Radware, the leader in application delivery, acceleration and load balancing, also offers unique and important security solutions: Intrusion Prevention with real-time DoS/DDoS protection, and Web Application Firewalls.
2. Radware – what is it about?
We focus on data center application delivery and security
• Availability
– How do you ensure business applications are delivered under attacks?
• Performance
– How do you ensure consistent user experience when your network is under attack?
• Security
– What is the cost of data loss or abuse of your resources?
• Scalability
– How do you ensure future growth while minimizing initial spending?
• Cost reduction
– How to address all the above while reducing costs?
Slide 2
3. Security : Network & Data Center Threats
Threats                     Protection tools
Application vulnerability
Information theft           Intrusion Prevention
Authentication defeat
Malware spread              Behavioral Analysis
Network anomalies
Application downtime        DoS Protection
Network downtime
Slide 3
4. Hackers’ Change in Motivation
[Timeline figure, 2001 to 2010, with the motivation shifting from vandalism and publicity, through “hacktivism”, to financially motivated attacks. Events plotted: CodeRed (defacing IIS web servers) 2001; Nimda (installed Trojan) 2001; Blaster (attacking Microsoft web site) 2003; Slammer (attacking SQL websites) 2003; Republican website DoS 2004; Agobot (DoS botnet); Estonia’s web sites DoS 2007; Storm (botnet) 2007; Rustock (botnet) 2007; Srizbi (botnet); Georgia web sites DoS 2008; Kraken (botnet) July 2009; Google / Twitter attacks 2009; cyber attacks on US & Korea 2009; IMDDOS (botnet) 2010. Axes: Risk vs. Time (2001, 2005, 2010).]
Slide 4
9. Network & Data Center security: Mapping The Solutions
[Network diagram: Internet, Access Router, Firewall, then Web Servers and Application Servers. DefensePro protection layers (IPS, DoS Protection, NBA, with the IPS also covering Anti Trojan / phishing) are shown at the Internet edge and again in front of the web and application servers.]
APSolute attack prevention for data centers
Slide 10
10. Network & Data center Security: Mapping The Technologies
DefensePro
IPS                    DoS Protection         NBA
Signature Detection    Behavioral Analysis    Signature Detection
Stateful Inspection    Rate-based             Behavioral Analysis
                       SYN Cookies            Rate-based
Slide 11
11. Introducing DefensePro
DefensePro is a real-time attack prevention device that protects your application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies and information theft.
Slide 12
14. IPS: Static Signature Protection
• Signature protection
– Leading security research team
– Protection against known application vulnerability exploits
– Weekly and emergency signature updates
• Enables protection against
– Worms, Bots, Trojans, Phishing, Spyware
– Web, Mail, SQL, VoIP (SIP), DNS vulnerabilities
– Anonymizers, IPv6 attacks
– Microsoft vulnerabilities
– Protocol anomalies
Slide 15
15. DoS Protection: Real-time Signatures Protection
• Automatic real-time signature protection against network DDoS attacks:
– SYN floods
– TCP floods
– UDP/ICMP floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against network flooding with no need for human intervention
Slide 16
16. Network Behavioral Analysis: Real-time Signatures Protection
• NBA (Network behavioral analysis) detects abnormal user and application transactions
• Automatic real-time signature protection against:
– Zero-minute Malware spread
– Application resource misuse such as:
• Brute force attacks
• Web application scanning
• HTTP page floods
• SIP Scans
• SIP Floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against user and application resource misuse with no need for human intervention
Slide 17
17. The Secret Sauce – Real-time Signatures
[Diagram of the real-time signature loop. Inputs: DoS & DDoS, application level threats, zero-minute malware propagation. Inbound traffic from the public network (network, servers, clients) passes through the Real-Time Signature Inspection Module; Behavioral Analysis feeds Abnormal Activity Detection, which drives Real-Time Signature Generation; a closed feedback loop optimizes the signature and removes it when the attack is over; outbound traffic continues to the enterprise network.]
Slide 18
18. Standard Security Tools: HTTP Flood Example
[Diagram: an attacker issues bot commands through an IRC server to several HTTP bots (infected hosts), which flood the public web servers over the Internet, misusing service resources.]
Static Signatures Approach
- No solution for low-volume attacks, as the requests are legitimate
- Connection limit against high volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false-positives
Slide 19
19. Real-Time Signatures: Accurate Mitigation
Case: HTTP Page Flood Attack
[Diagram: as on the previous slide, an attacker drives HTTP bots (infected hosts) through an IRC server to flood the public web servers.]
Behavioral Pattern Detection (1)
Based on probability analysis, identify which Web page (or pages) has higher than normal hits
Behavioral Pattern Detection (2)
Identify abnormal user activity. For example:
- Normal users download few pages per connection
- Abnormal users download many pages per connection
Real Time Signature
Block abnormal users’ access to the specific page(s) under attack
Slide 20
20. Real-Time Signatures: Resistance to False Positive
Case: Flash Crowd Access
[Diagram: many legitimate users reach the public web servers over the Internet.]
Behavioral Pattern Detection (1)
Based on probability analysis, identify which web page (or pages) has higher than normal hits
Behavioral Pattern Detection (2)
No detection of abnormal user activity
Result: attack not detected, no real time signature is generated, no user is blocked
Slide 21
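A toy implementation of the two-stage behavioral detection on slides 20 and 21 and the closed feedback loop on slide 18, added here as an example and not Radware's code: it flags pages with higher than normal hits, then flags only the clients that fetch many pages per connection to those pages, so a bot flood yields a signature while a flash crowd does not. The baseline hit counts, thresholds, request tuples and IP addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

# Assumed per-interval baseline hits per page and detection thresholds (constructed).
BASELINE_HITS = {"/": 100, "/login": 40, "/news": 60}
PAGE_FACTOR = 3.0      # a page is "hot" when its hits exceed 3x its baseline
PAGES_PER_CONN = 5     # a client is abnormal above this many hot-page hits per connection

def hot_pages(requests):
    """Stage 1: pages with higher than normal hits relative to the baseline.
    requests is a list of (client_ip, connection_id, page) tuples."""
    hits = Counter(page for _, _, page in requests)
    return {p for p, n in hits.items() if n > PAGE_FACTOR * BASELINE_HITS.get(p, 1)}

def abnormal_users(requests, pages):
    """Stage 2: clients that download many pages per connection from the hot pages."""
    per_conn = defaultdict(int)
    for ip, conn, page in requests:
        if page in pages:
            per_conn[(ip, conn)] += 1
    return {ip for (ip, _), n in per_conn.items() if n > PAGES_PER_CONN}

def realtime_signature(requests):
    """Emit a signature (pages under attack, sources to block) only when both stages fire.
    Returns None for a flash crowd: the page is hot but no client behaves abnormally."""
    pages = hot_pages(requests)
    if not pages:
        return None
    users = abnormal_users(requests, pages)
    if not users:
        return None
    return {"pages": sorted(pages), "block": sorted(users)}

def attack_over(requests, signature):
    """Closed feedback: the signature can be removed once none of its pages is hot."""
    return not (set(signature["pages"]) & hot_pages(requests))

def bot_flood():
    """Constructed traffic: 4 bots, 2 connections each, 20 hits on /news per connection,
    mixed with 50 normal users fetching 2 pages over one connection each."""
    reqs = [(f"10.0.0.{b}", c, "/news") for b in range(1, 5) for c in range(2) for _ in range(20)]
    reqs += [(f"192.0.2.{u}", 0, p) for u in range(1, 51) for p in ("/", "/news")]
    return reqs

def flash_crowd():
    """Constructed traffic: 250 distinct users each fetch /news twice over one connection."""
    return [(f"198.51.100.{u}", u, "/news") for u in range(250) for _ in range(2)]

if __name__ == "__main__":
    print("bot flood   ->", realtime_signature(bot_flood()))
    print("flash crowd ->", realtime_signature(flash_crowd()))
```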
22. OnDemand Switch: Architecture Designed for Attacks Prevention
DoS Mitigation Engine
• ASIC based
• Prevent high volume attacks
• Up to 10 Million PPS of attack protection
IPS
• ASIC based String Match Engine performing deep packet inspection
• Prevent application vulnerability exploits
NBA Protections
• Prevent application resource misuse
• Prevent zero-minute malware
OnDemand Switch: platform capacity up to 12Gbps
Slide 23
23. The Competitive Advantage: Performance Under Attack
[Comparison figure. DefensePro: attack traffic (up to 10 Million PPS) does not impact legitimate traffic, so the multi-Gbps capacity remains available to legitimate traffic. Other network security solutions: the device handles attack traffic at the expense of legitimate traffic, as the same multi-Gbps capacity is shared between legitimate traffic and the attack.]
Slide 24
24. Next Generation DefensePro: IPS+DoS Architecture
[Architecture figure. Standard IPS solution: Static Signature Engine (DPI). APSolute Immunity booster: Real-time Signatures Engine (multi CPU cores) with real-time signature injection into the static engine; APSolute Immunity Engines prevent high volume attacks, up to 10 Million PPS of attack.]
DefensePro On-Demand Switch 3:
• Up to 12Gbps of network traffic inspection
• 4,000,000 concurrent sessions
• Latency < 100 micro seconds
Page 25
25. Reputation Services
• IP Reputation Service
– External real time feeds from 3rd party reputation based services
– Instant blocking of attacks using real-time signatures
– Value proposition
• Protects against
– Botnets (Source IP reputation)
– Zero-minute malware (Web site reputation)
– Social engineering attacks (Web site reputation, e.g., phishing, drop points)
– Spam (Source IP reputation)
• Easy integration through Reputation Engine
Slide 26
26. Summary: APSolute Attack Prevention
• APSolute Attack Prevention offers synergy of complementing protection technologies
– IPS: static signatures
– NBA: real-time signatures
– DoS Protection: real-time signatures
– Reputation Engine: real-time feeds
• Resulting in
– Proactive best of breed network security solution for networks and data centers
Slide 27
28. On-Demand Attack Prevention: Value Proposition
• Unmatched Performance
– Leading industry performance up to 12Gbps with active network security profiles
• OnDemand Scalability
– Scale up performance by increasing throughput using a simple license upgrade
– No hardware replacement needed
• Investment Protection
– Buy what you need – prevent overspending for capacity you don’t need now
– Pay-as-you-grow and only for the added throughput license
• No Upgrade Projects
– No hardware replacement, staging and network downtime
– Huge cost saving and best TCO
• Operational Simplicity and Standardization
– A standard, unified platform suitable for all throughput levels
– Savings on training, spares and maintenance
“Radware offers low product and maintenance costs, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, April 2009
Slide 29
30. APSolute Vision: Advanced Monitoring and Reporting
• Real-time monitoring
– Active attack details
• Historical reporting
– Per customer dashboards
– Custom reports
Slide 31
31. APSolute Vision: The Value Proposition
APSolute Vision helps Data Center IT managers improve business:
• Resilience
– Real-time identification, prioritization, and response to policy breaches, cyber attacks and insider threats
• Agility
– Per user customization of real-time dashboards and historical reports
• Efficiency
– Simplifies data center management
– Improves IT productivity
Slide 32
33. DefensePro Differentiators
• Best security solution for data centers in a single box:
– Intrusion prevention (IPS)
– DoS protection
– Network behavioral analysis (NBA)
– IP reputation service
• Best performing solution
– DoS Mitigator Engine - maintain throughput when under attack
• Best in class unified monitoring and reporting
• Lowest CapEx
– Multitude of security tools in a single box
– Pay-As-You-Grow – scalable platform selection with license upgrade for throughput
• Lowest OpEx
– Automatic real-time signatures protection with no need for human intervention
– Unified management
“Radware focus on behavioral assessment is unique in the IPS market. When combined with traditional detection mechanisms, this puts Radware in a strong position to emerging threats.”
Greg Young & John Pescatore, Gartner, April 2009
Slide 34