IBM Research - Zurich | News

Made in IBM Labs:

IBM researchers have developed a hardware prototype for protecting large-scale, high-speed networks

DIADEM firewall tightens the net against attacks


Zurich, Switzerland, 6 December 2006—The EU project DIADEM Firewall is a prototype of a novel architecture to block attacks against large-scale networks—an increasingly severe threat in this IT era where businesses are becoming ever more networked to provide goods and services on demand. Together with their project partners, scientists at the IBM (NYSE: IBM) Zurich Research Laboratory have developed a hardware module for large-scale, high-speed business networks. The technology gives businesses and network service providers entirely new capabilities to offer their customers secure, high-speed broadband services, thereby guaranteeing business-critical network availability at all times.

Attacks against large-scale networks that cause a breakdown of network connectivity and services, so-called distributed denial-of-service (DDoS) attacks, are a growing source of concern as businesses become increasingly networked and offer more and more services online. A DDoS attack usually happens when a network is flooded with so many requests that it cannot keep traffic moving at a regular pace. By hijacking thousands of home and business computers and using them as so-called zombies to flood and overload a network, DDoS attacks can bring down entire corporate systems, usually as part of a blackmail attempt.

The impact of such network outages on businesses is tremendous. Today, many businesses such as online shops, electronic financial traders, and airline booking portals are vitally dependent on network connectivity. Their potential loss of revenue can quickly reach millions of euros for every minute without connectivity, not accounting for the negative impact on corporate image and reputation. A security survey conducted by IBM in 2006 showed that 74% of 3000 leading companies worldwide rated upgrading their firewall as the most important measure against cybercrime.

Another aspect is that, in the near future, more and more end-users will presumably upgrade to broadband services. This will obviously generate more traffic, which in turn means that the cost of dealing with malicious data traffic is predicted to increase exponentially.

To block DDoS attacks in an effective and cost-efficient way, the DIADEM research team took a whole new approach. They developed a prototype of a distributed detection and automatic reaction system. It is centrally located in the network and managed by the network operator, thereby shifting the responsibility back to the provider to ensure the security of the network.

This new distributed firewall deploys monitoring elements throughout the network. These monitors continuously track traffic patterns at the edges of a network and report them to a system manager. The manager automatically detects abnormalities and adjusts the policies of all firewalls in the network accordingly. As a result, malicious hosts are disconnected from the network. "This is a radical departure from the current approach, where end-users are responsible for installing and maintaining their own firewall systems," explains Patricia Sagmeister, project leader at the Zurich Research Lab. "Unfortunately, the current approach is dangerously insufficient, as demonstrated all too often in recent times."

The IBM team in Zurich has developed a business solution prototype suitable for high-speed corporate networks. It is an innovative architecture that efficiently offloads the processing-intensive packet filtering task to a hardware module. The hardware module filters incoming data at extremely high speeds, which is essential in order to protect broadband networks against DDoS attacks. For the core of this module, IBM researchers developed a sophisticated, highly efficient algorithm that is capable of reliably filtering incoming data packets at network speeds up to 40 gigabits per second. Thus, the system is able to filter as many as 100 million packets per second in order to detect and immediately react to DDoS attacks.
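The detection and reaction loop described in the two preceding paragraphs (edge monitors report traffic patterns, a central manager spots the anomaly and pushes a new policy to every firewall, which then drops the offending hosts) as an added toy model; this is illustration code written for this page, not the DIADEM project's own software, and the class names, threshold and sample reports are all constructed assumptions.

```python
"""Toy model of a DIADEM-style loop: edge monitors report per-source packet
counts, a central manager aggregates them, flags abnormal sources, and pushes
the block policy to every firewall at once. All names and values are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class MonitorReport:
    monitor: str            # which edge monitor produced the report
    interval_s: float       # length of the observation window in seconds
    packets_by_src: dict    # source address -> packets seen in the window


@dataclass
class Firewall:
    name: str
    blocked: set = field(default_factory=set)

    def filter(self, src):
        """Return True if a packet from src may pass this firewall."""
        return src not in self.blocked


class Manager:
    def __init__(self, firewalls, pps_threshold):
        self.firewalls = firewalls
        self.pps_threshold = pps_threshold      # packets/s deemed abnormal

    def detect(self, reports):
        """Aggregate counts across all monitors; return abnormal sources."""
        pkts, window = defaultdict(int), 0.0
        for r in reports:
            window = max(window, r.interval_s)
            for src, n in r.packets_by_src.items():
                pkts[src] += n
        return sorted(s for s, n in pkts.items() if n / window > self.pps_threshold)

    def react(self, reports):
        """Detect, then update the policy of every firewall in the network."""
        bad = self.detect(reports)
        for fw in self.firewalls:
            fw.blocked.update(bad)
        return bad


# Constructed sample: the flooding host is below threshold at each edge alone,
# so only the manager's network-wide view reveals it.
SAMPLE_REPORTS = [
    MonitorReport("edge-A", 1.0, {"10.0.0.5": 60_000, "10.0.0.9": 120}),
    MonitorReport("edge-B", 1.0, {"10.0.0.5": 55_000, "10.0.0.7": 300}),
]


def run_demo():
    fws = [Firewall("fw-1"), Firewall("fw-2")]
    blocked = Manager(fws, pps_threshold=100_000).react(SAMPLE_REPORTS)
    return blocked, [fw.filter("10.0.0.5") for fw in fws], fws[0].filter("10.0.0.9")
```

Note that neither edge monitor alone crosses the threshold; the point of the centralized manager is that the aggregated rate does, and the resulting block takes effect at both firewalls simultaneously.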

"IBM's hardware module constitutes the kind of solution for large-scale deployment in distributed corporate networks that network operators and internet service providers need to ensure the integrity of their networks," states Sagmeister. Whereas, until now, individual users were in a poor position to protect and defend themselves against most kinds of malicious attacks, the DIADEM solution will allow internet service providers to secure their networks, including the systems of their clients and users, in a central fashion.

This paradigm shift in security management means that internet service providers can offer a real added value by providing a level of protection against malicious traffic that is significantly higher than what the average end-user can achieve. "DIADEM will pave the way to the next generation of distributed high-speed broadband firewalls with policy-based control," predicts Sagmeister.

Preliminary tests and performance evaluations of the DIADEM firewall and the hardware module have been successful. Now it is up to internet service providers and network operators to assume responsibility for implementing and managing centralized network security.

About the DIADEM Firewall project

The DIADEM Firewall project focused on a solution for adaptive security by means of a distributed programmable firewall to stop distributed denial-of-service (DDoS) attacks. The collaborative research project, which was officially launched in 2004 and completed on September 30, 2006, received funding in part from the European Commission and the Swiss government. Partners involved in the DIADEM Firewall include France Télécom's R&D department, the University of Tübingen in Germany, IBM Research - Zurich, Imperial College London, Groupe des Ecoles des Télécommunications in France, Jozef Stefan Institute in Slovenia, and Polish Telecom.

Press contact

Nicole Strachowski
Media Relations
IBM Research - Zurich
Tel +41 44 724 84 45
