dss itsec conference 2012 - radware_ams_tech
DESCRIPTION
Presentation from Riga, Latvia. "Data Security Solutions" Ltd. ITSEC Conference.
TRANSCRIPT
![Page 1: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/1.jpg)
Master presentation
Radware Attack
Mitigation System
(AMS)
Igor Kontsevoy
November 2012
![Page 2: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/2.jpg)
Agenda
• Radware Attack Mitigation System (AMS)
• AMS technology overview
• Summary
Slide 2
![Page 3: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/3.jpg)
Introducing Radware Attack
Mitigation System
![Page 4: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/4.jpg)
Mapping Security Protection Tools
Slide 4
[Matrix: protection tools across the top (DoS Protection, Behavioral Analysis, IP Reputation, IPS, WAF) mapped against the attack classes below.]
• Large volume network flood attacks
• SYN flood attack
• "Low & Slow" DoS attacks (e.g. Sockstress)
• High and slow Application DoS attacks
• Port scan
• Network scan
• Intrusion
• Application vulnerability, malware
• Web attacks: XSS, Brute force
• Web attacks: SQL Injection
![Page 5: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/5.jpg)
AMS Protection Set
Slide 5
NBA
• Prevent application resource misuse
• Prevent zero-minute malware spread
DoS Protection
• Prevent all types of network DDoS attacks
IPS
• Prevent application vulnerability exploits
WAF
• Mitigate Web application attacks
• PCI compliance
Reputation Engine
• Financial fraud protection
• Anti-Trojan & Phishing
![Page 6: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/6.jpg)
Technology Overview
![Page 7: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/7.jpg)
Network based DoS Protections
![Page 8: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/8.jpg)
Network-based DoS Protections
Slide 8
Real Time Protections Against:
– TCP SYN floods
– TCP SYN+ACK floods
– TCP FIN floods
– TCP RESET floods
– TCP Out of state floods
– TCP Fragment floods
– UDP floods
– ICMP floods
– IGMP floods
– Packet Anomalies
– Known DoS tools
– Custom DoS signatures
![Page 9: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/9.jpg)
Network Behavior Analysis & RT Signature Technology
Slide 9
[Diagram: inbound traffic from the Public Network passes a Detection Engine (Learning, Statistics) that produces Real-Time (RT) Signatures and Blocking Rules in a closed feedback loop before reaching the Protected Network; outbound traffic is observed as well. Filtered traffic leaves toward the protected network.]
Signature parameters
• Source/Destination IP
• Source/Destination Port
• Packet size
• TTL (Time To Live)
• DNS Query
• Packet ID
• TCP sequence number
• More … (up to 20)
Mitigation optimization process (traffic characteristics → Real-Time Signature; time axis in seconds: start mitigation at 0, initial filter, closed feedback, final filter reached after up to 10 s, then held for 10+X):
1. Initial filter is generated: Packet ID
2. Degree of Attack = High (negative feedback) → Filter optimization: Packet ID AND Source IP
3. Degree of Attack = High (negative feedback) → Filter optimization: Packet ID AND Source IP AND Packet size
4. Degree of Attack = High (negative feedback) → Filter optimization: Packet ID AND Source IP AND Packet size AND TTL
5. Degree of Attack = Low (positive feedback) → optimization stops
Narrowest filter:
• Packet ID
• Source IP Address
• Packet size
• TTL (Time To Live)
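The closed-feedback narrowing above, as an added example written for this page (not Radware code). The blocking filter is an AND-conjunction of per-parameter clauses, extended one clause per round the way the slide goes from Packet ID to Packet ID AND Source IP AND Packet size AND TTL. Because the slide does not define "degree of attack" numerically, the feedback signal here is this example's own choice: each round measures how much of the attack still leaks through the candidate filter and how much learned-baseline (legitimate) traffic it would also drop; negative feedback adds a clause, positive feedback stops. The packets, the parameter set and the thresholds are constructed.

```python
"""Closed-feedback real-time signature refinement (added example, not Radware code)."""

PARAMS = ("pkt_id", "src_ip", "size", "ttl", "dst_port", "src_port")
BOTS = ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13")  # constructed


def blocked(pkt, signature):
    """A packet is blocked when every clause (parameter in value set) matches."""
    return all(pkt[p] in values for p, values in signature.items())


def feedback(signature, attack, baseline):
    """Closed-loop feedback: attack packets that leak through, baseline packets hit."""
    leaked = sum(not blocked(p, signature) for p in attack)
    collateral = sum(blocked(p, signature) for p in baseline)
    return leaked, collateral


def attack_values(attack, param, max_values=16):
    """Values of a parameter seen in the attack traffic. A parameter the attacker
    randomizes (spoofed sources, random ports) yields too many values and is
    discarded: a clause on it would carry no signal."""
    values = frozenset(p[param] for p in attack)
    return values if len(values) <= max_values else None


def refine_signature(attack, baseline, max_leak=0.05, max_collateral=0.008):
    """Greedy narrowing: each round adds the clause that removes the most
    collateral damage, until feedback is positive. Returns (signature, trace),
    trace = [(parameter added, attack leaked, baseline hit), ...]."""
    signature, trace = {}, []
    while len(signature) < len(PARAMS):
        best = None
        for param in PARAMS:
            values = attack_values(attack, param)
            if param in signature or values is None:
                continue
            cand = dict(signature, **{param: values})
            leaked, collateral = feedback(cand, attack, baseline)
            if best is None or collateral < best[2]:
                best = (param, values, collateral, leaked)
        if best is None:
            break
        param, values, collateral, leaked = best
        signature[param] = values
        trace.append((param, leaked, collateral))
        if leaked <= max_leak * len(attack) and collateral <= max_collateral * len(baseline):
            break  # positive feedback: narrowest useful filter reached
    return signature, trace


def sample_traffic():
    """Constructed traffic. Baseline: 1000 learned-normal packets that share
    single attack characteristics by chance (coprime patterns, so the overlaps
    shrink multiplicatively as clauses are added). Attack: 200 packets from
    four bots with fixed IP ID, size and TTL but a randomized source port."""
    baseline = [{"pkt_id": 0xBEEF if i % 7 == 0 else i,
                 "src_ip": BOTS[i % 4] if i % 5 == 0 else f"198.51.100.{i % 200}",
                 "size": 40 if i % 3 == 0 else 1200,
                 "ttl": 64 if i % 2 == 0 else 128,
                 "dst_port": 80, "src_port": 40000 + i % 500} for i in range(1000)]
    attack = [{"pkt_id": 0xBEEF, "src_ip": BOTS[i % 4], "size": 40, "ttl": 64,
               "dst_port": 80, "src_port": 1024 + i} for i in range(200)]
    return attack, baseline


if __name__ == "__main__":
    attack, baseline = sample_traffic()
    signature, trace = refine_signature(attack, baseline)
    for param, leaked, collateral in trace:
        print(f"+ {param:8s} leaked={leaked:3d} baseline hit={collateral:3d}")
```

On the constructed traffic the rounds add pkt_id, src_ip, size and ttl in that order, with the baseline hit count falling 143 → 29 → 10 → 5; the randomized source port is never used because its clause would carry no signal.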
![Page 10: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/10.jpg)
Decision Making - Attack
Slide 10
[Decision surface: X-axis = rate parameters (abnormal rate of packets, …), Y-axis = rate-invariant parameters (abnormal protocol distribution [%]), Z-axis = Attack Degree. The surface is divided into a normal adapted area, a suspicious area and an attack area; the attack case shown reaches Attack Degree = 10 (Attack).]
![Page 11: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/11.jpg)
Adaptive Detection Engine
Slide 11
[Same decision surface: a rate parameter input and a rate-invariant input parameter are mapped to a Degree of Attack (DoA) across the normal adapted, suspicious and attack areas. Flash crowd scenario: plotted as Low DoA.]
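The two-axis decision of the last two slides, as an added example written for this page (not Radware's engine). It shows why the rate-invariant axis matters: a flash crowd raises the rate tenfold but leaves the protocol mix as learned, so the decision stays in the low-DoA area, while a flood of the same volume skews the mix and lands in the attack area. The scoring functions, the 0..10 mapping and the area thresholds are this example's assumptions; the per-second samples are constructed.

```python
"""Degree of Attack from a rate input and a rate-invariant input (added example)."""
import math

BASELINE_MIX = {"tcp_syn": 5, "tcp_data": 70, "udp": 20, "icmp": 5}  # learned, per 100 packets
BASELINE_PPS = 1000                                                   # learned packet rate


def rate_input(observed_pps, baseline_pps):
    """Rate axis, 0..1: 0 at the learned baseline, saturating at 10x baseline (assumed)."""
    return min(max(observed_pps / baseline_pps - 1.0, 0.0) / 9.0, 1.0)


def rate_invariant_input(observed_mix, baseline_mix):
    """Rate-invariant axis, 0..1: total variation distance between the observed
    protocol distribution and the learned one. The same mix at any volume gives 0."""
    o_tot, b_tot = sum(observed_mix.values()), sum(baseline_mix.values())
    keys = set(observed_mix) | set(baseline_mix)
    return 0.5 * sum(abs(observed_mix.get(k, 0) / o_tot - baseline_mix.get(k, 0) / b_tot)
                     for k in keys)


def degree_of_attack(rate_in, invariant_in):
    """Combine both axes into the 0..10 Z-axis. The geometric mean makes a high
    score need both inputs: rate alone (flash crowd) or skew alone (a tiny probe)
    stays low. Assumed mapping."""
    return min(10, round(10 * math.sqrt(rate_in * invariant_in)))


def decision_area(doa):
    """Assumed area thresholds on the decision surface."""
    if doa >= 7:
        return "attack"
    if doa >= 4:
        return "suspicious"
    return "normal adapted"


def decide(observed_mix, baseline_mix=BASELINE_MIX, baseline_pps=BASELINE_PPS):
    """observed_mix: packet counts per protocol class over one second."""
    observed_pps = sum(observed_mix.values())
    doa = degree_of_attack(rate_input(observed_pps, baseline_pps),
                           rate_invariant_input(observed_mix, baseline_mix))
    return doa, decision_area(doa)


SCENARIOS = {  # constructed one-second samples
    "baseline":    {"tcp_syn": 50, "tcp_data": 700, "udp": 200, "icmp": 50},      # 1x, learned mix
    "flash crowd": {"tcp_syn": 600, "tcp_data": 6900, "udp": 2000, "icmp": 500},  # 10x, same mix
    "udp flood":   {"tcp_syn": 50, "tcp_data": 700, "udp": 9200, "icmp": 50},     # 10x, udp-skewed
    "syn flood":   {"tcp_syn": 2100, "tcp_data": 700, "udp": 200, "icmp": 50},    # 3x, syn-skewed
}

if __name__ == "__main__":
    for name, mix in SCENARIOS.items():
        print(f"{name:12s} DoA={decide(mix)[0]:2d} {decide(mix)[1]}")
```

The flash crowd scores DoA 1 (normal adapted), the UDP flood 8 (attack) and the lower-volume SYN flood 4 (suspicious): the suspicious area is where a real engine would start the lighter, reversible actions before committing to blocking.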
![Page 12: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/12.jpg)
Application based DoS
Protections
![Page 13: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/13.jpg)
Application-based DoS Protections
Slide 13
Real-time protection against:
– Bot originated and direct application attacks
– HTTP GET page floods
– HTTP POST floods
– HTTP uplink bandwidth consumption attacks
– DNS query floods (A, MX, PTR, …)
Advanced behavioral application monitoring:
– HTTP servers real time statistics and baselines
– DNS server real time statistics and baselines
![Page 14: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/14.jpg)
HTTP Mitigator
![Page 15: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/15.jpg)
Challenge/Response & Action Escalation System
Slide 15
[Flow as drawn: Attack Detection → Behavioral Real-time Signature Technology (Real-Time Signature Created) → Challenge/Response Technology: "Light" challenge action (302 Redirect Challenge) → "Strong" challenge action (JavaScript Challenge) → Selective Rate-limit → Real-time Signature Blocking. After each action a feedback check ("?") decides whether to escalate (Closed Feedback & Action Escalation); traffic that fails is blocked ("X") and the botnet is identified (suspicious sources are marked). A TCP Challenge is also listed.]
![Page 16: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/16.jpg)
AMS protections: unique value proposition
Slide 16
[Escalation flow repeated: Attack detection → Real-time signature → Light challenge → Strong challenge → Selective rate-limit]
• Best security coverage
– Prevent all types of network and application attacks
– Complementing technologies fighting known and zero-day attacks
– Complete removal of non-browser rogue traffic
• Best user quality of experience (QoE)
– Reaching the lowest false-positive rate in the industry
– Advanced capabilities are exposed only when needed
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention
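The challenge/response escalation of the HTTP Mitigator, as an added example written for this page (not Radware code). It follows the order drawn on slide 15: once a real-time signature fires, matching sources face a "light" 302 redirect challenge, then a "strong" JavaScript challenge, then a selective per-source rate limit, with escalation driven by a closed feedback signal (does attack traffic still reach the server?). The HMAC token scheme, the feedback threshold, the rate limit and the four simulated client behaviours (a browser, a bot that ignores Set-Cookie, a bot that follows redirects but runs no JavaScript, a headless browser bot) are this example's own constructions.

```python
"""Challenge/response with action escalation for an HTTP GET flood (added example)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

SECRET = secrets.token_bytes(32)  # per-process key for challenge tokens (assumed)
LIGHT, STRONG, LIMIT = 1, 2, 3    # escalation levels


def challenge_token(src, window):
    """Token bound to source address and time window: one bot cannot share it with the botnet."""
    return hmac.new(SECRET, f"{src}|{window}".encode(), hashlib.sha256).hexdigest()[:32]


def js_answer(token):
    """Value the JavaScript challenge page asks the browser to compute and send back."""
    return hashlib.sha256(f"{token}:js".encode()).hexdigest()[:16]


class HttpMitigator:
    def __init__(self, signature, rate_limit=3, legit_baseline=2):
        self.signature = signature        # real-time signature: predicate over a request
        self.rate_limit = rate_limit      # per-source requests per window once at LIMIT
        self.legit_baseline = legit_baseline
        self.level = LIGHT
        self.verified = {}                # src -> highest challenge level passed
        self.served = defaultdict(int)    # (src, window) -> requests accepted
        self.passed = 0                   # closed-feedback counter for the current round

    def handle(self, req, window=0):
        src, cookies = req["src"], req.get("cookies", {})
        if not self.signature(req):
            return {"status": 200}        # traffic outside the signature is untouched
        if self.level == LIMIT:           # selective rate limit: only sources matching the signature
            self.served[(src, window)] += 1
            if self.served[(src, window)] > self.rate_limit:
                return {"status": 429}
        token = challenge_token(src, window)
        need = min(self.level, STRONG)    # the challenge a source must have passed right now
        if self.verified.get(src, 0) >= need:
            self.passed += 1
            return {"status": 200}
        if need == LIGHT:                 # light: 302 back to the same URL with a cookie to return
            if hmac.compare_digest(cookies.get("__chal", ""), token):
                self.verified[src] = LIGHT
                self.passed += 1
                return {"status": 200}
            return {"status": 302, "location": req["path"], "set_cookie": {"__chal": token}}
        if hmac.compare_digest(req.get("js", ""), js_answer(token)):  # strong: JS-computed answer
            self.verified[src] = STRONG
            self.passed += 1
            return {"status": 200}
        return {"status": 200, "challenge": "js", "set_cookie": {"__chal": token}}

    def feedback(self):
        """Closed feedback at the end of a round: escalate while attack traffic still gets through."""
        persists = self.passed > self.legit_baseline
        self.passed = 0
        if persists and self.level < LIMIT:
            self.level += 1
        return self.level


class Client:
    """Constructed client behaviour; a browser keeps cookies, follows redirects and runs JS."""
    def __init__(self, src, keeps_cookies, runs_js, per_round):
        self.src, self.keeps_cookies, self.runs_js, self.per_round = src, keeps_cookies, runs_js, per_round
        self.cookies, self.answer = {}, None

    def send_round(self, mit, window=0):
        resp = None
        for _ in range(self.per_round):
            req = {"src": self.src, "path": "/search", "cookies": dict(self.cookies)}
            if self.answer:
                req["js"] = self.answer
            resp = mit.handle(req, window)
            if self.keeps_cookies and "set_cookie" in resp:
                self.cookies.update(resp["set_cookie"])
            if self.runs_js and resp.get("challenge") == "js":
                self.answer = js_answer(resp["set_cookie"]["__chal"])  # the page's script, executed
        return resp


def run_simulation(rounds=3):
    """Constructed scenario: one browser and three bot types hitting /search."""
    mit = HttpMitigator(signature=lambda req: req["path"] == "/search")
    clients = [Client("198.51.100.7", True, True, 1),     # real browser, 1 request per round
               Client("203.0.113.10", False, False, 4),   # bot that ignores Set-Cookie
               Client("203.0.113.11", True, False, 4),    # bot that follows redirects, no JS
               Client("203.0.113.12", True, True, 4)]     # headless-browser bot
    last = {}
    for _ in range(rounds):
        for c in clients:
            last[c.src] = c.send_round(mit)["status"]
        mit.feedback()
    return mit, last
```

Round by round: the redirect-following bots get through the light challenge, so feedback escalates to the JavaScript challenge; the headless bot passes that too, so feedback escalates to the rate limit, which caps every source under the signature but only bites the ones hammering the URL. The real browser passes each challenge once and ends the run with a plain 200.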
![Page 17: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/17.jpg)
DNS Mitigator
![Page 18: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/18.jpg)
Behavioral DNS Application Monitoring
Slide 18
Rate Analysis per DNS Query Type (DNS QPS over time): "A" records baseline, "MX" records baseline, "PTR" records…, "AAAA" records…
DNS Query Distribution Analysis: A records, MX records, PTR records, AAAA records, TEXT records, Other records, each with its associated threat vectors
![Page 19: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/19.jpg)
Challenge/Response & Action Escalation System
Slide 19
[Flow as drawn: Attack Detection → Behavioral RT signature technology (Real-Time signature created) → RT signature scope protection per query type: DNS query challenge → Query rate limit → Collective scope protection per query type: Collective query challenge → Collective query rate limit. Each step has a feedback check ("?") and blocks failing traffic ("X"). Closed Feedback & Action Escalation: the botnet is identified (suspicious traffic is detected per query type).]
![Page 20: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/20.jpg)
Service Cracking Behavioral Protections
![Page 21: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/21.jpg)
Service Cracking Behavioral Protections
Slide 21
Real-time protections against information theft:
– HTTP servers: web vulnerability scans, brute force
– SIP servers (TCP & UDP): SIP spoofed floods, pre-SPIT activities, SIP scanning
– SMTP/IMAP/POP3, FTP, …: application brute force, application scans
![Page 22: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/22.jpg)
Network scanning and malware propagation Protections
![Page 23: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/23.jpg)
Source-based Behavioral Analysis
Slide 23
• Behavioral Real-time protection against Zero-Minute Malware Propagation and network scans:
– UDP spreading worms detection
– TCP spreading worms detection
– High and low rate network scans
– Scanning/spreading pattern identification
– Infected source identification
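Source-based behavioral analysis of the kind listed above, as an added example written for this page (not Radware code). It works on per-flow records and flags a source as scanning or spreading when it fans out to many distinct destinations on one service port and most of its attempts go unanswered; because it counts over a window rather than per second, a low-rate sweep is caught the same way as a fast one. The flow records and the thresholds are constructed; a real engine would learn the thresholds as baselines.

```python
"""Source-based scan / worm-propagation detection over flow records (added example)."""
from collections import defaultdict


def analyze_sources(flows, fanout_threshold=20, failure_ratio=0.8, port_share=0.9):
    """flows: dicts with src, dst, proto ('tcp' | 'udp'), dport, answered (bool).
    Returns {src: finding} for sources whose behaviour looks like a scan or a
    self-propagating infection: many distinct destinations, one dominant
    service port, and most attempts unanswered (closed ports, absent hosts)."""
    per_src = defaultdict(lambda: {"dsts": set(), "ports": defaultdict(int),
                                   "n": 0, "unanswered": 0})
    for f in flows:
        s = per_src[f["src"]]
        s["dsts"].add(f["dst"])
        s["ports"][(f["proto"], f["dport"])] += 1
        s["n"] += 1
        s["unanswered"] += not f["answered"]
    findings = {}
    for src, s in per_src.items():
        (proto, port), hits = max(s["ports"].items(), key=lambda kv: kv[1])
        fanout, unanswered = len(s["dsts"]), s["unanswered"] / s["n"]
        if (fanout >= fanout_threshold and hits / s["n"] >= port_share
                and unanswered >= failure_ratio):
            findings[src] = {"pattern": f"{proto}/{port} sweep", "fanout": fanout,
                             "unanswered": round(unanswered, 2)}
    return findings


def sample_flows():
    """Constructed flow records: a normal client and an infected host."""
    flows = []
    for i in range(30):   # legitimate client talking to three web servers, all answered
        flows.append({"src": "198.51.100.20", "dst": f"192.0.2.{1 + i % 3}",
                      "proto": "tcp", "dport": 443, "answered": True})
    for i in range(40):   # infected host sweeping a /24 on tcp/445; only two hosts answer
        flows.append({"src": "198.51.100.77", "dst": f"192.0.2.{10 + i}",
                      "proto": "tcp", "dport": 445, "answered": i in (3, 17)})
    return flows


if __name__ == "__main__":
    for src, finding in analyze_sources(sample_flows()).items():
        print(src, finding)
```

The infected source is reported as a tcp/445 sweep with a fan-out of 40 and 95% unanswered attempts; the legitimate client, which talks to three hosts that all answer, is not.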
![Page 24: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/24.jpg)
IPS & Reputation Services
![Page 25: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/25.jpg)
IPS & Radware's SOC & Reputation Engine
Slide 25
Signature protection against:
• Application vulnerabilities and exploits
– Web, Mail, DNS, databases, VoIP
• OS vulnerabilities and exploits
– Microsoft, Apple, Unix based
• Network infrastructure vulnerabilities
– Switches, routers and other network elements
• Malware
– Worms, Bots, Trojans and drop points, Spyware
• Anonymizers
• IPv6 attacks
• Protocol anomalies
Security Operation Center
– Leading vulnerability security research team
– Weekly and emergency signature updates
![Page 26: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/26.jpg)
WAF
![Page 27: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/27.jpg)
The Secret Sauce – Adaptive Policy Creation (1 of 3)
Slide 27
App Mapping: Reservations.com with application paths /config/, /hotels/, /register/, /info/, /reserve/, /admin/
Threat Analysis: risk analysis per "application-path". Threats considered: SQL Injection, CCN breach, Buffer Overflow, Directory Traversal. Impacts assessed: information leakage; gain root access control; unexpected application behavior, system crash, full system compromise; spoof identity, steal user information, data tampering.
![Page 28: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/28.jpg)
The Secret Sauce – Adaptive Policy Creation (2 of 3)
Slide 28
App Mapping → Threat Analysis → Policy Generation (same Reservations.com paths and threats as before). Generated policy per application path:
• Prevent access to sensitive app sections
• Mask CCN, SSN, etc. in responses (shown as ***********9459)
• Parameters inspection
• Traffic normalization & HTTP RFC validation
![Page 29: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/29.jpg)
The Secret Sauce – Adaptive Policy Creation (3 of 3)
Slide 29
App Mapping → Threat Analysis → Policy Generation → Policy Activation (time to protect). Activation adds:
• Tailored application behavioral rules for "Zero day" protection
• Known vulnerabilities protections: optimization of negative rules for best accuracy
Claimed result: virtually zero false positives, best coverage
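A per-application-path policy of the kind the three slides describe, as an added example written for this page (not Radware's engine). It carries an application map for the Reservations.com paths drawn on the slides, refuses sensitive sections to anyone outside an assumed management network, normalizes and validates the path (double encoding, control characters, directory traversal), inspects every parameter against a per-path schema, and masks card numbers in responses the way the slide's ***********9459 shows. The parameter schema, the management network and the request samples are this example's assumptions.

```python
"""Per-application-path WAF policy: access control, parameter inspection, response masking."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Application map with per-path policy (constructed for the slide's Reservations.com).
APP_MAP = {
    "/hotels/":   {"sensitive": False, "params": {"city": r"[A-Za-z .'-]{1,64}"}},
    "/info/":     {"sensitive": False, "params": {}},
    "/register/": {"sensitive": False, "params": {"email": r"[^@\s]{1,64}@[^@\s]{1,255}"}},
    "/reserve/":  {"sensitive": False, "params": {"hotel_id": r"\d{1,9}", "nights": r"\d{1,2}"}},
    "/admin/":    {"sensitive": True, "params": {}},
    "/config/":   {"sensitive": True, "params": {}},
}
ADMIN_NETS = ("10.0.0.",)  # assumed: only the internal management network may reach sensitive sections
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits with optional separators


def check_request(src_ip, url):
    """Returns (status, reason); 200 means the request is passed to the application."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    # Traffic normalization & RFC validation: decode once, refuse double encoding and non-printables.
    if unquote(path) != path or any(not 0x20 <= ord(c) <= 0x7E for c in path):
        return 400, "malformed path encoding"
    if ".." in path.split("/") or "\\" in path:
        return 400, "directory traversal"
    app_path = next((p for p in APP_MAP if path.startswith(p)), None)
    if app_path is None:
        return 404, "path not in application map"
    policy = APP_MAP[app_path]
    if policy["sensitive"] and not src_ip.startswith(ADMIN_NETS):
        return 403, "sensitive application section"
    # Parameter inspection: only mapped parameters, each matching its expected shape.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        pattern = policy["params"].get(name)
        if pattern is None:
            return 400, f"unexpected parameter {name}"
        if not re.fullmatch(pattern, value):
            return 400, f"parameter {name} fails inspection"
    return 200, "pass"


def luhn_ok(digits):
    """Luhn check so that order numbers and other digit runs are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_response(body):
    """Mask card numbers in an outgoing response, keeping the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, body)


if __name__ == "__main__":
    for src, url in [("198.51.100.3", "/hotels/?city=Riga"), ("198.51.100.3", "/admin/"),
                     ("198.51.100.3", "/reserve/?hotel_id=12'%20OR%201=1--"),
                     ("198.51.100.3", "/info/../config/")]:
        print(src, url, check_request(src, url))
    print(mask_response("Card 4111 1111 1111 1111 confirmed, order 1234567890123456"))
```

The positive model (only mapped paths and parameters pass) is what gives the per-path policy its low false-positive rate: a quoted injection payload in hotel_id is rejected for not being a number, without any attack signature being involved, while the negative rules for known vulnerabilities are layered on separately.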
![Page 30: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/30.jpg)
Reservations.com
The Secret Sauce – Unique Value Proposition
App
Mapping
Threat
Analysis
Policy
Generation
Policy
Activation
• Best security coverage
– Auto detection of potential threats
– Other WAFs require administrator intervention and knowledge to protect
• Lowest false-positives
– Adaptive security protections optimized per application resource ("app-path")
– Other WAFs auto-generate global policies
• Shortest time to protect
– Highly granular policy creation and activation ("app-path")
– Immediate policy modification upon application change
– Other WAFs wait upon global policy activation
• Reduced Cost of Ownership
– Automatic real-time attack mitigation with no need for human intervention
Slide 30
![Page 31: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/31.jpg)
Radware’s SIEM
![Page 32: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/32.jpg)
Radware's built-in SIEM engine
Slide 32
Built-in SEM
• Historical Reporting Engine
• Customizable Dashboards
• Event Correlation Engine
• Advanced Forensics Reports
• Compliance Reports
• Ticket Work Flow Management
• 3rd Party Event Notifications
• Role/User Based Access Control
• Works with all of Radware's Security Modules
![Page 33: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/33.jpg)
Radware's built-in SEM engine – Unified Reports
Slide 33
[Report views shown: threat analysis, target service, trend analysis]
![Page 34: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/34.jpg)
Radware's built-in SEM engine - Dashboards
Slide 34
Per user dashboard
![Page 35: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/35.jpg)
Radware's built-in SEM engine – Event Correlation
Slide 35
Event Correlation Rules by:
• Attack duration & time interval
• Managed devices
• Attack ID, Attack type
• Destination IP
• Protected Web Application
• Event description
• Source IP
• Action
• Risk weight definition…
![Page 36: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/36.jpg)
Summary
![Page 37: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/37.jpg)
Summary: Radware AMS Differentiators
• Best security solution for online businesses:
– DoS protection
– Network behavioral analysis (NBA)
– Intrusion prevention (IPS)
– Reputation Engine service
– Web application firewall (WAF)
• Built-in SEM engine
• Emergency Response Team (ERT)
– 24x7 Service for immediate response
– Neutralize DoS/DDoS attacks and malware outbreaks
• Lowest CapEx & OpEx
– Multitude of security tools in a single solution
– Unified management and reporting
Slide 37
“Radware offers low product
and maintenance cost, as
compared with most
competitors.”
Greg Young & John Pescatore, Gartner,
December 2010
![Page 38: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/38.jpg)
Summary
• Attackers deploy multi-vulnerability attack campaigns
– Organizations deploy point security solutions
– Attackers seek blind spots
• Radware offers Attack Mitigation System (AMS):
– The only solution that can defend against emerging cyber-attack campaigns
– No blind spots in perimeter security
• The only attack mitigation solution that keeps your business up!
– Online business protection
– Data center protection
– MSSP
Slide 38
![Page 39: DSS ITSEC Conference 2012 - Radware_AMS_Tech](https://reader033.vdocuments.site/reader033/viewer/2022042606/54bcb2d14a795918308b45de/html5/thumbnails/39.jpg)
Thank You www.radware.com