• Save
Is Firewall/IPS enough for DDoS Mitigation and Web Protection
Upcoming SlideShare
Loading in...5

Is Firewall/IPS enough for DDoS Mitigation and Web Protection






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • FortiGuard Labs threat researchers use different techniques to identify malicious sources and continuously compile new updates.FortiWeb appliances download the update and web applications are immediately protected from malicious sources that take activity in:DDoSPhishingBotnetsAnonymous Proxy accessInfected sourcesSpam Hosts
  • The key consideration for sizing the FortiDDoS is the throughput and max HTTP trans/secFWB-3000D replaces the FWB-3000CFWV-4000D replaces the FWB-4000C
  • It is cheaper to buy bundle than individual FortiGuard services (similar to FortiGate)
  • It is cheaper to buy bundle than individual FortiGuard services (similar to FortiGate)
  • Points to highlight1. Even though the FWB-400C, we need to size the FWB-1000D because of SSL accceleration2. It is cheaper to buy Bundle (BDL)
  • Points to highlight1. Even though the FWB-400C, we need to size the FWB-1000D because of SSL accceleration2. It is cheaper to buy Bundle (BDL)
  • The key consideration for sizing the FortiDDoS is the throughput (both normal and under attack).
  • - The deployment positions are also different: FortiDDoS is normally before a firewall such as FortiGate, and aimed not only protect the network infrastructure but also the security infrastructure. FortiWeb is deployed before servers and aimed to protect against malicious access to the servers and spreading malwares onto the servers. FortiDDOS covers for all possible 256 protocols, and track up to 1million source and destination IP addresses simultaneously.FortiDDoS:=======Dedicated DDoS DeviceInline, transparent and bidirectional specially designed for DDoS protectionBased on patented technology of automatic traffic modeling and rate limiting FortiDDoS allows the partition of your entire network based on differences between business segments. This allows DDoS security policies to be different depending on the network segment.Across All Layer Detection, Mitigation and ReportingTraditional flood attacks (SYN, ICMP and TCP/UDP port and HTTP GET floods etc.)Application layer evasive attacks Top attack reports, and attack comprehensive traffic activity graphing and loggingFortiOSDoS sensors protect networks against DoS attacks by limiting anomalous traffic to thresholds that can be customized for any traffic flow on any network. FortiOSDoS protection keeps the FortiGate unit and the networks, including the network servers that it is protecting, operating while under attack. DoS sensors can contain a variety of different attack patterns, providing a greater range of detection for DoS attacks. When the packet rate for an anomaly exceeds its threshold, the FortiOSDoS protection system considers the packets to be part of an attack. FortiOSDoS protection then blocks all packets causing the attack or, if configured, only blocks the packets that exceed the threshold.The thresholds are set in the DoS sensor along with the action to take when a threshold is exceeded. DoS sensors are added to DoS policies matching traffic according to source interface, source and destination address, and service. DoS policies can be used to apply DoS protection to all traffic or just traffic to or from specific IP addresses. The thresholds can be customized in each sensor to fine tune DoS performance for the traffic being analyzed by the sensorFortiGate unit processes DoS policies first, before any other firewall policiesFortiWeb:======FortiWeb aims to providing application firewalling protection, application delivery control (ADC) – LB, SSL and compression etc.. The DDoS protection is very Web app layer focused. For example: HTTP request limits from L4 from given IP address,L4 connection flood (limit TCP connection from given IP), HTTP flood prevention (Cookie approach)Active script method
  • DOS started with BW attackMoving towards application attack.Webserver, most of the company information, some offering online purchase SQL database, authentication information will be lost. Billing will have problemDNS, domain mapping is impossible. No internet access.Mail system, no email and everyone need email system to work today.Objective is to Bring down your serviceFirewall block the wrong portIPS detect signature but valid traffic
  • Small SMC – considering getting clean pipe from the Service Provider.Enterprise – IT team to maintain security protection. Web services/ Mail/ DNS are too important to them. Need instantaneous mitigation.Service Provider – protect single customer from impacting Premier customer
  • ISPs do not provide dynamic routing to all customers
  • Host based IPS ???software running on general purpose computing platforms These packages rely on the CPU power of the host system to analyze traffic as it comes into the server. General purpose computers often lack the performance required to monitor real-time network traffic and perform their primary functions. End-systems provide the best environment for signature recognition because packets are fully reassembled and any necessary decryption has been performed. However, signature based intrusion detection has its limitations, as described below.
