dss itsec conference 2012 - radware_ams_tech


DESCRIPTION

Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.

TRANSCRIPT


Radware Attack Mitigation System (AMS)

Igor Kontsevoy

November 2012

Agenda

• Radware Attack Mitigation System (AMS)
• AMS technology overview
• Summary

Introducing Radware Attack Mitigation System

Mapping Security Protection Tools

Protection tools shown on the slide: DoS Protection, Behavioral Analysis, IP Reputation, IPS, WAF.

Threats mapped against those tools:

– Large volume network flood attacks
– Web attacks: XSS, brute force
– SYN flood attack
– Application vulnerability, malware
– Web attacks: SQL injection
– Port scan
– "Low & Slow" DoS attacks (e.g. Sockstress)
– Network scan
– Intrusion
– High and slow application DoS attacks

AMS Protection Set

NBA
• Prevent application resource misuse
• Prevent zero-minute malware spread

DoS Protection
• Prevent all types of network DDoS attacks

IPS
• Prevent application vulnerability exploits

WAF
• Mitigate Web application attacks
• PCI compliance

Reputation Engine
• Financial fraud protection
• Anti-Trojan & phishing

Technology Overview

Network-based DoS Protections

Real-time protections against:

– TCP SYN floods
– TCP SYN+ACK floods
– TCP FIN floods
– TCP RESET floods
– TCP out-of-state floods
– TCP fragment floods
– UDP floods
– ICMP floods
– IGMP floods
– Packet anomalies
– Known DoS tools
– Custom DoS signatures

Network Behavior Analysis & Real-Time Signature Technology

[Diagram: inbound traffic from the Public Network passes through the Detection Engine (Learning, Statistics, Blocking Rules), which derives Real-Time (RT) Signatures from the traffic characteristics; filtered traffic continues to the Protected Network and outbound traffic returns the same way.]

Signature parameters:

• Source/Destination IP
• Source/Destination Port
• Packet size
• TTL (Time To Live)
• DNS Query
• Packet ID
• TCP sequence number
• More … (up to 20)

Mitigation optimization process (closed feedback: the Degree of Attack is re-measured after each step; Low = positive feedback, High = negative feedback):

1. Initial filter is generated: Packet ID
2. Filter optimization: Packet ID AND Source IP
3. Filter optimization: Packet ID AND Source IP AND Packet size
4. Filter optimization: Packet ID AND Source IP AND Packet size AND TTL
5. Narrowest filters: Packet ID, Source IP Address, Packet size, TTL

Time [sec]: mitigation starts with the initial filter at 0; closed-feedback optimization runs for up to 10 seconds; the final filter is in place at 10+X.

Decision Making - Attack

[3-D decision plot with axes "abnormal rate of packets, …", "abnormal protocol distribution [%]" and "Attack Degree"; regions: normal adapted area, suspicious area, attack area. Attack case shown: Attack Degree = 10 (Attack).]

Adaptive Detection Engine

• Inputs: a rate parameter and a rate-invariant parameter
• Output: Degree of Attack (DoA), which places the traffic in the normal adapted area, the suspicious area or the attack area
• Flash crowd scenario: low DoA (a legitimate surge raises the rate but leaves the rate-invariant parameter normal)
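The two ideas above, a Degree of Attack built from a rate input plus a rate-invariant input and a closed-feedback loop that ANDs signature fields together while the DoA stays low, as an added toy simulation. This is not Radware code: the DoA formula, the thresholds and the packet window are constructed assumptions, and the field-by-field accept/reject rule is one reading of the slide's positive/negative feedback.

```python
from collections import Counter

PARAMS = ["pkt_id", "src_ip", "size", "ttl"]      # candidate signature fields
BASE_PPS = 100                                     # learned baseline rate (assumed)
BASE_MIX = {"tcp": 0.7, "udp": 0.2, "icmp": 0.1}   # learned protocol mix (assumed)

def degree_of_attack(pkts):
    """Toy Degree of Attack (0..10) from a rate input (packets in the window
    vs. baseline) and a rate-invariant input (protocol mix vs. baseline).
    A flash crowd raises the rate but keeps the mix normal, so it scores 0.
    The formula itself is an assumption made for this example."""
    rate_term = min(1.0, max(0.0, len(pkts) / BASE_PPS - 1) / 4)
    mix, n = Counter(p["proto"] for p in pkts), len(pkts) or 1
    drift = sum(abs(mix[k] / n - BASE_MIX.get(k, 0)) for k in set(mix) | set(BASE_MIX))
    return round(10 * rate_term * min(1.0, drift))

def matches(p, sig):
    return all(p[f] == v for f, v in sig.items())

def build_signature(window, low_doa=3):
    """Closed-feedback filter optimisation: generate an initial filter on one
    field, then try to AND in further fields one at a time. After each step
    the DoA of the traffic that still passes the filter is re-measured: a low
    DoA is positive feedback (keep the narrower filter), a high DoA is
    negative feedback (that field split the attack, so it is dropped)."""
    sig, steps = {}, []
    for field in PARAMS:
        inside = [p for p in window if matches(p, sig)]
        value, _ = Counter(p[field] for p in inside).most_common(1)[0]
        trial = dict(sig, **{field: value})
        doa = degree_of_attack([p for p in window if not matches(p, trial)])
        if doa <= low_doa:
            sig = trial
        steps.append((field, doa, doa <= low_doa))
    return sig, steps

# Constructed one-second window: 100 legitimate packets (some carrying IP ID 0)
# plus a 400-packet UDP flood from two sources with constant ID, size and TTL.
LEGIT = [{"proto": "tcp" if i < 70 else "udp" if i < 90 else "icmp",
          "pkt_id": i % 10, "src_ip": f"10.0.{i % 5}.1",
          "size": 128 + (i % 8) * 100, "ttl": 64 if i % 2 else 128} for i in range(100)]
FLOOD = [{"proto": "udp", "pkt_id": 0, "src_ip": f"198.51.100.{7 + i % 2}",
          "size": 64, "ttl": 55} for i in range(400)]
FLASH_CROWD = [dict(p, pkt_id=i) for i, p in enumerate(LEGIT * 5)]  # 5x rate, normal mix

def legit_blocked(sig):
    """False positives: legitimate packets a given filter would drop."""
    return sum(matches(p, sig) for p in LEGIT)

if __name__ == "__main__":
    final, steps = build_signature(LEGIT + FLOOD)
    print("DoA of window:", degree_of_attack(LEGIT + FLOOD))
    print("final signature:", final, "legit blocked:", legit_blocked(final))
```

The initial Packet ID filter alone drops the ten legitimate packets that also carry IP ID 0; ANDing in packet size and TTL keeps the flood covered while the false positives fall to zero, and the Source IP step is rejected because it only matched one of the two flood sources.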

Application-based DoS Protections

Real-time protection against:
– Bot-originated and direct application attacks
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR, …)

Advanced behavioral application monitoring:
– HTTP server real-time statistics and baselines
– DNS server real-time statistics and baselines

HTTP Mitigator

Challenge/Response & Action Escalation System

[Diagram: closed feedback & action escalation. Attack detection feeds the Behavioral Real-time Signature Technology (a real-time signature is created) and ends in Real-time Signature Blocking. In parallel, Challenge/Response Technology escalates from "light" challenge actions (TCP challenge, 302 Redirect challenge) to the "strong" challenge action (JavaScript challenge), then to Selective Rate-limit; each stage carries an X and a ? outcome feeding back into the loop. Botnet is identified (suspicious sources are marked).]

AMS protections: unique value proposition

Escalation stages: attack detection → light challenge → strong challenge → selective rate-limit → real-time signature.

• Best security coverage
– Prevent all types of network and application attacks
– Complementary technologies fighting known and zero-day attacks
– Complete removal of non-browser rogue traffic

• Best user quality of experience (QoE)
– Reaching the lowest false-positive rate in the industry
– Advanced capabilities are exposed only when needed

• Reduced cost of ownership
– Automatic real-time attack mitigation with no need for human intervention

DNS Mitigator

Behavioral DNS Application Monitoring

[Chart: DNS QPS over time with a learned baseline per record type: 'A' records baseline, 'MX' records baseline, 'PTR' records, 'AAAA' records, …]

Rate Analysis per DNS Query Type: A records, MX records, PTR records, AAAA records, TEXT records, other records.

DNS Query Distribution Analysis: the share of each query type, with its associated threat vectors.

Challenge/Response & Action Escalation System (DNS)

[Diagram: closed feedback & action escalation. Attack detection feeds the Behavioral RT signature technology (a real-time signature is created) and ends in RT signature scope protection per query type. Escalation per source: DNS query challenge → query rate limit; escalation for the whole query type: collective query challenge → collective query rate limit → collective scope protection per query type. Each stage carries an X and a ? outcome feeding back into the loop. Botnet is identified (suspicious traffic is detected per query type).]

Service Cracking Behavioral Protections

Real-time protections against information stealth:
– HTTP servers: Web vulnerability scans, brute force
– SIP servers (TCP & UDP): SIP spoofed floods, pre-SPIT activities, SIP scanning
– SMTP/IMAP/POP3, FTP, …: application brute force, application scans

Network Scanning and Malware Propagation Protections

Source-based Behavioral Analysis

• Behavioral real-time protection against zero-minute malware propagation and network scans:
– UDP spreading worm detection
– TCP spreading worm detection
– High and low rate network scans
– Scanning/spreading pattern identification
– Infected source identification

IPS & Reputation Services

IPS & Radware's SOC

Signature protection against:

• Application vulnerabilities and exploits
– Web, mail, DNS, databases, VoIP
• OS vulnerabilities and exploits
– Microsoft, Apple, Unix-based
• Network infrastructure vulnerabilities
– Switches, routers and other network element vulnerabilities
• Malware
– Worms, bots, Trojans and drop-points, spyware
• Anonymizers
• IPv6 attacks
• Protocol anomalies

Security Operation Center & Reputation Engine
– Leading vulnerability security research team
– Weekly and emergency signature updates

WAF

The Secret Sauce – Adaptive Policy Creation (1 of 3): App Mapping and Threat Analysis

[Diagram: the site Reservations.com is mapped into the application paths /config/, /hotels/, /admin/, /register/, /info/ and /reserve/; the threats considered per path are SQL Injection, CCN breach, Buffer Overflow and Directory Traversal.]

Risk analysis per "application-path", with the consequences shown on the slide:
– Information leakage
– Gain root access control
– Unexpected application behavior, system crash, full system compromise
– Spoof identity, steal user information, data tampering

The Secret Sauce – Adaptive Policy Creation (2 of 3): Policy Generation

– Prevent access to sensitive app sections
– Mask CCN, SSN, etc. in responses (the slide shows a card number rendered as ***********9459)
– Parameters inspection
– Traffic normalization & HTTP RFC validation

The Secret Sauce – Adaptive Policy Creation (3 of 3): Policy Activation (time to protect)

– Add tailored application behavioral rules for "zero day" protection
– Known vulnerabilities protections: optimization of negative rules for best accuracy
– Virtually zero false positives
– Best coverage
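The response-masking step from the policy generation slide ("Mask CCN, SSN, etc. in responses"), as an added example of what such a WAF rule does to a response body. This is not Radware code: the regular expression, the Luhn pre-check used to keep false positives down and the sample body with well-known test card numbers are assumptions for this illustration.

```python
import re

# A 13..19-digit run, digits optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: true for syntactically valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def mask_ccn(body, keep=4):
    """Rewrite an HTTP response body so every Luhn-valid card number is
    replaced by asterisks plus its last `keep` digits (the slide shows
    ***********9459). Digit runs that fail Luhn (order ids, timestamps) are
    left untouched, which keeps the false-positive rate down."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - keep) + digits[-keep:]
    return CARD_RE.sub(repl, body)

# Constructed response fragment with well-known test card numbers and one
# order number that happens to be 16 digits long.
SAMPLE_BODY = ("<p>Visa on file: 4111 1111 1111 1111</p>"
               "<p>Amex on file: 378282246310005</p>"
               "<p>Order 1234567890123456 confirmed</p>")

def masked_sample():
    """Apply the masking rule to the constructed body."""
    return mask_ccn(SAMPLE_BODY)

if __name__ == "__main__":
    print(masked_sample())
```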

The Secret Sauce – Unique Value Proposition

Pipeline: App Mapping → Threat Analysis → Policy Generation → Policy Activation

• Best security coverage
– Auto detection of potential threats
– Other WAFs require admin intervention and knowledge to protect
• Lowest false positives
– Adaptive security protections optimized per application resource ("app-path")
– Other WAFs auto-generate global policies
• Shortest time to protect
– Highly granular policy creation and activation ("app-path")
– Immediate policy modification upon application change
– Other WAFs wait upon global policy activation
• Reduced cost of ownership
– Automatic real-time attack mitigation with no need for human intervention

Radware's SIEM

Radware's built-in SIEM engine

Built-in SEM
• Historical Reporting Engine
• Customizable Dashboards
• Event Correlation Engine
• Advanced Forensics Reports
• Compliance Reports
• Ticket Workflow Management
• 3rd Party Event Notifications
• Role/User Based Access Control
• Works with all Radware's Security Modules

Radware's built-in SEM engine – Unified Reports: threat analysis, target service, trend analysis

Radware's built-in SEM engine – Dashboards: per-user dashboard

Radware's built-in SEM engine – Event Correlation

Event correlation rules by:
• Attack duration & time interval
• Managed devices
• Attack ID, attack type
• Destination IP
• Protected Web application
• Event description
• Source IP
• Action
• Risk weight definition …

Summary

Summary: Radware AMS Differentiators

• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx
– Multitude of security tools in a single solution
– Unified management and reporting

"Radware offers low product and maintenance cost, as compared with most competitors." Greg Young & John Pescatore, Gartner, December 2010

Summary

• Attackers deploy multi-vulnerability attack campaigns
– Organizations deploy point security solutions
– Attackers seek blind spots
• Radware offers the Attack Mitigation System (AMS):
– The only solution that can defend against emerging cyber-attack campaigns
– No blind spots in perimeter security
• The only attack mitigation solution that keeps your business up!
– Online business protection
– Data center protection
– MSSP

Thank You www.radware.com
