How Hole Punching Technology Can Improve Network Security

Discover Path Networking's innovative global stateful synced firewall, featuring unique hole-punching technology that provides advanced security for your network against both internal and external threats. Learn how our solution seamlessly syncs across global networks for unparalleled protection.

Hole-punching tech, shield & nodes on map for Path Networking's stateful synced firewall.

Hole-punching is a patented technology developed by Path Network’s engineering team that allows the return traffic of outbound connections to be accepted on demand, without standing firewall rules that permanently allow the conversation. Customers can therefore restrict their firewall to accept unsolicited traffic only for listening services such as web servers, DNS servers, or game servers; everything else inbound is dropped unless it is the reply to a connection the customer initiated. As a result, the overall attack surface of the customer’s network is vastly reduced. We accomplish this by storing state about each conversation at the moment it is initiated on the egress path, which is why the protection depends on the customer’s outbound traffic actually passing through our network (symmetric routing): a connection whose first packet we never see cannot punch a hole for its reply.

An image from our monitoring system with hole-punching stopping an abuse from a customer inside our network.

If you have read previous blog posts, you may have realized that our network is entirely Anycasted. To reiterate, each customer IP address is announced by all of our Points of Presence (PoPs), and traffic destined for these IPs is routed to the nearest PoP. One of the many advantages of this approach is that attacks are automatically dispersed across the network according to where they originate geographically. Each PoP is responsible for mitigating attacks in the surrounding region, so no additional latency is incurred in order to scrub traffic. Additionally, certain services that we offer, such as website DDoS protection, benefit greatly since assets can be cached and then served as close to the user as possible.

The prudent reader may have asked themselves how our Anycast network knows to allow the return traffic when it could arrive at any PoP, not necessarily the one that saw the connection leave. To solve this, Path has constructed a network-wide state synchronization mechanism: each mitigation appliance that sees an egress connection being initiated shares the new state with every other PoP in a decentralized manner over intersite tunnels. The design constraint is a race: the state announcement must reach the PoP where the reply lands before the reply itself does, otherwise that reply would be indistinguishable from unsolicited traffic and dropped. These optimized tunnels consistently let us notify all other PoPs before the response has the chance to be seen by our network.

An upside of tracking outbound connections for the hole-punching system is that it lets us easily detect abusive behavior originating from customers. An excess of holes punched by a given server, in particular towards many distinct destinations in a short window, is a strong indication of nefarious activity such as port scanning or outbound DoS attacks. As with any rate-based heuristic, a legitimate high-fan-out workload such as a crawler can look similar, so the threshold has to be chosen with the customer's normal traffic in mind. Consequently, customers routing their traffic symmetrically not only benefit from superior protection against external threats but also from the automatic detection of threats originating from within their own network.
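To make the three mechanisms described above concrete (punching a hole on egress and admitting only matching replies, synchronizing that state between anycast PoPs, and counting punched holes to spot abuse), here is a toy model written for this article. It is not Path's code and Path's real appliance, sync protocol, timeouts and thresholds are not public; the fixed one-way sync latency, the 30-second hole lifetime, the "distinct remote endpoints in a window" abuse heuristic, the PoP names and all IP addresses are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Toy model (added example, not Path's code) of a hole-punching stateful firewall
# whose per-connection state is synchronised between anycast PoPs.


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


HOLE_TTL = 30.0     # assumed: seconds a punched hole stays open without traffic


class PoP:
    """One mitigation appliance. Holes are keyed on the *reply* 5-tuple so that an
    inbound packet is matched with a single dictionary lookup."""

    def __init__(self, name, listening, sync_latency=0.0):
        self.name = name
        self.listening = set(listening)    # (customer_ip, proto, port) that accept unsolicited traffic
        self.sync_latency = sync_latency   # assumed one-way delay of the intersite sync tunnel
        self.peers = []                    # other PoPs that receive our state announcements
        self.holes = {}                    # reply 5-tuple -> (valid_from, expires)
        self.punches = defaultdict(list)   # customer_ip -> [(time, remote_ip, remote_port)]

    @staticmethod
    def _reply_key(pkt):
        # 5-tuple of the packet that would answer `pkt`: both ends swapped.
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def _install(self, key, valid_from):
        self.holes[key] = (valid_from, valid_from + HOLE_TTL)

    def egress(self, pkt, now):
        """Customer-originated packet leaves through this PoP: punch a hole locally,
        record the punch for abuse detection, and announce it to every peer."""
        key = self._reply_key(pkt)
        self._install(key, now)
        self.punches[pkt.src_ip].append((now, pkt.dst_ip, pkt.dst_port))
        for peer in self.peers:
            peer._install(key, now + self.sync_latency)   # peer learns it after the tunnel delay

    def ingress(self, pkt, now):
        """Verdict for an Internet-originated packet that anycast delivered to this PoP."""
        if (pkt.dst_ip, pkt.proto, pkt.dst_port) in self.listening:
            return "accept:listening"
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        state = self.holes.get(key)
        if state is None:
            return "drop:unsolicited"
        valid_from, expires = state
        if now < valid_from:
            return "drop:sync-not-yet-received"    # the reply beat the state sync to this PoP
        if now >= expires:
            del self.holes[key]
            return "drop:expired"
        self.holes[key] = (valid_from, now + HOLE_TTL)   # traffic keeps the hole open
        return "accept:hole"

    def abusive_sources(self, now, window=10.0, max_distinct=100):
        """Customer IPs that punched holes to more than `max_distinct` distinct remote
        endpoints within `window` seconds: the shape of a scan or an outbound flood."""
        flagged = set()
        for ip, events in self.punches.items():
            recent = {(rip, rport) for (t, rip, rport) in events if now - t <= window}
            if len(recent) > max_distinct:
                flagged.add(ip)
        return flagged


def mesh(pops):
    """Full mesh: every PoP announces new state to every other PoP."""
    for p in pops:
        p.peers = [q for q in pops if q is not p]


def demo():
    customer = "203.0.113.10"                    # constructed customer address
    listening = {(customer, "tcp", 443)}         # only HTTPS accepts unsolicited traffic
    fra = PoP("fra", listening, sync_latency=0.005)
    nyc = PoP("nyc", listening, sync_latency=0.005)
    mesh([fra, nyc])

    dns_query = Packet("udp", customer, 51000, "198.51.100.7", 53)
    dns_reply = Packet("udp", "198.51.100.7", 53, customer, 51000)
    fra.egress(dns_query, now=0.0)               # hole punched at fra, announced to nyc
    verdicts = {
        "reply at nyc before sync": nyc.ingress(dns_reply, now=0.003),
        "reply at nyc after sync": nyc.ingress(dns_reply, now=0.020),
        "reply at fra": fra.ingress(dns_reply, now=0.010),
        "unsolicited ssh at nyc": nyc.ingress(Packet("tcp", "198.51.100.7", 40000, customer, 22), now=0.020),
        "https at nyc": nyc.ingress(Packet("tcp", "192.0.2.9", 40001, customer, 443), now=0.020),
        "reply at fra after ttl": fra.ingress(dns_reply, now=60.0),
    }
    # Constructed abuse: a second customer host SYNs 150 distinct hosts within two seconds.
    scanner = "203.0.113.20"
    for i in range(150):
        fra.egress(Packet("tcp", scanner, 40000 + i, f"198.51.100.{i}", 22), now=1.0 + i / 75)
    return verdicts, fra.abusive_sources(now=3.0)


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:28s} {verdict}")
    print("flagged:", demo()[1])
```

Two details in the model are worth noting. The reply that reaches `nyc` 3 ms after the query left `fra` is dropped because the announcement has not arrived yet; that is exactly the race the sync tunnels have to win, and in the toy it is made visible by giving the tunnel a latency larger than the reply's. Punch accounting stays on the PoP that saw the egress, so abuse detection needs no extra synchronization: the scanning host is flagged at `fra` from local records alone.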

Website: https://path.net/
Twitter: https://twitter.com/path_network
Sales: sales@path.net