  • FortiDDoS is a Rate-Based Intrusion Prevention System (NBA) device that detects and block network attacks which are characterized by excessive use of network resources. It uses a variety of schemes, including anomaly detection and statistical techniques, to detect and block malicious network traffic. Immediately upon detecting an intrusion, the FortiDDoS blocks traffic, thus protecting the systems it is defending from being flooded. Uses Network Behaviour Analysis. Rate-based systems must provide detailed analysis and/or control of traffic flow. A baseline of traffic patterns is established. rate-based systems watch for deviations from the known traffic patterns to detect anomalies. TP stands for Traffic Processor. We are at version 1.0 of this ASIC, so we call it FortiASIC-TP1.Intent based, compared to usual FortiGate IPS/AV which are content based – no signatures with FortiDDOSCover ASIC in detail in the future slideRate Based Detection– various counter from layer 3 to layer 7. traffic is detect and maintain, monitor by each counter, with the ability to be rated and discard.No Mac – Easy and fast deployment. No redesign of networkNo signature – zero day protection, eliminate false positiveHardware based – low latency, line rate detection and mitigation
  • For SP, differentiate Gold and Silver cusotmers
  • - Create a Baseline - FortiDDoS creates a forecast for the next period of traffic traffic is nondeterministic, the forecast cannot be exact. - Creating an Estimated threshold for forecasted traffic.The algorithms is designed to distinguish attack-traffic from legitimate users accessing the protected system.
  • Talk about our existing FortiDDoS Customers in each space:SMB, Enterprises, E-Commerce: The Walking Company, Jazz Pharma, Vail School DistrictWebhosting: Planetta.net, BlackLotus.netMetanet AG in Switzerlandhttp://www.tophosts.com/intruguard-ig2000-selected-by-swiss-web-host-for-protectionBlacklotus in US Abaton, Vienna in Austria Softcom in CanadaOnseTel in Korea (Internet and telephone call Provider) GigeNet in Korea (Cloud, Colocation Provider, DDoS Protection Service)Cable and Wireless in Seychelles (Mobile, Fixed Line and Internet Provider)http://www.cwseychelles.com/
  • FortiWeb provides multiple layers of protection for web applications. The product arrives with predefined policies and can be tuned according to customer needs.

Is Firewall/IPS enough for DDoS Mitigation and Web Protection Is Firewall/IPS enough for DDoS Mitigation and Web Protection Presentation Transcript

  • 1 Fortinet Confidential September 17, 2013 Is FW/IPS Enough for DDoS Mitigation and Web Protection?
  • 2 Fortinet Confidential 1. Security trends 2. Different threat mitigation technologies 3. Fortinet solutions for handling latest threats 4. How FortiDDoS & FortiWeb can safeguard web services & assets • FortiDDoS • FortiWeb 5. Summary Agenda
  • 3 Fortinet Confidential September 17, 2013 Security Trends View slide
  • 4 Fortinet Confidential S E C U R I T Y T R E N D S Security Trends • External threats or disgruntled employees? • Politics and Money… *Verizon 2012 Data Breach report View slide
  • 5 Fortinet Confidential S E C U R I T Y T R E N D S Security Trends • Attack automation • Utilization of mass hoards of bots • Off the shelf attack tool kits (HOIC / LOIC) • Malware infected Sources • SQL Injection/XSS dominate • Website Tampering • Rise and changing trends of DDoS Web Application Servers
  • 6 Fortinet Confidential S E C U R I T Y T R E N D S Denial of Service • Attack Volumes based on data per attack are decreasing • Historical Layer 3 and Layer 4 detection methods are becoming less effective • Mobile Vulnerabilities and 4G networks are changing source potentials • Layer 7 attacks are the fastest growing source of DDoS
  • 8 Fortinet Confidential S E C U R I T Y T R E N D S Net Result • Loss of business • Loss of reputation
  • 9 Fortinet Confidential S E C U R I T Y T R E N D S New Approach Needed! • Network firewalls are about IP/Port • How effective is my IPS/UTM? • What about DDoS and Botnet? Network Firewall IPS/Deep Packet Inspection Firewalls FortiWeb Web Application Firewall Network layer (OSI 1-3) New threats need new ways to detect and mitigate Only Web Application Firewall and DDoS Mitigation Appliance can effectively mitigate against these threats Application layer (OSI 4-7) FortiDDoS DDoS Mitigation
