The Radware FireProof is a 1U device that has many features typical of other Radware products, including switching, routing and load-balancing. We were specifically interested in the product's SynApps technology. DoS protection is as simple as configuring the FireProof, then enabling the Application Security feature. We configured the FireProof to act as a router, separating the Web server's segment from the upstream Cisco Systems router.
We looked at a Radware technical document about the SynApps technology to get a clear picture of how the FireProof goes about mitigating attacks. The FireProof blocked all ICMP traffic during our ICMP floods and took the floodgate approach for both of our SYN floods. This is the one drawback of the FireProof: Even a single host sending a nonspoofed SYN flood can push the FireProof into floodgate mode, which throttles all traffic and effectively turns the FireProof into an amplifier for the attack. It would be better if the FireProof could identify single-source attacks and block that source alone.
The FireProof didn't count open connections to our Web server (and therefore didn't protect against the Naptha attack). The Web Server Director (which we didn't test) can be configured to limit the number of connections; this still results in a floodgate-style mitigation, but it's better than nothing. The FireProof was able to detect and mitigate some of the Targa attack, but the vast majority of the packets reached the target server.
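To make the distinction concrete, here is an added example (our own illustration, not Radware code or any FireProof setting) of a toy SYN-flood mitigation policy that does what we wished the FireProof would: block a single nonspoofed source outright, and fall back to a floodgate only when no one source stands out. It also adds the per-source open-connection cap that catches a Naptha-style attack, which SYN-rate logic alone never sees. The thresholds, address ranges and traffic windows are constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SynRec:
    """One inbound TCP SYN seen in a sampling window (constructed record)."""
    src: str


# Thresholds are assumptions for the example, not FireProof settings.
SYN_RATE_LIMIT = 200        # SYNs per window before any mitigation kicks in
SINGLE_SOURCE_SHARE = 0.8   # one source carrying >= 80% of SYNs = nonspoofed single host
MAX_OPEN_PER_SRC = 50       # open connections a single source may hold (Naptha guard)


def choose_syn_response(window: list[SynRec]) -> dict:
    """Decide how to react to the SYNs in one window.

    - Below SYN_RATE_LIMIT: do nothing.
    - One source dominates: block that source and leave everyone else alone.
    - Otherwise (spoofed or distributed): fall back to a floodgate that
      rate-limits all inbound SYNs, the only option when no source stands out.
    """
    if len(window) < SYN_RATE_LIMIT:
        return {"mode": "none"}
    src, count = Counter(r.src for r in window).most_common(1)[0]
    if count / len(window) >= SINGLE_SOURCE_SHARE:
        return {"mode": "block_source", "src": src}
    return {"mode": "floodgate", "syn_limit": SYN_RATE_LIMIT}


def track_open(events: list[tuple[str, str]]) -> Counter:
    """Maintain open-connection counts from ('src', 'open'|'close') events."""
    open_conns: Counter = Counter()
    for src, ev in events:
        if ev == "open":
            open_conns[src] += 1
        elif ev == "close" and open_conns[src] > 0:
            open_conns[src] -= 1
    return open_conns


def naptha_offenders(open_conns: Counter) -> list[str]:
    """Sources holding more open connections than MAX_OPEN_PER_SRC.

    A Naptha-style attack completes the handshake and then sits on the
    connection, so only a per-source count of open connections catches it.
    """
    return sorted(s for s, n in open_conns.items() if n > MAX_OPEN_PER_SRC)


# Constructed traffic windows (addresses taken from the documentation ranges).
QUIET = [SynRec(f"203.0.113.{i % 20 + 1}") for i in range(40)]
SINGLE_SOURCE = ([SynRec("198.51.100.7")] * 480
                 + [SynRec(f"203.0.113.{i + 1}") for i in range(30)])
SPOOFED = [SynRec(f"198.51.100.{i % 250 + 1}") for i in range(500)]

# Constructed Naptha scenario: one host opens 60 connections and closes none,
# while a normal client opens and closes five.
NAPTHA_EVENTS = ([("198.51.100.9", "open")] * 60
                 + [("203.0.113.4", "open"), ("203.0.113.4", "close")] * 5)

if __name__ == "__main__":
    for name, window in (("quiet", QUIET), ("single-source", SINGLE_SOURCE), ("spoofed", SPOOFED)):
        print(f"{name:14s} -> {choose_syn_response(window)}")
    print("naptha offenders:", naptha_offenders(track_open(NAPTHA_EVENTS)))
```

The single-source window is the case the FireProof gets wrong: 480 of 510 SYNs come from one address, so dropping that address costs nothing, whereas a floodgate would throttle the 30 legitimate clients alongside it. The spoofed window has no dominant source, and a floodgate is the only thing left.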
The FireProof lacks detailed attack-reporting and -analysis tools. In fact, the only indications of ongoing attacks were single entries in the alarm log -- and the entries were quite minimal. Inevitably, an administrator will have to turn to some type of traffic analyzer or network sniffer to get details of the ongoing attack.
FireProof 2.2 with SynApps and running on the Radware Application Switch 1. Radware, (888) 234-5763, (201) 512-9771; fax (201) 512-9774. www.radware.com
Mazu Networks TrafficMaster Enforcer
Mazu's TrafficMaster Enforcer came installed on a 3U IBM eServer running a highly modified Linux variant under the hood. The installation and configuration were straightforward, and the GUI navigation is well-designed. Real-time traffic graphs are available to show the general goings-on of network traffic, but the traffic breakouts, both during attacks and in the historical view, make viewing individual packet characteristics difficult. You can view only one packet at a time, which makes side-by-side comparison tough. This is unfortunate because the TrafficMaster's underlying engine does an excellent job correlating similarities in traffic packets. In fact, this is the primary factor that separates TrafficMaster from rivals: the capability to data-mine traffic for similarities that could be used to detect and stop attacks.
TrafficMaster sits inline as an Ethernet bridge. It detects traffic anomalies (attacks) passing through it, reviews the characteristics of the packets that caused the anomaly, constructs a candidate Mazu filter that would help mitigate it, and offers that filter to the user for activation. The user reviews the filter and, if things look good, clicks a button to install it into TrafficMaster's internal firewall, which then filters the traffic passing through the bridge.
One complaint we have about the TrafficMaster is that some of the recommended filters are complex and go overboard for what needs to be done. For example, our ICMP flood resulted in a complex filter that wound up blocking dozens of partial network address spaces (which, when taken together, approximated the entire Internet address space) rather than a simple filter that would deny all ICMP traffic in one shot. The version we tested also did not let us edit the recommended filter. Mazu is working on adding this feature as well as making custom filter creation easier.
TrafficMaster's recommended filters for the SYN floods blocked all incoming SYNs. In those recommended filters, however, we could easily see two characteristics (static TTL and IP length values) that, when we hand-built a custom filter on them, blocked all attack traffic without affecting our legitimate traffic. We hope the Mazu engine will be able to come to that same conclusion on its own -- and we're willing to bet it will. But this is one case where human review was required to formulate the best solution. Although TrafficMaster didn't get points for work we did ourselves, we did consider it in our final subjective grade. After all, the TrafficMaster's traffic-analysis tools, like those found in Arbor's Peakflow and Asta's Vantage System, make it much easier for a user to review the problem and make informed mitigation decisions.
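The following is an added example (our own sketch, not Mazu's engine or filter format) of the kind of similarity mining that produced our hand-built filter: look for header fields whose values are nearly constant across the attack packets but not across normal traffic, AND those fields together into a filter, and measure what the filter would drop on both sides before installing it. The field names, thresholds and packet records are constructed for the example; the attack SYNs carry a fixed TTL and IP total length, as ours did.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Header fields of one inbound SYN (constructed record)."""
    src: str
    ttl: int
    ip_len: int   # IP total length in bytes


FIELDS = ("ttl", "ip_len")
STATIC_SHARE = 0.9        # field is "static" when >= 90% of attack SYNs share one value (assumed)
MAX_BASELINE_SHARE = 0.5  # ...and that value is not already dominant in normal traffic (assumed)


def dominant_value(pkts: list[Pkt], field: str) -> tuple[int, float]:
    """Most common value of `field` and the fraction of packets carrying it."""
    value, n = Counter(getattr(p, field) for p in pkts).most_common(1)[0]
    return value, n / len(pkts)


def share_of(pkts: list[Pkt], field: str, value: int) -> float:
    """Fraction of `pkts` whose `field` equals `value`."""
    return sum(getattr(p, field) == value for p in pkts) / len(pkts)


def propose_filter(attack: list[Pkt], baseline: list[Pkt]) -> dict[str, int]:
    """Return {field: value} predicates, ANDed together, for every field that is
    near-constant in the attack window but not in baseline traffic.
    An empty dict matches every SYN, i.e. the 'block all SYNs' recommendation."""
    preds: dict[str, int] = {}
    for field in FIELDS:
        value, share = dominant_value(attack, field)
        if share >= STATIC_SHARE and share_of(baseline, field, value) <= MAX_BASELINE_SHARE:
            preds[field] = value
    return preds


def matches(pkt: Pkt, preds: dict[str, int]) -> bool:
    return all(getattr(pkt, f) == v for f, v in preds.items())


def evaluate(preds: dict[str, int], attack: list[Pkt], legit: list[Pkt]) -> tuple[float, float]:
    """(fraction of attack SYNs dropped, fraction of legitimate SYNs dropped)."""
    return (sum(matches(p, preds) for p in attack) / len(attack),
            sum(matches(p, preds) for p in legit) / len(legit))


# Constructed traffic: the flood tool emits SYNs with a fixed TTL and a bare
# 40-byte IP+TCP header from spoofed sources; real clients vary in both fields.
ATTACK = [Pkt(f"198.51.100.{i % 250 + 1}", ttl=64, ip_len=40) for i in range(300)]
LEGIT_TTLS = (49, 113, 57, 241, 120)
LEGIT_LENS = (60, 64, 52, 40)       # some real stacks also send 40-byte SYNs
LEGIT = [Pkt(f"203.0.113.{i % 50 + 1}", ttl=LEGIT_TTLS[i % 5], ip_len=LEGIT_LENS[i % 4])
         for i in range(100)]

if __name__ == "__main__":
    proposed = propose_filter(ATTACK, LEGIT)
    for label, preds in (("block all SYNs", {}), ("ip_len only", {"ip_len": 40}), ("proposed", proposed)):
        dropped_attack, dropped_legit = evaluate(preds, ATTACK, LEGIT)
        print(f"{label:15s} {preds!s:28s} attack dropped {dropped_attack:.0%}, legit dropped {dropped_legit:.0%}")
```

The point of the evaluate step is the "impact rating" we wanted next to every recommendation: the blanket filter drops 100% of the attack and 100% of our clients; IP length alone still drops a quarter of the legitimate SYNs, because some normal stacks send 40-byte SYNs too; only the ANDed TTL-plus-length filter drops the attack cleanly. A practitioner would run exactly this comparison against a captured baseline before clicking "install."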
TrafficMaster also offers its SYNQueue technology, which helps mitigate SYN floods automatically without the need for a filter. Essentially, TrafficMaster monitors the incoming rate of SYNs against a user-defined threshold. As soon as that threshold is breached, TrafficMaster will start to send RSTs (connection reset packets) to the server to keep it from being overwhelmed. This response is immediate, as opposed to the user intervention needed to install a Mazu filter. However, the device makes no differentiation between legitimate and attack traffic during this RST flurry.
The strength of TrafficMaster's data-analysis engine shone during the Targa attack, when it filtered out the bulk of the anomalous attack traffic. In the end, however, we felt as though we were left playing Russian roulette when it came to installing the recommended Mazu filters. The complex filter recommendations made it unclear what was to be filtered; the inability to edit the filters and make them more sane was frustrating; and their impact on legitimate traffic, despite some provided statistical impact ratings, always seemed random. The company says all these problems will be addressed by print time, and says it has added some other enhancements that should help TrafficMaster fare well in these types of situations.
TrafficMaster Enforcer for DDoS version 1.0. Mazu Networks, (617) 354-9292. www.mazunetworks.com