Security Functional Requirements for Anti-DDoS Products
Jun Woo Park (junusee@tta.or.kr)
TTA, Korea
StandardWins Global IT Power
Global Leader of ICT Standardization & Certification
I. Introduction about DDoS
II. Security Functional Requirements
I. Introduction about DDoS
01 Introduction about DDoS
02 DDoS Attack Process
03 Methods of DDoS Attack
04 Operating Environment
01. Introduction about DDoS
■ DDoS (Distributed Denial of Service)
• Multiple systems flood the bandwidth or resources of a target system
  – Multiple systems (computers) attempt to access a particular server at the same time
  – The attack depletes the resources of the target server or floods the network bandwidth
• Symptoms
  – Unusually slow network performance (opening files or accessing web sites)
  – Unavailability of a particular web site
267-2 Seohyeon-dong, Bundang-gu, Seongnam-city, Gyeonggi-do, 463-824, Korea TEL) +82-31-724-0238
Copyright 2010 TTA All Rights Reserved.
02. DDoS Attack Process
03. Methods of DDoS Attack
■ The attacks are generally classified into flood and application level.

Method             DDoS Attack
Flood / Single     - TCP Syn Flood
                   - TCP Ack Flood
                   - ICMP Flood
                   - TCP Syn-Ack Flood
                   - TCP Fin Flood
                   - TCP Multi-connection
                   - UDP Flood
Flood / Mixture    - ICMP+UDP Flood
                   - ICMP+TCP Flood
                   - UDP+TCP Flood
                   - ICMP+UDP+TCP Flood
03. Methods of DDoS Attack

Method                        DDoS Attack
Flood / Single                - TCP Syn Flood
                              - TCP Ack Flood
                              - ICMP Flood
                              - TCP Syn-Ack Flood
                              - TCP Fin Flood
                              - TCP Multi-connection
                              - UDP Flood
Flood / Mixture               - ICMP+UDP Flood
                              - ICMP+TCP Flood
                              - UDP+TCP Flood
                              - ICMP+UDP+TCP Flood
Application Level / Single    - Valid HTTP GET Flood
                              - Invalid HTTP GET Flood
                              - CC (Cache Control)
                              - DNS Query Flood
                              - Low bandwidth HTTP DoS
Application Level / Mixture   - CC+TCP Flood
04. Operating Environment
■ Inline (In-Path) Configuration
• Inline appliances are generally deployed near the network firewall, in the direct flow of network traffic.
• They also have the beneficial property of seeing all inbound traffic.
04. Operating Environment
■ Out-of-Path Configuration
• The Anti-DDoS appliance is not in the direct path of the network traffic.
• A network traffic redirection technique is used to forward traffic to the appliance.
• Consists of a mirroring device, a detection sensor, and a blocking device.
II. Security Functional Requirements
01 Security Functional Requirements
02 Testing Anti-DDoS Products
03 Certified Products
01. Security Functional Requirements
■ Security Functions against DDoS attack

Security Functions               Contents
Detection/Block                  - Countermeasure against DDoS attacks such as Flood, Fragmentation, Application Level
Trace                            - Audit generation of the detected and blocked traffic
                                 - Alarm
                                 - Traffic monitoring
Identification & Authentication  - Identification and authentication for an administrator
Security Management              - Policy setting and audit view
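As an added example (not code from the TTA presentation or from any certified product), the following Python script ties the "Methods of DDoS Attack" table to the Detection/Block and Trace functions above: it tallies one observation window of packet summaries into the table's method names, decides between Flood and Application Level and between Single and Mixture by how many protocol families cross a threshold at once, and emits the audit record plus alarm flag that the Trace function calls for. The Pkt record layout, the two thresholds and all sample windows are constructed assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Pkt:
    """One packet summary (constructed notation, not a capture format)."""
    src: str          # source address
    proto: str        # "TCP", "UDP" or "ICMP"
    flags: str = ""   # TCP flags: "S", "A", "SA" or "F"
    http: str = ""    # request line for application-level traffic, e.g. "GET /"


# Assumed per-window thresholds (packets toward the protected target);
# illustrative numbers, not values from the presentation.
FLOOD_THRESHOLD = 50
HTTP_GET_THRESHOLD = 30

TCP_FLAG_NAMES = {"S": "TCP Syn Flood", "A": "TCP Ack Flood",
                  "SA": "TCP Syn-Ack Flood", "F": "TCP Fin Flood"}


def count_kinds(packets):
    """Tally a window into the attack-method names used by the table."""
    kinds = Counter()
    for p in packets:
        if p.proto == "TCP" and p.http.startswith("GET"):
            kinds["HTTP GET Flood"] += 1
        elif p.proto == "TCP":
            kinds[TCP_FLAG_NAMES.get(p.flags, "TCP Flood")] += 1
        elif p.proto == "UDP":
            kinds["UDP Flood"] += 1
        elif p.proto == "ICMP":
            kinds["ICMP Flood"] += 1
    return kinds


def classify_window(packets, flood_threshold=FLOOD_THRESHOLD,
                    get_threshold=HTTP_GET_THRESHOLD):
    """Return (category, mode, method): category is 'Normal', 'Flood' or
    'Application Level'; mode is 'Single' or 'Mixture' as in the table."""
    kinds = count_kinds(packets)
    flood_kinds = sorted(k for k, n in kinds.items()
                         if k != "HTTP GET Flood" and n >= flood_threshold)
    app_level = kinds["HTTP GET Flood"] >= get_threshold
    # Single vs. mixture is decided by how many protocol families flood at once
    # (the table's mixtures are ICMP+UDP, ICMP+TCP, UDP+TCP, ICMP+UDP+TCP).
    families = sorted({k.split()[0] for k in flood_kinds})
    if app_level and flood_kinds:
        return "Application Level", "Mixture", "HTTP GET+" + "+".join(families) + " Flood"
    if app_level:
        return "Application Level", "Single", "HTTP GET Flood"
    if len(families) > 1:
        return "Flood", "Mixture", "+".join(families) + " Flood"
    if flood_kinds:
        return "Flood", "Single", "+".join(flood_kinds)
    return "Normal", "", ""


def audit_record(packets, window_id):
    """Build the entry the Trace function would write: what was detected,
    whether the window was blocked, and whether an alarm should be raised."""
    category, mode, method = classify_window(packets)
    detected = category != "Normal"
    return {
        "window": window_id,
        "time": datetime.now(timezone.utc).isoformat(),
        "category": category,
        "mode": mode,
        "method": method,
        "packets": len(packets),
        "sources": len({p.src for p in packets}),
        "action": "block" if detected else "pass",
        "alarm": detected,
    }


# Constructed sample windows (synthetic, not captured traffic).
SYN_FLOOD = [Pkt(f"10.0.0.{i % 20}", "TCP", "S") for i in range(80)]
MIXED_FLOOD = ([Pkt(f"10.0.1.{i % 30}", "ICMP") for i in range(60)]
               + [Pkt(f"10.0.2.{i % 30}", "UDP") for i in range(60)])
HTTP_GET_FLOOD = [Pkt(f"10.0.3.{i % 40}", "TCP", "A", "GET /") for i in range(40)]
NORMAL = ([Pkt("192.0.2.7", "TCP", "A", "GET /index.html") for _ in range(5)]
          + [Pkt("192.0.2.8", "UDP") for _ in range(3)])

if __name__ == "__main__":
    for name, window in [("syn", SYN_FLOOD), ("mixed", MIXED_FLOOD),
                         ("http", HTTP_GET_FLOOD), ("normal", NORMAL)]:
        print(name, audit_record(window, name))
```

The classifier works on aggregate counts toward the target rather than per source, because a distributed flood spreads its packets over many addresses; a real product would additionally key on destination, rate over time and fragmentation, which this sketch leaves out.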
02. Testing Anti-DDoS Products
■ Unlike other network security products, throughput capacity has to be considered.
• A DDoS attack floods the network bandwidth and depletes the resources of the target system.
■ The throughput capacity of the product has to be verified.
• The security functions are affected by the throughput.
■ The security functions (detecting and blocking) also have to be tested.
02. Testing Anti-DDoS Products
■ Testing traffic for throughput capacity of the product

Method          Target   Traffic          Load
Normal Traffic  Server   Fragmented UDP   100% of the throughput capacity

■ Testing traffic for security functions (Detecting & Blocking)

Method          Target   Traffic                     Load
Attack Traffic  Victim   All methods of DDoS attack  90% of the throughput capacity
Checking        Victim   HTTP                        1 tps
Normal Traffic  Server   HTTP                        5~10% of the throughput capacity
02. Testing Anti-DDoS Products
■ Test cases

Test                        Test Items
Verification of throughput  - Throughput
                            - Packet Latency
                            - Max Connection
                            - Packet Loss
Detection / Block           - Detection time of attack packet
                            - Blocking time of attack packet
                            - Blocking rate of attack packet
                            - Success rate of normal packet
                            - Connection with victim server
                            - Audit generation of detection & blocking
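The two testing slides (the traffic tables and the test-case table) describe a procedure; as an added example that is not from the TTA presentation or any test lab's tooling, the script below derives the traffic mix of a run from a product's rated throughput capacity and then computes the Detection / Block test items from the counters a harness would collect. The RunCounters field layout, the sample capacity and counter values, and the pass/fail thresholds in verdict() are assumptions; the load shares (100%, 90%, 5~10%, 1 tps) are the ones the tables state.

```python
from dataclasses import dataclass

# Load shares from the 'Testing traffic' tables, as fractions of the
# product's throughput capacity.
ATTACK_SHARE = 0.90            # all methods of DDoS attack, toward the victim
NORMAL_SHARE = (0.05, 0.10)    # HTTP toward the server, 5~10%
CHECKING_TPS = 1               # HTTP checking traffic toward the victim


def traffic_plan(capacity_mbps):
    """Traffic mix for both test stages, given the rated capacity in Mbit/s."""
    return {
        # Stage 1: throughput capacity, fragmented UDP at 100% of capacity
        "throughput_normal_mbps": float(capacity_mbps),
        # Stage 2: security functions (detecting & blocking)
        "attack_mbps": capacity_mbps * ATTACK_SHARE,
        "normal_mbps": (capacity_mbps * NORMAL_SHARE[0],
                        capacity_mbps * NORMAL_SHARE[1]),
        "checking_tps": CHECKING_TPS,
    }


@dataclass
class RunCounters:
    """Counters a test harness collects during one run (constructed fields)."""
    attack_sent: int
    attack_passed: int        # attack packets that still reached the victim
    normal_sent: int
    normal_delivered: int     # normal HTTP packets delivered to the server
    attack_start_s: float     # generator timestamp when the attack began
    first_detect_s: float     # product's first detection audit record
    first_block_s: float      # first attack packet dropped
    victim_checks: int        # checking requests attempted at 1 tps
    victim_checks_ok: int     # checking requests the victim answered
    audit_records: int        # detect/block audit entries written


def score_run(c):
    """Compute the 'Detection / Block' items of the test-case table."""
    return {
        "detection_time_s": c.first_detect_s - c.attack_start_s,
        "blocking_time_s": c.first_block_s - c.attack_start_s,
        "blocking_rate": 1.0 - c.attack_passed / c.attack_sent,
        "normal_success_rate": c.normal_delivered / c.normal_sent,
        "victim_connection": c.victim_checks_ok == c.victim_checks,
        "audit_generated": c.audit_records > 0,
    }


def verdict(scores, min_blocking_rate=0.99, min_normal_success=0.95,
            max_blocking_time_s=5.0):
    """Pass/fail against acceptance thresholds. The default thresholds are
    assumptions for illustration, not criteria stated in the presentation."""
    failed = []
    if scores["blocking_rate"] < min_blocking_rate:
        failed.append("blocking rate of attack packet")
    if scores["normal_success_rate"] < min_normal_success:
        failed.append("success rate of normal packet")
    if scores["blocking_time_s"] > max_blocking_time_s:
        failed.append("blocking time of attack packet")
    if not scores["victim_connection"]:
        failed.append("connection with victim server")
    if not scores["audit_generated"]:
        failed.append("audit generation of detection & blocking")
    return (len(failed) == 0, failed)


# Constructed sample run for a product rated at 1000 Mbit/s.
SAMPLE_RUN = RunCounters(
    attack_sent=1_000_000, attack_passed=5_000,
    normal_sent=10_000, normal_delivered=9_900,
    attack_start_s=10.0, first_detect_s=10.8, first_block_s=11.5,
    victim_checks=60, victim_checks_ok=60,
    audit_records=12,
)

if __name__ == "__main__":
    print(traffic_plan(1000))
    scores = score_run(SAMPLE_RUN)
    print(scores, verdict(scores))
```

Because the normal HTTP stream and the 1 tps checking stream run concurrently with the attack, the success rate of normal packets and the victim connection check together show whether the product blocks the flood without collateral damage to legitimate traffic, which is why both sit in the table beside the blocking rate.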
03. Certified Products
■ Certified Products (Domestic)

Company               Product             EAL
Secui.com             SECUI NXG D V1.0    EAL4
Nowcom                SNIPER DDX V5.0.xg  EAL3
Nowcom                SNIPER DDX V5.1     EAL4
COMTRUE Technologies  DDoSCop-v2.0        EAL2
Thank You
Global Leader of ICT Standardization & Certification