  • 10 Fortinet Confidential September 17, 2013 Threat Mitigation Methods
  • 11 Fortinet Confidential • Software or hardware-based network security system • Rule-based control of incoming and outgoing network traffic »analyzing the data packets and determining whether they should be allowed through or not • Operates up to Layer 4 by learning the individual sessions (connections) transiting through it Focus on allowing/denying traffic based on set of rules T H R E A T M I T I G A T I O N Traditional Network Firewalls
  • 12 Fortinet Confidential • System for detecting known attacks »Detect known signatures only »Signature evasion is possible, or if traffic is encrypted • No deep HTTP understanding (headers, parameters, etc) • No application/user awareness Focus on detecting exploits based on traffic content T H R E A T M I T I G A T I O N Intrusion Prevention System (IPS)
  • 13 Fortinet Confidential • An appliance, server plugin, or filter that applies a set of rules to an HTTP conversation (OWASP) »Customizing rules to your application to identify and block attacks »Significant effort required to maintain customization as application is modified throughout lifecycle • Modern application firewalls may include »offload encryption from servers »block application input/output from detected intrusions or malformed communication »manage or consolidate authentication »block content which violates policies Focus on protecting against exploits on Web Application T H R E A T M I T I G A T I O N Web Application Firewall
  • 14 Fortinet Confidential • Hosted (DDoS mitigation service) or on-premise appliance • Traditionally based on sampled flow »Up to layer 4 at best • Next generation DDoS mitigation appliances to handle latest DDoS attacks Focus on detecting DDoS attack traffic and mitigating the attack T H R E A T M I T I G A T I O N DDoS Mitigation
  • 15 Fortinet Confidential September 17, 2013 Fortinet Solutions For Handling Latest Threats
  • 16 Fortinet Confidential Web Application Firewall - WAF Secures web applications to help customers meet compliance requirements Secures Web Applications Scans and Detects Web Vulnerabilities Optimizes Application Delivery Web Vulnerability Scanner Scans, analyzes and detects web application vulnerabilities Application Delivery Assures availability and accelerates performance of critical web applications WAF FortiWeb Web Application FirewallF O R T I N E T S O L U T I O N S
  • 17 Fortinet Confidential SignaturesSecurity Service • Application layer signatures • Malicious bots • Suspicious URL pattern • Web vulnerability scanner updates IP Reputation • Protection for automated attacks and malicious sources • DDoS, Phishing, Botnet, Spam, Anonymous proxies and infected sources Antivirus • Scan file uploads • Regular and extended AV databases FortiGuard Services FortiGuard® Security Subscription Services deliver dynamic, automated updates for Fortinet products. The Fortinet Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats F O R T I N E T S O L U T I O N S
  • 22 Fortinet Confidential FWB- 400C FWB- 1000C FWB- 3000D/ 3000DFsx FWB- 4000D FWB- VM02 FWB-VM04 FWB- VM08 Throughput (HTTP) 100Mbps 500Mbps 1.5Gbps 4Gbps 100Mbps 500Mbps 1Gbps Max HTTP Trans/sec 10k 27k 60k 100k 8k 24k 36k ASIC-based Acceleration - CP7 2xCP8 2xCP8 - - - Hardware based DLP Acceleration - - - Yes - - - Total Interfaces 4xGE 2xGE Cu 2xGE Bypass 6xGE Cu 2xGE Cu/FO Bypass 6xGE Cu 2xGE Cu + 2xGE FO Bypass Min. 2 Max. 4virtual NIC’s Min. 2 Max. 4virtual NIC’s Min. 2 Max. 4virtual NIC’s Min vCPU - - - - 2 4 8 Storage Capacity 1x1TB 1x1TB 2x2TB (4TB Total) 2x2TB (4TB Total) 40GB Min 40GB Min 40GB Min FortiWeb Product FamilyF O R T I N E T S O L U T I O N S
  • 23 Fortinet Confidential • FortiWeb hardware/VM » WAF Performance requirement » Interface type • FortiCare maintenance (8x5 or 24x7) • FortiGuard subscription services » Anti-virus » FortiWeb security services » IP reputation service (IRIS) For added hardware redundancy to maintain service uptime • FortiBridge hardware » Bypass requirement to maintain service uptime during loss of FortiWeb » Interfaces • FortiCare maintenance (8x5 or 24x7) Building BOM for FortiWebF O R T I N E T S O L U T I O N S
