Radware as the leader of application delivery acceleration and load balancing, has also very unique and important security solutions - Intrusion Prevention with real time DoS/ DDoS protection and Web Application Firewalls.

1. Security of Data Center
Michael Soukonnik
2.12.2010 Vilnius

2. Radware – what is it about?
We focus on data center application delivery and security
• Availability
– How do you ensure business applications are
delivered under attacks?
• Performance
– How do you ensure consistent user experience when
your network is under attack?
• Security
– What is the cost of data loss or abuse of your
resources?
• Scalability
– How do you ensure future growth while minimizing
initial spending?
• Cost reduction
– How to address all the above while reducing costs?
Slide 2

3. Security : Network & Data Center Threats
Threats Protection tools
Application vulnerability
Information theft Intrusion Prevention
Authentication defeat
Malware spread Behavioral Analysis
Network anomalies
Application downtime DoS Protection
Network downtime
Slide 3

4. Hackers’ Change in Motivation
Vandalism and publicity “Hacktivism” Financially motivated
IMDDOS
(Botnet)
Attack 2010
Kracken July 2009
Risk
Srizbi (Botnet) Cyber Attacks
(Botnet) 2009 US & Korea
Rustock 2007
(Botnet)
2007
CodeRed Storm
(Defacing IIS web servers) (Botnet)
Blaster 2007
2001 (Attacking Microsoft web site) Google / Twitter
2003 Attacks
Nimda
(Installed Trojan) Estonia’s Web Sites 2009
2001 Agobot DoS
Slammer (DoS Botnet) 2007
(Attacking SQL websites)
2003
Georgia Web sites
Republican DoS
website DoS 2008
2004
Time
2001 2005 2010
Slide 4

5. July 2009 Cyber Attacks – From The News
Slide 5

6. July 2009 Cyber Attacks: Mapping The Attacks
Mydoom.EA Botnet Characteristics
• ~50,000 zombie computers
• Diversified attacks: Bot
C&C Server
• HTTP page flood
(Infected host)
• SYN flood with packet anomalies
• UDP flood
• ICMP flood
• Destinations in US and S/Korea
BOT Command
• ~ 6-7 Gbps inbound traffic (>2 Million PPS)
Bot
(Infected host)
Internet
Attacker
Public Web Servers
Bot
(Infected host)
Bot Legitimate User
(Infected host)
Slide 7

7. July 2009 Cyber Attacks: Fighting Back
Attack Vector Solution
Bot malware spread IPS or
Network Behavior
Analysis
Bot Command & Control messages IPS
Application flooding Network Behavior
- HTTP page flood attack Analysis
Network flooding DoS Protection
- SYN/UDP/ICMP flood attack
No single protection tool can handle
today’s data center threats
Slide 8

8. The Solution

9. Network & Data Center security: Mapping The Solutions
NBA
DefensePro
Internet
 IPS Access DoS IPS Anti Trojan /
 DoS Protection
Router Protection phishing Firewall Web Servers
Application Servers
 NBA
IPS DoS NBA
Protection
APSolute attack prevention
for data centers
Slide 10

10. Network & Data center Security: Mapping The Technologies
DefensePro
 IPS 
 DoS Protection
 NBA
IPS DoS Protection NBA
Signature

Signature
Detection
Detection
Analysis 
Behavioral Behavioral

Stateful Analysis
Inspection Rate-based


Rate-based
SYN Cookies
Slide 11

11. Introducing DefensePro
DefensePro is a real-time attack prevention device that protects
your application infrastructure against network and application
downtime, application vulnerability exploitation, malware spread,
network anomalies and information theft
Slide 12

12. DefensePro Building Blocks
Slide 13

13. DefensePro: Protection Set
Slide 14

14. IPS: Static Signature Protection
• Signature protection
– Leading security research team
– Protection against known
application vulnerability exploits
– Weekly and emergency signature
updates
• Enables protection against
– Worms, Bots, Trojans, Phishing,
Spyware
– Web, Mail, SQL, VoIP (SIP), DNS
vulnerabilities
– Anonymizers, IPv6 attacks
– Microsoft vulnerabilities
– Protocol anomalies
Slide 15

