Radware, the leader in application delivery, acceleration and load balancing, also has unique and important security solutions: intrusion prevention with real-time DoS/DDoS protection, and web application firewalls.
Security of Data Center
Michael Soukonnik
2.12.2010, Vilnius
Radware – what is it about?
• Availability
– How do you ensure business applications are
delivered under attacks?
• Performance
– How do you ensure consistent user experience when
your network is under attack?
• Security
– What is the cost of data loss or abuse of your
resources?
• Scalability
– How do you ensure future growth while minimizing
initial spending?
• Cost reduction
– How to address all the above while reducing costs?
We focus on data center application delivery and security
Security: Network & Data Center Threats
[Diagram: threats on one side, protection tools on the other]
Threats:
• Application vulnerability
• Information theft
• Authentication defeat
• Malware spread
• Network anomalies
• Application downtime
• Network downtime
Protection tools: Intrusion Prevention, Behavioral Analysis, DoS Protection
(Example called out: Google / Twitter attacks, 2009)
Hackers’ Change in Motivation
[Timeline diagram, attack risk over time, 2001 to 2010: vandalism and publicity (2001) → "hacktivism" → financially motivated (2010)]
2001  CodeRed (defacing IIS web servers)
2001  Nimda (installed Trojan)
2003  Blaster (attacking Microsoft web site)
2003  Slammer (attacking SQL servers)
2004  Republican website DoS
2005  Agobot (DoS botnet)
2007  Storm (botnet)
2007  Srizbi (botnet)
2007  Rustock (botnet)
2007  Estonia’s web sites DoS
2008  Georgia web sites DoS
2009  Kraken (botnet)
2009  July 2009 cyber attacks, US & Korea
2010  IMDDOS (botnet)
July 2009 Cyber Attacks – From The News
July 2009 Cyber Attacks: Mapping The Attacks
[Diagram: the attacker sends bot commands through a C&C server to infected hosts (bots), which flood the public web servers over the Internet alongside legitimate users]
Mydoom.EA Botnet Characteristics
• ~50,000 zombie computers
• Diversified attacks:
  • HTTP page flood
  • SYN flood with packet anomalies
  • UDP flood
  • ICMP flood
• Destinations in US and S/Korea
• ~6-7 Gbps inbound traffic (>2 million PPS)
July 2009 Cyber Attacks: Fighting Back
Attack vector                                   Solution
Bot malware spread                              IPS or Network Behavior Analysis
Bot Command & Control messages                  IPS
Application flooding (HTTP page flood attack)   Network Behavior Analysis
Network flooding (SYN/UDP/ICMP flood attack)    DoS Protection
No single protection tool can handle today’s data center threats.
The Solution
Network & Data Center Security: Mapping The Solutions
[Diagram: Internet → access router → firewall → web servers → application servers. At each tier the slide places DoS Protection, IPS, NBA and anti-Trojan / anti-phishing controls; DefensePro combines IPS, DoS Protection and NBA in one device: "APSolute attack prevention for data centers"]
Network & Data Center Security: Mapping The Technologies
[Diagram: the techniques behind the three engines, IPS, DoS Protection and NBA: signature detection, stateful inspection, rate-based detection, SYN cookies and behavioral analysis]
Introducing DefensePro
DefensePro is a real-time attack prevention device that protects
your application infrastructure against network and application
downtime, application vulnerability exploitation, malware spread,
network anomalies and information theft
DefensePro Building Blocks
DefensePro: Protection Set
IPS: Static Signature Protection
• Signature protection
– Leading security research team
– Protection against known
application vulnerability exploits
– Weekly and emergency signature
updates
• Enables protection against
– Worms, Bots, Trojans, Phishing,
Spyware
– Web, Mail, SQL, VoIP (SIP), DNS
vulnerabilities
– Anonymizers, IPv6 attacks
– Microsoft vulnerabilities
– Protocol anomalies
DoS Protection: Real-time Signatures Protection
• Automatic real-time signature protection against network DDoS attacks:
– SYN floods
– TCP floods
– UDP/ICMP floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against network flooding with no need for
human intervention
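The SYN flood heads this list, and the technology slide names SYN cookies as one of the mechanisms behind the DoS engine. The block below is an added example, not Radware code and not from the deck, showing the SYN cookie principle in Python: the SYN-ACK sequence number is a keyed hash of the connection tuple plus a coarse timestamp, so the server keeps no half-open state while it is being flooded and verifies the client's final ACK statelessly. The bit layout, the MSS table, the 64-second tick, the secret and the sample 4-tuple are all assumptions for the example.

```python
import hmac
import hashlib
import socket
import struct

# Added example (not Radware code): a simplified SYN cookie in the spirit of the
# Linux/FreeBSD scheme. Layout of the 32-bit cookie (assumed here):
#   bits 31..27  counter (coarse time, TICK_SECONDS ticks) mod 32
#   bits 26..25  index into MSS_TABLE (the only per-connection option kept)
#   bits 24..0   25-bit truncated HMAC over (4-tuple, client ISN, counter)
SECRET = b"constructed-demo-secret-rotate-me"   # constructed; rotate in production
TICK_SECONDS = 64
MSS_TABLE = (536, 1300, 1440, 1460)           # encodable MSS values, ascending
MAC_MASK = (1 << 25) - 1


def _flow_bytes(flow, client_isn, counter):
    saddr, daddr, sport, dport = flow
    return struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                       sport, dport, client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF)


def _mac25(flow, client_isn, counter):
    digest = hmac.new(SECRET, _flow_bytes(flow, client_isn, counter), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(flow, client_isn, mss, now):
    """Sequence number to put in the SYN-ACK answering a SYN from `flow`."""
    counter = int(now // TICK_SECONDS)
    mss_idx = 0
    for i, value in enumerate(MSS_TABLE):       # largest table entry <= offered MSS
        if value <= mss:
            mss_idx = i
    return ((counter & 0x1F) << 27) | (mss_idx << 25) | _mac25(flow, client_isn, counter)


def validate_cookie(flow, client_isn, cookie, now, max_age_ticks=2):
    """Return the encoded MSS if `cookie` is genuine and recent, else None."""
    current = int(now // TICK_SECONDS)
    low_counter = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    mac = cookie & MAC_MASK
    for age in range(max_age_ticks + 1):        # accept this tick and a few older ones
        counter = current - age
        if (counter & 0x1F) != low_counter:
            continue
        expected = _mac25(flow, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(4, "big"), mac.to_bytes(4, "big")):
            return MSS_TABLE[mss_idx]
    return None


def accept_final_ack(flow, ack_seq, ack_ack, now):
    """Stateless third-handshake check: the client's seq is ISN+1, its ack is cookie+1."""
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    return validate_cookie(flow, client_isn, cookie, now)


if __name__ == "__main__":
    flow = ("198.51.100.7", "192.0.2.10", 40000, 80)   # constructed 4-tuple
    now = 1_700_000_000
    cookie = make_cookie(flow, 0x12345678, 1460, now)
    print("SYN-ACK seq (cookie):", hex(cookie))
    print("ACK accepted, MSS =", accept_final_ack(flow, 0x12345678 + 1, cookie + 1, now))
    print("ACK 3 ticks later  :", accept_final_ack(flow, 0x12345678 + 1, cookie + 1,
                                                   now + 3 * TICK_SECONDS))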
Network Behavioral Analysis: Real-time Signatures Protection
• NBA (Network behavioral analysis) detects abnormal user and
application transactions
• Automatic real-time signature protection against :
– Zero-minute Malware spread
– Application resource misuse such as:
• Brute force attacks
• Web application scanning
• HTTP page floods
• SIP Scans
• SIP Floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against user and application resource
misuse with no need for human intervention
The Secret Sauce – Real-time Signatures
[Diagram: a closed feedback loop between the public network and the enterprise network. Inputs from the network, servers and clients feed behavioral analysis; abnormal activity detection triggers real-time signature generation; the signature is handed to the inspection module on inbound and outbound traffic; closed feedback optimizes the signature while the attack runs and removes it when the attack is over. Targets: DoS & DDoS, application-level threats, zero-minute malware propagation.]
Standard Security Tools: HTTP Flood Example
[Diagram: the attacker sends bot commands through an IRC server to HTTP bots (infected hosts), which misuse the service resources of the public web servers]
Static signatures approach:
- No solution for low-volume attacks, as the requests are legitimate
- Connection limit against high-volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false positives
Real-Time Signatures: Accurate Mitigation
Case: HTTP Page Flood Attack
[Diagram: same botnet, attacker → IRC server → HTTP bots → public web servers]
Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
Behavioral Pattern Detection (2): identify abnormal user activity. For example:
- Normal users download few pages per connection
- Abnormal users download many pages per connection
Real-Time Signature: block abnormal users’ access to the specific page(s) under attack
Real-Time Signatures: Resistance to False Positives
Case: Flash Crowd Access
[Diagram: many legitimate users reach the public web servers at once]
Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits
Behavioral Pattern Detection (2): no abnormal user activity detected
Result: attack not detected, no real-time signature is generated, no user is blocked
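The two cases above (page flood and flash crowd) share the same two-stage logic, so one added example covers both. This is not Radware code and not from the deck; it is a toy of the described behaviour: a page is "hot" when its hits exceed the learned baseline, a real-time signature is generated only if abnormal clients (many pages per connection) are found on that page, the signature blocks those clients on that page only, and the closed-feedback step removes it once the page is back to normal. The thresholds, the page mix, the addresses and the seeded traffic generators are all constructed for the example.

```python
import random
from collections import Counter
from dataclasses import dataclass

# Added example (not Radware code): two-stage behavioral detection with a
# real-time signature. All traffic below is constructed; thresholds are assumptions.
PAGE_WEIGHTS = {"/": 40, "/news": 25, "/search": 15, "/login": 10, "/promo": 10}
HOT_RATIO = 3.0          # a page is "hot" at more than 3x its baseline hits per window
MIN_HITS = 50            # ignore pages with too few hits to judge
MAX_PAGES_PER_CONN = 5   # normal users download few pages per connection


@dataclass(frozen=True)
class Request:
    src: str    # client IP
    conn: int   # TCP connection id, per client
    path: str


@dataclass(frozen=True)
class Signature:
    path: str
    sources: frozenset   # abnormal clients, blocked for this path only


def learn_baseline(window):
    """Hits per page in a normal window of the same length as later windows."""
    return Counter(r.path for r in window)


def hot_pages(window, baseline):
    """Stage 1: pages with higher than normal hits."""
    counts = Counter(r.path for r in window)
    return sorted(p for p, n in counts.items()
                  if n >= MIN_HITS and n > HOT_RATIO * baseline.get(p, 0))


def abnormal_sources(window, path):
    """Stage 2: clients that pull the hot page many times on one connection."""
    per_conn = Counter((r.src, r.conn) for r in window if r.path == path)
    return frozenset(src for (src, _), n in per_conn.items() if n > MAX_PAGES_PER_CONN)


def generate_signature(window, baseline):
    """A signature exists only when a hot page also carries abnormal users;
    a flash crowd (hot page, normal users) yields None and blocks nobody."""
    for path in hot_pages(window, baseline):
        bad = abnormal_sources(window, path)
        if bad:
            return Signature(path, bad)
    return None


def is_blocked(sig, r):
    return sig is not None and r.path == sig.path and r.src in sig.sources


def signature_expired(sig, window, baseline):
    """Closed feedback: drop the signature once its page is no longer hot."""
    return sig.path not in hot_pages(window, baseline)


# --- constructed traffic -------------------------------------------------
def normal_traffic(rng, users=200):
    reqs = []
    for u in range(users):
        src = f"10.0.{u // 250}.{u % 250 + 1}"
        for conn in range(rng.randint(1, 3)):
            for _ in range(rng.randint(1, 4)):          # few pages per connection
                page = rng.choices(list(PAGE_WEIGHTS), weights=list(PAGE_WEIGHTS.values()))[0]
                reqs.append(Request(src, conn, page))
    return reqs


def page_flood(bots, path="/search", conns=2, per_conn=50):
    return [Request(b, c, path) for b in bots for c in range(conns) for _ in range(per_conn)]


def flash_crowd(rng, users=500):
    reqs = []
    for u in range(users):
        src = f"203.0.{u // 250}.{u % 250 + 1}"
        for _ in range(rng.randint(1, 3)):              # still few pages per connection
            reqs.append(Request(src, 0, "/promo" if rng.random() < 0.8 else "/"))
    return reqs


def demo(seed=7):
    rng = random.Random(seed)
    baseline = learn_baseline(normal_traffic(rng))
    bots = [f"198.51.100.{i}" for i in range(1, 41)]
    attack = normal_traffic(rng) + page_flood(bots)
    sig = generate_signature(attack, baseline)
    flash = normal_traffic(rng) + flash_crowd(rng)
    after = normal_traffic(rng)                          # the attack is over
    return {
        "signature": sig,
        "blocked_in_attack": sum(is_blocked(sig, r) for r in attack),
        "legit_blocked": sum(is_blocked(sig, r) for r in attack if r.src not in bots),
        "flash_hot_pages": hot_pages(flash, baseline),
        "flash_signature": generate_signature(flash, baseline),
        "expired_during_attack": signature_expired(sig, attack, baseline),
        "expired_after_attack": signature_expired(sig, after, baseline),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The flash crowd trips stage 1 (/promo is far above baseline) but not stage 2, so no signature is produced; the bot flood trips both and the resulting signature is scoped to the attacked page and the abnormal sources rather than to a global connection limit. A production engine would fingerprint more than source address and path (headers, request timing, cookies), but the scoping and the expiry step are the parts that keep false positives down.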
DefensePro: OnDemand Switch
OnDemand Switch: Architecture Designed for Attack Prevention
[Diagram: platform capacity up to 12 Gbps, with three engines]
DoS Mitigation Engine
• ASIC based
• Prevents high-volume attacks
• Up to 10 million PPS of attack protection
NBA Protections
• Prevent application resource misuse
• Prevent zero-minute malware
IPS
• ASIC-based string match engine performing deep packet inspection
• Prevents application vulnerability exploits
The Competitive Advantage: Performance Under Attack
[Diagram comparing two devices, each with multi-Gbps capacity for legitimate traffic. Other network security solutions: attack traffic shares the same capacity, so the device handles attack traffic at the expense of legitimate traffic. DefensePro: the ASIC-based DoS mitigation stage (up to 10 million PPS of attack traffic) handles attack traffic separately from the static signature engine (DPI) and the real-time signatures engine (multi CPU cores), so attack traffic does not impact legitimate traffic.]
DefensePro OnDemand Switch 3:
• Up to 12 Gbps of network traffic inspection
• 4,000,000 concurrent sessions
• Latency < 100 microseconds
Next Generation DefensePro: IPS+DoS Architecture
[Diagram: a standard IPS solution extended with the APSolute Immunity engines (real-time signatures) and an ASIC-based DoS mitigator, the "APSolute Immunity booster" (prevents high-volume attacks, up to 10 million PPS of attack traffic); real-time signatures are injected into the DoS mitigator engines, giving "APSolute Immunity with Booster Shot"]
Reputation Services
• IP Reputation Service
– External real time feeds from 3rd party reputation based services
– Instant blocking of attacks using real-time signatures
– Value proposition
• Protects against
– Botnets (Source IP reputation)
– Zero-minute malware (Web site reputation)
– Social engineering attacks (Web site reputation , e.g., Phishing, drop points)
– Spam (Source IP reputation)
• Easy integration through Reputation Engine
Summary: APSolute Attack Prevention
• APSolute Attack Prevention offers synergy of complementing protection
technologies
– IPS: static signatures
– NBA: real-time signatures
– DoS Protection: real-time signatures
– Reputation Engine: real-time feeds
• Resulting in
– Proactive best of breed network security solution for networks and data
centers
OnDemand Attack Prevention: Models up to 12 Gbps
• DefensePro x412 Behavioral Protection
  – Models: DefensePro 4412 (4 Gbps), DefensePro 8412 (8 Gbps), DefensePro 12412 (12 Gbps)
• DefensePro x412 IPS & Behavioral Protection
  – Models: DefensePro 4412 (4 Gbps), DefensePro 8412 (8 Gbps)
• DefensePro x016 IPS & Behavioral Protection
  – Models: DefensePro 1016 (1 Gbps), DefensePro 2016 (2 Gbps), DefensePro 3016 (3 Gbps)
• Moving up within a family: license key upgrade
On-Demand Attack Prevention: Value Proposition
• Unmatched Performance – Leading industry performance up to 12Gbps with active
network security profiles
• OnDemand Scalability – Scale up performance by increasing throughput using a
simple license upgrade
– No hardware replacement needed
• Investment Protection – Buy what you need – prevent overspending for capacity
you don’t need now
– Pay-as-you-grow and only for the added throughput license
• No Upgrade Projects – No hardware replacement, staging and network downtime
– Huge cost saving and best TCO
• Operational Simplicity and Standardization – A standard, unified platform suitable for all throughput levels
– Savings on training, spares and maintenance
“Radware offers low product and maintenance costs, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, April 2009
DefensePro: Monitoring and Reporting
APSolute Vision: Advanced Monitoring and Reporting
• Real-time monitoring
– Active attack details
• Historical reporting
– Per customer dashboards
– Custom reports
APSolute Vision: The Value Proposition
APSolute Vision helps Data Center IT managers improve business:
• Resilience
– Real-time identification, prioritization, and response to policy breaches,
cyber attacks and insider threats
• Agility
– Per user customization of real-time dashboards and historical reports.
• Efficiency
– Simplifies data center management
– Improves IT productivity
Summary
DefensePro Differentiators
• Best security solution for data centers
in a single box:
– Intrusion prevention (IPS)
– DoS protection
– Network behavioral analysis (NBA)
– IP reputation service
• Best performing solution
– DoS Mitigator Engine - maintain throughput
when under attack
• Best in class unified monitoring and reporting
• Lowest CapEx
– Multitude of security tools in a single box
– Pay-As-You-Grow – scalable platform selection
with license upgrade for throughput
• Lowest OpEx
– Automatic real-time signatures protection with no
need for human intervention
– Unified management
“Radware’s focus on behavioral assessment is unique in the IPS market. When combined with traditional detection mechanisms, this puts Radware in a strong position against emerging threats.”
Greg Young & John Pescatore, Gartner, April 2009
Thank You