Last week I wrote about how the Dyn attack exposed the IoT as a new area of opportunity for major DDoS attacks. In particular, Dyn illustrated how easy it is for misconfigured IoT devices to be compromised and cripple the DNS system. The only true solution requires us to start fundamentally rethinking how we approach IP-based security solutions.
In the case of Dyn, some say that replacing DNS with DNS Sec would have prevented the attack, but the problem is bigger than DNS. There are thousands implementations of DNS on the Internet today and all of these services are open to access without authenitication. The IoT is probably the biggest example with thousands and thousands of devices, cameras, appliances, thermostats, toys … anything that can be turned against you. That is how the current system works.
What needs to be changed is the DNS security paradigm that is based on “access before authentication” and was instituted at a time when devices, networks and firewalls were essentially static. It relied on us knowing the IP addresses and using firewalls to control where the access is coming from.
With the advent of virtualization and the cloud, IT changed rapidly with the influx of mobile devices and clients accessing services and devices from anywhere. Overnight we went from trying to secure static, defineable networks and services to ones that are now highly dynamic. IT is now anything but static and everyone has access to your services and devices before they are required to authenticate.
The analogy is a house that allows access before authentication (our current environment). Bad guys are allowed to walk up to the house and knock on the door. If no one is home and the door is locked, they can start trying to pick the lock with no resistance. They might get in, they might not. But everyone has access and the ability to try and exploit it. In the authentication before access house, the attacker cannot see the door, or the house, or even know it is there to begin with.
So the paradigm has to change and it starts with knowing who we are giving access to. And the only way to know who we give access to is to authenticate first. It is a fundamentally different approach that will require having a client on every device – something not everyone is willing to accept yet. But devices are central to any IT environment. Only by putting a client on the device can you authenticate users in way that ensures that the service is completely shut off to everyone except those authenticated and authorized.
We cannot keep doing it the same way and expect to be secure and a willingness to change must be accepted in order for it to happen.
In fact, there exists today proven solutions that protect enterprises from volumetric DDoS attacks. SDPs are emerging to handle DDoS attacks as well as a key component in a new security paradigm for reducing and eliminating risk. They incorporate industry input and lessons learned from successful commercial implementations of SDP by leading enterprises such as Coca-Cola, Mazda, and Google, and large government organizations like the DHS.
Software Defined Perimeters (SDP) employ an authenticate-first approach by securing every connection to a predetermined service, application or critical infrastructure. The primary effect of the SDP is that it allows good packets and connections while dropping bad packets and preventing bad connections. In the event of a DDoS attack, SDP proactively identifies malicious traffic, automates the ability to immediately block it, and stops the traffic from reaching the protected services.
SDPs continue to be tested in organized industry “hack-a-thons” (such as RSA) with an estimated 10 billion attempts to date – all unsuccessful.
For more information, check out this white paper on Software Defined Perimeters.
Also feel free to check out the industry’s first open source reference implementation of SDP developed by Waverley Labs. The reference architecture and repository can be accessed and downloaded here.