Threat detection and mitigation with Check Point
DESCRIPTION
Presentation by Ignacio Berrozpe, of Check Point, during the XV Jornada de Seguridad TI of Nextel S.A. at the Alhóndiga in Bilbao on Thursday, 27 June 2013.
TRANSCRIPT
©2012 Check Point Software Technologies Ltd. [PROTECTED] — All rights reserved.
Check Point Threat Control
Agenda
1 Modern Malware: Risks and Challenges
2 Collaborative Security Intelligence: ThreatCloud™
3 Anti-Bot Software Blade
4 Antivirus Software Blade
5 Unified Threat Prevention Solution
Today’s Threat Landscape
59% of organizations believe they have been the target of an APT attack¹
82% experienced a bot attack in the past year²
10 million known attacks per day³
A new malware is created every second⁴
With today's multiple attack vectors, a multi-layer, real-time solution is needed
¹ ESG APT Survey, October 2011
² Ponemon 2nd annual cost of cybercrime study, August 2011
³ Kaspersky research labs, 2011
⁴ Sophos Security Threat Report, 2011
ThreatCloud™: First Collaborative Network to Fight Cybercrime
Check Point ThreatCloud™
Over 250 million addresses analyzed for bot discovery
Over 4.5 million malware signatures
Over 300,000 malware-infested sites
Up-to-the-minute security intelligence
ThreatCloud™ - Dynamically Updated Intelligence
Industry-best malware feeds: malware sites, signatures, bot addresses
Collect attack information from gateways
Global network of sensors to identify emerging threats
Check Point ThreatCloud™
SensorNET
The SensorNET System
SensorNET provides a global set of observation points in the network feeding threat observations back to a central analysis point.
Check Point’s position enables wide access to data points in the network.
SensorNET Collects Attack Information
Attack Name: Web Client Enforcement Violation; Protection name: Microsoft IE argument handling memory corruption vulnerability (MS08-045); Protection Type: signature; rule: 3; Destination: 81.0.0.41; Source: N1.H291; proto: tcp; product: IPS SW blade; service: http; s_port: 5707; Severity: High; Confidence: High
The Attack
Sensitive customer data is hidden
Probe identifies an attack
Attack information sent to ThreatCloud™
SensorNET Analyzes Attack Information
Analyzes threat landscape
Multiple attacks
Same IP address identified
New protections sent to Check Point gateways
Identify Bot attack and Update Check Point gateways
Further analysis shows the IPs are bot C&C addresses
New bot C&C address protection sent to gateways
Check Point ThreatCloud™
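The collect-then-correlate flow on the SensorNET slides, as an added Python example that is not part of the presentation or of any Check Point product: it parses events in the key/value format shown on the slide, pseudonymizes the source field before an event leaves the gateway (the slide's "sensitive customer data is hidden"), and promotes a destination to a C&C candidate once several distinct sources have reported it with high confidence. The sample events (other than the 81.0.0.41 / N1.H291 values taken from the slide), the salt and the thresholds are constructed for the demo.

```python
import hashlib
from collections import defaultdict


def hide_source(ip: str, salt: str) -> str:
    """Pseudonymize a customer IP before it is shared: a keyed hash rendered in
    the slide's N<n>.H<hash> style. The salt never leaves the gateway (assumption)."""
    digest = hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()
    return f"N1.H{digest[:6]}"


def parse_event(line: str) -> dict:
    """Split a 'Key: value; Key: value' SensorNET-style line into a dict."""
    fields = {}
    for part in line.split(";"):
        if ":" not in part:
            continue
        key, value = part.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


# Constructed sample events: three gateways reporting the same destination (one of
# them twice) plus one unrelated destination from a documentation address range.
SAMPLE_EVENTS = [
    "Attack Name: Web Client Enforcement Violation; Protection name: Microsoft IE argument "
    "handling memory corruption vulnerability (MS08-045); Protection Type: signature; rule: 3; "
    "Destination: 81.0.0.41; Source: N1.H291; proto: tcp; product: IPS SW blade; "
    "service: http; s_port: 5707; Severity: High; Confidence: High",
    "Attack Name: Web Client Enforcement Violation; Destination: 81.0.0.41; Source: N2.H0a3; "
    "proto: tcp; service: http; Severity: High; Confidence: High",
    "Attack Name: Web Client Enforcement Violation; Destination: 81.0.0.41; Source: N2.H0a3; "
    "proto: tcp; service: http; Severity: High; Confidence: High",
    "Attack Name: Suspicious HTTP beacon; Destination: 81.0.0.41; Source: N3.H7f1; "
    "proto: tcp; service: http; Severity: Medium; Confidence: High",
    "Attack Name: Web Client Enforcement Violation; Destination: 198.51.100.7; Source: N4.H2c9; "
    "proto: tcp; service: http; Severity: High; Confidence: High",
]


def correlate(lines, min_sources: int = 3) -> list:
    """Group high-confidence events by destination and return the destinations
    reported by at least `min_sources` distinct (pseudonymized) sources. These are
    the 'same IP address identified' candidates handed to analysts."""
    by_dest = defaultdict(lambda: {"sources": set(), "attacks": set()})
    for line in lines:
        ev = parse_event(line)
        if "destination" not in ev or "source" not in ev:
            continue  # malformed line, skip it
        if ev.get("confidence", "").lower() != "high":
            continue  # low-confidence hits do not count toward promotion
        rec = by_dest[ev["destination"]]
        rec["sources"].add(ev["source"])
        rec["attacks"].add(ev.get("attack name", "unknown"))
    return sorted(d for d, rec in by_dest.items() if len(rec["sources"]) >= min_sources)
```

The duplicate report from N2.H0a3 counts once, so the 81.0.0.41 destination reaches the threshold only because three different sources saw it; that is the property that separates a shared C&C address from one noisy gateway.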
Collect Bot Attack Info From GWs
Run classifier
Expert analysis
Identify infection and send potential C&C address to ThreatCloud
Analyze address in Check Point Labs
Add to ThreatCloud C&C address DB – protect ALL GWs
ThreatCloud™
Collect Bot Attack Information From GWs
Map Cyber criminal network
• Gather bot security events from GWs
• Analyze Bot DB data in Check Point Labs
• Identify different resources (IPs) used by the same botnet
Collect Bot Attack Information From GWs
Identify Trends
• Gather bot security events from GWs
• Analyze Bot DB data in Check Point Labs
• Identify attack trends (geography)
ThreatCloud™ Model: High Performance with Extended Protection
Threat Database is kept in the cloud
Download updates to the gateway
Gateway consults the cloud
Malicious URLs
Real time signatures
C&C IP Addresses
Binary Signatures
Heuristic Engine
Traffic Anomaly Check
Security updates normalized to the ThreatCloud
Extended Protection
High Performance
First Integrated Anti-Bot Network Solution
Discover and stop Bot outbreaks and APT attacks
Check Point Anti-Bot Software Blade – Now available!
Botnet Operation: The Infection
Infection
Social engineering, exploiting a vulnerability, drive-by downloads
Download Egg
Small payload; contains the initial activation sequence
Egg downloaded directly from the infection source or from a source such as the Command & Control server
C&C Server
Botnet Operation: Self-Defense
Self Defense
Stop Anti-Virus service
Change “hosts” file
Disable Windows Automatic Updates
Reset system restore points
Command & Control Server
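The “change hosts file” self-defense step is one a defender can check for on a host. Added Python example, not from the presentation or any Check Point product: it parses hosts-file text and flags entries that pin update or security-vendor hostnames to a loopback or unspecified address (black-holing them) or to any other address (redirecting them). The hosts content is constructed; the watchlist mixes two real Microsoft update hostnames with a made-up vendor name and stands in for whatever AV and update domains your own estate depends on.

```python
import ipaddress

# Assumed watchlist: names a bot's self-defense would want to black-hole. Two real
# Microsoft update hostnames plus one constructed vendor hostname.
WATCHLIST = {"windowsupdate.microsoft.com", "update.microsoft.com", "updates.av-vendor.example"}

# Constructed hosts-file content (not taken from a real machine).
SAMPLE_HOSTS = """\
# header comment only
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.microsoft.com   # black-holed
0.0.0.0         update.microsoft.com
198.51.100.5    updates.av-vendor.example      # redirected to a foreign box
192.0.2.10      intranet.example               # harmless custom entry
"""


def parse_hosts(text: str):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()


def classify_target(addr: str) -> str:
    """'blackhole' for loopback or unspecified addresses, 'redirect' for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redirect"  # not even a valid IP; still not where the name should resolve
    return "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"


def find_tampering(text: str, watchlist=WATCHLIST):
    """Return [(hostname, address, kind)] for every watched name pinned in the file.
    Any static mapping of these names is suspect: they are meant to resolve via DNS."""
    return [(name, addr, classify_target(addr))
            for addr, name in parse_hosts(text) if name in watchlist]
```

Reading the file is deliberately left to the caller (on Windows it lives under %SystemRoot%\System32\drivers\etc\hosts), so the same check can run over a forensic image or an EDR-collected copy as easily as on a live host.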
Botnet Operation: The Damages
Payload Pull
Command & Control Server
Spam, Denial of Service, Identity Theft, Propagation, Click fraud
DISCOVER and STOP Bot Attacks
Anti-Bot Software Blade
Discover Bot infections: multi-tier discovery
Prevent Bot damage: stop traffic to remote operators
Investigate Bot infections: extensive forensics tools
ThreatSpect™ Engine
Reputation: detect Command & Control sites and drop zones; over 250 million addresses in ThreatCloud™; real-time updates
Network Signatures: over 2,000 bot families' unique communication patterns; dozens of behavioral patterns
Suspicious Email Activity: over 2 million outbreaks
ThreatSpect™ Engine: maximum security with multi-gig performance
Anatomy of Discovering a Bot (ThreatSpect™ Engine)
ThreatCloud™
Reputation Engine in the cloud
Using smart caching to minimize the number of queries to the cloud
Resource (IP/URL/DNS)
C&C
Anatomy of Discovering a Bot (ThreatSpect™ Engine)
ThreatCloud™
Check for Signatures in the gateway
Multi-connection communication patterns (unique per botnet family)
Bot behavioral patterns
Anatomy of Discovering a Bot (ThreatSpect™ Engine)
ThreatCloud™
Check suspicious Email activity
Mail params (obfuscated)
Bot-based spam: outbound mail analysis to identify spam sent from the organization
Mails normalized, parameters extracted
All customer data is obfuscated
Bot Damage Prevention
Bot remote operator
Stop Traffic between Infected Hosts and Remote Operator
Stop Data Theft
Enable User Work Continuity
Performance Over 40Gbps*
Enhanced Network Antivirus Software Blade
Up-to-the-minute protection using ThreatCloud™
Providing extended malware protection
Antivirus Software Blade
Constantly updated
Security intelligence with ThreatCloud™
Prevent Access to Malicious Sites: over 300,000 sites!
Stop Incoming Malware Attacks
[Chart: Signatures (millions) per release, R75.20 vs R75.40 (4.5 million); y-axis from 0 to 4.5]
300x: Protect with 300x more signatures!
Extended Protection using ThreatCloud™
Antivirus Software Blade Architecture - Prevent Access to Malware-infested Resources
ThreatCloud™ Check Connection – Reputation Engine: IP/DNS/URLs with malware
Prevent connections to resources that contain malware
Prevent drive-by-download attacks
Hundreds of thousands of addresses
Address: malware-containing site
Antivirus Software Blade Architecture – Stop Incoming Malicious Files
ThreatCloud™
Check Signatures in the gateway
Files analyzed against a set of signatures downloaded in the gateway
Limited number of signatures compared to the cloud
Antivirus Software Blade Architecture – Stop Incoming Malicious Files
ThreatCloud™
File unique identifier (MD5)
File is malicious
Check Signatures in the cloud
Real time update and availability of new malware signature
Granular signature database
Only MD5 Checksum is sent to the cloud – high performance
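Two slides above describe the same gateway-side pattern: the ThreatSpect reputation engine uses smart caching to limit queries to the cloud, and the antivirus cloud lookup sends only a file's MD5 checksum. The added Python example below (not the presentation's or Check Point's code) shows one client that serves both: it hashes files locally, caches positive and negative verdicts with a TTL, and counts how many cloud round trips a burst of identical lookups really costs. The cloud stub, its contents and the injectable clock are constructed for the demo; MD5 is used only because that is the identifier the slide names.

```python
import hashlib
import time

# Constructed stand-in for the cloud-side database (not Check Point's data).
CLOUD_BAD_RESOURCES = {"198.51.100.23", "drop.bad-site.example", "http://drop.bad-site.example/x"}
CLOUD_BAD_MD5 = {hashlib.md5(b"constructed malicious sample").hexdigest()}


class ThreatCloudStub:
    """Answers lookups and counts them, so the effect of caching is measurable."""

    def __init__(self):
        self.queries = 0

    def lookup_resource(self, resource: str) -> bool:
        self.queries += 1
        return resource in CLOUD_BAD_RESOURCES

    def lookup_md5(self, digest: str) -> bool:
        self.queries += 1
        return digest in CLOUD_BAD_MD5


class CachingGatewayClient:
    """Gateway-side lookups with positive and negative caching and a TTL, so repeated
    traffic to the same resource or file does not re-query the cloud. `clock` is
    injectable for deterministic tests (an assumption, not a product parameter)."""

    def __init__(self, cloud, ttl_s: float = 300.0, clock=time.monotonic):
        self.cloud, self.ttl_s, self.clock = cloud, ttl_s, clock
        self._cache = {}  # key -> (verdict, expires_at)

    def _cached(self, key, fetch) -> bool:
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]  # served from cache, no cloud round trip
        verdict = fetch()
        self._cache[key] = (verdict, now + self.ttl_s)
        return verdict

    def resource_is_malicious(self, resource: str) -> bool:
        return self._cached(("res", resource), lambda: self.cloud.lookup_resource(resource))

    def file_is_malicious(self, data: bytes) -> bool:
        digest = hashlib.md5(data).hexdigest()  # only the checksum leaves the gateway
        return self._cached(("md5", digest), lambda: self.cloud.lookup_md5(digest))


def demo():
    """The same resource seen three times costs one query until the TTL expires."""
    cloud, now = ThreatCloudStub(), [0.0]
    gw = CachingGatewayClient(cloud, ttl_s=60.0, clock=lambda: now[0])
    for _ in range(3):
        gw.resource_is_malicious("198.51.100.23")
    queries_before_expiry = cloud.queries
    now[0] = 61.0  # past the TTL: the next lookup must go to the cloud again
    gw.resource_is_malicious("198.51.100.23")
    return queries_before_expiry, cloud.queries
```

Negative caching (remembering "clean" verdicts) is what keeps the query count low for the bulk of traffic, but it also bounds how quickly a newly-published signature takes effect on the gateway, which is why the TTL is a tuning knob rather than "forever".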
Antivirus Software Blade Architecture – Stop Incoming Malicious Files
ThreatCloud™
Check for unknown malware – Heuristic Engine in the gateway
Utilizes a sandbox to detect unknown ‘zero day’ infections
Checks archive files only
Buffers the entire file
Easily configurable to ensure optimal user experience
[Diagram labels: Registry, OS files]
Unified Anti-Bot and Antivirus Threat Prevention
Antivirus + Anti-Bot
Unified Policy Settings
Unified Malware Analysis
Policy Model – The Rule Base
Scope: contains the network objects to be protected by the rule in question
Action: indicates which Profile to activate
Unified Malware Report
See the BIG malware picture
The Threat Wiki
Search the ThreatCloud™ repository for a malware
Filter by category or malware family
Learn more about a malware
Check Point Multi-layer Threat Prevention
Keep Your Edge Against Advanced Threats
Check Point Integrated Threat Prevention Solution Powered by ThreatCloud™
Antivirus Software Blade prevents incoming malware infections and access to malware-containing sites
ThreatCloud™ provides security gateways with real-time security intelligence
IPS Software Blade prevents attacks using known and unknown vulnerabilities
Anti-Bot Software Blade detects bots and stops bot damage
Closing the Gap: Threat Emulation
Agenda
1 The contemporary world of exploits
2 Introduction to threat emulation
3 Check Point Threat Emulation Solution
4 Summary
Exploits are here to stay
Number of critical exploits which allow the attacker to execute arbitrary code, published in 2011 alone:
– 5 JRE exploits
– 10 Chrome exploits
– 26 Office exploits
– 27 Internet Explorer exploits
– 60 Firefox exploits
– 48 Acrobat Reader exploits
– 56 Flash Player exploits
On average, every 1.5 days:
– A previously unknown (and thus unprotected-against) exploit is published
– Targeting software installed on virtually every PC
We have no reason to believe that the upcoming years will be different
Source: www.cvedetails.com
Anyone with decent technical capabilities who knows about the exploit before it is published has a ‘zero-day’ attack which can be used to run arbitrary code on your network.
Signature based tools are not enough
IPS / Anti-Virus work by:
– Looking for specific patterns
– Enforcing compliance of protocols to standards
– Detecting variations from the protocols
They are limited in protecting from:
Unknown (zero-day) attacks
Attack variations / obfuscated attacks
An updated IPS is a very good tool against known attacks and some of the unknown attacks.
Not enough to protect from unknown attacks.
– We need a different approach!
Attack obfuscation is a commodity nowadays; for example, at styx-crypt.com you can create an obfuscated version of a malicious PDF for $25 per file, quantity discounts apply.
Another example: the Zeus malware isn't sold directly. A ‘Zeus Builder’ is sold, allowing another malware variant to be generated in a click.
CVE-2008-2641 as an example
JavaScript vulnerability in Acrobat Reader
Heap Spray attack – JavaScript code which ‘fills’ the heap with shell code, and allows arbitrary code execution when Acrobat ‘crashes into it’
How can you sign it?
– There are infinite ways to implement the attack (using recursion, loops, whiles, division into functions, etc.)
– Writing code that understands code (without running it) is hard
– A PDF document can contain sections which are encoded/compressed with various algorithms
– Engines must be constantly updated to support new Acrobat features
Actual code that performs a GET to fdf.p-.kkk.xgx78i6p6rlv0.readnotify.com
Bottom line:
Signature based tools are not enough against advanced attacks
Gartner, Aug 2011 - Strategies for Dealing With APT - Quotes
“Through year-end 2015, financially motivated attacks will continue to be the source of more than 70% of the most damaging cyberthreats”
“…these are not noisy, mass attacks that are easily handled by simple, signature-dependent security approaches.”
“Targeted attacks often use custom-created executables that are rarely detected by signature based techniques”
“Gartner estimates that, for the average enterprise, 4% to 8% of executables that pass through antivirus and other defenses are malicious”
Key Finding – “Simply adding more layers of defense does not necessarily increase security against targeted threats — security controls need to evolve”
Threat emulation – malicious attachment example
Email with malicious attachment
Extracting attachments
Emulation
During the emulation, the attachment is opened on several emulated machines, from XP to Windows 7, and the entire system activity is monitored for unexpected behavior. We monitor network activity, file system & registry changes, process activity and more.
Clean
Malware detected
We know what should happen on the machines when opening a legitimate document (‘White List’), thus we can safely consider any document which causes the machine to do something else as malicious.
Intercepted by Threat Emulation Blade
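The ‘White List’ verdict logic described above, as an added Python example that is not the presentation's or Check Point's code: the monitored categories (process, file, registry, network) each carry an allowlist of what a clean open of that document type is expected to do, and any observed event outside it is a deviation. The allowlist patterns and both event traces are constructed; the malicious trace mirrors the later slide's ‘rthdcpl.exe’ drop-and-execute sequence.

```python
from fnmatch import fnmatchcase

# Constructed allowlist: what a clean open of a PDF is expected to do, per monitored
# category. Patterns are illustrative, not Check Point's white list. Values are compared
# lower-cased, and '*' matches across path separators.
EXPECTED = {
    "pdf": {
        "process":  {"acrord32.exe"},
        "file":     {"%temp%\\acr*.tmp", "%appdata%\\adobe\\*"},
        "registry": {"hkcu\\software\\adobe\\*"},
        "network":  set(),  # a plain document should not open any connection
    }
}


def _allowed(patterns, value: str) -> bool:
    return any(fnmatchcase(value.lower(), p) for p in patterns)


def emulation_verdict(doc_type: str, events):
    """events: iterable of (category, value) observed while the document was open.
    Anything outside the allowlist for that document type is a deviation; one or
    more deviations means 'malware detected'. Unknown categories are deviations too."""
    allow = EXPECTED[doc_type]
    deviations = [(cat, val) for cat, val in events
                  if cat not in allow or not _allowed(allow[cat], val)]
    return ("malware detected" if deviations else "clean"), deviations


# Constructed traces. The second adds a dropped executable being written, launched
# and calling out, the shape of the 'Pdfjsc.XD' detection shown on the next slide.
CLEAN_TRACE = [
    ("process", "AcroRd32.exe"),
    ("file", "%TEMP%\\acr1A2B.tmp"),
    ("registry", "HKCU\\Software\\Adobe\\Acrobat Reader\\RecentFiles"),
]
MALICIOUS_TRACE = CLEAN_TRACE + [
    ("file", "%TEMP%\\rthdcpl.exe"),
    ("process", "rthdcpl.exe"),
    ("network", "tcp://203.0.113.77:443"),
]
```

The allowlist approach catches the dropper without any signature for it, which is the slide's point; the price is that the allowlist must be rebuilt whenever the reader application changes what a normal open looks like.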
Real detection of malware ‘Pdfjsc.XD’, leveraging CVE-2011-0609
Drops malware (‘rthdcpl.exe’)
Executes the dropped malware
Detected by threat emulation (alpha version)
Stop stealth malware
Detect malware based on what it does, regardless of signatures
Stop unique exploitation attacks
Stop data exfiltration
Threat Emulation Software Blade
DISCOVER and STOP advanced attacks
Detect unsigned zero-day attacks and attack variants
A true ability to stop the advanced tools used in cyber warfare
How would you like your threat emulation?
Dedicated appliance: for medium to large deployments
Existing gateway: leveraging your existing investment, when your gateways have enough horsepower
In the cloud: same great capabilities without the need for local emulation resources
It comes in different sizes and shapes
Dedicated emulation gateway
[Diagram: Perimeter Firewall and Data Center Firewall (DMZ) send reassembled docs for emulation to a dedicated Threat Emulation Gateway; small performance impact]
Threat emulation is part of Check Point ThreatCloud
Check Point ThreatCloud - The Power of Collaboration
Previously unknown attack detected by the Threat Emulation Engine
Attack data
Real-time Updates
Attack Information Shared Across Organizations
Architecture
Kernel:
SecureXL (Multi-Core)
Policy / rulebase check
Signature scan by Threat Prevention blades (IPS, AV, Anti-Bot)
Reassembly Module: compose and reassemble documents received
User Space:
Emulation Module with Virtual Machines
• Open and execute multiple docs in multiple machines
• Run emulation and check for bad behavior
• Run forensics checks
Report to ThreatCloud
Report to SmartEvent
Threat Emulation Engine
High performance – supports up to 100,000 unique files per day
Support Check Point provided OS images and custom images
Emulation of documents and executable files
Deep inspection of the system – file system, API calls, network, registry, memory and more.
Anti-VM detection capabilities
Pre-Emulation Static Filtering
Contemporary documents range from very simple to ultra complex
Usually, the risk factor of a document varies according to the number of advanced features it utilizes, e.g. JavaScript support in Acrobat Reader
The pre-emulation static filtering process allows skipping documents which contain only safe features
– Filters are constantly updated
Filters ~70 – 80% of the documents
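A pre-emulation static filter of the kind described above, as an added Python example that is not the presentation's or Check Point's code. It scans a PDF for feature names that warrant emulation (JavaScript, open actions, launch actions, embedded files), inflates FlateDecode streams so that features hidden in compressed objects are still seen, and treats any stream it cannot decode as opaque, which also sends the file to emulation. That last rule is the practical answer to the earlier slide's point that PDFs carry sections encoded with various algorithms: a filter may only skip what it can fully see. The feature list, the regexes and the four sample PDFs are constructed for the demo.

```python
import re
import zlib

# Feature names whose presence sends a PDF to emulation (constructed list of PDF-spec names).
RISKY_FEATURES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                  b"/EmbeddedFile", b"/RichMedia"]
# Simple (non-nested) stream dictionaries followed by their body; "\nendstream" ends a body.
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.S)


def decoded_views(pdf: bytes):
    """Return the raw file plus every FlateDecode stream we could inflate, and a list
    of reasons for content we could not see into (other filters, corrupt streams)."""
    views, opaque = [pdf], []
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                views.append(zlib.decompress(body))
            except zlib.error:
                opaque.append("undecodable FlateDecode stream")
        elif b"/Filter" in dict_part:
            opaque.append("stream with unsupported filter")
    return views, opaque


def static_filter(pdf: bytes) -> dict:
    """Decide whether a PDF may skip emulation: only if no risky feature is visible
    AND nothing in the file is hidden from the scanner."""
    views, opaque = decoded_views(pdf)
    found = set()
    for view in views:
        for feat in RISKY_FEATURES:
            # whole-token match so that /JS does not fire on /JSName-style keys
            if re.search(rb"(?<![A-Za-z])" + re.escape(feat) + rb"(?![A-Za-z0-9])", view):
                found.add(feat.decode())
    return {"emulate": bool(found or opaque), "features": sorted(found), "opaque": opaque}


def make_pdf(objects) -> bytes:
    """Assemble a minimal, constructed PDF body (not spec-complete) for the demo."""
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    return out + b"%%EOF\n"


PDF_PLAIN = make_pdf([b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Count 0 >>"])
PDF_JS = make_pdf([b"<< /Type /Catalog /OpenAction 2 0 R >>",
                   b"<< /S /JavaScript /JS (app.alert(1)) >>"])
_deflated = zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
PDF_JS_HIDDEN = make_pdf([b"<< /Type /Catalog >>",
                          b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
                          % (len(_deflated), _deflated)])
PDF_OPAQUE = make_pdf([b"<< /Type /Catalog >>",
                       b"<< /Type /ObjStm /Filter /LZWDecode /Length 4 >>\nstream\nABCD\nendstream"])
```

Only the plain document is skipped; the one with JavaScript in a compressed stream is caught because the stream was inflated first, and the one with an object stream the filter cannot decode is sent on precisely because the filter cannot vouch for it. A real filter would handle nested dictionaries, /Length-based stream slicing and the other standard filters, but the skip-only-what-you-can-see rule is the part that matters.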
Granular Policy
The Anti-Bot & Antivirus rule base now also includes Threat Emulation
Threat Emulation profile controls the emulation configuration:
Where to emulate – locally, on another gateway or in the cloud
How – which images to use, whether to use static analysis, …
Threat Emulation allows you to define not only the inspected machines (via the IPs of machines to scan), but also scope according to email address.
Integrated with Identity Awareness to match the right profile according to the user identity
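The rule-base model from the earlier "Policy Model – The Rule Base" slide (scope of network objects, action selecting a profile) and the Threat Emulation profile described just above (scope by IP or by e-mail address; profile decides where to emulate and with which images) fit one small evaluator. The Python below is an added example, not the presentation's or Check Point's code: first-match evaluation over an ordered rule base, with scope entries that are CIDR networks, exact e-mail addresses or "@domain" suffixes. The profiles, networks, addresses and the subject dictionary's keys are constructed; real policy objects carry far more.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    emulate_where: str      # "local", "gateway:<name>" or "cloud"
    images: tuple           # OS images the document is opened in
    static_analysis: bool   # run the pre-emulation static filter first


@dataclass(frozen=True)
class Rule:
    scope: tuple            # CIDR strings, e-mail addresses or "@domain" entries
    profile: Profile


def scope_matches(entry: str, subject: dict) -> bool:
    """subject may carry 'ip' (a host to protect) and/or 'email' (from the mail
    envelope or Identity Awareness; which keys exist is an assumption of this demo)."""
    if "@" in entry:
        email = subject.get("email", "").lower()
        return email.endswith(entry.lower()) if entry.startswith("@") else email == entry.lower()
    ip = subject.get("ip")
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # malformed entry or address never matches


def select_profile(rulebase, subject: dict):
    """First-match evaluation, top to bottom, like a firewall rule base."""
    for rule in rulebase:
        if any(scope_matches(entry, subject) for entry in rule.scope):
            return rule.profile
    return None


# Constructed rule base (names, networks and profile settings are illustrative).
STRICT = Profile("Strict", "local", ("WinXP", "Win7"), static_analysis=False)
RECOMMENDED = Profile("Recommended", "cloud", ("Win7",), static_analysis=True)
RULEBASE = (
    Rule(("ceo@corp.example", "@finance.corp.example"), STRICT),  # scope by e-mail address
    Rule(("10.10.0.0/16",), STRICT),                                # finance subnet
    Rule(("0.0.0.0/0", "::/0"), RECOMMENDED),                       # everything else
)
```

Rule order is the policy: the executive's mail gets the strict profile even from a guest address, because the e-mail rule sits above the catch-all, and a subject with neither an IP nor an address matches nothing and is reported as such rather than silently defaulting.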
Encrypted traffic support
Just because traffic is encrypted doesn’t mean the file transferred isn’t malicious
Integration with Check Point SSL Inspection
– Visibility into encrypted web traffic
Integration with Microsoft Exchange
– Allowing visibility into SMTP over TLS
– Using a dedicated Agent
The DDoS phenomenon
Increasing numbers of organizations are affected by massive amounts of traffic
What is a DoS Attack?
A Denial-of-Service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users.
A Distributed Denial-of-Service attack (DDoS) is coordinated and launched simultaneously from multiple sources.
Motivations behind (D)DoS attacks?
DoS attackers can be segmented into three categories:
Hacktivists
Their motive: make social and political points, primarily through public IT disruption. “Use of legal and/or illegal digital tools in pursuit of political ends”.
Nation State Driven
Presumably sanctioned by governments. Reasons: disrupting governmental operations, stealing national secrets.
Financially Motivated Attackers
DoS attacks are merely a diversion; the actual objective is to steal information. Lately, instances of DoS "ransom attacks".
Cybercrime Trends for 2012
[Chart: SQL Injections 44%, APTs 35%, Botnet 33%, DDoS 32% (Ponemon Institute, May 2012)]
DDoS: 32%
65% of Businesses Experienced Attacks
Average $214,000 of Damage Per Attack
DDoS ‘as a Service’
Pay per hour, no expertise needed!
Victims of Recent DDoS Attacks
“DDoS attacks are almost impossible to defend against” — SVD
“Overload attacks are almost impossible to protect against.” — SVT
DDoS Attack Examples
Volumetric Attacks – Fill the pipe
DNS Amplification Attacks – Using critical applications as attack source
SYN Attacks – Simple way to use up resources
Application Attacks – Renegotiate SSL key; Slow HTTP POST; DNS query flood
Volumetric Attacks
[Diagram: a mixture of valid traffic and spoofed traffic fills the victim's limited pipe to the attack target]
DNS Amplification Attack Example
[Diagram: the attacker sends a simple DNS request to an open DNS server, which is able to amplify the DNS request toward the victim (attack target)]
SYN Attacks
Utilize the state table on firewalls and servers
[Diagram: spoofed traffic with random sources sends random SYN packets at the victim (attack target)]
Application Layer DDoS Attacks
Exploit application weakness with Low&Slow attacks
Undetectable by threshold- or volume-based solutions
New Application Attacks Are Stealthier…
Utilize relatively low volume and fewer connections
Used in conjunction with volume-based attacks
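Because low-and-slow attacks stay under every volume threshold, detecting them means looking at per-connection behaviour rather than totals. The added Python example below (not the presentation's or Check Point's code) runs over a constructed snapshot of a server's connection table and flags connections that have been open for a long time, have still not completed their request, and are trickling bytes at a rate no real client would sustain; a client holding several such connections at once is reported. The thresholds and the snapshot are constructed; the check itself is rate-invariant in the sense used later in the deck, since overall traffic volume never enters into it.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client: str
    age_s: float            # seconds since the server accepted the connection
    bytes_in: int           # request bytes received so far
    request_complete: bool  # headers and declared body fully received?


def is_low_and_slow(c: Conn, min_age_s: float = 30.0, min_rate_bps: float = 50.0) -> bool:
    """A connection that has been open a long time, has not finished its request,
    and is trickling bytes far below any real client's rate. Thresholds are assumptions."""
    if c.request_complete or c.age_s < min_age_s:
        return False
    return c.bytes_in / c.age_s < min_rate_bps


def slow_clients(conns, min_conns: int = 3, **thresholds) -> dict:
    """Clients holding several low-and-slow connections at once. One slow connection
    is a mobile user on a bad link; several from the same client is a pattern."""
    counts = Counter(c.client for c in conns if is_low_and_slow(c, **thresholds))
    return {client: n for client, n in counts.items() if n >= min_conns}


# Constructed connection-table snapshot (addresses from documentation ranges).
SNAPSHOT = [
    Conn("198.51.100.9", 120.0, 600, False),   # ~5 B/s and never finishing: low & slow
    Conn("198.51.100.9", 118.0, 580, False),
    Conn("198.51.100.9", 115.0, 610, False),
    Conn("198.51.100.9", 90.0, 300, False),
    Conn("203.0.113.4", 45.0, 900, False),     # one slow user, not a pattern on its own
    Conn("203.0.113.4", 0.8, 4200, True),
    Conn("203.0.113.4", 1.1, 3900, True),
    Conn("192.0.2.30", 2.0, 150000, True),     # large but fast: fine
    Conn("192.0.2.31", 35.0, 420000, False),   # long-lived but high rate: a real upload
]
```

The per-client count is what keeps false positives down: a single slow connection is allowed, and only the repeated pattern from one source crosses into mitigation territory.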
Real World of Real Attacks
US Banking attacks
– Volumetric
– Application
– Continuous and dynamic
DNSSEC attack example
– Ability to execute a DDoS amplification attack via US Gov
Application low and slow attack
– Let's hold those HTTP connections open forever
– Very hard to find
DDoS and Traditional Security
Attackers Take Advantage of Traditional Security
Firewalls track state of network connections (Can be bottleneck)
Firewalls allow legitimate traffic (e.g. port 80 to web server)
IPS allows legitimate request (e.g. get http/1.0\r\n)
Application Control allows legitimate services (DNS or HTTP)
Traditional Firewalls Not Sufficient
Not Designed for Network and Application DDoS Protection
Basic rate based flood protection affects all traffic (Real users and attack traffic)
Lacks Comprehensive Layer 7 DDoS protection
– Poor detection of sneaky attacks
– No filters to block attacks and allow real traffic
– Administrators cannot create custom signatures
Protection Layers Flow
[Diagram: Network Flood → Server Flood → Application Low & Slow Attacks → Allowed Traffic; layers work together]
Decision Engine
Adaptive Detection Engine
[3D chart: X-axis = rate-based anomaly axis, Y-axis = rate-invariant anomaly axis, Z-axis = attack degree axis; areas: normal adapted area, suspicious area, attack area]
Attack Degree = 5 (Normal - Suspect): abnormal rate of SYN packets, normal TCP flags ratio → flash crowd
Adaptive Detection Engine
[Same chart: rate-based anomaly axis vs rate-invariant anomaly axis vs attack degree axis; areas: normal adapted area, suspicious area, attack area]
Attack Degree = 10 (Attack): abnormally high rate of SYN packets, abnormal TCP flags ratio → SYN flood
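The two chart slides above describe a decision engine with a rate-based axis (how far the SYN packet rate is above the learned baseline) and a rate-invariant axis (how far the share of SYN among TCP flags deviates from baseline), combined into an attack degree: a flash crowd raises the rate but not the flags ratio (degree 5, suspect), a SYN flood raises both (degree 10, attack). The Python below is an added example of that model, not the presentation's or Check Point's engine: it learns a baseline from a window of samples (the deck's learning mode), scores each axis as a clipped z-score, averages them into a 0..10 degree and names the area and the likely cause. The learning samples, the z-score knees and the 50/50 weighting are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    rate_mu: float    # learned mean SYN packets/s
    rate_sd: float
    ratio_mu: float   # learned mean share of SYN among TCP packets
    ratio_sd: float


def learn_baseline(samples) -> Baseline:
    """samples: (syn_per_s, tcp_per_s) pairs from a learning-mode window."""
    rates = [s for s, _ in samples]
    ratios = [s / t for s, t in samples]
    # floor the spread so a perfectly flat window cannot divide by zero
    return Baseline(mean(rates), max(pstdev(rates), 1e-9), mean(ratios), max(pstdev(ratios), 1e-9))


def axis_score(observed, mu, sd, z_suspect=2.0, z_attack=6.0) -> float:
    """Map a z-score onto 0..1: 0 at or below z_suspect, 1 at or above z_attack (assumed knees)."""
    z = (observed - mu) / sd
    return min(1.0, max(0.0, (z - z_suspect) / (z_attack - z_suspect)))


def attack_degree(syn_per_s, tcp_per_s, bl: Baseline):
    """Combine the rate-based axis (SYN rate) and the rate-invariant axis (SYN share
    of TCP flags) into a 0..10 attack degree, the chart area and a diagnosis."""
    rate = axis_score(syn_per_s, bl.rate_mu, bl.rate_sd)
    ratio = axis_score(syn_per_s / tcp_per_s, bl.ratio_mu, bl.ratio_sd)
    degree = round(10 * (rate + ratio) / 2)
    area = "attack" if degree >= 8 else "suspicious" if degree >= 4 else "normal"
    if rate >= 0.5 and ratio >= 0.5:
        label = "SYN flood: abnormal SYN rate and abnormal TCP flags ratio"
    elif rate >= 0.5:
        label = "flash crowd: abnormal SYN rate, normal TCP flags ratio"
    elif ratio >= 0.5:
        label = "abnormal TCP flags ratio at normal rate"
    else:
        label = "within adapted baseline"
    return degree, area, label


# Constructed learning window: roughly 100 SYN/s out of roughly 2000 TCP packets/s,
# with enough natural variation that the ratio axis has a usable spread.
LEARNING_SAMPLES = [(95, 1900), (100, 1800), (105, 2300), (98, 2100), (102, 1950)]
BASELINE = learn_baseline(LEARNING_SAMPLES)
```

The flags-ratio axis is what makes the engine rate-invariant: a sudden crowd of real users sends more SYNs but also more of everything else, so the ratio holds and the verdict stays at "suspect", whereas spoofed SYNs that never complete a handshake push both axes and land in the attack area. Degree thresholds are where an operator tunes between false alarms during flash crowds and reaction time under a flood.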
Check Point DDoS Protector™
Customized multi-layered DDoS protection
Protects against attacks within seconds
Integrated security management and expert support
Where to Protect Against DDoS
Scenario 1: On-premise deployment – DDoS Protector appliance
Scenario 2: Cloud-based service – DDoS Protector in the cloud
Flexible Deployment Options
Ready to Protect in Minutes
Fits to Existing Network Topology
Optional Learning Mode Deployment
Low Maintenance and Support
Emergency Response and Support
Emergency Response Team
Help from security experts when under DoS attack
Leverage experience gathered from real-life attacks
Check Point Customer Support
World-class support infrastructure; always-on support 7x24; flexible service options
Summ­ary
Integrated with Check Point Security Management
Customized multi-layered DDoS protection
Ready to protect in minutes
Blocks DDoS Attacks Within Seconds
Thank You