DSS ITSEC Conference 2012 - Radware_AMS_Tech


Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.


  1. Radware Attack Mitigation System (AMS). Igor Kontsevoy, November 2012
  2. Agenda
     - Radware Attack Mitigation System (AMS)
     - AMS technology overview
     - Summary
  3. Introducing Radware Attack Mitigation System
  4. Mapping Security Protection Tools
     - Tools: DoS Protection, Behavioral Analysis, IPS, IP Reputation, WAF
     - Threats mapped against them: large volume network flood attacks, network scan, intrusion, port scan, SYN flood attack, "Low & Slow" DoS attacks (e.g. Sockstress), application vulnerability, malware, high and slow application DoS attacks, web attacks (XSS, brute force, SQL injection)
  5. AMS Protection Set
     - DoS Protection: prevent all types of network DDoS attacks
     - Reputation Engine: financial fraud protection; anti Trojan & phishing
     - IPS: prevent application vulnerability exploits
     - NBA: prevent application resource misuse; prevent zero-minute malware spread
     - WAF: mitigating web application attacks; PCI compliance
  6. Technology Overview
  7. Network based DoS Protections
  8. Network-based DoS Protections: real time protections against
     - TCP SYN floods, TCP SYN+ACK floods, TCP FIN floods, TCP RESET floods, TCP out-of-state floods, TCP fragment floods
     - UDP floods, ICMP floods, IGMP floods
     - Packet anomalies, known DoS tools, custom DoS signatures
  9. Network Behavior Analysis & RT Signature Technology (diagram: mitigation optimization process with closed feedback)
     - Inbound traffic from the public network passes detection (statistics, rules engine) and the filter; filtered traffic reaches the protected network
     - Traffic characteristics are learned before time 0; at time 0 mitigation starts and the initial filter is generated (Packet ID); up to 10 sec: filter optimization (Packet ID AND Source IP AND Packet size); 10+X sec: final filter (Packet ID AND Source IP AND Packet size AND TTL)
     - Closed feedback on the Degree of Attack: High = positive feedback, Low = negative feedback; the outcome is the narrowest filter
     - Real-time signature parameters: Source/Destination IP, Source/Destination Port, Packet ID, Packet size, TTL (Time To Live), DNS Query, TCP sequence number, more (up to 20)
  10. Decision Making - Attack case (attack degree = 10)
     - X-axis: abnormal protocol distribution [%]; Y-axis: abnormal rate of packets, ...; Z-axis: attack degree
     - Areas: normal adapted area, suspicious area, attack area
  11. Adaptive Detection Engine - Flash crowd scenario
     - Inputs: rate parameter and rate-invariant parameter; output: Degree of Attack (DoA) over the normal adapted, suspicious and attack areas
     - Flash crowd: low DoA
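The decision engine of slides 9-11 (a rate parameter plus a rate-invariant parameter giving a Degree of Attack, then closed-feedback narrowing of a filter by AND-ing Packet ID, Source IP, Packet size and TTL) as an added Python sketch; it is not Radware's code. Baselines, scoring weights, zone thresholds and the sample traffic are assumptions constructed for the example.

```python
from collections import Counter, namedtuple

# Constructed packet record carrying the fields the slide ANDs into a real-time signature.
Pkt = namedtuple("Pkt", "src pkt_id size ttl proto")

BASELINE_PPS = 100          # assumed learned packets per window (rate baseline)
BASELINE_UDP_SHARE = 0.10   # assumed learned UDP share (rate-invariant baseline)
FIELDS = ("pkt_id", "src", "size", "ttl")   # AND order shown on slide 9

def degree_of_attack(pkts, baseline_pps=BASELINE_PPS, baseline_udp=BASELINE_UDP_SHARE):
    """0..10 score from a rate parameter plus a rate-invariant one (protocol mix).
    Rate alone is capped at 3, so a flash crowd stays in the suspicious area."""
    if not pkts:
        return 0
    rate_factor = len(pkts) / baseline_pps
    udp_share = sum(p.proto == "UDP" for p in pkts) / len(pkts)
    dist_dev = abs(udp_share - baseline_udp) / baseline_udp
    score = min(3.0, max(0.0, rate_factor - 1)) + min(7.0, 7.0 * dist_dev)
    return int(round(min(10.0, score)))

def zone(doa):
    return "normal" if doa <= 2 else "suspicious" if doa <= 6 else "attack"

def matches(p, sig):
    return all(getattr(p, f) == v for f, v in sig.items())

def build_signature(pkts, max_passed_doa=2):
    """Closed feedback: AND one more parameter at a time, taking the dominant value
    among packets the current filter already catches. Keep the narrower filter only
    while the traffic it lets through stays at low DoA; stop when attack leaks through."""
    sig = {}
    for field in FIELDS:
        caught = [p for p in pkts if matches(p, sig)]
        top = Counter(getattr(p, field) for p in caught).most_common(1)[0][0]
        candidate = {**sig, field: top}
        passed = [p for p in pkts if not matches(p, candidate)]
        if degree_of_attack(passed) > max_passed_doa:
            break                   # positive feedback: filter too narrow, keep previous one
        sig = candidate             # negative feedback: narrower filter still mitigates
    return sig

def constructed_window(legit_scale=1, with_attack=True):
    """Constructed sample: 100*legit_scale normal packets plus a 900-packet UDP flood
    whose TTL varies, so the TTL condition is too narrow and gets rejected."""
    legit = [Pkt(f"10.0.0.{i % 250}", 1000 + i, 60 + (i % 7) * 100, 128 - (i % 5),
                 "UDP" if i % 10 == 0 else "TCP") for i in range(100 * legit_scale)]
    attack = [Pkt("203.0.113.7", 4242, 1024, 50 + (i % 3), "UDP") for i in range(900)]
    return legit + (attack if with_attack else [])
```

With the constructed window, a tenfold flash crowd scores 3 (suspicious) while the flood scores 10, and the feedback loop settles on Packet ID AND Source IP AND Packet size, rejecting the TTL condition because it lets two thirds of the flood through.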
  12. Application based DoS Protections
  13. Application-based DoS Protections
     - Real-time protection against: bot originated and direct application attacks; HTTP GET page floods; HTTP POST floods; HTTP uplink bandwidth consumption attacks; DNS query floods (A, MX, PTR, ...)
     - Advanced behavioral application monitoring: HTTP servers real time statistics and baselines; DNS server real time statistics and baselines
  14. HTTP Mitigator
  15. Challenge/Response & Action Escalation System (diagram)
     - Escalation: attack detection -> real-time signature created -> "light" challenge actions -> "strong" challenge action -> selective rate-limit; the botnet is identified and suspicious sources are marked along the way
     - Actions: TCP challenge, 302 redirect challenge, JavaScript challenge, RT signature blocking
     - Technologies: behavioral real-time signature technology, real-time challenge/response technology, signature blocking; closed feedback & action escalation
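The escalation ladder of slide 15 as an added Python model (not Radware's code): each level is applied only while the served load stays above the learned baseline, so the stronger challenges are exposed only when needed. The baseline, the suspicious-source threshold, the rate-limit value and the source mix are constructed assumptions.

```python
from collections import namedtuple

# Constructed view of one HTTP source: its request rate and which challenges it can answer.
Source = namedtuple("Source", "ip rps follows_redirect runs_js user_agent")

LADDER = ("rt_signature", "light_challenge", "strong_challenge", "selective_rate_limit")
BASELINE_RPS = 200     # assumed learned baseline load of the protected HTTP server
SUSPECT_RPS = 20       # assumed per-source rate above which a source is marked suspicious
RATE_LIMIT_RPS = 5     # assumed per-source cap applied at the last level

def served_rps(src, active, signature):
    """Requests/sec from src that still reach the server under the active actions.
    Challenges and the rate-limit touch only marked (suspicious) sources."""
    suspicious = src.rps > SUSPECT_RPS
    if "rt_signature" in active and src.user_agent == signature:
        return 0                                   # real-time signature blocking
    if suspicious and "light_challenge" in active and not src.follows_redirect:
        return 0                                   # failed the 302 redirect challenge
    if suspicious and "strong_challenge" in active and not src.runs_js:
        return 0                                   # failed the JavaScript challenge
    if suspicious and "selective_rate_limit" in active:
        return min(src.rps, RATE_LIMIT_RPS)
    return src.rps

def escalate(sources, signature, baseline=BASELINE_RPS, tolerance=1.2):
    """Closed feedback: add the next ladder level only while served load is still
    above baseline; returns the levels used and the load that finally gets through."""
    active = []
    served = sum(s.rps for s in sources)
    for level in LADDER:
        if served <= baseline * tolerance:
            break
        active.append(level)
        served = sum(served_rps(s, active, signature) for s in sources)
    return active, served

def constructed_sources(include_unsigned_bots=True):
    """Constructed traffic: 40 browsers at 5 rps, 20 bots the signature matches, and
    optionally bots it does not match, with increasing challenge capability."""
    ua = "Mozilla/5.0 (constructed)"
    srcs = [Source(f"198.51.100.{i}", 5, True, True, ua) for i in range(40)]
    srcs += [Source(f"203.0.113.{i}", 50, False, False, "FloodTool/1.0 (constructed)") for i in range(20)]
    if include_unsigned_bots:
        srcs += [Source(f"192.0.2.{i}", 50, False, False, ua) for i in range(20)]
        srcs += [Source(f"192.0.2.{100 + i}", 50, True, False, ua) for i in range(10)]
        srcs += [Source(f"192.0.2.{200 + i}", 50, True, True, ua) for i in range(5)]
    return srcs
```

When only signature-matching bots are present the loop stops after the first level; with the mixed population it climbs all four levels and the 40 browsers are never challenged.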
  16. AMS protections: unique value proposition (attack detection -> real-time signature -> light challenge -> strong challenge -> selective rate-limit)
     - Best security coverage: prevent all types of network and application attacks; complementing technologies fighting known and zero-day attacks; complete removal of non-browser rogue traffic
     - Best user quality of experience (QoE): reaching the lowest false-positive rate in the industry; advanced capabilities are exposed only when needed
     - Reduced cost of ownership: automatic real-time attack mitigation with no need for human intervention
  17. DNS Mitigator
  18. Behavioral DNS Application Monitoring (associated threat vectors)
     - DNS query distribution analysis: share of A, MX, TEXT, PTR, AAAA and other records
     - Rate analysis per DNS query type: DNS QPS over time with a baseline per type ('A' records, 'MX' records, 'PTR' records, 'AAAA' records, ...)
  19. Challenge/Response & Action Escalation System for DNS (diagram)
     - Escalation: attack detection -> real-time signature created -> DNS query challenge -> query rate limit -> collective query challenge -> collective query rate limit; the botnet is identified and suspicious traffic is detected per query type
     - Technologies: behavioral RT signature technology; RT signature scope protection per query type; collective scope protection per query type; closed feedback & action escalation
  20. Service Cracking Behavioral Protections
  21. Service Cracking Behavioral Protections: real-time protections against information stealth
     - HTTP servers: web vulnerability scans; brute force
     - SIP servers (TCP & UDP): SIP spoofed floods; pre-SPIT activities; SIP scanning
     - SMTP/IMAP/POP3, FTP, ...: application brute force; application scans
  22. Network scanning and malware propagation Protections
  23. Source-based Behavioral Analysis: behavioral real-time protection against zero-minute malware propagation and network scans
     - UDP spreading worms detection
     - TCP spreading worms detection
     - High and low rate network scans
     - Scanning/spreading pattern identification
     - Infected source identification
  24. IPS & Reputation Services
  25. IPS & Radware's SOC Signatures
     - Protection against: application vulnerabilities and exploits (web, mail, DNS, databases, VoIP); OS vulnerabilities and exploits (Microsoft, Apple, Unix based); network infrastructure vulnerabilities (switches, routers and other network elements); malware (worms, bots, Trojans and drop-points, spyware); anonymizers; IPv6 attacks; protocol anomalies
     - Reputation Engine
     - Security Operation Center: leading vulnerability security research team; weekly and emergency signature updates
  26. WAF
  27. The Secret Sauce - Adaptive Policy Creation (1 of 3): App Mapping, Threat Analysis
     - Example application Reservations.com with paths /config/, /admin/, /register/, /hotels/, /info/, /reserve/; risk analysis per "application-path"
     - /admin/: SQL Injection (spoof identity, steal user information, data tampering)
     - /register/: CCN breach (information leakage)
     - /info/: Directory Traversal (gain root access control)
     - /reserve/: Buffer Overflow (unexpected application behavior, system crash, full system compromise)
  28. The Secret Sauce - Adaptive Policy Creation (2 of 3): App Mapping, Threat Analysis, Policy Generation
     - Prevent access to sensitive app sections
     - Mask CCN, SSN, etc. in responses (e.g. ***********9459)
     - Traffic normalization & HTTP RFC validation
     - Parameters inspection
  29. The Secret Sauce - Adaptive Policy Creation (3 of 3): App Mapping, Threat Analysis, Policy Generation, Policy Activation
     - Known vulnerabilities protections: optimization of negative rules for best accuracy
     - Add tailored application behavioral rules for "zero day" protection
     - Result: short time to protect, virtually zero false positives, best coverage
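The per-app-path policy of slides 27-29 (block access to a sensitive section, mask CCN/SSN in responses from the path flagged for CCN breach) as an added Python example; it is not Radware's implementation. The policy table, the Reservations.com paths used as keys and the sample response body are constructed; the Luhn check is added so order numbers that merely look like card numbers are left alone.

```python
import re

# Constructed per-app-path policy modelled on the slide's Reservations.com example (assumed site).
POLICY = {
    "/admin/":    {"block": True,  "mask": False},   # sensitive section: prevent access
    "/register/": {"block": False, "mask": True},    # CCN breach risk: mask CCN/SSN in responses
    "/":          {"block": False, "mask": False},   # default: normalization and validation only
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn check so that numbers which merely look like card numbers are not masked."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * 2 if i % 2 else int(d)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def policy_for(path):
    """Longest-prefix match of the request path against the per-app-path policy."""
    return POLICY[max((p for p in POLICY if path.startswith(p)), key=len)]

def mask_card(m):
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)
    return "*" * (len(digits) - 4) + digits[-4:]   # keep only the last four digits

def filter_response(path, body):
    """Apply the app-path policy to an outbound response; returns (status, body)."""
    pol = policy_for(path)
    if pol["block"]:
        return 403, ""
    if pol["mask"]:
        body = CARD_RE.sub(mask_card, body)
        body = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], body)
    return 200, body
```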
  30. The Secret Sauce - Unique Value Proposition (App Mapping -> Threat Analysis -> Policy Generation -> Policy Activation)
     - Best security coverage: auto detection of potential threats; other WAFs require admin intervention and knowledge to protect
     - Lowest false-positives: adaptive security protections optimized per application resource ("app-path"); other WAFs auto generate global policies
     - Shortest time to protect: highly granular policy creation and activation ("app-path"); immediate policy modification upon application change; other WAFs wait upon global policy activation
     - Reduced cost of ownership: automatic real-time attack mitigation with no need for human intervention
  31. Radware's SIEM
  32. Radware's built-in SIEM engine (built-in SEM)
     - Historical Reporting Engine
     - Customizable Dashboards
     - Event Correlation Engine
     - Advanced Forensics Reports
     - Compliance Reports
     - Ticket Work Flow Management
     - 3rd Party Event Notifications
     - Role/User Based Access Control
     - Works with all Radware's Security Modules
  33. Radware's built-in SEM engine - Unified Reports: threat analysis, target service, trend analysis
  34. Radware's built-in SEM engine - Dashboards: per user dashboard
  35. Radware's built-in SEM engine - Event Correlation. Correlation rules by: attack duration & time interval; managed devices; attack ID, attack type; destination IP; protected web application; event description; source IP; action; risk weight definition; ...
  36. Summary
  37. Summary: Radware AMS Differentiators
     - Best security solution for online businesses: DoS protection; network behavioral analysis (NBA); intrusion prevention (IPS); Reputation Engine service; web application firewall (WAF)
     - Built-in SEM engine
     - Emergency Response Team (ERT): 24x7 service for immediate response; neutralize DoS/DDoS attacks and malware outbreaks
     - Lowest CapEx & OpEx: multitude of security tools in a single solution; unified management and reporting
     - "Radware offers low product and maintenance cost, as compared with most competitors." Greg Young & John Pescatore, Gartner, December 2010
  38. Summary
     - Attackers deploy multi-vulnerability attack campaigns: organizations deploy point security solutions; attackers seek blind spots
     - Radware offers Attack Mitigation System (AMS): the only solution that can defend against emerging cyber-attack campaigns; no blind spots in perimeter security
     - The only attack mitigation solution that keeps your business up: online business protection; data center protection; MSSP
  39. Thank You. www.radware.com