PLNOG 17 - Marek Karczewski - Myths and facts of effective web application protection (DDoS, WAF, SSL) - security as a network function or point solutions?

Using RADWARE's AMS (Attack Mitigation System) as an example, this presentation covers different models of effective web application protection, both in the "cloud" model and in the mixed (hybrid) model. It also presents the advantages of implementing security mechanisms as native network functions and answers the question of how to provide the best protection while maintaining the highest application SLA level.


  1. Radware. Myths and facts of effective web application protection. Marek Karczewski
  2. What do we protect? Internet; Users; Protected Organization – Data Center; Internet Service Provider; Servers farm and Applications
  3. DDoS Attacks Landscape (chart). Network 51%: TCP-Other, UDP, IPv6 1%, TCP-SYN Flood, ICMP; other segment values 10%, 16%, 6%, 18%. Application 49%: VoIP 1%, Web (HTTP/HTTPS), SMTP, DNS; other segment values 9%, 23%, 16%.
  4. Evolving Threat Landscape. Top 10 Web Attack Methods (chart): Denial of Service, SQL Injection, Cross Site Scripting (XSS), Brute Force, Predictable Resource Location, Stolen Credentials, Unintentional Information Disclosure, Banking Trojan, Credential/Session Prediction, Cross Site Request Forgery (CSRF). Chart labels: Denial of Service 25%; SQL Injection, 24%; 8.9%; 4.8%; 3.8%; 3.7%; 3%; 2.8%; 2.1%; 1.9%; Others.
  5. More Automated, Persistent DoS Attacks (chart). Attack duration: 1 hour or less, 1 hour to 1 day, 1 day to 1 week, Over a week, Constantly. Series: 2011, 2012, 2013, 2014, 2015. Data labels: 57%, 36%, 4%, 2%, 1%.
  6. The SSL Security Threat. Internet traffic encryption growth: privacy concerns; growing usage of cloud applications; HTTP/2 mandating encryption. Over 50% of traffic in enterprises is encrypted. By 2017, 50% of attacks will be encrypted. Source: Gartner, 2015. 20% of organizations inspect SSL; 80% of organizations don't inspect SSL traffic.
  7. DDoS attacks from infrastructure perspective (chart). 2015: Internet Pipe (Saturation) 36%, Firewall 13%, IPS/IDS 8%, Load Balancer (ADC) 9%, The Server Under Attack 33%, SQL Server 1%. 2014: Internet Pipe (Saturation) 36%, Firewall 21%, IPS/IDS 10%, Load Balancer (ADC) 3%, The Server Under Attack 28%, SQL Server 2%. Diagram labels: Internet Pipe; Firewall; IPS/IDS; Load Balancer/ADC; Server Under Attack; SQL Server.
  8. Complexity of attacks continues to grow. Attacks: "Low & Slow" DoS attacks (e.g. Slowloris); large volume network flood attacks; SYN floods; network scan; HTTP floods; SSL floods; app misuse; brute force; XSS, CSRF; SQL injections. Protections: Cloud DDoS protection; DoS protection; Behavioral analysis; IPS; WAF; SSL protection. Diagram labels: Internet Pipe; Firewall; IPS/IDS; Load Balancer/ADC; Server Under Attack; SQL Server.
  9. Multi-technology protection. Only a multi-technology solution can provide full protection from multi-vector threats. Cloud DDoS protection; DoS protection; Behavioral analysis; IPS; WAF; SSL protection.
  10. Distributed deployment for the most efficient attack detection and mitigation. Radware Cloud Scrubbing: Cloud protects your internet pipe. Attack Mitigation Device: Perimeter protects your datacenter infrastructure; must be stateless. Load Balancer/ADC: LAN protects your applications and data; must be stateful. Diagram labels: Internet Pipe; Firewall; Server Under Attack; Cloud DDoS protection; DoS protection; Behavioral analysis; IPS; WAF; SSL protection.
  11. Application Delivery and Security technologies. Diagram labels: Radware Cloud Scrubbing; DefensePro / DDoS; SSL Inspection; AppWall WAF; IPS; Firewall; Anti Virus; ADC. Radware Scrubbing Center. DefensePro: DoS/DDoS Solution. Alteon: SSL solution for DDoS.
  12. SSL mitigation solution. Diagram labels: SSL Inspection; DefensePro / DDoS. DDoS protection deployed behind SSL inspection: stateful SSL exposed to DDoS attacks. DDoS protection deployed in front of SSL inspection: full protection coverage.
  13. Integrated Application Delivery and Security technologies. Diagram labels: Radware Cloud Scrubbing; DefensePro / DDoS; SSL Inspection; AppWall WAF; IPS; Firewall; Anti Virus; ADC. Alteon: SSL Interception and Inspection. Alteon: Application Delivery Controller. AppWall: Web Application Firewall.
  14. From point protection… to an automated & intelligent network defense model. Self Defence, Automated, Network-wide Security.
  15. Transformation from device centric to network-wide services. Device-centric service: network as a host… Network-wide service: a network that is part of the service.
  16. Defense Messaging and synchronized operation. Detect where you can, mitigate where you should. Diagram labels: Internet Pipe; Firewall; Load Balancer/ADC; Server Under Attack; Attack Mitigation Device; Radware Cloud Scrubbing; Defense Messaging.
  17. WAF out-of-path deployment. Diagram labels: Attack Mitigation Device; Defense Messaging; Protected Web App; Alteon NG; WAF Out-of-path.
  18. AppWall and ADC resource utilisation. Diagram labels: Attack Mitigation Device; Defense Messaging; Protected Web App; Alteon NG; Critical resources utilisation.
  19. Entire infrastructure protection. Diagram labels: Attack Mitigation Device; Defense Messaging; Alteon NG.
  20. Protected Organization; DDoS Scrubbing Center; Carrier infrastructure; Cloud protection service; Defense Messaging; Data Center
  21. Protected Organization; DDoS Scrubbing Center; Carrier infrastructure; Cloud protection service; Data Center
  22. Cloud protection service. Diagram labels: Internet; Customer Premise; Cloud Service Provider; Data Center.
  23. Cloud protection service. Diagram labels: Customer Premise; Cloud Service Provider; Cloud Protection; Data Center; Local Security Cloud Scrubbing Cloud.
  24. Radware Command & Control Center. Diagram labels: Radware Virtual & Physical Appliances; L3-4-7 Collection; CheckPoint DDoS Protector; 3rd Party Detection Devices (NetFlow, SIEM, …); Cisco FirePower 9300; Radware Flow Collector; NetFlow; SDN Enabled Devices; OpenFlow / Open Daylight.
  25. Radware Command and Control Center
  26. Application Template; Adding Radware to the Orchestration; Front End; Back End; Orchestrator
  27. Attack detected !!! L2/3 Switch; OVS; Cyber Control; Diversion to scrubbing center
  28. Attack detected !!! L2/3 Switch; OVS; Cyber Control; ACL protection
  29. Attack detected !!! L2/3 Switch; OVS; Cyber Control; "Smart Tap" / Web Application Firewall
  30. Thank you
