
Solution Overview

Cisco Firepower and Radware


End to End Cyber Protection

July 2016
Cisco Firepower – Radware DDoS Mitigation Module

Virtual DefensePro (vDP) on Firepower NGFW 9300 and Firepower NGFW 4100:

• DDoS attack protection technology: widest attack coverage
• Behavioral analysis protection: most accurate detection and mitigation
• Real-time attacks: detect and mitigate attacks in seconds
Firepower 9300/4100 - DDoS protection Use Case

[Diagram: Internet → Perimeter (Firepower 9300/4100 running vDP alongside the ASA, with an ADC) → Data Center applications: UC, CRM, BI, Web Portals, Mail]

vDP Solution Overview:
• Runs on Security Modules SM-24 or SM-36
• Licensing available at 10Gbps or 30Gbps
• Requires FXOS version 1.1.4
• Runs together with the ASA

Network and Application DDoS protection
Most accurate detection & mitigation
Shortest time to mitigation
Protection Modules Overview
Anomalies – RFC based Protection rules – Globally Applicable to vDP no policy association required
Signatures – DosShield Module – Profiles are Reusable Policy Objects
- used to identify and remove traffic from known Bots
Behavioral DoS Module – Profiles are Reusable Policy Objects
- baselines generated per Network Protection Policy for TCP, UDP, ICMP and IGMP
- attack detection is based on both rate and ratio anomalies
- generates Real-Time Signatures for surgically blocking attacks
SYN Protection Module – Profiles are Reusable Policy Objects
- Challenge and Response engine distinguishing legitimate from illegitimate clients
- supports both TCP Challenges for numerous protocols
- when HTTP is present application Challenges are used in an action escalation process
- challenges are transparent to end users
DNS Protection Module – Profiles are Reusable Policy Objects but likely more specific to DNS Platforms
- attack detection uses query types, query rate and additional rate invariant parameters
- generates Real-Time Signatures with the ability to leverage an action escalation process
- action escalation include rate limiting and blocking

Rate vs. Rate-Invariant Behavioral Analysis

[Figure: two panels, each pairing a Rate Analysis inset with a TCP Flag Distribution Analysis bar chart (x-axis: SYN, SYN-ACK, ACK, Data, RST, FIN-ACK; y-axis: 0% to 100%). Panel 1, Flash Crowd: the rate rises but the flag distribution keeps its normal shape. Panel 2, RST Flood Attack: the rate rises and the distribution is dominated by RST.]

A rate check alone sees the same thing in both panels, a spike in packets per second. Only the rate-invariant check on the flag ratios separates the flash crowd (normal mix, more of it) from the RST flood (distorted mix).
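The two checks this slide contrasts, as an added example that is not code from the original page, Radware or Cisco: a rate check against a learned packet rate and a rate-invariant check on the TCP flag distribution. The baseline values, the thresholds (3x the baseline rate, L1 distance 0.3) and the four one-second windows are constructed for illustration; the product's own baselining and scoring are not described on the page.

```python
"""Rate vs. rate-invariant (ratio) checks over a window of TCP flag counts.

Added example, not Radware or Cisco code. It implements the two checks the
slide contrasts: a rate check (packets/s against a learned baseline rate) and
a rate-invariant check (the share of each TCP flag against the learned share).
A flash crowd raises the rate but keeps the flag mix, so only the rate check
fires; an RST flood distorts the mix, so both fire; a low-rate RST anomaly is
caught only by the ratio check. The baseline and every window are constructed.
"""
from collections import Counter

FLAGS = ("SYN", "SYN-ACK", "ACK", "Data", "RST", "FIN-ACK")

# Constructed learned baseline (assumed values): mean rate and per-flag share.
BASELINE_PPS = 20_000.0
BASELINE_DIST = {"SYN": 0.10, "SYN-ACK": 0.09, "ACK": 0.45,
                 "Data": 0.30, "RST": 0.01, "FIN-ACK": 0.05}


def rate_anomaly(pps, baseline_pps=BASELINE_PPS, factor=3.0):
    """Rate check: the observed packet rate exceeds `factor` times the baseline."""
    return pps > factor * baseline_pps


def flag_distribution(counts):
    """Turn per-flag packet counts into shares that sum to 1 (empty if no packets)."""
    total = sum(counts.values())
    return {f: counts.get(f, 0) / total for f in FLAGS} if total else {}


def ratio_anomaly(counts, baseline=BASELINE_DIST, max_l1=0.3):
    """Rate-invariant check: L1 distance between observed and baseline flag shares.

    Returns (is_anomalous, distance). The distance does not depend on the
    absolute packet rate, which is what lets it tell an attack from a flash crowd.
    """
    dist = flag_distribution(counts)
    if not dist:
        return False, 0.0
    l1 = sum(abs(dist[f] - baseline[f]) for f in FLAGS)
    return l1 > max_l1, l1


def classify(window_seconds, counts):
    """Combine both checks: rate alone is a flash crowd, rate plus ratio is an attack."""
    pps = sum(counts.values()) / window_seconds
    rate_hit = rate_anomaly(pps)
    ratio_hit, _ = ratio_anomaly(counts)
    if rate_hit and ratio_hit:
        return "attack"            # volume up AND flag mix distorted (e.g. RST flood)
    if rate_hit:
        return "flash crowd"       # volume up, flag mix still matches the baseline
    if ratio_hit:
        return "low-rate anomaly"  # mix distorted without a volume spike
    return "normal"


# Constructed one-second windows of per-flag packet counts.
WINDOWS = {
    # 80k pps with exactly the baseline flag mix: a legitimate surge.
    "flash_crowd": Counter({"SYN": 8000, "SYN-ACK": 7200, "ACK": 36000,
                            "Data": 24000, "RST": 800, "FIN-ACK": 4000}),
    # ~80k pps where RST is three quarters of all packets.
    "rst_flood": Counter({"SYN": 2000, "SYN-ACK": 1800, "ACK": 9000,
                          "Data": 6000, "RST": 60000, "FIN-ACK": 1000}),
    # Baseline rate, but RST has crowded out ACK and Data.
    "low_rate_rst": Counter({"SYN": 1000, "SYN-ACK": 900, "ACK": 4500,
                             "Data": 3000, "RST": 9600, "FIN-ACK": 1000}),
    # Baseline rate and baseline mix.
    "normal": Counter({"SYN": 2000, "SYN-ACK": 1800, "ACK": 9000,
                       "Data": 6000, "RST": 200, "FIN-ACK": 1000}),
}

if __name__ == "__main__":
    for name, counts in WINDOWS.items():
        _, l1 = ratio_anomaly(counts)
        print(f"{name:13s} {sum(counts.values()):6d} pps  L1={l1:.2f}  -> {classify(1.0, counts)}")
```

Running the script prints one verdict per window. The point to take from it is the "low_rate_rst" row: the packet rate is exactly the baseline, so a pure rate threshold never fires, while the flag-ratio distance is large enough to flag it.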

Network Behavior Analysis & RT Signature Technology

[Diagram: inbound traffic from the Public Network passes through Statistics collection into the Detection Engine; when the Degree of Attack is High, blocking rules built from Real-Time Signatures (the narrowest filters) are applied before traffic reaches the Protected Network; outbound traffic is observed as well]

Real-Time Signature parameters (narrowest filters):
• Source/Destination IP
• Source/Destination Port
• Packet size
• TTL (Time To Live)
• DNS Query
• Packet ID
• TCP sequence number
• More ... (up to 20)

Network Behavior Analysis & RT Signature Technology
Mitigation optimization process

[Diagram: closed feedback loop; the Filtered Traffic is measured again by the Detection Engine and the Degree of Attack drops from High to Low as the filter is refined]

Timeline: start of mitigation at 0, initial filter within up to 10 sec, final filter at 10+X sec

Filter optimization, one parameter at a time:
• Initial filter is generated: Packet ID
• Packet ID AND Source IP
• Packet ID AND Source IP AND Packet size
• Packet ID AND Source IP AND Packet size AND TTL (the Real-Time Signature)

Each step is checked against the filtered traffic: a lower degree of attack confirms the narrower filter (positive feedback), while a degree of attack that stays high sends the engine back to adjust it (negative feedback).
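The filter optimization loop described above, as an added example that is not Radware or Cisco code: a greedy closed-feedback refinement over constructed packets. The field names, the drift ranking, the 1.5x-baseline tolerance and the spoofed flood that shares a constant Packet ID, size and TTL are all assumptions; the product's own scoring is not described on the page. Unlike the slide's sequence, Source IP is rejected here because the flood is spoofed from many addresses, which is the negative-feedback case.

```python
"""Closed-feedback real-time signature refinement (added example, not Radware code).

Packets are dicts of header fields. A learned baseline gives each field's normal
value distribution. During an attack the engine ranks fields by how far the most
common value's share in the attack window drifts from the baseline, starts the
blocking rule with the single most anomalous field, then ANDs in further fields
one at a time. A candidate is kept when the residual (unblocked) rate stays near
the baseline rate (positive feedback) and dropped when the attack gets back
through (negative feedback). Field names, thresholds and all packets are constructed.
"""
import random
from collections import Counter

FIELDS = ("packet_id", "src_ip", "size", "ttl")


def top_value_drift(field, window, baseline):
    """(value, drift) for the field value most over-represented in the window."""
    wc = Counter(p[field] for p in window)
    bc = Counter(p[field] for p in baseline)
    value, n = wc.most_common(1)[0]
    return value, n / len(window) - bc[value] / len(baseline)


def matches(pkt, signature):
    """A signature is an AND of field == value conditions; an empty one blocks nothing."""
    return bool(signature) and all(pkt.get(f) == v for f, v in signature.items())


def residual_rate(window, signature, seconds):
    """Packets per second that the signature's blocking rule lets through."""
    return sum(1 for p in window if not matches(p, signature)) / seconds


def build_signature(window, baseline, seconds, tolerance=1.5):
    """Return (signature, rejected_fields) after the closed-feedback refinement."""
    baseline_pps = len(baseline) / seconds
    ranked = sorted(((f,) + top_value_drift(f, window, baseline) for f in FIELDS),
                    key=lambda t: t[2], reverse=True)
    field, value, _ = ranked[0]
    signature = {field: value}          # initial (widest) filter: one parameter
    rejected = []
    for field, value, _ in ranked[1:]:
        candidate = {**signature, field: value}
        # Degree of attack after the candidate filter = residual rate vs. baseline rate.
        if residual_rate(window, candidate, seconds) <= tolerance * baseline_pps:
            signature = candidate       # positive feedback: narrower and still effective
        else:
            rejected.append(field)      # negative feedback: the attack leaks back through
    return signature, rejected


def false_positives(signature, legit):
    """Legitimate packets the final signature would block (collateral damage)."""
    return sum(1 for p in legit if matches(p, signature))


def make_traffic(seed=7):
    """Constructed baseline, a legitimate window and a spoofed flood sharing three fields."""
    rng = random.Random(seed)

    def legit():
        return {"packet_id": rng.randrange(1, 65536),
                "src_ip": f"198.51.100.{rng.randrange(1, 255)}",
                "size": rng.choice([60, 74, 120, 576, 1460]),
                "ttl": rng.choice([52, 64, 116, 128])}

    baseline = [legit() for _ in range(200)]
    legit_window = [legit() for _ in range(200)]
    spoofed = [f"203.0.113.{i}" for i in range(1, 51)]   # assumed spoofed source pool
    flood = [{"packet_id": 4660, "src_ip": rng.choice(spoofed), "size": 60, "ttl": 249}
             for _ in range(2000)]
    return baseline, legit_window, legit_window + flood


BASELINE, LEGIT, WINDOW = make_traffic()

if __name__ == "__main__":
    sig, rejected = build_signature(WINDOW, BASELINE, seconds=1.0)
    print("signature :", " AND ".join(f"{k}={v}" for k, v in sig.items()))
    print("rejected  :", rejected)
    print("residual  :", residual_rate(WINDOW, sig, 1.0), "pps vs baseline", len(BASELINE), "pps")
    print("collateral:", false_positives(sig, LEGIT), "legitimate packets blocked")
```

The loop is deliberately greedy: each parameter is kept only while the residual traffic stays close to the baseline rate, so the signature gets as narrow as the attack allows (fewer legitimate packets caught) without being so narrow that the flood escapes.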
Challenge/Response & Action Escalation System

A botnet is identified (suspicious traffic is detected per web application), then the actions escalate:
• Polymorphic attack detection (behavioral botnet flood detection)
• Real-Time signature created
• TCP spoofing challenge (botnet protection per web application)
• HTTP 302 response challenge
• JavaScript injection challenge
• Collective rate limit (collective protection per web application)

Closed Feedback & Action Escalation
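The HTTP-level part of the escalation above, as an added example that is not Radware or Cisco code: a 302 redirect challenge, then a JavaScript challenge, then a collective rate limit shared by every source that answered neither. The TCP-level challenge that precedes these on the slide is not modelled. The cookie names, the per-device secret, the thresholds, the `solve()` function assumed to exist in the injected script, and the simulated browser and bot are all assumptions.

```python
"""Challenge/response with action escalation for a web application under botnet
flood (added example, not Radware or Cisco code).

Once behavioural detection has flagged the application (the caller sets
`under_attack`), each source must prove it is a real client: first an HTTP 302
redirect challenge (a browser follows the redirect and returns the cookie), then
a JavaScript challenge (the injected script computes a token the device can
recompute), and finally a collective rate limit shared by every source that
failed both. The tokens are HMACs over the source IP, so the device keeps no
per-client secret and a cookie replayed from another host is rejected.
Cookie names, secret, thresholds and the simulated clients are assumptions.
"""
import hashlib
import hmac
from collections import namedtuple

SECRET = b"per-device-secret-rotate-me"     # assumed; would be generated per device
Response = namedtuple("Response", "status action headers body")


def redirect_token(src_ip):
    """Cookie value for the 302 challenge, keyed to the source IP."""
    return hmac.new(SECRET, b"302:" + src_ip.encode(), hashlib.sha256).hexdigest()[:16]


def js_nonce(src_ip):
    """Nonce embedded in the injected script, also keyed to the source IP."""
    return hmac.new(SECRET, b"js:" + src_ip.encode(), hashlib.sha256).hexdigest()[:16]


def js_solution(nonce):
    """What the injected script computes in the browser; the device recomputes it to verify."""
    return hashlib.sha256(nonce.encode()).hexdigest()[:16]


class Mitigator:
    REDIRECT_FAILS = 2       # unanswered 302 challenges before escalating to JS
    JS_FAILS = 2             # unanswered JS challenges before the collective rate limit
    COLLECTIVE_RPS = 5       # shared per-application budget for sources that failed both

    def __init__(self):
        self.under_attack = False
        self.fails = {}       # src_ip -> number of challenges not answered
        self.passed = []      # timestamps of requests admitted under the rate limit

    def handle(self, src_ip, path, cookies, now):
        if not self.under_attack:
            return Response(200, "pass", {}, "origin")
        if cookies.get("rdw_302") == redirect_token(src_ip):
            return Response(200, "pass", {}, "origin")          # answered the 302 challenge
        if cookies.get("rdw_js") == js_solution(js_nonce(src_ip)):
            return Response(200, "pass", {}, "origin")          # answered the JS challenge
        fails = self.fails.get(src_ip, 0)
        self.fails[src_ip] = fails + 1
        if fails < self.REDIRECT_FAILS:
            headers = {"Location": path, "Set-Cookie": f"rdw_302={redirect_token(src_ip)}"}
            return Response(302, "redirect", headers, "")
        if fails < self.REDIRECT_FAILS + self.JS_FAILS:
            nonce = js_nonce(src_ip)
            body = (f"<script>document.cookie='rdw_js='+solve('{nonce}');"
                    "location.reload()</script>")                # solve() is assumed
            return Response(200, "js", {"X-Challenge": "js"}, body)
        # Collective rate limit: one budget shared by all sources that failed everything.
        self.passed = [t for t in self.passed if now - t < 1.0]
        if len(self.passed) >= self.COLLECTIVE_RPS:
            return Response(429, "drop", {}, "")
        self.passed.append(now)
        return Response(200, "limited", {}, "origin")


class Browser:
    """Constructed client: keeps cookies, follows redirects and runs the challenge script."""

    def __init__(self, ip):
        self.ip, self.cookies = ip, {}

    def get(self, mitigator, path, now):
        for _ in range(4):                      # bounded redirect/reload loop
            r = mitigator.handle(self.ip, path, self.cookies, now)
            if r.action == "redirect":
                name, value = r.headers["Set-Cookie"].split("=", 1)
                self.cookies[name] = value
                path = r.headers["Location"]
            elif r.action == "js":
                nonce = r.body.split("solve('")[1].split("'")[0]
                self.cookies["rdw_js"] = js_solution(nonce)
            else:
                return r.action
        return r.action


def bot_get(mitigator, ip, path, now):
    """Constructed bot: resends the bare request and ignores cookies, redirects and scripts."""
    return mitigator.handle(ip, path, {}, now).action


def scenario():
    """One browser and two bots hitting a flagged application at the same instant."""
    m = Mitigator()
    m.under_attack = True
    browser = Browser("198.51.100.7").get(m, "/login", now=0.0)
    bot1 = [bot_get(m, "203.0.113.10", "/login", 0.0) for _ in range(12)]
    bot2 = [bot_get(m, "203.0.113.11", "/login", 0.0) for _ in range(5)]
    return browser, bot1, bot2


if __name__ == "__main__":
    b, b1, b2 = scenario()
    print("browser:", b)
    print("bot 1  :", b1)
    print("bot 2  :", b2)
```

The browser is admitted on its second request and never sees the later stages; the first bot walks through two redirects and two script pages before it reaches the shared budget, and the second bot, arriving once that budget is spent, is dropped outright. Binding the tokens to the source IP matters: a botnet cannot harvest one valid cookie and replay it from every member.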

DDoS Failure Points within the Network

Internet pipe saturation is the single greatest failure point

On-Demand Cloud Scrubbing

[Diagram: Cloud (Radware Cloud Scrubbing) – Perimeter (Firepower 9300/4100 with ADC) – LAN, with Defense Messaging between the perimeter device and the cloud]

• Traffic baseline is synchronized to Radware's Cloud Scrubbing Center
• Attack is detected and mitigated at the perimeter
• Volumetric DDoS attack saturates the internet pipe
• Attack is diverted immediately and scrubbed in the cloud, freeing the internet pipe
Global Infrastructure for Cloud Services

[Map: Radware Cloud WAF POPs, Radware Scrubbing Centers, and sites marked "Coming soon"]
Vision – Device to Cloud Service Management

[Diagram: an MSSP management plane (Multi-Tenant Portal, Admin UI, E-mail/SysLog, User Repository over RADIUS, Diameter, TACACS+ or LDAP) reaches the Firepower 9300/4100 and ADC at the Perimeter over a REST API over HTTPS; Legit Users and Attackers arrive from the WAN, cross the Perimeter and reach the LAN]
Emergency Response Team (ERT)

Protecting against top attack campaigns

Emergency Response Team (ERT) - 24x7 dedicated team of security experts for fast mitigation under attack
“We've been fortunate to be able to work with the ERT to help us deploy custom signatures that are very
specific, reactive approaches to a customized attack, which has been a fantastic thing.”
Ron Winward, Director of Network Engineering, ServerCentral

