dss itsec conference - radware - attack mitigation system (ams) - riga nov2011

Beyond Today’s Perimeter Defense: Radware Attack Mitigation System (AMS) Michael Soukonnik 24.11.2012


DESCRIPTION

Presentation from the "DSS" organized ITSEC conference on 24th of November, Riga, Latvia.

TRANSCRIPT

Page 1: DSS ITSEC CONFERENCE - Radware - Attack Mitigation System (AMS) - Riga NOV2011

Beyond Today’s Perimeter Defense: Radware Attack Mitigation System (AMS)

Michael Soukonnik

24.11.2012

Page 2

Imagine That You Could…

• Eliminate Costs of Downtime
• Improve your Customer Experience & Employee Productivity
• Cut Application Infrastructure Cost by 20-50%
• Enhance your Business Agility

Page 3

Over 10,000 Radware Customers Can…

Page 4

About Radware

• Over 10,000 Customers
• Global Technology Partners
• Company Growth chart, 1998-2010 (values as printed on the slide: 4.9, 14.1, 38.4, 43.3, 43.7, 54.8, 68.4, 77.6, 81.4, 88.6, 94.6, 108.9, 144.1)
• ADC Magic Quadrant 2010: Recognized ADC Market Leader

“Radware has a strong vision of how ADCs fit into a seamless virtualized and cloud-based architecture”

Page 5

Online Business Security Threats

Page 6

Security Threat Vectors

• Large volume network flood attacks
• High and slow Application DoS attacks
• SYN flood attack
• Brute force attack
• Web application attacks (e.g. XSS, Injections, CSRF)
• Port scan
• “Low & Slow” DoS attacks (e.g., Sockstress)
• Network scan
• Intrusion
• Intrusion, malware

Page 7

Network and Data Security Attacks: from the News

Page 8

Multi-Vulnerability Attack Campaigns

Attack vectors aimed at the business (diagram):
• Large volume network flood attacks
• Application flood attack (Slowloris, Port 443 data flood, …)
• Large volume SYN flood
• Web application attacks (e.g. XSS, Injections, CSRF)
• Low & Slow connection DoS attacks
• Network scan
• Web application vulnerability scan

Conclusions
• Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible
• DoS & DDoS tools are the preferred weapon of mass disruption

Page 9

Mapping Security Protection Tools

Attack vectors (diagram):
• Large volume network flood attacks
• High & Low rate application DoS attacks
• “Low & Slow” DoS attacks
• Brute force attack
• Web application attacks (e.g. XSS, Injections, CSRF)
• SYN flood
• Port scan
• Network scan
• Intrusion
• Intrusion, Malware

Protection tools mapped against them (diagram):
• DoS Protection
• Behavioral Analysis
• IP Reputation
• IPS
• WAF

Page 10

Introducing Radware Attack Mitigation System (AMS)

Page 11

AMS Protection Set

NBA
• Prevent application resource misuse
• Prevent zero-minute malware

DoS Protection
• Prevent all types of network DDoS attacks

IPS
• Prevent application vulnerability exploits

Reputation Engine
• Financial fraud protection
• Anti Trojan & Phishing

WAF
• Mitigating Web application threats and zero-day attacks

Page 12

OnDemand Switch: Designed for Attack Mitigation

OnDemand Switch – Platform Capacity up to 14Gbps

DoS Mitigation Engine
• ASIC based
• Prevent high volume attacks
• Up to 12 Million PPS of attack protection

NBA Protections & WAF

IPS & Reputation Engine
• ASIC based String Match & RegEx Engine
• Performs deep packet inspection

Page 13

DefensePro Architecture – Threat Mitigation

Hardware Architecture That Was Tailored for Attack Mitigation (diagram):
• Behavioral-based protections
• DME – DDoS Mitigation Engine (12 M PPS)
• L7 Regex Acceleration ASIC (14 Gbps)
• Multi Purpose Multi Cores CPU’s
• Reputation Engine

Threats addressed (diagram):
• Mobile Infrastructure DDoS
• Critical Infrastructure DDoS
• Malware Propagation
• Malware
• Intrusions

Page 14

Behavioral analysis & Real Time Signatures

Diagram: Inbound and Outbound Traffic between the Public Network and the Enterprise Network passes through the following stages:
• Inputs – Network, Servers, Clients
• Behavioral Analysis
• Abnormal Activity Detection
• Real-Time Signature Generation
• Inspection Module – Real-Time Signature
• Closed Feedback – Optimize Signature; Remove when attack is over

Covered threats:
• DoS & DDoS
• Application level threats
• Zero-Minute malware propagation

Page 15

DDoS Protection: Radware Coverage

Radware DDoS Protections (diagram)

Attack classes covered:
• PPS & Bandwidth flood attacks
• Connection & application flood attacks
• Directed application DoS attacks

Capacities:
• Up to 12MPPS of attack prevention
• Up to 800K new TPS of HTTP Challenge-Response
• Full 10Gbps DPI (RegEx) processing

Engines and technologies:
• ASIC-Based DoS Mitigator Engine (DME)
• StringMatch Engine (SME)
• RegEx Engine
• Static & user filters
• Multi-core CPUs
• Real-time signatures technology
• Real-time signatures & challenge-response technologies

Page 16

Radware Security Event Management (SEM)

• Correlated reports
• Trend analysis
• Compliance management
• RT monitoring
• Advanced alerts
• Forensics

3rd Party SEM

Page 17

Compliance and Standardization with AMS

Compliance Reports
• PCI DSS
• FISMA
• GLBA
• HIPAA

Page 18

Radware Security Products Portfolio

• AppWall – Web Application Firewall (WAF)
• DefensePro – Network & Server attack prevention device
• APSolute Vision – Management and security reporting & compliance

Page 19

Encrypted Attacks Mitigation

Attack classes (diagram):
• Traffic Anomalies
• Floods
• Network-Based DoS Attacks
• Application-Based DoS Attacks (Clear and SSL)
• “Directed” Application DoS Attacks (Clear and SSL)

Mitigation engines (diagram):
• Packet anomalies, Black & white lists
• Behavioral DoS & TCP cookie engines
• L7 ASIC Regex engine
• Application “cookie” engines

Traffic paths (diagram): Clear and Encrypted traffic; Client-side termination point – Alteon’s SSL Acceleration Engine; “Authenticated” clients

Once an attack is detected, three main security actions are applied to each client that tries to connect to the protected server(s):

SYN Attack Protection – DefensePro “authenticates” the source through a “safe-reset cookie” mechanism, verifying the validity of the source IP and its TCP/IP stack.

HTTP Filters – DefensePro receives the decrypted first HTTP client request from the SSL engine and applies application-layer filters. This removes the “Directed HTTP DoS attacks” that can only be mitigated by pre-defined or “ad-hoc” filters.

Web Cookie Challenge – If the client “passes” the HTTP filter check, DefensePro generates a Web cookie challenge (302 or JS challenge) that is encrypted and returned to the client by the Alteon SSL engine. Client responses are decrypted and sent to DefensePro, which validates the response. A client that responds correctly is “authenticated” (application-level “authentication”) and forced to open a new connection directly to the protected server.
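The 302 variant of the Web Cookie Challenge above, as an added example that is not part of the original presentation or Radware’s own code: a minimal cookie challenge in Python, showing why a browser passes while a bare flood tool that re-sends the same request does not. The cookie name, the HMAC secret, the binding of the token to the source IP, the 60-second validity window and the simulated clients are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo values; a real device would use its own secret and window.
SECRET = b"demo-secret-not-for-production"
COOKIE = "ams_chal"
TTL = 60  # seconds a challenge token remains valid


def make_token(client_ip: str, now: Optional[int] = None) -> str:
    """Bind a challenge token to the client IP and its issue time via HMAC."""
    issued = int(now if now is not None else time.time())
    mac = hmac.new(SECRET, f"{client_ip}|{issued}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{issued}.{mac}"


def verify_token(token: str, client_ip: str, now: Optional[int] = None) -> bool:
    """Accept only an unexpired token whose MAC matches this client IP."""
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if not 0 <= current - issued <= TTL:
        return False
    expected = make_token(client_ip, issued).split(".", 1)[1]
    return hmac.compare_digest(mac, expected)


def handle_request(client_ip: str, path: str, cookies: dict, now: Optional[int] = None):
    """302 challenge: no valid cookie -> redirect back to the same path with the
    cookie set; valid cookie -> 200 (request would be passed to the real server)."""
    token = cookies.get(COOKIE)
    if token and verify_token(token, client_ip, now):
        return 200, {}
    return 302, {"Location": path, "Set-Cookie": f"{COOKIE}={make_token(client_ip, now)}; HttpOnly"}


def simulate_client(client_ip: str, honours_cookies: bool, now: int = 1000) -> int:
    """A browser stores the cookie and follows the redirect; a simple flood tool
    that just re-sends the bare request never gets past the challenge."""
    jar: dict = {}
    status, headers = handle_request(client_ip, "/index.html", jar, now)
    if status == 302 and honours_cookies:
        name, value = headers["Set-Cookie"].split(";")[0].split("=", 1)
        jar[name] = value
        status, _ = handle_request(client_ip, headers["Location"], jar, now + 1)
    return status
```

Binding the token to the source IP and a short window is what stops a replayed cookie from one host from authenticating a whole botnet; the real appliance adds the SSL termination and the new-connection step described above.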

Page 20

Radware Security Expertise: ERT Cases (1 of 2)

Radware ERT helped the High Council for Telecommunications (TIB) to achieve full protection against Anonymous attacks

• Anonymous group published a poster calling its fans to attack a Turkish government agency
– Target: High Council for Telecommunications (TIB)
– When: June 9th (Thursday) 2011 at 6PM
– Attack tool: Low Orbit Ion Cannon (LOIC)
• Type of attack – Multi-vulnerability campaign
– HTTP Get flood attack
– TCP connection flood on port 80
– SYN flood attack
– UDP flood attack

Page 21

Radware Security Expertise: ERT Cases (2 of 2)

Radware ERT helped Istanbul police to achieve full protection against Anonymous attacks

• Anonymous group attacks Istanbul police as revenge for the arrest
– Target: Istanbul police site
– When: June 13th 2011
– Attack tool: Low Orbit Ion Cannon (LOIC)
• Type of attack – Multi-vulnerability campaign

“We just watched the attacks and DefensePro easily eliminated the attacks. We didn’t even see any latency during the attacks. Istanbul Police is thankful to us and to you. While most of the state websites get unresponsive during the attacks, they didn’t feel anything.” – Istanbul police integrator

Page 22

Summary

Page 23

Summary: Radware AMS Differentiators

• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 Service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx
– Multitude of security tools in a single solution
– Unified management and reporting

“Radware offers low product and maintenance cost, as compared with most competitors.” – Greg Young & John Pescatore, Gartner, December 2010

Page 24

Thank You – www.radware.com