Transcript netZentry Presentation

Network Anomaly
Detection and
Mitigation
the next step in
your security strategy
Peter Long, Vice President, Marketing
[email protected]
netZentry, Inc.
2
Who We Are
•Founded July 2003
–First Product Shipped – 2004
•Located in Palo Alto, California
•Experienced Management and
Engineering Teams
–Network and Network Security
Backgrounds
•Venture-Funded
–US Venture Partners, Alloy Ventures
3
What We Do
Offers network security solutions that
uniquely utilize a scalable and
collaborative approach to
instantly detect and
precisely track anomalous traffic to
efficiently mitigate its harmful effects
4
The Problem
• Anomalous traffic floods can severely
disrupt enterprise and provider networks
and services
• Different types of anomalous traffic floods
– External DDoS Attacks
– Internal DDoS Attacks
– Zero-day Worms
• Current security solutions (firewalls,
IDS/IPS) are often incapable of stopping
such attacks
5
Today’s Network Security Offerings
Limitations: Firewalls, IDS, IPS
•
Typical solutions cannot easily pick out good
versus bad traffic
– Victim centric versus origin centric
– Protection is too close to endpoint
– False positives are extremely high
•
Humans must verify the attack is real before
coordinating mitigation
– Lack of Scalability
– Increased organizational costs
6
Typical Network
FloodGuard Solution
•Detect attacks to or from endpoints
•Track attacks on specific links
Peering Providers
•Mitigate attacks on specific links
•Manage attack detection, tracking, mitigation
Management
Tracking
Management
Mitigation
Edge
Layer
Detection
Distribution
Layer
Detection
Aggrregation
Layer
Mitigation
Tracking
Servers
And
Endpoints
Outside-In
DDoS Attack
Track attack
to
specific links
Mitigate attack
on
specific links
Management
Tracking
Management
Mitigation
Edge
Layer
Detect attack
at
specific target
Detection
Distribution
Layer
Detection
Aggrregation
Layer
Mitigation
Tracking
Servers
And
Endpoints
Detect attack
on
specific target
Mitigate attack
on
Management
specific links
Inside-Out
DDoS Attack
Tracking
Management
Mitigation
Edge
Layer
Detection
Track attack
to
specific links
Distribution
Layer
Detection
Aggrregation
Layer
Mitigation
Tracking
Servers
And
Endpoints
Inside
Worm Attack
Mitigate attack
on
specific link
Track attack
Management
on
specific link
Tracking
Management
Mitigation
Edge
Layer
Detection
Detect attack
from
specific source
Distribution
Layer
Detection
Aggrregation
Layer
Mitigation
Tracking
Servers
And
Endpoints
FloodGuard Highlights
• Next step in solving network availability attack
• Components
–
–
–
–
Detection (Sideline)
Tracking (Sideline)
Mitigation (Inline or Sideline)
Management (Sideline)
• Millisecond response
• Traffic Capture
– NetFlow
– cFlow
11
– Gigabit packet capture
Detection:
Anomaly versus Signature
• Signature-based schemes ascertain
specific patterns in packet
properties/content or in packet
sequences
• Anomaly-based schemes differentiate
attack traffic from normal traffic by
using a statistically derived baseline
• Signature-based detection schemes
are quite precise for known attacks
12
Detection:
Sophisticated traffic algorithms
• Traffic Analysis
– Analyzes traffic close to the destinations
– Protection domains created based on network
requirements
– Traffic patterns capable of being base lined to individual
endpoints or broader IP blocks
• Anomalous behavior identified relative to established
traffic patterns
– Packet rate, Bandwidth, Destination and more
• Continuous Learning Technology:
– Traffic patterns once initially baseline will be continuously
updated as necessary with optional user intervention
– Protection Domains or granularity of endpoint monitoring
can be automatically detected and added
• Detects multiple attacks occurring simultaneously
13
FloodGuard Tracking
• Attacks are often spoofed
– Cannot tell where a packet comes from just by
looking at a packet’s source address
• Tracking identifies where attack packets
are coming from
– Attacks often come on some of the ingress
links, not all
• Only traffic on tracked links need to be
subjected to mitigation
– Not all traffic to a target needs to be mitigated
– Frees up other links from any mitigation
• The further the mitigation is from the
victim, the more effective it is
• Tracking crucial to identifying remote
14
botnets in real time
FloodGuard Mitigation
• Mitigation using dynamic filtering
– Allow good traffic while blocking attack
traffic
– Good traffic determined historically and
behaviorally
• Per protection domain mitigation
– Simultaneous filtering of attacks on
multiple PDs
• Per tracked link mitigation
– Mitigation only links on which attack
traffic is successfully tracked
15
FloodGuard Management
• Multiple functions
– Live Attack management
– Real-time Traffic monitoring
– Continuous anomaly and traffic analysis
• Multiple attack management modes
– Manual
– Interactive
– Automatic
• Flexible Real time Reporting
•
•
•
•
•
•
– graphical reports
– per PD detail reports
HTTP, Syslog, Email export
Role based management
Multi-tiered user access levels
Integrated with detection, tracking and mitigation
Integrated with customer support systems
Remote secure access
– Java-based UI
16
FloodGuard Solution Architecture
packets/flows
rerouted attack traffic
FloodGuard
Appliance
scrubbing
switch
re-injected scrubbed traffic
packets/flows
Servers
And
Endpoints
17
FloodGuard Deployment
• Multiple Traffic Capture Methods
– Packet capture (tapped or spanned)
– Flow capture (netflow, cflow, sflow)
• Different Footprints
– Single appliance or multiple appliances
– Choice of Footprint depends on
• Traffic capture rate and
• Number of independent protection domains
• Alternate Mitigation Techniques
– Inline using existing routers (Cisco, Juniper, Others)
– Sideline using FloodGuard-controlled scrubbing switch
• Remote Management
– Java-based “Live” UI
– HTTP-based Plots and Reports
18
Real Results – NDS Live
HSP #1
• 16 Gbps of Ingress
Traffic
• Offered FloodGuard™
as a revenue
generating service
• Example of Results
– During July/August
– 97% of the servers
attacked functioned
100%
– Remaining 3% were
75% responsive
HSP #2
• 1 Gbps of Ingress Traffic
• Granularity set at /48
• Completely automated
detection, tracking, and
mitigation – no manual
intervention required
• Example attacks being
addressed: 154K pkts/s
@ 140mbit/sec
19
Demo
Jagan Jagannathan
[email protected]
VP, engineering
20
FloodGuard Summary
• Instant detection of intense and unknown anomalous
traffic
– DDoS attacks
– 0-day worm or virus attacks
– Botnet traffic
• Rapid tracking of anomalous traffic origins
• Precise mitigation response
• Comprehensive real-time attack monitoring,
management and reporting
• Powerful real-time and historical traffic analysis
• Granular protection domains
– Per-service address
– Department/dorm etc address block
– Datacenter-wide address block
• Scales effectively with
– With large numbers of endpoints
– With increasing aggregate traffic
21
The Benefit of netZentry to OAR
members
• Proven technology
• Next step in security strategy
• Easily deployable solution
• Immediately starts protecting
22
Thank-you
Peter Long, Vice President, Marketing
[email protected]
netZentry, Inc.
23