15. DoS Protection: Real-time Signatures Protection
• Automatic real-time signature protection against network DDoS attacks:
– SYN floods
– TCP floods
– UDP/ICMP floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against network flooding with no need for
human intervention
Slide 16

16. Network Behavioral Analysis: Real-time Signatures Protection
• NBA (Network behavioral analysis) detects abnormal user and
application transactions
• Automatic real-time signature protection against :
– Zero-minute Malware spread
– Application resource misuse such as:
• Brute force attacks
• Web application scanning
• HTTP page floods
• SIP Scans
• SIP Floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against user and application resource
misuse with no need for human intervention
Slide 17

17. The Secret Sauce – Real-time Signatures
DoS & DDoS
Inputs
Application level threats
Public Network - Network
- Servers
- Clients Zero-Minute
Inbound Traffic malware propagation
Behavioral
Real-Time Analysis
Signature
Inspection Closed Abnormal
Module Feedback Activity
Detection
Real-Time
Signature
Outbound Traffic Generation Optimize Signature
Remove when attack
Enterprise is over
Network
Slide 18

18. Standard Security Tools: HTTP Flood Example
IRC Server
Static Signatures Approach
HTTP Bot
(Infected host)
- No solution for low-volume attacks as requests
are legitimate
- Connection limit against high volume attacks
BOT Command
 Agnostic to the attacked page Misuse of Service
 Blocks legitimate traffic Resources
 High false-positives
HTTP Bot
(Infected host)
Internet
Attacker
Public Web Servers
HTTP Bot
(Infected host)
HTTP Bot
(Infected host)
Slide 19

19. Real-Time Signatures: Accurate Mitigation
Case: HTTP Page Flood Attack
Behavioral Pattern Detection (1)
 Based on probability analysis identify which Web page
IRC Server HTTP Bot
(Infected host)
(or pages) has higher than normal hits
BOT Command
Real Time Signature: Misuse of Service
 Block abnormal users’ access to the specific Resources
page(s) under attack Bot
HTTP
(Infected host)
Internet
Attacker
Behavioral Pattern Detection (2)
 Identify abnormal user activity Public Web Servers
For example: HTTP Bot
- Normal users download few pages per connection
(Infected host)
- Abnormal users download many pages per connection
HTTP Bot
(Infected host)
Slide 20

20. Real-Time Signatures: Resistance to False Positive
Case: Flash Crowd Access
Behavioral Pattern Detection (1)
 Based on probability analysis identify which web page
(or pages) has higher than normal hits
Legitimate User
Attack not detected
 No real time signature is generated
 No user is blocked
Legitimate User
Internet
Behavioral Pattern Detection (2) Public Web Servers
 No detection of abnormal user activity
Legitimate User
Legitimate User
Slide 21

21. DefensePro: OnDemand Switch
Slide 22

22. OnDemand Switch: Architecture Designed for Attacks Prevention
DoS Mitigation Engine
• ASIC based
• Prevent high volume
attacks
• Up to 10 Million PPS of
attack protection
IPS NBA Protections
• ASIC based String Match • Prevent application
Engine performing deep resource misuse
packet inspection • Prevent zero-minute
• Prevent application malware
vulnerability exploits
OnDemand Switch
Platform Capacity up to
12Gbps
Slide 23

23. The Competitive Advantage: Performance Under Attack
Attack traffic does Device handles attack
not impact legitimate traffic at the expense of
10 Million traffic legitimate traffic!
PPS
Attack
Traffic
Attack
Attack
Multi-Gbps Multi-Gbps
Capacity Capacity
Attack
Legitimate Legitimate
Traffic
Traffic Traffic
+ Attack
DefensePro Other Network Security Solutions
Slide 24