  • 24 Fortinet Confidential Hardware (FortiWeb) FortiWeb HW + Services Bundle Support (FortiCare) A la Carte Service(s) (FortiGuard) FortiWeb Services Bundle Building BOM for FortiWebF O R T I N E T S O L U T I O N S Hardware (FortiBridge) Support (FortiCare) FortiBridge HW + Services to maintain uptime FortiWeb Solution
  • 25 Fortinet Confidential • Inline mode (Transparent Inspection or True transparent proxy) • 1Gbps HTTP throughput • 50k HTTP transactions/sec • 2 x GE to Internet copper • 2 x GE to servers copper • 24x7 hardware support • FortiWeb Security Service, AV & IRIS Example 1F O R T I N E T S O L U T I O N S Web Application Servers FortiWeb
  • 26 Fortinet Confidential Example 1 BOMF O R T I N E T S O L U T I O N S SKU Description Qty FWB-3000D-BDL FortiWeb-3000D Hardware plus 1 year 8x5 Forticare and FortiGuard Bundle 1 FC-10-V3004-274-01-12 1 Year Hardware Premium Bundle Upgrade to 24x7 Comprehensive Support 1 SKU Description Qty FWB-3000D FortiWeb-3000D, 6 x 10/100/1000 RJ45 Ports, 2 x 10/100/1000 RJ45 Bypass Ports, 2 x 2TB HDD Storage 1 FC-10-V3004-140-02-DD IP Reputation Service for FortiWeb-3000D 1 FC-10-V3004-100-02-DD AV Service 1 FC-10-V3004-137-02-DD FortiWeb Security Service for FortiWeb-3000C-FSX 1 FC-10-V3004-247-02-DD 24x7 Comprehensive FortiCare 1 Bundled SKU
  • 27 Fortinet Confidential • Reverse Proxy with SSL offload • 100Mbps HTTP throughput • 5k HTTP transactions/sec • 1 x GE to Internet copper • 1 x GE to servers copper • 24x7 hardware support • FortiWeb Security Service & IRIS only Example 2F O R T I N E T S O L U T I O N S Web Application Servers FortiWeb SKU Description Qty FWB-1000D-BDL Hardware plus 1 year 8x5 Forticare and FortiGuard Bundle 1 FC-10-V1004-274-01-12 1 Year Hardware Premium Bundle Upgrade to 24x7 Comprehensive Support 1
  • 28 Fortinet Confidential Example 2 BOMF O R T I N E T S O L U T I O N S SKU Description Qty FWB-1000D-BDL Hardware plus 1 year 8x5 Forticare and FortiGuard Bundle 1 FC-10-V1004-274-01-12 1 Year Hardware Premium Bundle Upgrade to 24x7 Comprehensive Support 1 SKU Description Qty FWB-1000D FortiWeb-1000D, 6 x 10/100/1000 RJ45 ports(2 pair bypass), 2 x SFP GbE ports, 32GB RAM, 2 x 2TB Storage 1 FC-10-V1004-140-02-DD IP Reputation Service for FortiWeb-1000C 1 FC-10-V1004-137-02-DD FortiWeb Security Service for FortiWeb-1000C 1 FC-10-V1004-247-02-DD 24x7 Comprehensive FortiCare 1 Bundled SKU
  • 29 Fortinet Confidential Virtual Partitioning Geo-Location ACL Protocol Anomaly Prevention Packet Flood Mitigation Stateful Inspection Out of State Filtering Granular Layer 3 and 4 Filtering Application Layer Filtering Algorithmic Filtering Heuristic Filtering Bogon Filtering AttackTraffic LegitimateTraffic How it works Detection is performed in hardware • No sampling • Low latency ~ 26µs • Fast detection Mitigation occurs inline • Fast mitigation ~ 2s FortiDDoS DDoS Mitigation ApplianceFortiDDoS DDoS Mitigation ApplianceF O R T I N E T S O L U T I O N S
  • 30 Fortinet Confidential Flexible protection Global triggers Flexible service definitions Hardware-based monitoring and mitigation FortiDDoS DDoS Mitigation ApplianceF O R T I N E T S O L U T I O N S
  • 31 Fortinet Confidential FortiDDoS-100A FortiDDoS-200A FortiDDoS-300A Throughput 1Gbps Full Duplex 2Gbps Full Duplex 3Gbps Full Duplex LAN 2 x 1G (copper and optical) 4 x 1G (copper and optical) 6 x 1G (copper and optical) WAN 2 x 1G (copper and optical) 4 x 1G (copper and optical) 6 x 1G (copper and optical) FortiASIC 2 x FortiASIC-TP1 4 x FortiASIC-TP1 6 x FortiASIC-TP1 RAM 4G 8G 8G Storage 1TB HDD 2 x 1TB HDD RAID 2 x 1TB HDD RAID Management 1 x RJ45 10/100/1000 1 x RJ45 10/100/1000 1 x RJ45 10/100/1000 Power Single AC Dual Redundant AC Dual Redundant AC Protection 1Gbps full duplex Up to 1 million simulations connections/sec 2Gbps full duplex Up to 2 million simulations connections/sec 3Gbps full duplex Up to 3 million simulations connections/sec FortiDDoS Product FamilyF O R T I N E T S O L U T I O N S
  • 32 Fortinet Confidential • FortiDDoS hardware »Performance requirement »Interface type • FortiCare maintenance (8x5 or 24x7) • FortiGuard subscription services »IP reputation service (IRIS) For added hardware redundancy to maintain service uptime • FortiBridge hardware »Bypass requirement to maintain service uptime during loss of FortiDDoS »Interfaces Building BOM for FortiDDoSF O R T I N E T S O L U T I O N S
