allowing the highly impactful application layer DDoS attacks to reach web and application services and shut down them.

The result? An average cost to organizations of $682,000 in the past twelve months. Lost productivity (50%) and loss of data (43%) topped the sources of financial costs, but loss of revenue (31%) and loss of customer trust (30%) were close behind, with regulatory fines cited by 24% of respondents as a source of financial costs.

A new strategy is necessary to combat the new techniques of attackers. Today’s modern threat stack spans the entire network stack – from layer one to layer seven. It is no longer enough to protect against one attack or even three, it’s necessary to mitigate the entire multi-layer threat spectrum in a more holistic, intelligent way.

Only 8% of respondents believe traditional stateful firewalls are enough to defend against the entire landscape of modern attacks. Nearly half see application delivery controllers as able to replace many or most traditional safeguards. Between one-third and one-half of respondents are already doing just that, with 100% of those surveyed discussing the possibility. While sounding perhaps drastic, it makes sense to those who understand the strategic point of control in which the application delivery controller topologically occupies, and its ability to intercept, inspect, and interpret the context of every request – from the network to the application layers. Given that information, an ADC is eminently better positioned to detect and react to the application DDoS attacks that so easily bypass and ultimately overwhelm traditional firewall solutions.

Certainly it’s possible to redress application layer DDoS attacks with yet another point solution, but it has always been the case that every additional device through which traffic must pass between the client and the server introduces not only latency – which impedes optimal performance – but another point of failure. It is much more efficient in terms of performance and provides a higher level of fault tolerance to reduce the number of devices in the path between client and server. An advanced application delivery platform like BIG-IP, with an internally integrated, high-speed interconnect across network and application-focused solutions, provides a single point at which application and network layer protections can be applied, without introducing additional points of failure or latency.

The methods of attackers are evolving, shouldn’t your security strategy evolve along with it?

2011 ADC Security Survey Resources:


Published Nov 11, 2011
Version 1.0

Was this article helpful?

No CommentsBe the first to comment