Intrusion Detection Systems: With a unique method of protecting a network from DDoS attacks, Webscreen Technology's WS100 and WS1000 appliances are looking at threat prevention in a whole new way.
Gary Milo founded Webscreen Technology last year after working as a network security consultant for blue chip clients in the city of London. While helping customers guard against denial of service attacks, Milo says, he realized that a dedicated device focused exclusively on blocking such attacks could be a popular solution among the clients he served. Milo, current Webscreen chief executive officer, explains that developing
the product involved taking a new look at an all too common problem.
"My background in security led me to believe that there was a way of solving this that was beyond the normal bounds of IP," he said. "DDoS [distributed denial-of-service] is a difficult problem to crack using normal IP-type filtering, because a lot of the traffic looks like normal web server traffic."

Instead of employing traditional methods to prevent attacks, Webscreen's product blocks access based on a visitor's profile. "We actually keep a history of people's activity on a web site, and their behavior, the sort of the things they look for on the web site, so that when an attack comes in, we have this background immediately available to make a decision whether or not to allow somebody to access the site," he said.

This means that, during a DDoS attack, regular visitors to a site should have no trouble getting in, but visitors with non-human or unfamiliar behavior patterns will be blocked. "We think this is a unique feature of Webscreen, that you actually get a service for your customers while the other guys get blocked," Milo said.

"We could be described as IDS at the edge of the network, though we don't do pattern matching and we don't do signature analysis," Milo said. "The traffic passes through Webscreen and builds up a profile of each user, based on his IP address. By accessing that profile, we can filter one set of users we want to allow through, and a different set of users that are attacking us and we want to keep out."

Charming solution
Milo admits that first-time visitors with bad timing could be blocked.
"We will kill some innocents, but essentially, as long as they're behaving
in a human-type way and not demanding 100 copies of the index page every
second, they'll get through," he said. "Obviously, if you happen to be
looking at a web site for the first time at exactly the same time as an
attack comes in, then you won't have quite as good a profile."
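The profile-based admission decision described above can be sketched as follows. This is an added illustration, not Webscreen's implementation: the class name, the thresholds and the sample addresses are all assumptions chosen for the example.

```python
from collections import deque

class ProfileFilter:
    """Per-source-IP behaviour profile consulted while under attack (illustrative)."""

    def __init__(self, known_rate=10, unknown_rate=2, window=1.0,
                 min_requests=5, min_paths=2):
        # All thresholds are assumed values, not vendor settings.
        self.known_rate, self.unknown_rate = known_rate, unknown_rate
        self.window = window
        self.min_requests, self.min_paths = min_requests, min_paths
        self.paths = {}    # ip -> paths requested during normal operation
        self.recent = {}   # ip -> request timestamps inside the sliding window
        self.under_attack = False

    def _rate(self, ip, now):
        q = self.recent.setdefault(ip, deque())
        q.append(now)
        while now - q[0] > self.window:
            q.popleft()
        return len(q)

    def _known(self, ip):
        seen = self.paths.get(ip, [])
        return len(seen) >= self.min_requests and len(set(seen)) >= self.min_paths

    def allow(self, ip, path, now):
        rate = self._rate(ip, now)
        if not self.under_attack:
            if rate <= self.known_rate:
                # Learn only from well-behaved traffic outside an attack, so
                # attack traffic cannot build itself a trusted profile.
                self.paths.setdefault(ip, []).append(path)
                return True
            return False
        # Under attack: an established profile earns the normal allowance,
        # an unfamiliar address gets a much tighter one.
        limit = self.known_rate if self._known(ip) else self.unknown_rate
        return rate <= limit

def simulate():
    """Constructed traffic: a regular visitor, a first-time visitor, a flooder."""
    f = ProfileFilter()
    pages = ["/", "/products", "/pricing", "/", "/contact", "/support"]
    for i, p in enumerate(pages):                 # browsing before the attack
        f.allow("198.51.100.7", p, now=i * 2.0)
    f.under_attack = True
    t0 = 100.0
    regular = sum(f.allow("198.51.100.7", "/products", t0 + i * 0.2) for i in range(5))
    newcomer = sum(f.allow("203.0.113.9", "/", t0 + i * 0.2) for i in range(5))
    flood = sum(f.allow("192.0.2.66", "/", t0 + i * 0.01) for i in range(100))
    return {"regular": regular, "newcomer": newcomer, "flood": flood}
```

With these assumed thresholds the regular visitor keeps full service, while the first-time visitor is throttled alongside the flooder, which is the collateral cost Milo describes. A real deployment would also have to bound both tables, since spoofed source addresses would otherwise exhaust memory.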
The WS1000, due for release within the next few weeks, runs at 1 Gbps. The gigabit product, according to Milo, will be targeted at the ISP market. "Just as these attacks are an annoyance for individual users, they would also be an annoyance for an ISP," he said. "They could use a gigabit box to protect a large number of devices: we can defend up to 512 entities behind Webscreen."

The WS100 is currently priced at £15,000 per unit, about $22,000 U.S. Around-the-clock technical support is available on the WS100 system for £4,500 ($6,500 U.S.) per year. Extended business hours are covered for £3,000 ($4,300 U.S.) per year and business hours for £1,500 ($2,200 U.S.) annually. Pricing for the WS1000 has yet to be determined.

Plug and play appeal

According to Paul Fullylove, C&C's Sales Manager, it was a logical match. "We specialize in optimization, design, and security," he said. "With the combination of security services and infrastructure design, we wanted to have a look at anything that was new on the market."

Fullylove explains that the greatest advantage that he sees in using an appliance like Webscreen is simply an increased awareness of the presence of attacks. "A lot of the clients that I see don't actually realize whether they're being attacked or not, and this is something that points that out to a very strong degree," he said. "It's amazing how many just do not realize that they're under threat."

John Foster, C&C's Technical Director, adds that the product's simplicity and performance should be strong selling points. "Plug it in, and it just works: there's very little configuration or system management overhead from it," he said. "And as an appliance, its performance is very high. A lot of multi-function boxes, in a high-bandwidth environment, are going to miss some of the traffic."

In general, Fullylove explains, they were impressed by Webscreen's response to any concerns they had. "We sat down with them and went through all the problems, and found that within the next few days a lot of the problems were already being worked upon," he said. "The fact that the company responded to negatives and positives very quickly was quite a strong point, in my point of view."

Ultimately, the greatest testimonial that Fullylove can give is that they haven't had any cause to remove the product since testing began. "It was very easy to get to grips with," he said. "We put it on our network, and it's still up and running today."