24. ot
Next Generation DefensePro: IPS+DoS Architecture
Standard IPS
Solution
Real-time
Signatures Engine Static Signature
(Multi CPU Cores) Engine (DPI)
Real-time
Real-time
signature
signature
injection
APSolute Immunity DefensePro On-Demand Switch 3:
APSolute Immunity
booster: • Up to 12Gbps of network traffic inspection
Engines
• Prevent high volume • 4,000,000 concurrent sessions
attacks • Latency < 100 micro seconds
• Up to 10 Million PPS of
attack
Page 25

25. Reputation Services
• IP Reputation Service
– External real time feeds from 3rd party reputation based services
– Instant blocking of attacks using real-time signatures
– Value proposition
• Protects against
– Botnets (Source IP reputation)
– Zero-minute malware (Web site reputation)
– Social engineering attacks (Web site reputation , e.g., Phishing, drop points)
– Spam (Source IP reputation)
• Easy integration through Reputation Engine
Slide 26

26. Summary: APSolute Attack Prevention
• APSolute Attack Prevention offers synergy of complementing protection
technologies
– IPS: static signatures
– NBA: real-time signatures
– DoS Protection: real-time signatures
– Reputation Engine: real-time feeds
• Resulting in
– Proactive best of breed network security solution for networks and data
centers
Slide 27

27. OnDemand Attack Prevention: Models up to 12Gbps
• DefensePro x412 Behavioral Protection
– Models:
• DefensePro 4412 (4Gbps)
• DefensePro 8412 (8Gbps)
• DefensePro 12412 (12Gbps)
• DefensePro x412 IPS & Behavioral Protection
– Models:
• DefensePro 4412 (4Gbps)
• DefensePro 8412 (8Gbps)
• DefensePro x016 IPS & Behavioral Protection
– Models:
• DefensePro 1016 (1Gbps)
• DefensePro 2016 (2Gbps)
• DefensePro 3016 (3Gbps)
License Key Upgrade
Slide 28

28. On-Demand Attack Prevention: Value Proposition
• Unmatched Performance
– Leading industry performance up to 12Gbps with active
network security profiles
• OnDemand Scalability
– Scale up performance by increasing throughput using a “Radware offers
simple license upgrade low product and
– No hardware replacement needed
maintenance
• Investment Protection
costs, as
– Buy what you need – prevent overspending for capacity
you don’t need now compared with
– Pay-as-you-grow and only for the added throughput license most competitors.”
• No Upgrade Projects
Greg Young & John Pescatore,
– No hardware replacement, staging and network downtime Gartner, April 2009
– Huge cost saving and best TCO
• Operational Simplicity and Standardization
– A standard, unified platform suitable for all throughput levels
– Savings on training, spares and maintenance
Slide 29

29. DefensePro: Monitoring and Reporting
Slide 30

30. APSolute Vision: Advanced Monitoring and Reporting
• Real-time monitoring
– Active attack details
• Historical reporting
– Per customer dashboards
– Custom reports
Slide 31

31. APSolute Vision: The Value Proposition
APSolute Vision helps Data Center IT managers improve business:
• Resilience
– Real-time identification, prioritization, and response to policy breaches,
cyber attacks and insider threats
• Agility
– Per user customization of real-time dashboards and historical reports.
• Efficiency
Simplifies data center management
– Improves IT productivity
Slide 32

32. Summary

33. DefensePro Differentiators
• Best security solution for data centers
in a single box:
– Intrusion prevention (IPS) “Radware focus on
– DoS protection behavioral assessment
– Network behavioral analysis (NBA) is unique in the IPS
– IP reputation service
market. When
• Best performing solution combined with
– DoS Mitigator Engine - maintain throughput traditional detection
when under attack
mechanisms, this puts
• Best in class unified monitoring and reporting
radware in a strong
• Lowest CapEx position to emerging
– Multitude of security tools in a single box threats.”
– Pay-As-You-Grow – scalable platform selection
with license upgrade for throughput Greg Young & John Pescatore,
Gartner, April 2009
• Lowest OpEx
– Automatic real-time signatures protection with no
need for human intervention
– Unified management
Slide 34

34. Thank You