July 2016
Cisco Firepower – Radware DDoS Mitigation Module
Virtual DefensePro
Firepower 9300/4100 - DDoS protection Use Case
[Diagram labels: Web; Portals; Mail; Firepower 9300/4100; ADC]
Protection Modules Overview
Anomalies – RFC-based Protection rules – Globally Applicable to vDP, no policy association required
Signatures – DosShield Module – Profiles are Reusable Policy Objects
- used to identify and remove traffic from known Bots
Behavioral DoS Module – Profiles are Reusable Policy Objects
- baselines generated per Network Protection Policy for TCP, UDP, ICMP and IGMP
- attack detection is based on both rate and ratio anomalies
- generates Real-Time Signatures for surgically blocking attacks
SYN Protection Module – Profiles are Reusable Policy Objects
- Challenge and Response engine distinguishing legitimate from illegitimate clients
- supports both TCP Challenges for numerous protocols
- when HTTP is present application Challenges are used in an action escalation process
- challenges are transparent to end users
DNS Protection Module – Profiles are Reusable Policy Objects but likely more specific to DNS Platforms
- attack detection uses query types, query rate and additional rate invariant parameters
- generates Real-Time Signatures with the ability to leverage an action escalation process
- action escalation includes rate limiting and blocking
Rate vs. Rate-Invariant Behavioral Analysis
[Chart: categories SYN, SYN-ACK, ACK, Data, RST, FIN-ACK; values in percent]
Network Behavior Analysis & RT Signature Technology
Signature parameters (narrowest filters):
• Source/Destination IP
• Source/Destination Port
• Source IP Address
• Packet size
• TTL (Time To Live)
• DNS Query
• Packet ID
• TCP sequence number
• More … (up to 20)
[Diagram labels: Outbound Traffic; RT Signatures; Protected Network]
Network Behavior Analysis & RT Signature Technology
Mitigation optimization process
Closed feedback
DDoS Failure Points within the Network
[Diagram labels: Defense Messaging; Radware Cloud Scrubbing Center; Perimeter; internet pipe; volumetric DDoS attack]
Global Infrastructure for Cloud Services
Coming soon
Vision – Device to Cloud Service Management
[Diagram labels: Multi-Tenant Portal; Admin UI; E-mail/SysLog; User Repository (RADIUS, Diameter, TACACS+, LDAP); MSSP; Legit Users; Attackers]
“We've been fortunate to be able to work with the ERT to help us deploy custom signatures that are very
specific, reactive approaches to a customized attack, which has been a fantastic thing.”
Ron Winward, Director of Network Engineering, ServerCentral