Radware - DSS @Vilnius 2010
Transcript of Radware - DSS @Vilnius 2010
![Page 1: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/1.jpg)
Security of Data Center
Michael Soukonnik
2.12.2010 Vilnius
![Page 2: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/2.jpg)
Radware – what is it about?
• Availability
– How do you ensure business applications are
delivered under attacks?
• Performance
– How do you ensure consistent user experience when
your network is under attack?
• Security
– What is the cost of data loss or abuse of your
resources?
• Scalability
– How do you ensure future growth while minimizing
initial spending?
• Cost reduction
– How to address all the above while reducing costs?
Slide 2
We focus on data center application delivery and security
![Page 3: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/3.jpg)
Security : Network & Data Center Threats
Slide 3
Threats:
• Application vulnerability
• Information theft
• Authentication defeat
• Malware spread
• Network anomalies
• Application downtime
• Network downtime
Protection tools:
• Intrusion Prevention
• Behavioral Analysis
• DoS Protection
![Page 4: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/4.jpg)
Hackers’ Change in Motivation
Slide 4
[Timeline diagram, 2001 to 2010: attack risk rises over time, and the motivation shifts from vandalism and publicity, through “hacktivism”, to financially motivated attacks]
• 2001: CodeRed (defacing IIS web servers)
• 2001: Nimda (installed Trojan)
• 2003: Blaster (attacking Microsoft web site)
• 2003: Slammer (attacking SQL websites)
• 2004: Republican website DoS
• 2005: Agobot (DoS botnet)
• 2007: Storm (botnet)
• 2007: Estonia’s web sites DoS
• 2007: Srizbi (botnet)
• 2007: Rustock (botnet)
• 2008: Georgia web sites DoS
• 2009: Kracken (botnet)
• 2009: Google / Twitter attacks
• July 2009: Cyber attacks on US & Korea
• 2010: IMDDOS (botnet)
![Page 5: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/5.jpg)
July 2009 Cyber Attacks – From The News
Slide 5
![Page 6: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/6.jpg)
Slide 7
July 2009 Cyber Attacks: Mapping The Attacks
[Diagram: the attacker issues bot commands through a C&C server to bots (infected hosts), which flood the public web servers over the Internet alongside legitimate users]
Mydoom.EA Botnet Characteristics
• ~50,000 zombie computers
• Diversified attacks:
  – HTTP page flood
  – SYN flood with packet anomalies
  – UDP flood
  – ICMP flood
• Destinations in US and S/Korea
• ~6-7 Gbps inbound traffic (>2 Million PPS)
![Page 7: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/7.jpg)
July 2009 Cyber Attacks: Fighting Back
Slide 8
| Attack Vector | Solution |
| --- | --- |
| Bot malware spread | IPS or Network Behavior Analysis |
| Bot Command & Control messages | IPS |
| Application flooding (HTTP page flood attack) | Network Behavior Analysis |
| Network flooding (SYN/UDP/ICMP flood attack) | DoS Protection |
No single protection tool can handle today’s data center threats
![Page 8: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/8.jpg)
The Solution
![Page 9: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/9.jpg)
Network & Data Center security: Mapping The Solutions
Slide 10
[Diagram: Internet, access router, firewall, then web servers and application servers. Protections mapped along the path: DoS Protection, IPS, NBA and anti-Trojan / phishing. DefensePro combines IPS, DoS Protection and NBA in one device]
APSolute attack prevention for data centers
![Page 10: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/10.jpg)
Network & Data center Security: Mapping The Technologies
Slide 11
[Diagram: DefensePro (IPS, DoS Protection, NBA). The three functions are mapped onto the underlying technologies: Signature Detection, Rate-based detection, Behavioral Analysis, Stateful Inspection and SYN Cookies]
![Page 11: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/11.jpg)
Slide 12
Introducing DefensePro
DefensePro is a real-time attack prevention device that protects
your application infrastructure against network and application
downtime, application vulnerability exploitation, malware spread,
network anomalies and information theft
![Page 12: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/12.jpg)
DefensePro Building Blocks
Slide 13
![Page 13: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/13.jpg)
DefensePro: Protection Set
Slide 14
![Page 14: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/14.jpg)
IPS: Static Signature Protection
• Signature protection
– Leading security research team
– Protection against known application vulnerability exploits
– Weekly and emergency signature updates
• Enables protection against
– Worms, Bots, Trojans, Phishing, Spyware
– Web, Mail, SQL, VoIP (SIP), DNS vulnerabilities
– Anonymizers, IPv6 attacks
– Microsoft vulnerabilities
– Protocol anomalies
Slide 15
![Page 15: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/15.jpg)
DoS Protection: Real-time Signatures Protection
• Automatic real-time signature protection against network DDoS attacks:
– SYN floods
– TCP floods
– UDP/ICMP floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against network flooding with no need for human intervention
Slide 16
![Page 16: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/16.jpg)
Network Behavioral Analysis: Real-time Signatures Protection
• NBA (Network behavioral analysis) detects abnormal user and application transactions
• Automatic real-time signature protection against:
– Zero-minute malware spread
– Application resource misuse such as:
  • Brute force attacks
  • Web application scanning
  • HTTP page floods
  • SIP scans
  • SIP floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against user and application resource misuse with no need for human intervention
Slide 17
![Page 17: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/17.jpg)
The Secret Sauce – Real-time Signatures
Slide 18
[Diagram of the real-time signature loop sitting between the public network and the enterprise network, covering inbound and outbound traffic]
• Inputs: network, servers, clients
• Behavioral Analysis feeds Abnormal Activity Detection
• Abnormal activity drives Real-Time Signature Generation; the resulting real-time signature is enforced by the Inspection Module
• Closed feedback: optimize the signature, remove it when the attack is over
Threats addressed: DoS & DDoS, application level threats, zero-minute malware propagation
![Page 18: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/18.jpg)
Standard Security Tools: HTTP Flood Example
Slide 19
[Diagram: the attacker issues bot commands through an IRC server to HTTP bots (infected hosts), which misuse the service resources of the public web servers over the Internet]
Static Signatures Approach
- No solution for low-volume attacks as requests are legitimate
- Connection limit against high volume attacks:
  – Agnostic to the attacked page
  – Blocks legitimate traffic
  – High false-positives
![Page 19: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/19.jpg)
Real-Time Signatures: Accurate Mitigation
Case: HTTP Page Flood Attack
Slide 20
[Diagram: the same HTTP bot / IRC server / public web servers scenario as the previous slide]
Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
Behavioral Pattern Detection (2): identify abnormal user activity. For example:
- Normal users download few pages per connection
- Abnormal users download many pages per connection
Real Time Signature: block abnormal users’ access to the specific page(s) under attack
![Page 20: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/20.jpg)
Real-Time Signatures: Resistance to False Positive
Case: Flash Crowd Access
Slide 21
[Diagram: only legitimate users accessing the public web servers over the Internet]
Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
Behavioral Pattern Detection (2): no detection of abnormal user activity
Attack not detected: no real time signature is generated, no user is blocked
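The two-stage detection described on slides 20 and 21, together with the closed feedback loop from slide 18, as an added Python example (this is not Radware's code or DefensePro's actual algorithm; the baseline, thresholds, log format and traffic samples are constructed assumptions):

```python
from collections import Counter, defaultdict

# Constructed per-interval baseline: (mean, std-dev) of hits per page,
# learned during normal operation. Both thresholds are assumed values.
BASELINE = {"/index.html": (100.0, 10.0), "/login": (20.0, 5.0), "/news": (30.0, 6.0)}
PAGE_Z_THRESHOLD = 3.0        # stage 1: page hits far above baseline
PAGES_PER_CONN_THRESHOLD = 5  # stage 2: normal users fetch few pages per connection

def parse(lines):
    """Constructed log format: '<src_ip> <conn_id> <page>' per line."""
    return [tuple(l.split()) for l in lines if l.strip()]

def hot_pages(records):
    """Stage 1: pages whose hit count is far above the learned baseline."""
    hits = Counter(page for _, _, page in records)
    hot = set()
    for page, n in hits.items():
        mean, sd = BASELINE.get(page, (0.0, 1.0))
        if (n - mean) / sd > PAGE_Z_THRESHOLD:
            hot.add(page)
    return hot

def abnormal_users(records, pages):
    """Stage 2: sources that pull many of the hot pages over one connection."""
    per_conn = defaultdict(int)
    for src, conn, page in records:
        if page in pages:
            per_conn[(src, conn)] += 1
    return {src for (src, _), n in per_conn.items() if n > PAGES_PER_CONN_THRESHOLD}

def real_time_signature(records):
    """Signature only when both stages fire; a flash crowd yields None."""
    pages = hot_pages(records)
    srcs = abnormal_users(records, pages) if pages else set()
    if not srcs:
        return None          # hot page but normal users: nobody is blocked
    return {"pages": sorted(pages), "block_sources": sorted(srcs)}

def signature_still_needed(records, sig):
    """Closed feedback: keep the signature only while its page is still hot."""
    return bool(sig) and bool(hot_pages(records) & set(sig["pages"]))

# Constructed traffic samples (RFC 5737 documentation addresses).
FLOOD = ["10.0.0.%d c%d /login" % (i, i) for i in range(1, 31)] \
    + ["198.51.100.7 c900 /login"] * 40 + ["198.51.100.8 c901 /login"] * 40
FLASH_CROWD = ["203.0.113.%d c%d /news" % (i, i) for i in range(1, 81)]
NORMAL = ["192.0.2.%d c%d /login" % (i, i) for i in range(1, 21)]
```

With `FLOOD` the signature names only `/login` and the two sources that pulled it forty times over one connection; with `FLASH_CROWD` the page is hot but no signature is generated.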
![Page 21: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/21.jpg)
DefensePro: OnDemand Switch
Slide 22
![Page 22: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/22.jpg)
OnDemand Switch: Architecture Designed for Attacks Prevention
Slide 23
OnDemand Switch Platform: capacity up to 12Gbps
DoS Mitigation Engine
• ASIC based
• Prevent high volume attacks
• Up to 10 Million PPS of attack protection
NBA Protections
• Prevent application resource misuse
• Prevent zero-minute malware
IPS
• ASIC based String Match Engine performing deep packet inspection
• Prevent application vulnerability exploits
![Page 23: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/23.jpg)
Slide 24
The Competitive Advantage: Performance Under Attack
[Diagram comparing two devices, each with multi-Gbps capacity for legitimate traffic and each facing 10 Million PPS of attack traffic]
• Other Network Security Solutions: device handles attack traffic at the expense of legitimate traffic!
• DefensePro: attack traffic does not impact legitimate traffic
![Page 24: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/24.jpg)
Next Generation DefensePro: IPS+DoS Architecture
Page 25
[Diagram: the Static Signature Engine (DPI) and the Real-time Signatures Engine (multi CPU cores) form the standard IPS solution, the APSolute Immunity engines; the ASIC-based DoS Mitigator engines receive real-time signature injection, giving APSolute Immunity with Booster Shot]
DefensePro On-Demand Switch 3:
• Up to 12Gbps of network traffic inspection
• 4,000,000 concurrent sessions
• Latency < 100 micro seconds
APSolute Immunity booster:
• Prevent high volume attacks
• Up to 10 Million PPS of attack
![Page 25: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/25.jpg)
Reputation Services
• IP Reputation Service
– External real time feeds from 3rd party reputation based services
– Instant blocking of attacks using real-time signatures
– Value proposition
• Protects against
– Botnets (Source IP reputation)
– Zero-minute malware (Web site reputation)
– Social engineering attacks (Web site reputation, e.g., Phishing, drop points)
– Spam (Source IP reputation)
• Easy integration through Reputation Engine
Slide 26
![Page 26: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/26.jpg)
Summary: APSolute Attack Prevention
• APSolute Attack Prevention offers synergy of complementing protection
technologies
– IPS: static signatures
– NBA: real-time signatures
– DoS Protection: real-time signatures
– Reputation Engine: real-time feeds
• Resulting in
– Proactive best of breed network security solution for networks and data centers
Slide 27
![Page 27: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/27.jpg)
OnDemand Attack Prevention: Models up to 12Gbps
• DefensePro x412 Behavioral Protection
– Models: DefensePro 4412 (4Gbps), DefensePro 8412 (8Gbps), DefensePro 12412 (12Gbps)
• DefensePro x412 IPS & Behavioral Protection
– Models: DefensePro 4412 (4Gbps), DefensePro 8412 (8Gbps)
• DefensePro x016 IPS & Behavioral Protection
– Models: DefensePro 1016 (1Gbps), DefensePro 2016 (2Gbps), DefensePro 3016 (3Gbps)
License Key Upgrade
Slide 28
![Page 28: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/28.jpg)
On-Demand Attack Prevention: Value Proposition
• Unmatched Performance – Leading industry performance up to 12Gbps with active network security profiles
• OnDemand Scalability – Scale up performance by increasing throughput using a simple license upgrade
– No hardware replacement needed
• Investment Protection – Buy what you need – prevent overspending for capacity you don’t need now
– Pay-as-you-grow and only for the added throughput license
• No Upgrade Projects – No hardware replacement, staging and network downtime
– Huge cost saving and best TCO
• Operational Simplicity and Standardization – A standard, unified platform suitable for all throughput levels
– Savings on training, spares and maintenance
Slide 29
“Radware offers low product and maintenance costs, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, April 2009
![Page 29: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/29.jpg)
DefensePro: Monitoring and Reporting
Slide 30
![Page 30: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/30.jpg)
APSolute Vision: Advanced Monitoring and Reporting
Slide 31
• Real-time monitoring
– Active attack details
• Historical reporting
– Per customer dashboards
– Custom reports
![Page 31: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/31.jpg)
APSolute Vision: The Value Proposition
Slide 32
APSolute Vision helps Data Center IT managers improve business:
• Resilience
– Real-time identification, prioritization, and response to policy breaches, cyber attacks and insider threats
• Agility
– Per user customization of real-time dashboards and historical reports
• Efficiency
– Simplifies data center management
– Improves IT productivity
![Page 32: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/32.jpg)
Summary
![Page 33: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/33.jpg)
DefensePro Differentiators
• Best security solution for data centers in a single box:
– Intrusion prevention (IPS)
– DoS protection
– Network behavioral analysis (NBA)
– IP reputation service
• Best performing solution
– DoS Mitigator Engine - maintain throughput when under attack
• Best in class unified monitoring and reporting
• Lowest CapEx
– Multitude of security tools in a single box
– Pay-As-You-Grow – scalable platform selection with license upgrade for throughput
• Lowest OpEx
– Automatic real-time signatures protection with no need for human intervention
– Unified management
Slide 34
“Radware focus on behavioral assessment is unique in the IPS market. When combined with traditional detection mechanisms, this puts Radware in a strong position to emerging threats.”
Greg Young & John Pescatore, Gartner, April 2009
![Page 34: Radware - DSS @Vilnius 2010](https://reader031.fdocument.pub/reader031/viewer/2022020716/557a5a0ed8b42a6e5a8b4cf3/html5/thumbnails/34.jpg)
Thank You