PLNOG 17 - Marek Karczewski - Myths and facts of effective web application protection (DDoS, WAF, SSL) - security as a network function or point solutions?
Using RADWARE's AMS (Attack Mitigation System) as an example, this presentation covers different models of effective web application protection, both cloud-based and mixed (hybrid). It also presents the advantages of implementing security mechanisms as native network functions and answers the question of how to provide the best protection while maintaining the highest application SLA level.
4. Evolving Threat Landscape
Top 10 Web Attack Methods:
Denial of Service (25%)
SQL Injection (24%)
Cross Site Scripting (XSS)
Brute Force
Predictable Resource Location
Stolen Credentials
Unintentional Information Disclosure
Banking Trojan
Credential/Session Prediction
Cross Site Request Forgery (CSRF)
[Pie chart; the remaining slice labels read 8.9%, 4.8%, 3.8%, 3.7%, 3%, 2.8%, 2.1%, 1.9% and Others.]
5. More Automated, Persistent DoS Attacks
[Bar chart: attack duration (1 hour or less, 1 hour to 1 day, 1 day to 1 week, over a week, constantly) by year, 2011 to 2015; vertical axis 0% to 60%; labelled values 57%, 36%, 4%, 2%, 1%.]
6. The SSL Security Threat
Internet traffic encryption growth:
Privacy concerns
Growing usage of cloud applications
HTTP/2 mandating encryption
Over 50% of traffic in enterprises is encrypted
By 2017, 50% of attacks will be encrypted
Source: Gartner, 2015
20% of organizations inspect SSL
80% of organizations don't inspect SSL traffic
7. DDoS attacks from infrastructure perspective
2015: Internet Pipe (Saturation) 36%, Firewall 13%, IPS/IDS 8%, Load Balancer (ADC) 9%, The Server Under Attack 33%, SQL Server 1%
2014: Internet Pipe (Saturation) 36%, Firewall 21%, IPS/IDS 10%, Load Balancer (ADC) 3%, The Server Under Attack 28%, SQL Server 2%
8. Complexity of attacks continues to grow
[Diagram labels. Attacks: large volume network flood attacks, SYN floods, network scan, "Low & Slow" DoS attacks (e.g. Slowloris), HTTP floods, SSL floods, app misuse, brute force, XSS, CSRF, SQL injections. Protections: Cloud DDoS protection, DoS protection, behavioral analysis, IPS, WAF, SSL protection. Infrastructure: Internet Pipe, Firewall, IPS/IDS, Load Balancer/ADC, Server Under Attack, SQL Server.]
9. Multi-technology protection
Only a multi-technology solution can provide full protection from multi-vector threats
Cloud DDoS protection DoS protection Behavioral analysis IPS WAF SSL protection
10. Distributed deployment for the most efficient attack detection and mitigation
Radware Cloud Scrubbing: cloud protects your internet pipe
Attack Mitigation Device: perimeter protects your datacenter infrastructure. Must be stateless
Load Balancer/ADC: LAN protects your applications and data. Must be stateful
[Diagram labels: Internet Pipe, Firewall, Server Under Attack; Cloud DDoS protection, DoS protection, behavioral analysis, IPS, WAF, SSL protection]
12. SSL mitigation solution
DDoS protection deployed behind SSL inspection: stateful SSL exposed to DDoS attacks
DDoS protection deployed in front of SSL inspection: full protection coverage
[Diagram labels: SSL Inspection, DefensePro / DDoS]
13. Integrated Application Delivery and Security technologies
Alteon: SSL Interception and Inspection
Alteon: Application Delivery Controller
AppWall: Web Application Firewall
[Diagram labels: Radware Cloud Scrubbing, DefensePro / DDoS, SSL Inspection, AppWall WAF, IPS, Firewall, Anti Virus, ADC]
14. From point protection… to an automated & Intelligent network defense model
Self Defence, Automated, Network-wide Security
15. Device-centric service Network-wide service
Network as a host… A network that is part of the service
Transformation from device centric to network-wide services
16. Defense Messaging and synchronized operation
Detect where you can, mitigate where you should
[Diagram labels: Internet Pipe, Firewall, Load Balancer/ADC, Server Under Attack; Attack Mitigation Device; Radware Cloud Scrubbing; Defense Messaging]
As attacks are getting longer, larger and more sophisticated, organizations need to be able to protect their applications from a large variety of security threats including:
Web-based attacks
Mostly known through the Open Web Application Security Project (OWASP) Top 10 which lists out the most common web-based threats.
Includes threats such as SQL Injections, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), which are typically not covered by traditional firewalls and intrusion detection systems (IDS).
Availability-based attacks
Distributed Denial of Service (DDoS) attacks at both the network and application layers.
Includes the use of automated programs (bots) as well as humans to launch attacks aimed at exhausting application resources.
At the “Service Layer” – Radware provides Apps Delivery and Security solutions. Radware offers virtual instances & HW deployments.
“vDirect” connects Radware to APIC orchestration system
“Open Daylight” connects Radware to the DC