Key Steps of Protection for a First Line of Defense

Transcript

Corero Network Security – First Line of Defense
Name – Title
Corero First Line of Defense®
The Corero First Line of Defense® solution offers comprehensive, always-on protection in front of the firewall, protecting against DDoS attacks and other malicious threats.
Complementary to on-demand cloud protection providers and traditional firewall technologies, Corero provides the most comprehensive fail-safe solution for intelligent, real-time protection against cyber-attacks.
Our Philosophy
Change the way people think about defense-in-depth security. Period.
We do this by developing intelligent, reliable solutions designed to shore up your existing security investments against the ever-evolving landscape of malicious cyber attacks, and by understanding the real-world scenarios in which cyber criminals operate, day in and day out. That is how we have engineered practical, intelligent solutions that continuously yield proven results.
© 2014 Corero
www.corero.com
Humans Generate 49% of Internet Traffic
51% of visitors are non-human: unwanted traffic, "noise on the wire".
• Search engines scouring the Internet account for 20%
• Harvesting competitive information accounts for 19%
• Tools against vulnerable websites account for 5%
• Screen scrapers increasing SEO account for 5%
• Automated content spammers account for 2%
Source: http://www.incapsula.com/the-incapsula-blog/item/225-what-google-doesnt-show-you-31-of-website-traffic-can-harm-your-business
Who is an attack target?
Company Size Doesn't Matter (chart: SMALL vs. LARGE)
*Verizon 2013 Data Breach Investigations Report
Who is an attack target?
Industry Doesn't Matter (chart: Financial, Retail, MFG, Services)
*Verizon 2013 Data Breach Investigations Report
Categories of Attacks and Unwanted Traffic
Unwanted Traffic comes in all Shapes and Sizes. Each category is paired with its defense:
• Network Level DDoS Attacks – Defense: IP Threat Level Assessment
• Reflective DDoS Attacks – Defense: Stateful Flow Awareness
• Outbound DDoS Attacks – Defense: Bi-Directional Flood Detection
• Application Layer DDoS Attacks – Defense: Behavior Analysis
• Specially Crafted Packet Attacks – Defense: Protocol Analysis
• Pre-Attack Recon (Scans) – Defense: Scan Obfuscation
• Advanced Evasion Techniques (AET) – Defense: Advanced Evasion Detect
• Other Unwanted Traffic – Defense: Deep Packet Inspection
New Security Solutions are Required
"Firewalls don't cut it anymore as the first line of defense"
IT Best Practices Alert, by Linda Musthaler, Network World, October 19, 2012

Among the key barriers impacting banks' ability to deal with DDoS attacks, 50% cited insufficient personnel and expertise and a lack of effective security technology as the most serious concerns, followed by insufficient budget resources.
A Study of Retail Banks & DDoS Attacks – Ponemon Institute, January 2013

"Don't count on a firewall to prevent or stop a DDoS attack. The first step is to recognize that your firewall is insufficient protection against the types of DDoS attacks that are increasingly common today. Even a next-generation firewall that claims to have DDoS protection built-in cannot deal with all types of attacks. The best protection against DDoS attacks is a purpose-built device or service that scrutinizes inbound traffic before it can hit your firewall or other components of the IT infrastructure."
By Linda Musthaler, Network World, January 2013
While network security devices have matured and are extremely capable of thwarting certain attacks, they are insufficient when it comes to mitigating DDoS attacks.
Distributed Denial of Service (DDoS) attacks: evolution, impact & solutions – VeriSign
Firewall – Locked down: No Service Access
Diagram: Internet → Firewall → Internal Network. The firewall has no inbound holes open, so inbound service requests are blocked by the firewall, together with the unwanted traffic: buffer overflows, application layer DDoS, code injections, brute-force password attempts and specially crafted packets.
Firewall – Service Ports Open
In order to allow incoming service requests, inbound "holes" must be opened on the firewalls:
• Web – TCP Port 80, 443
• DNS – TCP/UDP Port 53
• Mail – TCP Port 25
• FTP/SSH – TCP Port 21, 22
Unwanted traffic (buffer overflows, application layer DDoS, code injections, brute-force password attempts, specially crafted packets) arrives on the same open ports and reaches the internal network.
All firewalls work the exact same way! All attacks pass right through the firewall because that is what it thinks it is supposed to do.
Corero – Inspect Open Service Ports
Corero is located in front of the firewalls and blocks unwanted traffic (buffer overflows, application layer DDoS, code injections, brute-force password attempts, specially crafted packets) on the open service ports:
• Web – TCP Port 80, 443
• DNS – TCP/UDP Port 53
• Mail – TCP Port 25
• FTP/SSH – TCP Port 21, 22
Good user traffic is allowed to pass. Firewalls and downstream servers are protected and never see the unwanted traffic.
Solution – Corero's First Line of Defense
Corero protects your IT infrastructure by removing broad-based attacks.
Diagram: Attackers (DDoS Attacks, Undesired Users & Services, AETs & Protocol Abuse, Server Side Exploits) are blocked at the First Line of Defense; Customer Traffic (Good Users) passes through to Efficient, Effective Firewalls and on to the IT Infrastructure (Router, IPS, SLB, WAF, High Performing Applications).
Gartner: Best Practices – Mitigating DDoS Attacks
• Ensure that Business Continuity/Disaster Recovery and Incident Response Plans address planning for and response to DDoS
• Evaluate ISP "Clean Pipe" Services
• Evaluate DDoS "Mitigation as a Service" Options
• Deploy DDoS Detection and Mitigation Equipment on Premises
Why does Gartner mention on-premises defenses? On-premises defenses can defeat the broadest spectrum of attacks 7x24!
Hybrid Anti-DDoS (Cloud + On-Prem) Makes the Most Sense
Only Half the Battle – Cloud anti-DDoS
Diagram: Attackers → Attack Traffic and "Full Pipe" Attacks → Cloud anti-DDoS (On-Demand) → Attack Leakage → On-Premises Solution (Always-on protection) → Protected Critical Infrastructure. Good Users' Good Traffic passes; Unwanted Traffic is blocked.
The Corero on-premises DDoS Defense combined with on-demand cloud-based mitigation provides comprehensive protection & visibility at the enterprise perimeter.
Defense-in-Depth Security Solution Landscape
Corero stops more attacks and threats than competitors' DDoS products (based on customer tests conducted with Corero).
Diagram: Internet → Router → SLB → WAF, with vendors grouped by layer:
• Intelligence: SilverTail, Trusteer, Acertify
• Cloud Security Service: Neustar, Prolexic, Akamai, Arbor
• First Line of Defense: Corero, Radware, Arbor
• Firewall / NGFW: Checkpoint, Palo Alto, Fortinet, Juniper, Cisco
• IPS/APT: Sourcefire, Fortinet, IBM, HP, Fireeye
• SLB/WAF: F5
• Service Analytics / SIEM / Big Data: ArcSight, Splunk, Q1 Labs
• Also shown: Webroot, McAfee, Symantec, Kaspersky
Corero's First Line of Defense
Unwanted traffic falls into four groups: Undesired Users & Services; DDoS Attacks & Competitive Abuse; Protocol Violations & AETs; Targeted Server Attacks.
Key Steps of Protection
1. Restrict Access – Allow only EXPECTED traffic (Undesired Users & Services)
• Block malicious IP addresses & unwanted geolocations
• Allow desired ports & services
2. Limit Rates – Evaluate AMOUNT of traffic (DDoS Attacks & Competitive Abuse)
• Limit excessive requests & connections
3. Enforce Protocols – Enforce CORRECTNESS of traffic (Protocol Violations & AETs)
• Stop protocol abuse and RFC violations
• Prevent AETs (advanced evasion techniques)
4. Prevent Intrusions – Analyze INTEGRITY of traffic (Targeted Server Attacks)
• Inspect traffic and block intrusions, buffer overflows, code injections & exploits
5. Increase Visibility – Provide VISIBILITY into unwanted traffic
• Who is attacking, at what rate, and using what attack vectors?
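An added example, not Corero's code or part of the original deck, showing the "restrict access", "limit rates" and "visibility" steps above as a policy evaluator over constructed flow records; the block lists, allowed ports, rate limit and flows are assumed sample values.

```python
from collections import Counter, defaultdict

# Constructed policy for a hypothetical edge device; none of these are real threat-intel values.
BAD_IPS = {"203.0.113.9"}                # step 1: IP reputation block list
BLOCKED_GEOS = {"XX"}                    # step 1: geolocations where we do no business
ALLOWED_PORTS = {80, 443, 53, 25, 22}    # step 1: desired ports & services
RATE_LIMIT = 5                           # step 2: max flows per source per evaluation window

# Constructed flow records: (src_ip, src_country, dst_port, protocol)
FLOWS = [
    ("198.51.100.7", "US", 443, "tcp"),   # legitimate web client
    ("203.0.113.9", "US", 443, "tcp"),    # source on the reputation block list
    ("198.51.100.8", "XX", 80, "tcp"),    # source in a blocked geolocation
    ("198.51.100.9", "US", 3389, "tcp"),  # port not opened to the Internet
] + [("198.51.100.10", "US", 53, "udp")] * 8  # one source flooding DNS


def classify(flow, seen):
    """Apply the steps in order; return 'allow' or the block reason (the attack vector)."""
    src, geo, port, _proto = flow
    if src in BAD_IPS:
        return "malicious-ip"
    if geo in BLOCKED_GEOS:
        return "blocked-geo"
    if port not in ALLOWED_PORTS:
        return "closed-port"
    seen[src] += 1                       # only expected traffic counts toward the rate limit
    if seen[src] > RATE_LIMIT:
        return "rate-limit"
    return "allow"


def evaluate(flows):
    """Return per-flow verdicts and a visibility report: who was blocked, how often, why."""
    seen = Counter()
    verdicts = [classify(f, seen) for f in flows]
    report = defaultdict(Counter)        # src_ip -> Counter of block reasons
    for (src, *_), verdict in zip(flows, verdicts):
        if verdict != "allow":
            report[src][verdict] += 1
    return verdicts, dict(report)


if __name__ == "__main__":
    _, report = evaluate(FLOWS)
    for src, vectors in report.items():
        print(f"{src}: blocked {sum(vectors.values())} flow(s) via {dict(vectors)}")
```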
Thank You
Presenter Contact Information Here
APPENDIX
Additional slides approved for use
Multi-Layer Threat Landscape
Threats surrounding Your Web Presence:
• State Exhaustion Attacks
• Application Layer Attacks
• Pre-Attack Recon (Scans)
• DNS Amplified Attacks
• Specially Crafted Packets
• Volumetric Network Attacks
• Malware & Targeted Exploits
• Advanced Evasion Techniques
About Corero Network Security
• HQ in Hudson, MA, USA with offices globally
• Publicly traded CNS:LN
• 2000+ customers
• Across verticals in 50 countries
• Patented DDoS defense technology
• Up to 10 Gbps network performance in an inline purpose-built device
• Suite of Managed Security Services
"Corero is the First Line of Defense that stops unwanted traffic before it reaches your infrastructure"
DDoS/Breach Risk Factors by Industry
(nine risk factors are scored per industry; the factor headings are not included in the transcript)
Banking: 2, 4, 2, 5, 4, 2, 4, 2, 2
eCommerce: 5, 1, 4, 4, 2, 2, 3, 2, 4
Education: 1, 5, 3, 4, 1, 5, 1, 1, 2
Financial Services: 3, 3, 5, 3, 4, 3, 3, 4, 3
Financial Trading: 5, 2, 2, 3, 4, 5, 2, 2, 3
Gaming: 3, 3, 2, 5, 2, 5, 5, 1, 2
Govt/Municipal: 2, 4, 3, 1, 1, 5, 2, 2, 4
Health Care: 3, 3, 5, 1, 2, 5, 3, 4, 3
Hosting/Telecom: 3, 3, 2, 5, 2, 5, 4, 2, 2
Legal Services: 1, 3, 5, 2, 2, 3, 5, 2, 4
Manufacturing: 2, 4, 5, 2, 2, 4, 2, 1, 3
Media: 3, 3, 2, 5, 2, 4, 4, 2, 1
Online Gambling: 5, 2, 3, 5, 1, 4, 2, 1, 2
Utilities: 2, 4, 2, 2, 2, 5, 2, 3, 4
5 = most critical, 1 = least critical
Financial Risks
• The average annualized cost of cyber crime for 56 organizations in 2012 is $8.9 million per year, with a range of $1.4 million to $46 million.
• The most costly cyber crimes are those caused by denial of service, malicious insiders and web-based attacks.
*Ponemon 2012 US Cost of Cyber Crime Study

Lost Productivity
Chart: Average Days to Resolve Attacks (axis: Weeks)
*Ponemon 2012 US Cost of Cyber Crime Study
Anatomy of a Successful DDoS Attack
Today's sophisticated DDoS attackers will:
1. Footprint (profile) the Web Presence
2. Scan the infrastructure and Web resources
3. Initiate network-level volumetric attack
4. Test if Web Presence is impacted
5. Maintain Flood – spoof all source IPs
6. Initiate low-and-slow application attacks
7. Initiate specially-crafted packet attacks
8. Initiate DNS reflective/amplified attacks
9. Attempt to exploit (compromise) downstream servers
10. Simultaneously launch as many types of attacks as possible
… and not relent or subside – they stand very firm in their resolve.
A combined attack simply increases the chance of success!
Here's a Sample of the Tools
NMAP, Hping3, Low Orbit ION Cannon, High Orbit ION Cannon, KillApache.pl, Slowloris, HULK, Metasploit, Dirt Jumper (diagram: all aimed at www.yoursite.com)
Some Application Attack Examples
• Home Page, Home Page, Home Page, Home Page, …
  – Cached content, easiest to serve, most common "click".
• Login attempt, user=johndoe, pw=letmein
  – Dynamic lookup on back-end server (encryption)
• Forgot my password, [email protected]
  – Backend CGI, email generation (spam)
• Home Page – Search (keyword 1) (keyword 2) …
  – Repeat forever, ties up site search database
• Stock Quote – Lookup (quote 1) (quote 2) (quote 3) …
• Request Information – Download PDF guide (repeat)
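To show how the repeated expensive requests listed above can be spotted in ordinary web server logs, here is an added example (not from the original deck or Corero) that weights each request by an assumed back-end cost and flags clients exceeding a per-minute budget; the log lines, cost weights and budget are constructed sample values.

```python
import re
from collections import defaultdict

# Assumed relative back-end cost per request type: the cached home page is cheap,
# login, forgot-password and search each hit the back end (dynamic lookup, CGI, database).
COST = {"/": 1, "/login": 3, "/forgot-password": 4, "/search": 5, "/quote": 4, "/guide.pdf": 2}
BUDGET_PER_MINUTE = 40   # assumed per-client cost budget; clients above it are flagged

# Common Log Format: client ident user [timestamp] "METHOD target protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Return (client_ip, minute_bucket, path) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    path = target.split("?", 1)[0]          # drop the query string (search keywords)
    minute = ts[:17]                        # "10/Mar/2014:13:55" -> one-minute bucket
    return ip, minute, path


def abusive_clients(lines):
    """Sum weighted cost per (client, minute); return clients over budget with their vectors."""
    cost = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, minute, path = rec
        cost[(ip, minute)] += COST.get(path, 2)   # unknown dynamic path: assumed cost 2
        paths[(ip, minute)].add(path)
    return {ip: {"cost": c, "vectors": sorted(paths[(ip, m)])}
            for (ip, m), c in cost.items() if c > BUDGET_PER_MINUTE}


# Constructed sample: one ordinary visitor and one client looping search and password reset.
SAMPLE = (
    ['198.51.100.7 - - [10/Mar/2014:13:55:01 +0000] "GET / HTTP/1.1" 200 512',
     '198.51.100.7 - - [10/Mar/2014:13:55:09 +0000] "GET /search?q=widgets HTTP/1.1" 200 900']
    + ['203.0.113.5 - - [10/Mar/2014:13:55:%02d +0000] "GET /search?q=k%d HTTP/1.1" 200 900' % (i, i)
       for i in range(8)]
    + ['203.0.113.5 - - [10/Mar/2014:13:55:%02d +0000] "POST /forgot-password HTTP/1.1" 200 300' % i
       for i in range(8, 12)]
)

if __name__ == "__main__":
    for ip, info in abusive_clients(SAMPLE).items():
        print(f"{ip}: cost {info['cost']} in one minute via {info['vectors']}")
```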
DDoS Defense – More than a Checkbox
Caution:
• Many security devices claim to have DDoS Protection
• Most have a single configuration = DDoS On/DDoS Off
Ensure that your DDoS defenses can:
• Provide granular DDoS configurations (policies)
• Defend against all known DDoS attack vectors
• Handle the load while under DDoS attack
• Not be DDoS'ed themselves as part of a DDoS attack
• Provide access to 24x7 DDoS defense Support Services
Top Tips for a First Line of Defense
Your First Line of Defense Solution Must:
1. Block known malicious IP addresses through IP reputation intelligence
2. Block all geo-locations where you do NOT do business
3. Dynamically assess the threat level of all "unknown" IP addresses
4. Block application abusers via request/response behavioral analysis
5. Be capable of locking down all unnecessary ports – DPI all open ports
6. Enforce proper protocol usage per RFC & industry standards
7. Block advanced evasion techniques used to bypass other inspections
8. Block targeted malware attacks on your infrastructure
9. Detect and provide comprehensive network layer DDoS attack mitigation
10. Be deployed on-premises to protect your Email, DNS and Origin Servers
Corero DDS Platform
Deployment
• 1U appliance deployed in-line
• Available in copper and fiber interfaces
• Power consumption under 100 watts
• Zero-Power Bypass built-in (copper only)
Performance
• Latency < 50 µsec typical
• Concurrent sessions: up to 2 million
• Available in 300 Mbps to 10 Gbps models
Reliability
• 20-30 years MTBF
• Dual hot-swappable power supplies
• High availability, load balancing, and scalability using ProtectionCluster™
Corero's SecureWatch™ PLUS service
Managed Protection Against DDoS Attacks
Corero Security Operations Center:
1 – Assess: establish baseline performance
2 – Monitor: watch for deviations in traffic
3 – Respond: mitigate attacks and reassess baseline
Diagram elements: Internet, Router, IPS, SLB, WAF