DefensePro x420

Technical Note

DefensePro Product Management


Table of Contents

1 The Urgent Need for High Performance
2 DefensePro x420
2 DefensePro x420 Layers of Defense
3 Hardware Platform Designed for Attack Mitigation
4 Multi-Tenancy

The Urgent Need for High Performance

The current natural growth of the Internet and the forecasted staggering increase in traffic call for infrastructure to support robust, high-throughput attack-mitigation capabilities. Now, more than ever, organizations are obliged to support highly available, secure services and meet rising throughput demands.

The requirement to support highly available, secure services and meet rising throughput demands is manifested in the following main scenarios:

Carriers—Carriers are required to provide their customers reliable and secure services while being able to scale easily to meet demands.

MSSPs—MSSPs are required to process more simultaneous attacks, which are higher in volume as attackers’ capabilities improve.

Online Businesses—Online Businesses are required to provide available service for more users while ensuring that high-volume attacks do not significantly reduce the availability of their main income source.

The requirements arising from these scenarios raise the following considerations for the design of an attack-mitigation hardware platform:

Scalability—Scalability must be achieved through an easy procedure, because today’s requirements are bound to grow relative to many parameters. Any platform design must meet today’s requirements while allowing scaling when requirements change.

Attack mitigation capacity—Attack mitigation capacity must meet the attackers’ growing capabilities—today’s and tomorrow’s. Attack mitigation must allow legitimate traffic to continue to flow uninterrupted.

Multi-tenancy—Multi-tenancy must be considered, because providers are required to serve an increasing number of customers, and because the network architectures continue to become more complex.


Figure 1: Key Design Considerations

DefensePro x420

The DefensePro x420 platform is designed to meet high-throughput requirements stemming from increased volumes of legitimate traffic as well as attacks.

With an industry-leading 25-MPPS attack-mitigation capacity, the x420 platform is designed for high-throughput processing and high-volume attack mitigation.

Table 1: Main Performance Metrics

Metric                               X412       X420
Capacity                             14 Gbps    40 Gbps
Throughput                           12 Gbps    36 Gbps
Maximum attack mitigation capacity   10 MPPS    25 MPPS
HTTP challenges/second               520 K      1,040 K
DNS challenges/second                2.2 M      4.4 M

The DefensePro x420 platform uses Radware’s software throughput-license model. Available licenses range from 10G to 40G in 10G steps. This successful model provides customers a gradual scaling process without the requirement for costly and operationally complicated hardware changes.


DefensePro x420 Layers of Defense

Threats can be categorized into different layers that typify different “natures” of attack behavior. Therefore, the protection strategy must also be constructed with multiple layers of security technologies, which effectively analyze and repel each of the threats.

DefensePro APSolute Attack Prevention includes the following layers of defense:

First layer: Network-based Protection—protects against DoS/DDoS flood attacks.

Second layer: Application-based Protection—protects against server-resource misuse and server cracking.

Third layer: User-based Protection—detects infected clients and prevents the spread of the client malware.

Fourth layer: Stateful Signature-based Protection—protects against known attack vulnerabilities.

The DefensePro x420 hardware platform design is specifically suited to the layered approach. Each layer is handled by a suitable hardware component.

The following diagram illustrates the layered hardware design.

Figure 2: Hardware Platform Designed for Attack Mitigation


Hardware Platform Designed for Attack Mitigation

The DefensePro x420 platform retains, and even improves upon, the benefits of previous DefensePro platforms. The DefensePro x420 platform houses an industry-leading DoS Mitigation Engine, capable of 25-MPPS attack mitigation. Compared with other security solutions, this engine differs in that it is facilitated by a dedicated ASIC; the attack-mitigation capacity does not affect the capacity for the processing of legitimate traffic.

Figure 3: Attack size does not affect legitimate traffic processing

For the more deterministic types of threats, such as known application-vulnerability-exploitation attacks for which a signature is already available, DefensePro provides a proactive security-update service, which automatically downloads recent attack signatures to the system’s attack database. DefensePro inspects incoming and outgoing traffic and compares each packet in real time to the signatures in the database, while adding minimal latency.

Radware’s hardware-accelerated String Match Engine is used for this purpose.

The String Match Engine is an ASIC-based solution capable of multi-gigabit L7 (application layer), deep-packet, full-content inspection. This includes inspection for attack signatures that span multiple packets (that is, supporting cross-packet inspection) or attack signatures that can only be written through regular expressions to avoid false positives or false negatives.
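An added illustration of the cross-packet inspection described above (not from the original note and not Radware's implementation): a software Aho-Corasick matcher that keeps its automaton state per flow between packets, compared with matching each packet in isolation. The signature strings, flow key and payloads are constructed, and packets of a flow are assumed to arrive in order.

```python
from collections import deque

class StreamMatcher:
    """Aho-Corasick automaton whose state is kept per flow between packets."""
    def __init__(self, signatures):
        # goto[s]: byte -> next state; fail[s]: fallback state; out[s]: matches at s
        self.goto, self.fail, self.out = [{}], [0], [[]]
        for name, pattern in signatures.items():
            state = 0
            for byte in pattern:
                if byte not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][byte] = len(self.goto) - 1
                state = self.goto[state][byte]
            self.out[state].append(name)
        # Breadth-first pass: set failure links and inherit matches from them.
        queue = deque(self.goto[0].values())
        while queue:
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                queue.append(nxt)
                f = self.fail[state]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(byte, 0)
                self.out[nxt] += self.out[self.fail[nxt]]
        self.flow_state = {}  # flow key -> state reached at end of last packet

    def inspect(self, flow, payload, keep_state=True):
        """Return the signature names completed inside this packet."""
        state = self.flow_state.get(flow, 0) if keep_state else 0
        hits = []
        for byte in payload:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            hits.extend(self.out[state])
        if keep_state:
            self.flow_state[flow] = state  # resume here on the next packet
        return hits

# Constructed sample: two made-up signatures, one flow split across two packets.
SIGNATURES = {"sig-1": b"BADSTRING-ALPHA", "sig-2": b"ALPHA-TWO"}
PACKETS = [b"GET /x?q=BADSTR", b"ING-ALPHA-TWO HTTP/1.1"]

def scan(keep_state):
    """Per-packet hit lists, with or without state carried across packets."""
    matcher = StreamMatcher(SIGNATURES)
    return [matcher.inspect("10.0.0.5:4431", p, keep_state) for p in PACKETS]
```

With state carried across the packet boundary both signatures are reported in the second packet; matching each packet on its own reports only `sig-2` and misses the signature that was split.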


Multi-Tenancy

Along with the increase in traffic comes the requirement to enable shared tenancy, both in the service provider scenario and in the carrier scenario. This has been considered in the hardware design.

DefensePro x420 supports a set of increased capabilities, allowing for multiple tenants to share a single platform, as follows:

From policies to specific protection profiles, x420 supports increased capacity and is equipped with separate processing capabilities per tenant.

The DefensePro management system has added role-based access-control capabilities to enable view permissions and management permissions per policy. This lets providers limit customer access (for monitoring and management) to only the resources relevant to that customer.

Monitoring capabilities have been enhanced to support traffic monitoring at the network policy level.

Historical reporting and event management systems support user-based access control, personalized dashboards, reports, and monitors.