Session: C3 • Full coverage of OWASP Top-10 by negative & positive security models • Protection...
Session: C3
Company: Radware
Topic: ADC & Security for SDDC
Speaker: Sam Lin (Title) General Manager
L4-L7 ADC (appliance or NFV) and Security service (appliance or NFV) for the Software-Defined Data Center
Sam Lin
Radware Taiwan
SDDC definition
Slide 3
Data Center Use Case 1: traditional servers
Slide 4
Tiers: Web, App, DB; fronted by a FW/IPS and an Alteon ADC
Alteon ADC services:
- SLB
- GSLB
- Caching
- SSL
- IPS
Data Center Use Case 2: virtual servers
Slide 5
Tiers: Web, App, DB; fronted by a FW/IPS and an Alteon-NG ADC
Alteon-NG adds on top of the use case 1 ADC services:
+ APM
+ FastView
+ WAF
+ SSO
+ DDoS
Data Center Use Case 3: virtual network on NFV
Slide 6
Tiers: Web, App, DB; NGFW/IPS deployed as NFV; Alteon ADC instances deployed as NFV
Software-Defined Data Center Use Case 4
Slide 7
Tiers: Web, App, DB; NGFW/IPS as NFV; Alteon ADC instances as NFV; all provisioned by a Cloud Orchestrator and an SDN Controller
Alteon-NFV & DefensePro-NFV for Cloud in a Rack
Slide 8
Radware 2014
Services exposed to the Cloud Controller:
1. SLB
2. SSL
3. Cache
4. APM
5. FastView
6. AS++
7. VX Hypervisor
8. vDirect
9. Cloud Signaling
10. DDoS
11. BWM
12. WAF
13. SSO
14. GSLB
Platforms exposed to the SDN Controller:
- Alteon 100M-80G (#1 Vision L7 Controller)
- DefensePro 200M-40G (#1 DDoS + IPS)
- LinkProof 100M-16G (#1 link load balancing)
Alteon features:
Gartner ADC 2014
• Alteon NG ADC for Private/Public Cloud
Slide 10
Alteon Platform Line-Up - Number 1 Vision
Slide 11
- Alteon 6420: 20-80 (160) Gbps, 1-88 vADCs
- Alteon 5208: 5-26 Gbps, 1-24 vADCs
ADC virtualization - for any size data center!
Alteon VX - Isolated Resource
Each vADC on the VX hypervisor gets its own isolated stack:
- On Demand Services: Global SLB, Security, ITM
- Layer 4-7 Services: fully featured ADC (health checks, Layer 7 configurations, etc.)
- Network: VLANs, ARP tables, virtual routing and forwarding tables
- Infrastructure: physical resources (CPU, memory, SSL)
- Private config file, logging and statistics per vADC
Example tenants sharing one chassis:
- IP Domain 1: SharePoint, 1Gbps, customer managed (Global SLB, Security, ITM)
- IP Domain 2: Oracle, 2Gbps, ITM
- IP Domain 3: Marketing applications, 2Gbps, Security; provider managed, customer "Monitor Only"
Slide 12
• The most extreme Layer 4-7 performance in the ADC market --- Alteon 5208
• Default 5G throughput (expandable to 10G, 20G) --- the most complete!
• In the ADC market, 2 x 10G ports plus 6 x 1G ports, with Layer 4 performance of 700K CPS --- the most powerful!
• 2 vADCs by default (expandable to 24), fully independent and not interfering with each other --- the most special!
• Includes SSL, cache acceleration, STP, RIP, BGP and DDoS protection • includes TCL scripting for feature extension • one-year license for HTML acceleration and network performance monitoring --- the most innovative! • WAF can be added, and Chunghwa Telecom's upstream DDoS protection can be dynamically combined
--- the most comprehensive!
• Can be integrated with a cloud controller
Slide 13
Nine Major Advantages of the Alteon 5208
NFV-SDN-Cloud Architecture
Slide 14
Slide 15
ETSI certified NFV
Proactive SLA Management
Breakdown by application, location or specific transaction
Monitor application’s SLA and user transaction response time
Track real user transactions that breach SLAs
Real time error detection - tracking proper transaction completion
Slide 16
FastView Under the Hood
- Render page for specific browser
- Transform resources
- Transform HTML
- Create acceleration template
Slide 17
FastView™: Page Performance
F5’s site loads more than twice as fast with Radware’s FastView™
Slide 18
Diagram: Internet -> Firewall -> Radware ADC -> Servers -> Database (Data Center), with VMware vCenter Orchestrator alongside
Advanced Data Center: dynamic allocation of system resources
Step #1: Users connect to the application.
Step #2: vCenter Orchestrator continuously monitors the application servers' CPU load, number of connected users and connection response time.
Step #3: When the threshold configured by the administrator is exceeded, vDirect notifies vCenter to add a VM and automatically notifies the server load balancer to update its configuration.
Step #4: The server load balancer can then direct traffic to the newly added VM.
Step #5: When the number of users starts to decrease, vDirect waits until the last session on the Guest OS client has closed normally, then notifies vCenter, which automatically reclaims the WEB/AP Guest OS and removes it from the SLB pool.
Slide 19
GSLB Elasticity & Cloud Burst
Slide 20
Data Center A and Data Center B, plus a PUBLIC CLOUD
Elastically scale out on-prem applications, then scale out to the public cloud
vDirect ADC Workflow: State Sync across sites
Web Security
Slide 21
Complete Web Application Protection
• Full coverage of OWASP Top-10 by negative & positive security models
• Protection against dozens of attack vectors listed on WASC Threat
Classification
• Efficient, accurate and difficult-to-evade out-of-the-box negative security
– Terminating TCP connections (the WAF inspects the complete, reassembled request)
– Normalizing client-encoded traffic before signatures are matched
– Blocking various evasion techniques
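The three bullets above, as an added example that is not Radware AppWall code: because the WAF terminates the connection it holds a complete request it can decode, and the normalization step undoes the encodings attackers stack on a payload before any signature runs. The script checks the same constructed query strings raw and after normalization; the signatures are illustrative, not a production rule set.

```python
"""Negative-security inspection on normalized input.

Added example, not Radware AppWall code. The signatures and the sample
requests below are constructed for illustration, not a production rule set.
"""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound repeated decoding (double/triple URL encoding)


def normalize(value):
    """Undo encodings and obfuscations before matching signatures."""
    out = value.replace("+", " ")           # form encoding of spaces
    for _ in range(MAX_DECODE_ROUNDS):      # %2527 -> %27 -> '
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    out = out.replace("\x00", "")           # null-byte truncation tricks
    out = out.replace("\\", "/")            # backslash path separators
    out = re.sub(r"/\*.*?\*/", "", out)     # SQL inline comments: UNI/**/ON
    out = re.sub(r"\s+", " ", out)          # tabs/newlines used as separators
    return out.lower()


# Illustrative negative-model signatures (not a real rule set).
SIGNATURES = {
    "sql_injection": re.compile(
        r"\bunion\b\s+(all\s+)?\bselect\b"
        r"|'\s*or\s+'?\d+'?\s*=\s*'?\d+"
        r"|;\s*drop\b", re.IGNORECASE),
    "directory_traversal": re.compile(r"\.\.(/|$)"),
    "xss": re.compile(
        r"<\s*script\b|javascript:|\bon(load|error|click|mouseover)\s*=",
        re.IGNORECASE),
}


def inspect_request(raw, normalize_first=True):
    """Return the signature names that match. With normalize_first=False the
    raw text is checked as-is, which is exactly how an evasion slips past."""
    text = normalize(raw) if normalize_first else raw
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


# Constructed query strings: three encoded evasions and one benign request.
SAMPLES = {
    "double_encoded_sqli":
        "id=1%2527%2520UNI%252F%252A%252A%252FON%2520SELECT%2520password%2520FROM%2520users",
    "traversal_backslash": "file=..%5c..%5c..%5cetc%5cpasswd",
    "plus_encoded_tautology": "user=admin'+OR+'1'%3D'1",
    "benign": "q=hotels+in+taipei&page=2",
}


def inspect_samples():
    """Map each sample to (hits on raw text, hits after normalization)."""
    return {name: (inspect_request(s, normalize_first=False), inspect_request(s))
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (raw_hits, norm_hits) in inspect_samples().items():
        print(f"{name:24s} raw={raw_hits} normalized={norm_hits}")
```

Every evasion sample matches nothing raw and exactly one signature after normalization, while the benign query stays clean in both passes. The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a resource-exhaustion target.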
Adaptive Auto Policy Generation (1 of 4): App Mapping
Reservations.com application paths discovered: /config/, /hotels/, /register/, /info/, /reserve/, /admin/
Slide 22
Adaptive Auto Policy Generation (2 of 4): Threat Analysis
App Mapping: Reservations.com paths /config/, /hotels/, /register/, /info/, /reserve/, /admin/
Risk analysis per "application-path":
- SQL Injection: spoof identity, steal user information, data tampering
- CCN breach: information leakage
- Buffer Overflow: unexpected application behavior, system crash, full system compromise
- Directory Traversal: gain root access control
Slide 23
Adaptive Auto Policy Generation (3 of 4): Policy Generation
App Mapping and Threat Analysis as above (Reservations.com paths; SQL Injection, CCN breach, Buffer Overflow, Directory Traversal)
Generated policy:
- Prevent access to sensitive app sections
- Mask CCN, SSN, etc. in responses (shown as ***********9459)
- Parameters inspection
- Traffic normalization & HTTP RFC validation
Slide 24
Adaptive Auto Policy Generation (4 of 4): Policy Activation
App Mapping, Threat Analysis and Policy Generation as above (masking shown as ***********9459)
- Add tailored application rules
- Optimize rules for best accuracy
Time to protect: virtually zero false positives with the best security coverage
Slide 25
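The four-step sequence above, as an added example that is not Radware AppWall code: the app map uses the Reservations.com paths from the slides, the generated policy blocks the sensitive sections and gives each remaining path a per-parameter allow-list, enforcement names the rule that fired, and response masking keeps only the last four digits of a card number, as the slides show. The parameter types, sample requests and sample response are constructed assumptions.

```python
"""Positive-security policy generated from an application map.

Added example, not Radware AppWall code. Paths come from the slides; the
learned parameter types, sample requests and sample response are constructed.
"""
import re

APP_MAP = ["/config/", "/hotels/", "/register/", "/info/", "/reserve/", "/admin/"]

# What the learning phase would have observed per path (constructed).
LEARNED_PARAMS = {
    "/hotels/":   {"city": "alnum", "page": "int"},
    "/reserve/":  {"hotel_id": "int", "checkin": "date", "email": "email"},
    "/register/": {"email": "email", "name": "alnum"},
    "/info/":     {},
}

PARAM_TYPES = {
    "int":   re.compile(r"^\d{1,9}$"),
    "date":  re.compile(r"^\d{4}-\d{2}-\d{2}$"),
    "alnum": re.compile(r"^[A-Za-z0-9 _-]{1,64}$"),
    "email": re.compile(r"^[^@\s]{1,64}@[^@\s.]+(\.[^@\s.]+)+$"),
}


def generate_policy(app_map, learned_params, sensitive=("/admin/", "/config/")):
    """Build the positive model: unknown paths are implicitly denied,
    sensitive sections are blocked, other paths get a parameter allow-list."""
    policy = {}
    for path in app_map:
        if path in sensitive:
            policy[path] = {"action": "block"}
        else:
            policy[path] = {"action": "inspect", "params": learned_params.get(path, {})}
    return policy


def enforce(policy, path, params):
    """Return (decision, reason) for one request. Anything not explicitly
    learned is rejected, so an injection payload fails on its shape alone."""
    rule = policy.get(path)
    if rule is None:
        return ("block", f"unknown path {path}")
    if rule["action"] == "block":
        return ("block", "sensitive application section")
    allowed = rule["params"]
    for name, value in params.items():
        if name not in allowed:
            return ("block", f"unexpected parameter {name}")
        if not PARAM_TYPES[allowed[name]].match(value):
            return ("block", f"parameter {name} violates type {allowed[name]}")
    return ("allow", "positive model match")


def luhn_ok(digits):
    """Luhn checksum, so long order or phone numbers are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def mask_card_numbers(body):
    """Replace Luhn-valid 13-19 digit numbers with stars, keeping the last 4."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return CARD_CANDIDATE.sub(repl, body)


# Constructed response body: an order number (Luhn-invalid) and a test card.
SAMPLE_RESPONSE = "Order 1234567890123 confirmed. Card 4111 1111 1111 1111 charged."

if __name__ == "__main__":
    policy = generate_policy(APP_MAP, LEARNED_PARAMS)
    print(enforce(policy, "/hotels/", {"city": "Taipei", "page": "2"}))
    print(enforce(policy, "/hotels/", {"city": "Taipei' OR '1'='1"}))
    print(enforce(policy, "/admin/", {}))
    print(mask_card_numbers(SAMPLE_RESPONSE))
```

Note that the tautology payload is blocked here by the `alnum` type of `city`, not by any SQL signature: that is the positive model's contribution next to the negative one. The Luhn check on the masking side is what keeps the order number intact while the card number is masked.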
The Reporting Dashboard
Slide 26
PCI Compliance Summary Report
PCI Requirement
Analysis Info
Action Plan
Slide 27
Compliance Status
WAF service in Carrier
Attackers Deploy Multi-vulnerability Attack Campaigns
Attack classes: volumetric attacks, stateful attacks, application attacks, app misuse
Attack vectors: high bandwidth or PPS network flood attacks, SYN floods, SSL floods, HTTP floods, brute force, intrusions, "low & slow" DoS attacks (e.g. Sockstress), network scan, SQL injection, cross-site scripting
Slide 29
Targets along the path: Internet pipe -> Firewall -> IPS/IDS -> ADC -> attacked server -> SQL server
More than 50% of 2013 attack campaigns had more than 5 attack vectors.
DefensePro Platform Line-Up - Number 1 in Carrier
Slide 30
- DPx412: 10G x4 + 1G x8 + 1G SFP x4; 4/8/12 Gbps
- DPx420: 40G x4 + 10G SFP x40; 10/20/30/40 Gbps (* scheduled for mid 2014)
- DP x06: 1G SFP x2 + 1G x4; 100/200/500M/1/2 Gbps
• DefensePro NG IPS for Private/Public Cloud
Slide 31
Alteon ADC: DoS Signaling to Local AMS
Slide 32
Protected Organization with protected online services: Firewall, DefensePro, Alteon NG (integrated WAF module, inclusive SSL-based attack mitigation)
Alteon signals to the AMS (DefensePro) when its health or traffic parameters indicate an attack:
ADC health parameters:
• CPU utilization
• Tables capacity utilization
Traffic parameters:
• Bandwidth
• PPS, CPS, CEC
• Total & per service
AMS mitigates the attack
DoS Signaling to the Cloud
Slide 33
Protected Organization with protected online services: Firewall, DefensePro, Alteon NG (integrated WAF module, inclusive SSL-based attack mitigation)
1. A volumetric DDoS attack saturates the Internet pipe
2. Alteon signals to the AMS
3. ERT and the customer decide to divert the traffic
4. DefensePipe mitigates the volumetric attack
5. The Internet pipe is cleaned
CHT MSSP service
Slide 34
ElasticScale: the SDN application that programs the network for scalable L4-L7 application delivery services
Architecture: the ElasticScale App, Application Anti-DoS App, Network Anti-DoS App and Distributed Mitigation App sit on an abstraction layer with NBAPI & orchestration plug-ins, SDN drivers and L4-L7 drivers
Elastic Scale SDN Application: Alteon VA and Alteon appliance instances (serving Application 1 and Application 2) are provisioned through a Virtualization Manager under the IBM Unified SDN Controller
DefenseFlow DDoS: the SDN application that transforms the network into a secure monitoring & attack mitigation network
Architecture: the Application Anti-DoS App and Network Anti-DoS App run on the abstraction layer (NBAPI, SDN drivers, L4-L7 drivers) above the IBM Unified SDN Controller
- Collect network stats from programmable probes: vSwitch local flow counters and edge flow counters
- Program network anti-DoS service provisioning
- Control "flow diversion" and mitigation: DefensePro acts as the attack mitigation scrubbing center
- Network DDoS attack detected: the apps tune the security policy, then analyze & decide
Adaptive Network Anomaly Decision Surface: traffic parameters plotted against each other, with the Normal Adapted Area in the middle, a Suspicious Area around it and the Attack Area beyond; detection triggers when traffic leaves the adapted area
SDN Controller
Slide 39
DefenseFlow Anti-DoS App workflow (Rest API to the SDN controller; Protected Objects, Protected Link, Scrubbing Center):
1. "We want to protect this link to our servers": the link is registered as a protected object
2. The DefenseFlow application instructs the SDN to send back statistics
3. The SDN network sends back stats, which the DefenseFlow app monitors and uses to tune the security policy and baselines
4. Attack starts! Attack detected: the DefenseFlow app tunes the scrubbing center (DefensePro)
5. DefenseFlow instructs the SDN to divert attack traffic to the scrubbing center
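The control loop that runs through the DoS-signaling slide, the Adaptive Network Anomaly Decision Surface and the DefenseFlow workflow, as one added example that is not Radware DefensePro, DefenseFlow or Alteon code: per-parameter baselines for bandwidth, PPS and CPS are learned from clean samples, each new sample is placed in the Normal, Suspicious or Attack area by how many standard deviations it sits above the baseline, Normal samples feed back into the baseline (the "adapted" area), and an Attack verdict signals an assumed mitigation backend that records the protected link it would divert to the scrubbing center. The z-score thresholds, link name and traffic samples are constructed assumptions.

```python
"""Adaptive baseline, three-zone decision surface and diversion hook.

Added example, not Radware DefensePro, DefenseFlow or Alteon code. The
thresholds and the traffic samples are constructed for illustration.
"""
import statistics

PARAMS = ("bandwidth_mbps", "pps", "cps")
SUSPICIOUS_Z = 3.0   # standard deviations above baseline: enter Suspicious Area
ATTACK_Z = 6.0       # standard deviations above baseline: enter Attack Area


class Baseline:
    """Per-parameter history of traffic judged normal."""

    def __init__(self, clean_samples):
        self.history = {p: [s[p] for s in clean_samples] for p in PARAMS}

    def learn(self, sample):
        for p in PARAMS:
            self.history[p].append(sample[p])

    def zscore(self, param, value):
        xs = self.history[param]
        mean, sd = statistics.fmean(xs), statistics.pstdev(xs)
        if sd == 0:                       # flat baseline: use 5% of the mean as scale
            sd = max(abs(mean) * 0.05, 1e-9)
        return (value - mean) / sd


def classify(baseline, sample):
    """Decision surface: the worst parameter decides the area."""
    worst = max(baseline.zscore(p, sample[p]) for p in PARAMS)
    if worst >= ATTACK_Z:
        return "attack"
    if worst >= SUSPICIOUS_Z:
        return "suspicious"
    return "normal"


class Mitigator:
    """Stand-in for the AMS / scrubbing center control path (assumed API)."""

    def __init__(self):
        self.signals = []
        self.diverted = []

    def signal(self, area, sample):
        self.signals.append((area, dict(sample)))

    def divert(self, link):
        if link not in self.diverted:
            self.diverted.append(link)


def run_loop(baseline, samples, mitigator, protected_link):
    """Monitor -> classify -> adapt or signal/divert; returns the verdicts."""
    verdicts = []
    for s in samples:
        area = classify(baseline, s)
        verdicts.append(area)
        if area == "normal":
            baseline.learn(s)             # only clean traffic tunes the baseline
        else:
            mitigator.signal(area, s)     # Suspicious: signal, keep watching
            if area == "attack":
                mitigator.divert(protected_link)   # Attack: divert to scrubbing
    return verdicts


# Constructed clean traffic used to learn the baseline.
CLEAN = [
    {"bandwidth_mbps": b, "pps": p, "cps": c}
    for b, p, c in [(95, 19000, 470), (100, 20000, 500), (105, 21000, 530),
                    (100, 20000, 500), (95, 19000, 470), (100, 20000, 500),
                    (105, 21000, 530), (100, 20000, 500), (95, 19000, 470),
                    (105, 21000, 530)]
]
# Constructed live samples: normal, elevated bandwidth, volumetric attack, normal.
LIVE = [
    {"bandwidth_mbps": 102, "pps": 20300, "cps": 505},
    {"bandwidth_mbps": 118, "pps": 22000, "cps": 560},
    {"bandwidth_mbps": 900, "pps": 400000, "cps": 9000},
    {"bandwidth_mbps": 101, "pps": 19900, "cps": 498},
]


def demo(link="dc-edge-link-1"):
    """Run the live samples through the loop; returns (verdicts, diverted, signal count)."""
    mitigator = Mitigator()
    verdicts = run_loop(Baseline(CLEAN), LIVE, mitigator, link)
    return verdicts, mitigator.diverted, len(mitigator.signals)


if __name__ == "__main__":
    print(demo())
```

Two design points matter more than the numbers: Suspicious and Attack samples never enter the baseline, otherwise a slow ramp would teach the detector that the attack is normal (the "adapted" area on the slide grows only from clean traffic), and the diversion is idempotent so a sustained flood does not re-issue the same SDN flow rule on every sample.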