  • 33 Fortinet Confidential Hardware (FortiDDoS) FortiDDoS HW + Services Support (FortiCare) A la Carte Service(s) (FortiGuard) Building BOM for FortiDDoSF O R T I N E T S O L U T I O N S Hardware (FortiBridge) Support (FortiCare) FortiBridge HW + Services to maintain uptime FortiDDoS Solution
  • 34 Fortinet Confidential • 500Mbps throughput traffic • GE S.M. fibre to Internet • GE S.M. fibre to servers • 8x5 hardware support • IP Reputation service Example 1F O R T I N E T S O L U T I O N S 1GE F.O. 1GE F.O. SKU Description Qty FDD-100A 2U appliance, 2 x 1 GbE (copper/fiber), 1 Gbps full duplex, single power supply, 1 TB HDD 1 FG-TRAN-LX Transceiver LX module for all FortiGate models with SFP interfaces with LC connector 2 FC-10-01H00-140-02-DD IP Reputation Service for FortiDDoS-100A 1 FC-10-01H00-311-02-DD 8x5 Enhanced FortiCare (for FDD-100A) 1
  • 35 Fortinet Confidential • Mission critical system • 1Gbps throughput traffic • 2x GE copper to Internet • 2x GE copper to servers • 24x7 hardware support • IP Reputation service Example 2F O R T I N E T S O L U T I O N S 2x GE Cu. 2x GE Cu SKU Description Qty FDD-200A 4U appliance, 2 Gbps full duplex, 4 x 1 GbE (copper/fiber), dual power supply, 2 x 1 TB HDD RAID 1 FBG-2002 FortiBridge-2002, power failure bypass functionality for two network segments. 8 RJ45 10/100/1000, 2 RJ45 Management Ports, Dual Power Supply, Dual CPU 1 FC-10-02H00-140-02-DD IP Reputation Service FortiDDoS-200A 1 FC-10-02H00-247-02-DD 24x7 Comprehensive FortiCare (for FDD-200A) 1 FC-10-02001-247-02-DD 24x7 Comprehensive FortiCare (for FBG-2002) 1
  • 36 Fortinet Confidential Corporate site FortiWeb Firewall FortiGate DDOS Protection FortiDDOS Links from ISP(s) DDoS Protection – Web hosting or network AND Security Infrastructures Auto Learning accelerates deployment, with dedicated FortiASIC-TP based detection and mitigation on attacks across all layers (L3, L4 and L7) Virtualized network partitions for maximum flexibility WAF – Web and Application Servers Protection Transparent challenge/response approach to identify legitimate requests Blocks network and application-layer threats that target apps and web services infrastructure like HTTP GET/POST requests, Slowloris, SQL injection, etc Firewall – Network infrastructure Protection Traffic anomaly detection based on thresholds. Blocks network-based attacks like TCP SYN flood, UDP/ICMP floods, TCP port scans, protocol anomalies. Putting Them All TogetherF O R T I N E T S O L U T I O N S • FortiGate, FortiWeb and FortiDDoS are not substitutes »Complementary solutions to address different threats
  • 37 Fortinet Confidential September 17, 2013 How FortiDDoS & FortiWeb can Safeguard Web Services & Assets
  • 38 Fortinet Confidential Bandwidth Flood with illegitimate traffic to fill available capacity ISP 2 ISP 1 What To Attack? • Four main areas are vulnerable Web Hosting Center Firewall Back End Database Servers Server resources SQL Injection vulnerabilities Web Hosting Servers Server vulnerabilities, process and connection limits Firewall / IPS Device connection tables, forwarding and session set up processing
  • 39 Fortinet Confidential Web Application Attacks • Web applications are the interface to a wide array of confidential information stored on back-end databases »Intellectual property, social security numbers, medical records, payroll information, credit card numbers etc. • Attractive targets for hackers because they are public facing applications open to the Internet • Web application vulnerabilities may allow the attacker to gain access to server resources and back-end databases
  • 40 Fortinet Confidential W h o N e e d D D O S & W e b P r o t e c t i o n Small and mid sized enterprises are particularly vulnerable to attacks Enterprises with multiple carriers or web- centric businesses need on-premise solutions with scalable detection and mitigation capabilities Service Provider need to protect against infrastructure attacks, offer network stability and minimize disruption to their customers ISP
  • 41 Fortinet Confidential September 17, 2013 FortiDDoS Focus on detecting DDoS attack traffic and mitigating the attack
