2. Agenda
• Data center security challenges and threats
• The solution: APSolute attack prevention with DefensePro
• Introducing DefensePro building blocks
– Protections set
– OnDemand switch platform
– APSolute Vision
• Emergency Response Team
• Customer success
• Summary
3. Network & Data Center Security Challenges
• Availability
– How do you ensure business applications are delivered under attacks?
• Performance
– How do you ensure consistent user experience when your network is under attack?
• Security
– What is the cost of data loss or abuse of your resources?
• Scalability
– How do you ensure future growth while minimizing initial spending?
• Cost reduction
– How to address all the above while reducing costs?
We focus on data center application delivery and security
4. Network & Data Center Threats and Protection Tools
• Threats
– Application vulnerability
– Information theft
– Authentication defeat
– Malware spread
– Network anomalies
– Application downtime
– Network downtime
– Phishing, Trojans, Spam, Botnets
• Protection tools
– Intrusion Prevention
– Behavioral Analysis
– DoS Protection
– Reputation Services
9. Network & data center security: mapping the solutions
[Diagram: Internet → Access Router → Firewall → Web Servers / Application Servers, with DefensePro deployed in the traffic path]
• APSolute attack prevention for data centers maps the threats to four solutions: IPS, DoS Protection, NBA and Reputation Engine (Anti Trojan / phishing)
• DefensePro combines all four in one device: IPS, DoS Protection, NBA, Anti Trojan, Anti Phishing
10. Network & data center security: mapping the technologies
DefensePro: IPS, DoS Protection, NBA, Anti Trojan, Anti Phishing
• IPS: Signature Detection; Stateful Inspection
• DoS Protection: Rate-based; SYN Cookies
• NBA: Rate-based; Behavioral Analysis; User Behavioral Analysis; Application Behavioral Analysis
• Reputation Engine: Signature Detection; Anti Trojan, Anti Phishing
11. Introducing DefensePro
DefensePro is a real-time attack prevention device that protects your application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies and information theft.
14. IPS: Static Signature Protection
• Signature protection
– Leading security research team
– Protection against known application vulnerability exploits
– Weekly and emergency signature updates
• Enables protection against
– Worms, Bots, Trojans, Phishing, Spyware
– Web, Mail, SQL, VoIP (SIP), DNS vulnerabilities
– Anonymizers, IPv6 attacks
– Microsoft vulnerabilities
– Protocol anomalies
15. DoS Protection: Real-time Signatures Protection
• Automatic real-time signature protection against network DDoS attacks:
– SYN floods
– TCP floods
– UDP/ICMP floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against network flooding with no need for human intervention
16. Network Behavioral Analysis: Real-time Signatures Protection
• NBA (Network behavioral analysis) detects abnormal user and application transactions
• Automatic real-time signature protection against:
– Zero-minute malware spread
– Application resource misuse such as:
• Brute force attacks
• Web application scanning
• HTTP page floods
• SIP Scans
• SIP Floods
• Value proposition
– Maintain critical application availability even under attack
– Block attacks without blocking legitimate user traffic
– Automatic, real-time protection against user and application resource misuse with no need for human intervention
17. The Secret Sauce – Real-time Signatures
[Diagram: closed feedback loop between the Public Network and the Enterprise Network, applied to inbound and outbound traffic]
• Inputs: network, servers, clients
• Behavioral Analysis → Abnormal Activity Detection
• Real-Time Signature Generation
• Inspection Module enforces the real-time signature on inbound and outbound traffic
• Closed feedback: optimize signature; remove when attack is over
• Covers: DoS & DDoS, application level threats, zero-minute malware propagation
18. Standard Security Tools: HTTP Flood Example
[Diagram: an Attacker sends BOT commands through an IRC Server to HTTP Bots (infected hosts), which flood Public Web Servers over the Internet, misusing service resources]
• Static Signatures Approach
– No solution for low-volume attacks as requests are legitimate
– Connection limit against high volume attacks: agnostic to the attacked page, blocks legitimate traffic, high false-positives
19. Real-Time Signatures: Accurate Mitigation
Case: HTTP Page Flood Attack
[Diagram: same scenario as slide 18: Attacker, BOT command over an IRC Server, HTTP Bots (infected hosts) misusing Public Web Server resources]
• Behavioral Pattern Detection (1)
– Based on probability analysis, identify which Web page (or pages) has higher than normal hits
• Behavioral Pattern Detection (2)
– Identify abnormal user activity. For example:
• Normal users download few pages per connection
• Abnormal users download many pages per connection
• Real Time Signature
– Block abnormal users’ access to the specific page(s) under attack
20. Real-Time Signatures: Resistance to False Positive
Case: Flash Crowd Access
[Diagram: many Legitimate Users accessing Public Web Servers over the Internet]
• Behavioral Pattern Detection (1)
– Based on probability analysis, identify which web page (or pages) has higher than normal hits
• Behavioral Pattern Detection (2)
– No detection of abnormal user activity
• Result
– Attack not detected
– No real time signature is generated
– No user is blocked
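The two detection stages described on slides 19 and 20, together with the closed-feedback expiry step from slide 17, as an added Python example. This is not Radware's code and not DefensePro's actual algorithm: the per-page baseline (`BASELINE`), the two thresholds (`PAGE_HIT_FACTOR`, `MAX_PAGES_PER_CONN`), the `Signature` type and the request log built by `constructed_log` are all assumptions introduced here. It runs the same logic over a constructed page-flood window, a constructed flash-crowd window and a quiet window, so the reader can see that a flash crowd trips stage 1 alone and produces no signature.

```python
"""
Two-stage behavioural detection of an HTTP page flood, the real-time
signature it produces, and the closed-feedback expiry step.

Added example, not Radware's code or DefensePro's algorithm: it follows the
detection stages described on slides 17, 19 and 20.  The per-page baseline,
the two thresholds and the request log are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Learned per-page hit counts for one measurement window (constructed baseline).
BASELINE = {"/": 20, "/login": 10, "/checkout": 10, "/sale": 5}

# Stage 1: a page is "under pressure" when its hits exceed the baseline by
# this factor.  Constructed threshold; a real engine derives it statistically.
PAGE_HIT_FACTOR = 5.0

# Stage 2: normal users download few pages per connection (slide 19); a
# connection above this count is treated as abnormal.  Constructed threshold.
MAX_PAGES_PER_CONN = 10


@dataclass(frozen=True)
class Signature:
    """Real-time signature: block one source's access to one page under attack."""
    src: str
    page: str


def hot_pages(requests, baseline):
    """Stage 1: pages whose hit count is far above their learned baseline."""
    hits = Counter(page for _src, _conn, page in requests)
    return {p for p, n in hits.items() if n > PAGE_HIT_FACTOR * baseline.get(p, 1)}


def abnormal_sources(requests):
    """Stage 2: sources that fetched many pages over a single connection."""
    per_conn = Counter((src, conn) for src, conn, _page in requests)
    return {src for (src, _conn), n in per_conn.items() if n > MAX_PAGES_PER_CONN}


def generate_signatures(requests, baseline):
    """Emit signatures only when both stages fire: a page under pressure AND
    abnormal users on the server.  A flash crowd trips stage 1 alone and so
    produces nothing (slide 20)."""
    pages = hot_pages(requests, baseline)
    if not pages:
        return set()
    return {Signature(src, page) for src in abnormal_sources(requests) for page in pages}


def expire_signatures(active, requests, baseline):
    """Closed feedback (slide 17): drop a signature once its page is no longer
    under pressure in the latest window, i.e. when the attack is over."""
    still_hot = hot_pages(requests, baseline)
    return {sig for sig in active if sig.page in still_hot}


def constructed_log(kind):
    """Constructed request tuples (source, connection id, page); not real traffic."""
    log = []
    # Background legitimate users: three pages over one connection each.
    for i in range(8):
        src, conn = f"10.0.0.{i}", f"c{i}"
        log += [(src, conn, "/"), (src, conn, "/login"), (src, conn, "/checkout")]
    if kind == "page_flood":
        # Four infected hosts each hammer /checkout 30 times on one connection.
        for b in range(4):
            log += [(f"192.0.2.{b}", "bot", "/checkout")] * 30
    elif kind == "flash_crowd":
        # Sixty distinct users each fetch two pages: /sale is hot, users are normal.
        for i in range(60):
            src, conn = f"198.51.100.{i}", f"f{i}"
            log += [(src, conn, "/sale"), (src, conn, "/")]
    return log  # kind == "quiet": background traffic only


if __name__ == "__main__":
    flood = generate_signatures(constructed_log("page_flood"), BASELINE)
    print("page flood   ->", sorted((s.src, s.page) for s in flood))
    print("flash crowd  ->", generate_signatures(constructed_log("flash_crowd"), BASELINE))
    print("after attack ->", expire_signatures(flood, constructed_log("quiet"), BASELINE))
```

The signature is deliberately scoped to (source, page) pairs rather than to the source alone, which is what keeps the mitigation from becoming the page-agnostic connection limit criticised on slide 18: an abnormal source is cut off from the page under attack, and the signature is withdrawn as soon as that page's hit rate returns to baseline.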
21. Reputation Engine: real time feeds
• Protect network users from:
– Financial fraud
– Information theft
– Known & zero-minute malware spread
• Real time feeds from RSA Anti Fraud Command Center (AFCC)
– The industry’s largest, and most experienced anti-fraud team
• Preventing:
– Trojan installs & remote communications
– Communication with drop point (leak of user privileged information)
– Phishing attempts
• Availability: version 5.10 / October 2010
23. OnDemand Switch: Architecture Designed for Attacks Prevention
OnDemand Switch: platform capacity up to 12Gbps
• DoS Mitigation Engine
– ASIC based
– Prevent high volume attacks
– Up to 10 Million PPS of attack protection
• NBA Protections
– Prevent application resource misuse
– Prevent zero-minute malware
• Reputation Engine
– Anti Trojan & Phishing
• IPS
– ASIC based String Match Engine performing deep packet inspection
– Prevent application vulnerability exploits
24. The Competitive Advantage: Performance Under Attack
[Diagram: multi-Gbps capacity shared between legitimate traffic and 10 Million PPS of attack traffic]
• Other Network Security Solutions: attack traffic consumes the multi-Gbps capacity, so the device handles attack traffic at the expense of legitimate traffic!
• DefensePro: attack traffic does not impact legitimate traffic
26. On-Demand Attack Prevention: Value Proposition
• Unmatched Performance
– Leading industry performance up to 12Gbps with active network security profiles
• OnDemand Scalability
– Scale up performance by increasing throughput using a simple license upgrade
– No hardware replacement needed
• Investment Protection
– Buy what you need – prevent overspending for capacity you don’t need now
– Pay-as-you-grow and only for the added throughput license
• No Upgrade Projects
– No hardware replacement, staging and network downtime
– Huge cost saving and best TCO
• Operational Simplicity and Standardization
– A standard, unified platform suitable for all throughput levels
– Savings on training, spares and maintenance
“Radware offers low product and maintenance costs, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, April 2009
28. APSolute Vision: Advanced Monitoring and Reporting
• Real-time monitoring
– Active attack details
• Historical reporting
– Per customer dashboards
– Custom reports
29. APSolute Vision: The Value Proposition
APSolute Vision helps Data Center IT managers improve business:
• Resilience
– Real-time identification, prioritization, and response to policy breaches,
cyber attacks and insider threats
• Agility
– Per user customization of real-time dashboards and historical reports.
• Efficiency
– Simplifies data center management
– Improves IT productivity
32. ERT – Emergency Response Team
• Background: July 2009
– Massive DDoS Incidents in USA and Korea
– A new level of attacks both in terms of quality and quantity
– Radware decided to address such cases and to provide help for customers under attack
• ERT’s Goal
– To provide swift and professional response that allows customers to neutralize attacks and to restore network and service operational status
• Characteristics
– 24x7 Service
– Immediate Response
– Neutralize DoS/DDoS attacks and malware outbreaks
34. Customer Case: Gmarket (1 of 2)
• About the Customer
– Gmarket Inc. (Nasdaq: GMKT) is Korea’s leading e-commerce marketplace
– Gmarket derives their revenues from transaction fees on the sale of products on their website and from advertising
• The Need
– Web service protection
• Prevent Web vulnerabilities exploitation
• Prevent Web cracking (Web Scans & Brute Force)
• Prevent HTTP Page floods misusing web servers
– Anti-DoS solution
• Protect against unexpected high volume DDoS attacks which stop all web transaction services
– Secure Firewalls, L3 switches and web servers from high volume attacks
“Radware’s DefensePro is the only solution that was able to provide us with the most complete intelligent solution to protect our website and our business”
– Park Eui-Won, Security Team Leader
35. Customer Case: Gmarket (2 of 2)
• The Solution
[Diagram: Internet → Access Router → Firewall → Switch → Web Servers, with multiple DefensePro devices deployed in the path]
– DoS Protection:
• Prevent high volume DoS/DDoS attacks
• Infrastructure Protection: Firewalls, Switches, etc.
– NBA protections:
• Prevent HTTP Page Flood attacks
• Brute Force attacks, Web vulnerability Scans
– IPS:
• Prevent Web vulnerabilities exploitations
37. NSS Report 2010 Highlight
• “DefensePro 8412 is rated at 8Gbps and offers good performance coupled with low latency under all normal and extreme traffic conditions.”
• “Performance in the high volume detection and mitigation tests was also impeccable across the board, with perfect detection and mitigation at all load levels.”
• “DefensePro’s dedicated DoS Mitigation Engine ensures that it will not become the bottleneck under high volume attacks”
• “DefensePro completed all our tests without raising a single false positive alert”
• “Brute force attacks, slow port scans, web vulnerability scans and application scanning… Network behavioural analysis technology is used to differentiate the low and slow attack patterns from the legitimate network traffic. DefensePro flawlessly handled these attacks”
• NSS Labs’ Rating: Recommended
– “Only the top technical products earn a recommend rating from NSS Labs”
38. DefensePro Differentiators
• Best security solution for networks and data centers in a single box:
– Intrusion prevention (IPS)
– DoS protection
– Network behavioral analysis (NBA)
– Reputation Engine service
• Multi-patented security technology
• Best performing solution
– DoS Mitigator Engine - maintain throughput when under attack
• Best in class unified monitoring and reporting
• Lowest CapEx
– Multitude of security tools in a single box
– Pay-As-You-Grow – scalable platform selection with license upgrade for throughput
• Lowest OpEx
– Automatic real-time signatures protection with no need for human intervention
“Radware offers low product and maintenance cost, as compared with most competitors.”
Greg Young & John Pescatore, Gartner, April 2009