Radware - DSS @Vilnius 2010

Security of Data Center, Michael Soukonnik, 2.12.2010 Vilnius

Upload: andris-soroka

Post on 12-Jun-2015


DESCRIPTION

Radware, as the leader in application delivery, acceleration and load balancing, also offers unique and important security solutions: Intrusion Prevention with real-time DoS/DDoS protection, and Web Application Firewalls.

TRANSCRIPT

Page 1: Radware - DSS @Vilnius 2010

Security of Data Center, Michael Soukonnik, 2.12.2010 Vilnius

Page 2

Radware – what is it about?

• Availability

– How do you ensure business applications are delivered under attacks?

• Performance

– How do you ensure consistent user experience when your network is under attack?

• Security

– What is the cost of data loss or abuse of your resources?

• Scalability

– How do you ensure future growth while minimizing initial spending?

• Cost reduction

– How to address all the above while reducing costs?

Slide 2

We focus on data center application delivery and security

Page 3

Security: Network & Data Center Threats

Threats: application vulnerability, information theft, authentication defeat, malware spread, network anomalies, application downtime, network downtime

Protection tools: Intrusion Prevention, Behavioral Analysis, DoS Protection

Page 4

Hackers’ Change in Motivation

(Diagram: attack risk over time, 2001 to 2010, moving from vandalism and publicity, through “hacktivism”, to financially motivated attacks)

• 2001: CodeRed (defacing IIS web servers); Nimda (installed Trojan)

• 2003: Blaster (attacking Microsoft web site); Slammer (attacking SQL websites)

• 2004: Republican website DoS

• 2005: Agobot (DoS botnet)

• 2007: Storm (botnet); Srizbi (botnet); Rustock (botnet); Estonia’s web sites DoS

• 2008: Georgia web sites DoS

• 2009: Google / Twitter attacks; Kracken (botnet); July 2009 cyber attacks, US & Korea

• 2010: IMDDOS (botnet)

Page 5

July 2009 Cyber Attacks – From The News

Page 6

July 2009 Cyber Attacks: Mapping The Attacks

(Diagram: the attacker issues a BOT command through a C&C server to bots (infected hosts) across the Internet, which flood the public web servers alongside the legitimate user)

Mydoom.EA Botnet Characteristics

• ~50,000 zombie computers

• Diversified attacks:

– HTTP page flood

– SYN flood with packet anomalies

– UDP flood

– ICMP flood

• Destinations in US and S/Korea

• ~6-7 Gbps inbound traffic (>2 Million PPS)

Page 7

July 2009 Cyber Attacks: Fighting Back

Attack vector and the solution that addresses it:

• Bot malware spread: IPS or Network Behavior Analysis

• Bot Command & Control messages: IPS

• Application flooding (HTTP page flood attack): Network Behavior Analysis

• Network flooding (SYN/UDP/ICMP flood attack): DoS Protection

No single protection tool can handle today’s data center threats

Page 8

The Solution

Page 9

Network & Data Center security: Mapping The Solutions

(Diagram: traffic from the Internet passes the access router and firewall to the web servers and application servers; DoS Protection, IPS, NBA and anti Trojan / phishing are placed along this path, with DefensePro combining IPS, DoS Protection and NBA)

APSolute attack prevention for data centers

Page 10

Network & Data center Security: Mapping The Technologies

(Diagram: DefensePro combines IPS, DoS Protection and NBA; the underlying technologies shown are signature detection, rate-based detection, behavioral analysis, stateful inspection and SYN cookies)

Page 11

Introducing DefensePro

DefensePro is a real-time attack prevention device that protects your application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies and information theft

Page 12

DefensePro Building Blocks

Page 13

DefensePro: Protection Set

Page 14

IPS: Static Signature Protection

• Signature protection

– Leading security research team

– Protection against known application vulnerability exploits

– Weekly and emergency signature updates

• Enables protection against

– Worms, Bots, Trojans, Phishing, Spyware

– Web, Mail, SQL, VoIP (SIP), DNS vulnerabilities

– Anonymizers, IPv6 attacks

– Microsoft vulnerabilities

– Protocol anomalies

Page 15

DoS Protection: Real-time Signatures Protection

• Automatic real-time signature protection against network DDoS attacks:

– SYN floods

– TCP floods

– UDP/ICMP floods

• Value proposition

– Maintain critical application availability even under attack

– Block attacks without blocking legitimate user traffic

– Automatic, real-time protection against network flooding with no need for human intervention

Page 16

Network Behavioral Analysis: Real-time Signatures Protection

• NBA (Network behavioral analysis) detects abnormal user and application transactions

• Automatic real-time signature protection against:

– Zero-minute malware spread

– Application resource misuse such as: brute force attacks, web application scanning, HTTP page floods, SIP scans, SIP floods

• Value proposition

– Maintain critical application availability even under attack

– Block attacks without blocking legitimate user traffic

– Automatic, real-time protection against user and application resource misuse with no need for human intervention

Page 17

The Secret Sauce – Real-time Signatures

(Diagram: inbound and outbound traffic between the public network and the enterprise network passes through an inspection module. Behavioral analysis, taking network, server and client inputs, performs abnormal activity detection and drives real-time signature generation; the signature is fed back to the inspection module in a closed feedback loop, optimized while the attack runs, and removed when the attack is over. Covers DoS & DDoS, application level threats and zero-minute malware propagation.)

Page 18

Standard Security Tools: HTTP Flood Example

(Diagram: the attacker sends a BOT command through an IRC server to HTTP bots (infected hosts), which misuse the service resources of the public web servers over the Internet)

Static Signatures Approach

– No solution for low-volume attacks, as the requests are legitimate

– Connection limit against high volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false-positives

Page 19

Real-Time Signatures: Accurate Mitigation

Case: HTTP Page Flood Attack

(Diagram: as on the previous page, HTTP bots commanded through an IRC server misuse the service resources of the public web servers)

Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits

Behavioral Pattern Detection (2): identify abnormal user activity. For example:

– Normal users download few pages per connection

– Abnormal users download many pages per connection

Real Time Signature: block abnormal users’ access to the specific page(s) under attack

Page 20

Real-Time Signatures: Resistance to False Positive

Case: Flash Crowd Access

(Diagram: many legitimate users access the public web servers over the Internet at the same time)

Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits

Behavioral Pattern Detection (2): no detection of abnormal user activity

Attack not detected: no real time signature is generated, and no user is blocked
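The two-stage behavioral detection described for the HTTP page flood and flash crowd cases (pages 19 and 20), and the signature generation step of the real-time signature loop (page 17), as an added Python illustration written for this transcript. It is not Radware's code: the access-log format, the "higher than normal" ratio, the pages-per-connection threshold and the sample traffic are all constructed assumptions chosen to make the two cases separable.

```python
"""Two-stage behavioral detection of an HTTP page flood, with the flash-crowd
negative case. Added illustration only, not Radware code: the log format,
the thresholds and the sample traffic below are constructed for this example."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    client: str   # source IP of the client
    conn_id: int  # TCP connection the request arrived on
    page: str     # requested URL path


def parse_log(lines):
    """Parse constructed access-log lines of the form '<client-ip> <conn-id> <path>'."""
    out = []
    for line in lines:
        client, conn, page = line.split()
        out.append(Request(client, int(conn), page))
    return out


def hot_pages(baseline, observed, ratio=3.0, min_hits=20):
    """Stage (1): pages whose share of all hits in the observed window is far
    above their share in the learned baseline (assumed factor `ratio`).
    `min_hits` keeps a rarely seen page from being flagged on a handful of hits."""
    base_total = sum(baseline.values()) or 1
    obs_total = sum(observed.values()) or 1
    floor = 1 / base_total  # share assumed for a page never seen in the baseline
    hot = set()
    for page, hits in observed.items():
        base_share = max(baseline.get(page, 0) / base_total, floor)
        if hits >= min_hits and hits / obs_total > ratio * base_share:
            hot.add(page)
    return hot


def abnormal_clients(reqs, hot, max_pages_per_conn=5):
    """Stage (2): clients that fetch many hot pages over a single connection
    (assumed threshold); normal users fetch only a few pages per connection."""
    per_conn = defaultdict(int)
    for r in reqs:
        if r.page in hot:
            per_conn[(r.client, r.conn_id)] += 1
    return {client for (client, _), n in per_conn.items() if n > max_pages_per_conn}


def generate_signature(baseline_lines, window_lines):
    """Return a real-time signature (clients to block, pages to protect), or
    None when stage (1) or stage (2) does not fire."""
    baseline = Counter(r.page for r in parse_log(baseline_lines))
    reqs = parse_log(window_lines)
    hot = hot_pages(baseline, Counter(r.page for r in reqs))
    if not hot:
        return None
    bad = abnormal_clients(reqs, hot)
    if not bad:
        return None  # flash crowd: hot page, but every user behaves normally
    return {"block_clients": sorted(bad), "pages": sorted(hot)}


def allowed(signature, req):
    """Enforce a signature: only the abnormal clients are dropped, and only for
    the attacked page(s); every other request passes."""
    if signature is None:
        return True
    return not (req.client in signature["block_clients"] and req.page in signature["pages"])


# ---- constructed traffic (not captured data) --------------------------------
def _hits(prefix, conn, page, n):
    return [f"{prefix}.{i} {conn} {page}" for i in range(1, n + 1)]


BASELINE_LOG = (_hits("10.0.0", 1, "/", 100) + _hits("10.0.0", 2, "/news", 50)
                + _hits("10.0.0", 3, "/login", 20) + _hits("10.0.0", 4, "/search", 30))
LEGIT_WINDOW = (_hits("10.0.0", 1, "/", 40) + _hits("10.0.0", 2, "/news", 20)
                + _hits("10.0.0", 3, "/login", 8) + _hits("10.0.0", 4, "/search", 12))
# page flood: four bots, each requesting /login 50 times over one connection
ATTACK_WINDOW = LEGIT_WINDOW + [f"192.0.2.{b} 1 /login" for b in range(10, 14) for _ in range(50)]
# flash crowd: 300 distinct users each open one connection and fetch /news once
FLASH_WINDOW = LEGIT_WINDOW + [f"10.1.{i // 250}.{i % 250 + 1} 1 /news" for i in range(300)]

if __name__ == "__main__":
    print("page flood :", generate_signature(BASELINE_LOG, ATTACK_WINDOW))
    print("flash crowd:", generate_signature(BASELINE_LOG, FLASH_WINDOW))
```

Running the block prints a signature naming the four bot addresses and the page /login for the flood window, and None for the flash crowd window, because stage (1) fires in both cases but stage (2) only in the first. A connection-limit rule of the kind criticized on page 18 would have blocked the flash crowd as well. The "optimize signature" and "remove when attack is over" steps of the page 17 loop are not modelled here; a real engine would also age the signature out once /login returns to its baseline share.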

Page 21

DefensePro: OnDemand Switch

Page 22

OnDemand Switch: Architecture Designed for Attacks Prevention

OnDemand Switch Platform: capacity up to 12Gbps

DoS Mitigation Engine

• ASIC based

• Prevent high volume attacks

• Up to 10 Million PPS of attack protection

NBA Protections

• Prevent application resource misuse

• Prevent zero-minute malware

IPS

• ASIC based String Match Engine performing deep packet inspection

• Prevent application vulnerability exploits

Page 23

The Competitive Advantage: Performance Under Attack

(Diagram: multi-Gbps capacity shared between legitimate traffic and 10 Million PPS of attack traffic, compared for other network security solutions and for DefensePro)

Other Network Security Solutions: device handles attack traffic at the expense of legitimate traffic!

DefensePro: attack traffic does not impact legitimate traffic

Page 24

Next Generation DefensePro: IPS+DoS Architecture

(Diagram: a Static Signature Engine (DPI) and a Real-time Signatures Engine (multi CPU cores) form the APSolute Immunity engines of a standard IPS solution with real-time signatures; an ASIC-based DoS Mitigator adds the APSolute Immunity booster, with real-time signature injection into the engines: “APSolute Immunity with Booster Shot”)

DefensePro On-Demand Switch 3:

• Up to 12Gbps of network traffic inspection

• 4,000,000 concurrent sessions

• Latency < 100 micro seconds

APSolute Immunity booster:

• Prevent high volume attacks

• Up to 10 Million PPS of attack

Page 25

Reputation Services

• IP Reputation Service

– External real time feeds from 3rd party reputation based services

– Instant blocking of attacks using real-time signatures

• Value proposition: protects against

– Botnets (source IP reputation)

– Zero-minute malware (web site reputation)

– Social engineering attacks (web site reputation, e.g., phishing, drop points)

– Spam (source IP reputation)

• Easy integration through Reputation Engine

Page 26

Summary: APSolute Attack Prevention

• APSolute Attack Prevention offers synergy of complementing protection technologies

– IPS: static signatures

– NBA: real-time signatures

– DoS Protection: real-time signatures

– Reputation Engine: real-time feeds

• Resulting in

– Proactive best of breed network security solution for networks and data centers

Page 27

OnDemand Attack Prevention: Models up to 12Gbps

• DefensePro x412 Behavioral Protection

– Models: DefensePro 4412 (4Gbps), DefensePro 8412 (8Gbps), DefensePro 12412 (12Gbps)

• DefensePro x412 IPS & Behavioral Protection

– Models: DefensePro 4412 (4Gbps), DefensePro 8412 (8Gbps)

• DefensePro x016 IPS & Behavioral Protection

– Models: DefensePro 1016 (1Gbps), DefensePro 2016 (2Gbps), DefensePro 3016 (3Gbps)

License Key Upgrade

Page 28

On-Demand Attack Prevention: Value Proposition

• Unmatched Performance – Leading industry performance up to 12Gbps with active network security profiles

• OnDemand Scalability – Scale up performance by increasing throughput using a simple license upgrade

– No hardware replacement needed

• Investment Protection – Buy what you need – prevent overspending for capacity you don’t need now

– Pay-as-you-grow and only for the added throughput license

• No Upgrade Projects – No hardware replacement, staging and network downtime

– Huge cost saving and best TCO

• Operational Simplicity and Standardization – A standard, unified platform suitable for all throughput levels

– Savings on training, spares and maintenance

“Radware offers low product and maintenance costs, as compared with most competitors.”

Greg Young & John Pescatore, Gartner, April 2009

Page 29

DefensePro: Monitoring and Reporting

Page 30

APSolute Vision: Advanced Monitoring and Reporting

• Real-time monitoring

– Active attack details

• Historical reporting

– Per customer dashboards

– Custom reports

Page 31

APSolute Vision: The Value Proposition

APSolute Vision helps Data Center IT managers improve business:

• Resilience

– Real-time identification, prioritization, and response to policy breaches, cyber attacks and insider threats

• Agility

– Per user customization of real-time dashboards and historical reports

• Efficiency

– Simplifies data center management

– Improves IT productivity

Page 32

Summary

Page 33

DefensePro Differentiators

• Best security solution for data centers in a single box:

– Intrusion prevention (IPS)

– DoS protection

– Network behavioral analysis (NBA)

– IP reputation service

• Best performing solution

– DoS Mitigator Engine - maintain throughput when under attack

• Best in class unified monitoring and reporting

• Lowest CapEx

– Multitude of security tools in a single box

– Pay-As-You-Grow – scalable platform selection with license upgrade for throughput

• Lowest OpEx

– Automatic real-time signatures protection with no need for human intervention

– Unified management

“Radware focus on behavioral assessment is unique in the IPS market. When combined with traditional detection mechanisms, this puts Radware in a strong position to emerging threats.”

Greg Young & John Pescatore, Gartner, April 2009

Page 34

Thank You