DSS ITSEC CONFERENCE - Radware - Attack Mitigation System (AMS) - Riga NOV2011
Transcript of DSS ITSEC CONFERENCE - Radware - Attack Mitigation System (AMS) - Riga NOV2011
Beyond Today’s Perimeter Defense: Radware Attack Mitigation System (AMS)
Michael Soukonnik
24.11.2012
Imagine That You Could…
Slide 2
Eliminate Costs of Downtime
Improve your Customer Experience
& Employee Productivity
Cut Application Infrastructure Cost by 20-50%
Enhance your Business Agility
Over 10,000 Radware Customers Can…
Slide 3
About Radware
Slide 4
Over 10,000 Customers
Global Technology Partners
Company Growth (chart, one value per year 1998-2010, units not stated on the slide): 4.9, 14.1, 38.4, 43.3, 43.7, 54.8, 68.4, 77.6, 81.4, 88.6, 94.6, 108.9, 144.1
ADC Magic Quadrant 2010
Recognized ADC Market Leader
“Radware has a strong vision of how ADCs fit into a
seamless virtualized and cloud-based architecture”
Online Business Security Threats
Security Threat Vectors
Slide 6
Large volume network flood attacks
High and slow Application DoS attacks
SYN flood attack
Brute force attack
Web application attacks (e.g. XSS, Injections, CSRF)
Port scan
“Low & Slow” DoS attacks (e.g., Sockstress)
Network scan
Intrusion
Intrusion, malware
Network and Data Security Attacks: from the News
Slide 7
Multi-Vulnerability Attack Campaigns
Slide 8
Attack vectors aimed at the business (diagram):
Large volume network flood attacks
Application flood attack (Slowloris, port 443 data flood, …)
Large volume SYN flood
Web application attacks (e.g. XSS, Injections, CSRF)
Low & Slow connection DoS attacks
Network scan
Web application vulnerability scan
Conclusions
• Attackers use multi-vulnerability attack campaigns, so mitigating them with any single tool is nearly impossible
• DoS & DDoS tools are the preferred weapon of mass disruption
Mapping Security Protection Tools
Slide 9
Attack vectors (as listed on the slide):
Large volume network flood attacks
High & Low rate application DoS attacks
“Low & Slow” DoS attacks
Brute force attack
Web application attacks (e.g. XSS, Injections, CSRF)
SYN flood
Port scan
Network scan
Intrusion
Intrusion, Malware
Protection tools mapped against them:
DoS Protection
Behavioral Analysis
IP Reputation
IPS
WAF
Introducing Radware Attack Mitigation System (AMS)
Slide 10
AMS Protection Set
Slide 11
NBA
• Prevent application resource misuse
• Prevent zero-minute malware
DoS Protection
• Prevent all types of network DDoS attacks
IPS
• Prevent application vulnerability exploits
Reputation Engine
• Financial fraud protection
• Anti Trojan & Phishing
WAF
• Mitigating Web application threats and zero-day attacks
OnDemand Switch: Designed for Attack Mitigation
Slide 12
OnDemand Switch platform capacity up to 14 Gbps
DoS Mitigation Engine
• ASIC based
• Prevents high volume attacks
• Up to 12 million PPS of attack protection
NBA Protections & WAF
IPS & Reputation Engine
• ASIC based String Match & RegEx Engine
• Performs deep packet inspection
DefensePro Architecture – Threat Mitigation (diagram): DDoS Mitigation Engine (DME, 12 M PPS); L7 RegEx acceleration ASIC; multi-purpose multi-core CPUs (14 Gbps); behavioral-based protections & Reputation Engine
Hardware Architecture That Was Tailored for Attack Mitigation
Slide 13
Use cases (diagram): mobile infrastructure DDoS; critical infrastructure DDoS; malware propagation; malware and intrusions
Behavioral analysis & Real Time Signatures
Slide 14
Diagram (closed feedback loop): inputs from the network, servers and clients feed a behavioral analysis module that detects abnormal activity. On detection, a real-time signature is generated and handed to the inspection module, which filters inbound and outbound traffic between the public network and the enterprise network. Closed feedback then optimizes the signature while the attack continues and removes it when the attack is over.
Covers: DoS & DDoS, application level threats, zero-minute malware propagation
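The closed loop above, as an added illustration that is not Radware's code: a per-interval packet-rate baseline flags an abnormal interval, a signature is derived from the attribute values that dominate the anomalous traffic, matching flows are dropped, the signature is tightened while the attack continues, and it is retired once the rate returns to baseline. The attribute set, the thresholds and the benign and flood traffic samples are constructed assumptions for the example.

```python
"""Closed-loop behavioural detection with real-time signatures.

Added example, not Radware's code: a rate baseline flags an abnormal
interval, the engine derives a signature from the attribute values that
dominate the anomalous traffic, filters with it, tightens it while the
attack continues, and retires it once traffic returns to baseline. The
attribute set, thresholds and traffic samples below are assumptions.
"""
from collections import Counter, deque
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    proto: str
    length: int
    ttl: int


SIG_FIELDS = ("dst_port", "proto", "length", "ttl")  # attributes a signature may pin


class RealTimeSignatureEngine:
    def __init__(self, baseline_len=10, k=3.0, min_share=0.95):
        # Only intervals judged normal feed the baseline, so a flood cannot raise
        # its own threshold. The learning phase assumes clean traffic.
        self.baseline = deque(maxlen=baseline_len)
        self.k, self.min_share = k, min_share
        self.signature = None  # field -> value while an attack is being mitigated

    def threshold(self):
        if len(self.baseline) < self.baseline.maxlen:
            return None  # still learning
        data = list(self.baseline)
        mean, sd = statistics.mean(data), statistics.pstdev(data)
        return max(mean + self.k * sd, 1.5 * mean)  # floor guards a flat baseline

    @staticmethod
    def dominant(flows, min_share):
        """Fields whose most common value covers at least min_share of flows."""
        sig = {}
        for field in SIG_FIELDS:
            value, n = Counter(getattr(f, field) for f in flows).most_common(1)[0]
            if n / len(flows) >= min_share:
                sig[field] = value
        return sig

    @staticmethod
    def matches(sig, flow):
        return all(getattr(flow, field) == value for field, value in sig.items())

    def observe(self, flows):
        """Process one interval of flows and report what the engine did."""
        count, thr = len(flows), self.threshold()
        if thr is None:
            self.baseline.append(count)
            return {"state": "learning", "count": count, "signature": None, "dropped": 0}
        if self.signature is None:
            if count <= thr:
                self.baseline.append(count)
                return {"state": "normal", "count": count, "signature": None, "dropped": 0}
            sig = self.dominant(flows, self.min_share)
            if not sig:
                # Abnormal rate but nothing dominant to pin: alert, do not filter,
                # and keep the interval out of the baseline.
                return {"state": "anomaly-unclassified", "count": count, "signature": None, "dropped": 0}
            self.signature = sig
        applied = dict(self.signature)
        matched = [f for f in flows if self.matches(applied, f)]
        if count <= thr:
            # Attack traffic has stopped arriving: retire the signature.
            self.signature = None
            self.baseline.append(count)
            return {"state": "cleared", "count": count, "signature": applied, "dropped": len(matched)}
        if matched:
            # Optimise: attributes uniform within the matched traffic tighten the
            # signature and cut collateral drops in the next interval.
            self.signature = self.dominant(matched, self.min_share)
        return {"state": "mitigating", "count": count, "signature": applied, "dropped": len(matched)}


def normal_traffic(n):
    """Constructed benign flows: a deterministic mix of ports, protocols, sizes, TTLs."""
    ports, protos = (80, 443, 53, 22), ("tcp", "udp")
    sizes, ttls = (60, 512, 1500), (64, 128, 255)
    return [Flow(f"192.0.2.{i % 250}", ports[i % 4], protos[i % 2], sizes[i % 3], ttls[i % 3])
            for i in range(n)]


def attack_traffic(n):
    """Constructed UDP flood: one destination port, fixed size, spoofed sources."""
    return [Flow(f"203.0.113.{i % 250}", 80, "udp", 1024, 64) for i in range(n)]


def run_scenario():
    """Ten clean intervals, two flood intervals, two clean intervals."""
    eng = RealTimeSignatureEngine()
    intervals = [normal_traffic(100 + (i % 3) * 5) for i in range(10)]
    intervals += [normal_traffic(100) + attack_traffic(1000)] * 2
    intervals += [normal_traffic(100)] * 2
    return [eng.observe(flows) for flows in intervals]
```

In the scenario the first flood interval yields only `{"proto": "udp"}` because the benign traffic dilutes the other attributes below the 95% share, so 50 benign UDP flows are dropped alongside the 1000 attack flows; the feedback step re-evaluates the matched traffic, pins the port, size and TTL, and the second interval drops exactly the 1000 attack flows. Once the flood stops the signature is retired rather than left in place.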
DDoS Protection: Radware Coverage
Slide 15
Radware DDoS Protections:
• Up to 12 MPPS of attack prevention
• Up to 800K new TPS of HTTP challenge-response
• Full 10 Gbps DPI (RegEx) processing
Attack classes covered: PPS & bandwidth flood attacks; connection & application flood attacks; directed application DoS attacks
Engines: StringMatch Engine (SME), RegEx Engine, static & user filters; multi-core CPUs running real-time signatures & challenge-response technologies; ASIC-based DoS Mitigator Engine (DME) with real-time signature technology
Radware Security Event Management (SEM)
Slide 16
• Correlated reports
• Trend analysis
• Compliance management
• RT monitoring
• Advanced alerts
• Forensics
3rd Party SEM
Compliance and Standardization with AMS
Slide 17
Compliance Reports
PCI DSS
FISMA
GLBA
HIPAA
Radware Security Products Portfolio
Slide 18
AppWall
Web Application Firewall (WAF)
DefensePro
Network & Server attack prevention device
APSolute Vision
Management and security reporting &
compliance
Encrypted Attacks Mitigation
Slide 19
Attack classes (diagram): traffic anomalies; floods; network-based DoS attacks; application-based DoS attacks (clear and SSL); “directed” application DoS attacks (clear and SSL)
Mitigation mechanisms (diagram): packet anomalies, black & white lists; behavioral DoS & TCP cookie engines; L7 ASIC RegEx engine; application “cookie” engines
Traffic path (diagram): encrypted client traffic terminates at the client-side termination point, Alteon’s SSL Acceleration Engine; DefensePro inspects the decrypted traffic and only “authenticated” clients are passed on to the protected server
Once an attack is detected, three security actions are taken for each client that tries to connect to the protected server(s):
• SYN Attack Protection – DefensePro “authenticates” the source through a “safe-reset cookie” mechanism, verifying that the source IP is genuine and that it runs a real TCP/IP stack.
• HTTP Filters – DefensePro receives the decrypted first HTTP request of the client from the SSL engine and applies application-layer filters. This removes the “directed HTTP DoS attacks” that can only be mitigated by pre-defined or “ad-hoc” filters.
• Web Cookie Challenge – If the client passes the HTTP filter check, DefensePro generates a web cookie challenge (a 302 redirect or a JavaScript challenge) that the Alteon SSL engine encrypts and returns to the client. The client’s response is decrypted and sent to DefensePro, which validates it. A client that responds correctly is “authenticated” at the application level and is forced to open a new connection directly to the protected server.
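The second and third steps, as an added example that is not Radware's code: the first decrypted request is run through ad-hoc application-layer filters, and a client without a valid challenge cookie gets a 302 back to the same URL carrying an HMAC-bound cookie; a client that echoes it within the validity window is treated as authenticated. The SYN "safe-reset" step, the Alteon/DefensePro split and the vendor's real filter set are not modelled; the cookie name, the secret, the 60-second window and the two filter rules are assumptions constructed for the example.

```python
"""HTTP-layer steps behind an SSL termination point: ad-hoc filters on the
first decrypted request, then a 302 cookie challenge.

Added example, not Radware's code. The SYN "safe-reset" step, the Alteon/
DefensePro split and the vendor's real filter set are not modelled; the
cookie name, secret, validity window and the two filter rules are
assumptions constructed for this example.
"""
import hashlib
import hmac
import re

SECRET = b"per-device-secret-rotate-me"  # assumption: device-local, rotated
COOKIE_NAME = "dp_auth"                   # assumption
WINDOW = 60  # seconds an answered challenge stays valid (assumption)

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw):
    """Request line and headers of one HTTP/1.x request; None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode(), "target": m.group(2).decode("latin-1"), "headers": headers}


# Constructed ad-hoc filters for the first decrypted request; a hit drops the
# client before it is ever challenged.
FILTER_RULES = [
    ("missing-host", lambda r: "host" not in r["headers"]),
    ("ua-blocklist", lambda r: "FloodTool/" in r["headers"].get("user-agent", "")),
]


def _mac(client_ip, bucket):
    return hmac.new(SECRET, f"{client_ip}|{bucket}".encode(), hashlib.sha256).hexdigest()[:32]


def make_token(client_ip, now):
    """Challenge value: time bucket plus an HMAC binding it to the client address."""
    bucket = int(now // WINDOW)
    return f"{bucket}:{_mac(client_ip, bucket)}"


def verify_token(token, client_ip, now):
    """Accept only an unexpired token minted for this client address."""
    bucket_s, _, mac = token.partition(":")
    if not bucket_s.isdigit():
        return False
    bucket = int(bucket_s)
    if not 0 <= int(now // WINDOW) - bucket <= 1:  # current or previous window
        return False
    return hmac.compare_digest(mac, _mac(client_ip, bucket))


def cookie_value(req, name):
    for part in req["headers"].get("cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def handle_first_request(raw, client_ip, now):
    """Decide drop / challenge / forward for the first request on a connection."""
    req = parse_request(raw)
    if req is None:
        return {"action": "drop", "reason": "malformed", "response": None}
    target = req["target"]
    if not target.startswith("/") or target.startswith("//"):
        # The target is echoed in Location; refuse anything a browser could
        # read as a scheme-relative redirect to another host.
        return {"action": "drop", "reason": "bad-target", "response": None}
    for name, pred in FILTER_RULES:
        if pred(req):
            return {"action": "drop", "reason": name, "response": None}
    token = cookie_value(req, COOKIE_NAME)
    if token and verify_token(token, client_ip, now):
        # Correct answer: application-level "authentication" passed; in the
        # deployment described the client now connects straight to the server.
        return {"action": "forward", "reason": "authenticated", "response": None}
    # First contact, or a stale / foreign cookie: redirect to the same URL and
    # set the challenge cookie. Secure is set because the client leg is TLS.
    response = (
        f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
        f"Set-Cookie: {COOKIE_NAME}={make_token(client_ip, now)}; Path=/; HttpOnly; Secure\r\n"
        "Content-Length: 0\r\nConnection: close\r\n\r\n"
    ).encode("latin-1")
    return {"action": "challenge", "reason": "no-valid-cookie", "response": response}


def token_from_challenge(response):
    """What a cooperating client echoes back: the cookie set by the 302."""
    m = re.search(rb"Set-Cookie: " + COOKIE_NAME.encode() + rb"=([^;]+)", response)
    return m.group(1).decode() if m else None
```

The cookie is bound to the client address and a time bucket, so a token harvested by one flood source cannot be replayed from another, and it expires without server-side state. The check only proves the client completes an HTTP redirect; a tool that implements cookies passes it, which is why the challenge is a gate in front of per-source rate limits and filters rather than a replacement for them, and why the JavaScript variant raises the bar further.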
Radware Security Expertise : ERT Cases (1 of 2)
Slide 20
Radware ERT helped the High Council for Telecommunications (TIB) to achieve full protection against Anonymous attacks
• Anonymous group published a poster calling its fans to attack a Turkish government agency
– Target: High Council for Telecommunications (TIB)
– When: June 9th (Thursday) 2011 at 6PM
– Attack tool: Low Orbit Ion Cannon (LOIC)
• Type of attack – multi-vulnerability campaign
– HTTP GET flood attack
– TCP connection flood on port 80
– SYN flood attack
– UDP flood attack
Radware Security Expertise : ERT Cases (2 of 2)
Slide 21
Radware ERT helped Istanbul police to achieve full protection against Anonymous attacks
• Anonymous group attacked the Istanbul police as revenge for the arrest
– Target: Istanbul police site
– When: June 13th 2011
– Attack tool: Low Orbit Ion Cannon (LOIC)
• Type of attack – multi-vulnerability campaign
“We just watched the attacks and DefensePro easily eliminated the attacks. We didn’t even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn’t feel anything.” – Istanbul police integrator
Summary: Radware AMS Differentiators
• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 Service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx
– Multitude of security tools in a single solution
– Unified management and reporting
Slide 23
“Radware offers low product
and maintenance cost, as
compared with most
competitors.”
Greg Young & John Pescatore, Gartner,
December 2010
Thank You www.radware.com