How Hole Punching Technology Can Improve Network Security
- By admin
Hole-punching is a patented technology developed by Core Technology in cooperation with PATH Network’s engineering team that allows the return traffic of outbound connections to be accepted on demand, without requiring firewall rules that permanently allow the conversation. This lets customers restrict their firewall so that unsolicited traffic is accepted only for listening services such as web servers, DNS servers, or game servers. As a result, the overall attack surface of the user’s network is vastly reduced. We accomplish this by storing state about each conversation, from the moment it is initiated, on the egress Core Technology mitigation appliance.
If you have read previous blog posts, you may have realized that our network is entirely Anycasted. To reiterate, the idea is that each customer IP address is announced by all of our Points of Presence (PoPs). Traffic destined to these IPs will be routed to the nearest PoP. One of the many advantages of this approach is that attacks are automatically dispersed across the network in relation to their geographical location. Each PoP is responsible for mitigating attacks in the surrounding region which means that no additional latency is incurred in order to scrub traffic. Additionally, certain services that we offer such as website DDoS protection benefit greatly since assets can be cached and then served as close to the user as possible.
The prudent reader may have asked themselves how our Anycast network knows to allow the return traffic when it could arrive at any PoP. To solve this, Core Technology has constructed a network-wide state synchronization mechanism where each mitigation appliance that sees an egress connection being initiated shares the information in a decentralized manner over intersite tunnels. These optimized tunnels consistently allow us to notify all other PoPs before the response has the chance to be seen by our network.
An upside of tracking outbound connections for our hole-punching system is that it lets us easily detect abusive behavior originating from customers. An excess of holes punched for a given server is a strong indication of nefarious activity such as scanning or DoS attacks. Consequently, customers who route their traffic symmetrically not only benefit from superior protection against external threats but also gain automatic detection of threats originating from within their own network.
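As an added illustration (this is not Core Technology's or PATH Network's code), the following Python model walks through the mechanism described in the paragraphs above: each PoP records outbound connections, pushes them to its peer PoPs, admits inbound traffic only for listening services or known return flows, and flags customer hosts that punch an unusual number of holes. The PoP names, addresses and the abuse threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed model of the scheme described above (not Core Technology's code).
# Every PoP keeps a table of outbound connections it has seen, pushes each new
# entry to all peer PoPs, and admits an inbound packet only if it targets a
# listening service or reverses a previously punched hole.
ABUSE_THRESHOLD = 5  # assumed: distinct holes per customer host before flagging

class PoP:
    def __init__(self, name, listening):
        self.name = name
        self.listening = set(listening)   # (ip, port) of advertised services
        self.holes = set()                # (cust_ip, cust_port, peer_ip, peer_port)
        self.peers = []                   # other PoPs reached over intersite tunnels
        self.holes_per_host = defaultdict(int)

    def egress(self, src, sport, dst, dport):
        """Customer-initiated packet leaving via this PoP: punch a hole here
        and synchronise it to every other PoP before the reply can arrive."""
        key = (src, sport, dst, dport)
        if key not in self.holes:
            self.holes_per_host[src] += 1
        for pop in [self] + self.peers:
            pop.holes.add(key)
        return key

    def ingress(self, src, sport, dst, dport):
        """Inbound packet at this PoP: 'listening', 'return' or 'drop'."""
        if (dst, dport) in self.listening:
            return "listening"
        if (dst, dport, src, sport) in self.holes:
            return "return"
        return "drop"

    def abusive_hosts(self):
        """Customer hosts whose hole count suggests scanning or DoS."""
        return {h for h, n in self.holes_per_host.items() if n >= ABUSE_THRESHOLD}

def build_mesh(names, listening):
    """Create fully meshed PoPs that all announce the same customer prefix."""
    pops = {n: PoP(n, listening) for n in names}
    for p in pops.values():
        p.peers = [q for q in pops.values() if q is not p]
    return pops

if __name__ == "__main__":
    pops = build_mesh(["fra", "nyc", "sin"], [("203.0.113.10", 443)])
    pops["fra"].egress("203.0.113.20", 40000, "198.51.100.5", 53)  # DNS query out via fra
    print(pops["nyc"].ingress("198.51.100.5", 53, "203.0.113.20", 40000))  # return
    print(pops["sin"].ingress("192.0.2.1", 1234, "203.0.113.20", 22))      # drop
```

The reply to the DNS query is accepted at a different PoP than the one that saw the outbound packet, which is exactly the case the Anycast state synchronisation has to handle.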
Website: https://coretechnologys.com/
Twitter: https://twitter.com/coretechnologys
Sales: sales@coretechnologys.com