  • 42 Fortinet Confidential »Detection • Samples L3/L4 traffic only • L7 may be achieved with on-premise appliance • Notifies customers in the event of suspected attack • Need customer to acknowledge attack • Mitigation is a separate service Additional appliance for L7 monitoring •Two different services »Detection »Mitigation Current Solution ISP & Cloud Based DDoS Detection and Mitigation Service
  • 43 Fortinet Confidential »Mitigation • Mitigation starts only after customer acknowledges attack (reactive) • Traffic sent to cloud scrubbing centre (time lag from point of attack to actual mitigation) » Limited scrubbing centres mean performance impact for legitimate traffic •High set up costs »One-time charge to service provider »Overhead costs in re-architecting network to accommodate service » Routing or DNS changes needed to achieve re- direction (further delay due to routing convergence or DNS propagation delays) Current Solution ISP & Cloud Based DDoS Detection and Mitigation Service
  • 44 Fortinet Confidential Host based IPS Current Solutions What’s Missing Device Switches Routers Firewall IPS Claim Rate Limiting ACL Stateful Inspection among high-end SYN Flood Prevention ACL Blackholing Stateful Inspection SYN Flood Protection Zero-day prevention Content based DoS Prevention SYN Flood prevention What’s Missing Automation, Granularity Adaptiveness Rapid Response Granular rate limiting Blackholing causes DoS Automation Statefulness Granular rate based protection Inbound is legitimate in web- applications Anti-spoofing missing Content vs. Intent Processing power under rate-floods Granular Rate-based DoS/DDoS automated Prevention Zero-day attack prevention, content vs. Intent Solution Must Be Easy to Use and Deploy
  • 45 Fortinet Confidential  Uses the newest member of the FortiASIC family, FortiASIC-TPTM  Rate Based Detection  Inline Full Transparent Mode • No MAC address changes  Signature Free Defense • Hardware based protection  Self Learning Baseline • Adapts based on behavior  Granular Protection • Multiple thresholds to detect subtle changes and provide rapid mitigation Hardware Accelerated DDoS Defense Intent Based Protection Introducing FortiDDoS FortiDDoS™ Web Hosting Center Firewall Legitimate Traffic Malicious Traffic ISP 1 ISP 2
  • 46 Fortinet Confidential Virtual Partitions • Uniquely enables up to eight segmented zones »Segmentation by server address / subnet • Consider a customer with multiple traffic types »Web Browsing »Firmware Updates »Online Ordering • Separate Policies for Unique Traffic Patterns »Connection patterns could differ from server to server • Need to protect services from each other »Mitigation could include limiting the volume of firmware downloads Corporate site Firewall FortiGate DDOS Protection FortiDDOS Links from ISP(s)
  • 47 Fortinet Confidential How Does It Work? • Packets/Source/Second • SYN Packet/Second • Connection Establishments/second • SYN Packets/Source/Second • Connections/Second • Concurrent Connections/Source • Concurrent Connections/Destination • Packets/Port/Second • Fragmented packets/second • Protocol packets/second • Same URL/second • Same User-Agent/Host/Referer/Cookie/Second • Same User-Agent, Host, Cookie, Referer/Second • Anti-Spoofing checks • Associated URLs heuristics Too many hoops to cross before a set of malicious packets can go through. Prevent Rate, Policy, State violations, Stealth, Slow, Fast Attacks Quick blocking, unblocking and revaluation (every packet) to avoid false positives Can reset server connections upon overload
  • 48 Fortinet Confidential How it works – Baseline Building
  • 49 Fortinet Confidential Protecting Against Slowloris • Most behavioral thresholds in FortiDDoS look for granular packet rates exceeding a predefined threshold. » For example a rate threshold for a single source sending too many SYN packets or sending too many concurrent TCP connections. • For Slowloris FortiDDoS looks for unusual behavior by having a reverse threshold. » Threshold is defined by min # of packets in a TCP connection within a time interval » If sufficient number of bytes sent during that interval, the connection is termed safe » If byte count is lower than the threshold, the behavior is malicious • The connection is removed from internal connection tables and the inside server is sent a RST packet to relieve it of the load of the connection. If the client continues to send the packets, the packets will be discarded as foreign packets and will be discarded by the appliance.
