I don’t have an office anymore. I write from diners, coffee shops, hotel rooms, and airplanes. My world changed 18 months ago, when the patriot hacker, The Jester, attacked WikiLeaks and goaded the hacktivist collective Anonymous into attacking Visa, MasterCard, PayPal, Amazon, and others, with volumetric floods. Since then, I gave up my desk job and have lived on the road, preaching the gospel about DDoS attacks and letting customers cry on my shoulder.
The targets of those WikiLeaks attacks saw their firewalls go down amidst the TCP floods and ended up using their “F5s” as their firewalls. This event was one of the top reasons for the genesis of F5’s Application Delivery Firewall, which officially launches today with a whole host of features aimed at reporting and mitigating volumetric DDoS attacks. It couldn’t come at a better time for F5 or our customers, many of whom are facing a new round of DDoS attacks.
With the launch of this Application Delivery Firewall, we are betting big that DDoS isn’t going away (it’s only going to get worse) and that we have the best tools to deal with it on premises. It’s a different approach, one that revolves around defending the application. We’re attaching network firewall policy directly to the application object, in the same way that we already do for web application firewall policy.
We’re ready to change the world with this solution, but the question is whether the world is ready to change with us?
One of the security architects (who was getting pounded by the Cyber Fighters) wasn’t ready to hear about the new application-centric firewall paradigm. In fact, he had already panicked and embiggened his firewall (from the same vendor). The conversation we had made him the perfect stand-in to represent the conventional firewall.
Fallacious Arguments favoring Traditional Firewalls
“I rely on my firewall to fail before my servers do.” During all of the Cyber Fighter attacks, across the whole theater, to our knowledge no F5 gear had fallen anywhere. When we pointed this out to the architect, he responded that he wasn’t surprised. Not because of the superior performance metrics of the F5 application-delivery strategy, but because architects like him need the firewall to fail first – it is easier for his team to ride out the storm with a downed firewall than to have to reboot thousands of overloaded servers. Here’s the thing though: The Cyber Fighters have been attacking since September 2012, and they plan to keep attacking for another year. You can’t hide behind a failed firewall that long and still have a job.
“I can’t put my SSL keys on the firewall.” Most customers don’t, and won’t have to. Even with the application-centric firewall, most customers deploy with multiple tiers, and keep the SSL keys on the second tier. Customers that aren’t doing this are finding that, in order to fight off SSL attacks, they are doing things that they thought would have been unthinkable, like giving their SSL keys to a CDN. We say it’s better to locate them a little closer to your perimeter but still keep them inside. Put them in a FIPS 140 boundary and use elliptic curve ciphers to preserve forward secrecy.
“My security team doesn’t work with my app team.” Application-centric firewall policies make a lot of sense when you think about it – they are easier to prune and result in faster, easier-to-manage rulesets. But the reason that we get blank stares when we talk about it is either that people don’t get it or that they know that their teams won’t easily give up something familiar.
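The second argument ends with the advice to pair a protected key with elliptic curve ciphers so that a key moved closer to the perimeter does not also expose past traffic. As an added illustration (not code from the post or from F5), here is a small audit of an OpenSSL-style cipher string that separates suites with ephemeral (EC)DHE key exchange, where the server key only signs and cannot decrypt recorded sessions, from suites with static RSA key exchange, where it can. The cipher string and suite names are constructed sample input; the classification relies on OpenSSL's KEX-AUTH-CIPHER-MAC naming convention.

```python
# Key-exchange prefixes in OpenSSL suite names that use an ephemeral exchange,
# so compromise of the server's long-term key does not decrypt past sessions.
FORWARD_SECRECY_KEX = ("ECDHE", "DHE", "EDH")

# TLS 1.3 suites carry no key-exchange name; the protocol always uses (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def has_forward_secrecy(suite):
    """True if the suite's key exchange is ephemeral (EC)DHE or TLS 1.3."""
    if suite in TLS13_SUITES:
        return True
    return suite.split("-")[0] in FORWARD_SECRECY_KEX


def uses_elliptic_curve(suite):
    """True for the elliptic curve variant the post recommends (ECDHE)."""
    return suite.startswith("ECDHE")


def audit_cipher_list(cipher_list):
    """Classify each suite in a colon-separated OpenSSL cipher string.

    Suites without an ephemeral exchange (e.g. plain AES128-SHA, which is
    RSA key transport) let a stolen server key decrypt captured traffic.
    """
    report = {"forward_secrecy": [], "ec_ephemeral": [], "no_forward_secrecy": []}
    for suite in cipher_list.split(":"):
        suite = suite.strip()
        if not suite:
            continue
        if has_forward_secrecy(suite):
            report["forward_secrecy"].append(suite)
            if uses_elliptic_curve(suite):
                report["ec_ephemeral"].append(suite)
        else:
            report["no_forward_secrecy"].append(suite)
    return report


def hardened_cipher_list(cipher_list):
    """Return the cipher string with ECDHE suites first and non-PFS suites dropped."""
    report = audit_cipher_list(cipher_list)
    others = [s for s in report["forward_secrecy"] if s not in report["ec_ephemeral"]]
    return ":".join(report["ec_ephemeral"] + others)


if __name__ == "__main__":
    # Constructed sample: a mixed list such as a legacy server might carry.
    sample = ("ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA:DHE-RSA-AES128-SHA:"
              "ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384")
    print(audit_cipher_list(sample))
    print(hardened_cipher_list(sample))
```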
In the same way that weak defenses “hide” behind a failed firewall, all of these arguments “hide” behind it too. These are real challenges (well, #1 and #2 are anyway) which can be solved with vision, engineering, and process. Solving them gets us closer to having dynamic defenses so we can keep the “Open” sign up even in the worst cyber weather.
If the world figures out how to overcome these problems, we can all move forward. Our job for 2013 and 2014 will be to help people get past these excuses so that they can move on to bigger and better things – namely not living in fear from DDoS attacks and running their businesses. And maybe I can go back to writing code and not living out of a suitcase.