  • 50 Fortinet Confidential • FortiDDOS providing in front of assets to be protected • Virtual Partitions allow for multiple baselines • Protection is bi-directional in case of server compromise • Complements any existing firewall or web application firewall capabilities Inline Detection and Mitigation For Small Hosting Company or a Web Property Attacker Remote Office Internet Central Site / Data Center
  • 51 Fortinet Confidential B y p a s s O p t i o n s FortiBridge FortiDDoS FortiGate Corporate Headquarters LAN
  • 52 Fortinet Confidential • Dual links provided for business continuity • FortiDDOS appliance pair provides physical redundancy • Asymmetric Flow Synchronization »Allows FortiDDOS state machines to have complete traffic visibility »Enables handling asymmetric traffic »FortiDDOS devices are interconnected to provide the synchronization path »Mitigation occurs on both appliances »No configuration sync Asymmetric Flow Sync Redundant Solution with Multiple Links Attacker ISP-B Data / Hosting Center ISP-A
  • 53 Fortinet Confidential Corporate website Partner portals Online Services FortiDDoS Distribution Layer Access Layer Service Profiles
  • 54 Fortinet Confidential D e p l o y m e n t S c e n a r i o s
  • 55 Fortinet Confidential FortiDDOS Solutions • SMB or Mid-Range enterprises (e-commerce or online retailers) who are relying on web portal for business • Web hosting companies offering their customers value-added security services • Service providers who are sensitive about the operational continuity of their infrastructures for business and compliance reasons
  • 56 Fortinet Confidential September 17, 2013 FortiWeb Protecting against exploits on Web Application
  • 57 Fortinet Confidential HTTP Threats • Aim of attack is to compromise the target web server »Steal critical information »Post malicious files to exploit site users • Attack techniques: »Cross-site scripting (XSS) and cross-site request forgery (CSRF) »Brute force login attack »SQL injection »Credit card theft and information leakage »Bots »HTTP protocol attack
  • 58 Fortinet Confidential • Layer II - Transparent Inspection and True Transparent Proxy • Easy deployment - No need to re-architect network, full transparency • Fail Open Interface • Reverse Proxy • Supports content modification for both requests and replies from the server • Advanced URL rewriting capabilities • HTTPS offloading • Enhanced load balancing schemes • Non Inline Deployment – SPAN port • Zero network latency • Blocking capabilities using TCP resets • Ideal for initial product evaluations, non-intrusive network deployment Deployment Options Web Application Servers FortiWeb FortiWeb System Administration
  • 59 Fortinet Confidential Protection & Monitor IP Reputation and Bot Identification– Automated attacks and compromised host protection • Protection against access from Anonymous proxies, malicious hosts and sources identified in DDoS/Phishing attacks Antivirus file upload scanning and Data Leak Prevention • Scans uploaded files for viruses and malware (FortiGuard updates) • Detects Information Disclosure, credit card and PII leakage Auto Learn and Validation Rules • Deviations from normal user behavior, automated and customer rules Application Attack Signatures • Detects known application attacks • FortiGuard updates Protocol Validation • Validates HTTP RFC compliance Application and Network Denial of Service Protection (DoS/DDos protection) • Detects and aggregates DoS attacks from multiple vectors Protection at all Layers
  • 60 Fortinet Confidential FortiWeb Auto Learn Application Profiling Accurate Protection Requires: • Understanding the Protected Application • Application structure (URLs, parameters, methods) • What is expected and what is suspicious • Understanding Hackers • Popular attack methods, tools, and application vulnerabilities • Differentiate between application changes, human errors and real attacks
  • 61 Fortinet Confidential FortiWeb Auto Learn Application Profiling     Understand Application Structure • Models elements from actual traffic • Builds baseline based on URLs, parameters, HTTP methods Automatically Understands Real Behavior • Can form fields/parameters be modified by users? • What are the length and type of each form field? • What characters are acceptable (min, max, average)? • Is a form field required or optional? Provides Recommendations and Graphs
  • 62 Fortinet Confidential Vulnerability Assessment Protect your Web Applications Easily Scan your web applications • Common vulnerabilities • SQL Injection • Cross Site Scripting • Source code disclosure • OS Commanding Enhanced/Basic Mode • Crawling information • URLs accepting input • External Links Authentication Options Granular Crawling Capabilities Scheduled and on Demand Scanning FortiWeb
  • 63 Fortinet Confidential Vulnerability Reports • Scan summary • Vulnerability by severity • Vulnerability by categories • Application Vulnerabilities • Common Vulnerabilities Server Information • Crawling information • URLs accepting input • External Links Provides Recommendations and Graphs Updates via FortiGuard Complements WAF for PCI DSS Vulnerability Assessment Protect your Web Applications
  • 64 Fortinet Confidential FortiWeb WAF Deployment and Management Features Multiple Deployment Options Four operational modes to fit into any environment Auto-Learn Security Profiling Automatically and dynamically build a security model of protected applications by continuously monitoring real time user activity Authentication Offload Offload your web server authentication to the FortiWeb platform while supporting different authentication schemes such as Local, LDAP, NTLM and Radius High Availability Configuration synchronization and network level failover in the event of unexpected outage events. Integrated bypass interfaces provide additional fail open capability for single box deployments. Virtualization Virtual Appliance for VMware ESX and ESXi platforms mitigating blind spots in virtual environments
  • 65 Fortinet Confidential FortiWeb WAF Protection and Monitoring Features Application Layer Vulnerability Protection Out of the box protection for the most complex attacks such as SQL Injection, Cross Site Scripting, CSRF and many others Data Leak Prevention Extended monitoring and protection for data leakage and application information disclosure by tightly monitoring all outbound traffic Web Anti Defacement Unique capabilities for monitoring protected applications for any defacement and ability to automatically and quickly revert to stored version Vulnerability Assessments Automatically scans and analyzes the protected web applications and detects security vulnerabilities to complete a comprehensive solution for PCI DSS HTTP RFC Compliance Validation Capabilities to block any attack manipulating the HTTP protocol by maintaining strict RFC standards
  • 66 Fortinet Confidential FortiWeb WAF Application Delivery Features Application Aware Load Balancing Intelligent, application aware layer 7 load balancing eliminates performance bottlenecks, reduces deployment complexity and provides seamless application integration Data Compression Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers SSL Offload With the integration of award winning FortiASIC™ technology, FortiWeb is able to process tens of thousands of web transactions by providing hardware accelerated SSL offloading Anti-Virus FortiWeb includes a full AV-Client to scan file uploads. GEO-IP Full GEO-IP database for reporting and blocking
  • 67 Fortinet Confidential FortiWeb WAF Standards Compliance PCI DSS compliance FortiWeb is the only product that provides a Vulnerability Scanner module within the web application firewall that completes a comprehensive solution for PCI DSS requirement 6.6 Protects against OWASP Top 10 Incorporating a positive and a negative security module based on bidirectional traffic analysis and an embedded behavioral based anomaly detection engine FortiWeb fully protects against the OWASP TOP 10 FortiGuard Labs Customers get up to date dynamic protection from the Fortinet Global Security Research Team, which researches and develops protection against known and potential application security threats.
  • 68 Fortinet Confidential FortiWeb Customers Worldwide Government Telco Retail/Technology/Financial/Other
  • 69 Fortinet Confidential September 17, 2013 Summary
  • 70 Fortinet Confidential FortiDDoS Features and Benefits Feature Benefit ASIC-assisted threat detection and mitigation • High-speed processors block attacks before they can affect network availability. • No sampling, low latency, fast mitigation Network virtualization and segregation • In multi-tenant or virtual environments, prevents attack on one customer from affecting another • Provides flexible deployment options and optimal TCO for service providers and cloud environments Automatic traffic pattern learning • Achieves more accurate threat detection through multi-layer profiling • Modeling requires almost no end user intervention Rapid deployment • No network topology or configuration changes needed, integrates into existing network architecture Enforcement of network traffic on layers 3, 4 and 7 • Significantly reduces false positives • Automatically builds a complex and detailed legitimate traffic model • Facilitates detection of sophisticated attacks 70
  • 71 Fortinet Confidential FortiClient Desktop Application Security Application Delivery Vulnerability Assessment Authentication SSL Offloading and Acceleration HTTP Compliance Application Signatures Application Profiling Data Leak Prevention Compression DDoS Protection AntivirusIP Reputation Load Balancing • Dramatically reduce the risk of corporate data loss. • Accurate protection with multiple layers of defense • Integrated Web Vulnerability Scanner • Protects against the OWASP Top 10 • Positive and negative security policies • Automated management using Auto Learn Baselining • Sophisticated DoS/DDoS protection • Layer 7 focus • Botnet and malicious sources protection • Easily deploys in any environment • Multiple deployment options • Data Analytics – Geo IP data analysis and security over the world map • Accelerates applications • Application aware Load Balancing • Compression • ASIC based SSL Acceleration • Helps achieve PCI compliance FortiWeb Value AddF O R T I N E T S O L U T I O N S
  • 72 Fortinet Confidential September 17, 2013 Thank You