Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard. January 2009. Cristian Velciov. ceo@andrisoft.com (+40) 721 250246



Similar documents
Cheap and efficient anti-ddos solution

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Introducing FortiDDoS. Mar, 2013

FortiDDos Size isn t everything

Radware s Attack Mitigation Solution On-line Business Protection

Introduction of Intrusion Detection Systems

PROFESSIONAL SECURITY SYSTEMS

Security Toolsets for ISP Defense

Automated Mitigation of the Largest and Smartest DDoS Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks

Chapter 8 Security Pt 2

Network Security Platform 7.5

INTRODUCTION TO FIREWALL SECURITY

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

CS 356 Lecture 16 Denial of Service. Spring 2013

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Securing Business-Critical Network and Application Infrastructure NET&COM Feb 2006 Gopala Tumuluri Foundry Networks

Data Sheet. DPtech Anti-DDoS Series. Overview

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Security Technology White Paper

TDC s perspective on DDoS threats

Architecture Overview

A Primer for Distributed Denial of Service (DDoS) Attacks

Application Security Backgrounder

On-Premises DDoS Mitigation for the Enterprise

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Securing Cisco Network Devices (SND)

The ntop Project: Open Source Network Monitoring

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Technical Note. ForeScout CounterACT: Virtual Firewall

Firewalls. Chapter 3

IDS / IPS. James E. Thiel S.W.A.T.

Introduction TELE 301. Routers. Firewalls

A Network Design Primer

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

Cisco Application Networking Manager Version 2.0

WHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

How Cisco IT Uses Firewalls to Protect Cisco Internet Access Locations

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Chapter 8 Network Security

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Modern Denial of Service Protection

Chapter 8 Router and Network Management

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Automated Mitigation of the Largest and Smartest DDoS Attacks

Firewalls. Ahmad Almulhem March 10, 2012

WATCHGUARD FIREBOX VCLASS

IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令

How To Protect A Dns Authority Server From A Flood Attack

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

Distributed Denial of Service protection

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

Gateway Security at Stateful Inspection/Application Proxy

Take the NetFlow Challenge!

Huawei Eudemon200E-N Next-Generation Firewall

Complete Protection against Evolving DDoS Threats

FortiWeb 5.0, Web Application Firewall Course #251

Technology Blueprint. Defend Against Denial of Service Attacks. Protect each IT service layer against exploitation and abuse

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Columbia - Verizon Research Securing SIP: Scalable Mechanisms For Protecting SIP-Based Systems

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Cisco Intrusion Prevention System Advanced Integration Module for Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

SecurityDAM On-demand, Cloud-based DDoS Mitigation

FIREWALLS & CBAC. philip.heimer@hh.se

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

AntiDDoS1000 DDoS Protection Systems

DDoS Overview and Incident Response Guide. July 2014

How To Block A Ddos Attack On A Network With A Firewall

Intrusion Detection and Prevention System (IDPS) Technology- Network Behavior Analysis System (NBAS)

Network Monitoring Comparison

Frequently Asked Questions

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

About Firewall Protection

DDoS Mitigation. Maintaining Business Continuity in the Face of Malicious Attacks. Technical Note

Firewalls & Intrusion Detection

CaptIO Policy-Based Security Device

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Outline (Network Security Challenge)

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

TABLE OF CONTENTS NETWORK SECURITY 1...1

Improving Network Efficiency for SMB Through Intelligent Load Balancing

Gigabit SSL VPN Security Router

First Line of Defense

NIP6300/6600 Next-Generation Intrusion Prevention System

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Eudemon8000 High-End Security Gateway HUAWEI TECHNOLOGIES CO., LTD.

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Edge Configuration Series Reporting Overview

How To Build A Network Security Firewall

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

CISCO GUARD XT 5650 PRODUCT OVERVIEW

Content Distribution Networks (CDN)

Transcription:

Analyzed compe.tors Cisco RadWare Top Layer RioRey IntruGuard January 2009 Cristian Velciov ceo@andrisoft.com (+40) 721 250246

Andrisoft Solution WANGuard Platform is an enterprise-grade Linux-based software solution that delivers the functionality NOC, IT & Security teams need to effectively monitor and protect their network through a single, integrated package. WANGuard Platform is designed to protect organizations from inbound and outbound DoS, DDoS and DrDoS (such as TCP SYN flood, UDP flood, ICMP flood), but it can also be used for traffic monitoring and accounting, reacting to traffic anomalies and more. WANGuard Platform has three main components: WANGuard Sensor is an advanced Linux-based software created for both incoming and outgoing traffic monitoring, accounting and analysis. The supported traffic capturing methods are: Port Mirroring ( SPAN ), Cisco NetFlow, Huawei NetStream and In-line Deployment. At it's core, WANGuard Sensor has a highly scalable traffic correlation engine capable of continuously monitoring hundred of thousands of IP addresses. Complex statistical algorithms integrate traffic data to build accurate and detailed picture of real-time and historical traffic flows across the network. WANGuard Filter is an advanced Linux-based software designed to protect organizations from internal and external threats ( availability attacks on DNS, VoIP, Mail and similar services, unauthorized traffic resulting in network congestion ), botnet-based attacks, zero-day worm and virus outbreaks. WANGuard Filter includes sophisticated algorithms that are able to detect, divert and drop the malicious traffic. WANGuard Console provides the user with a tightly integrated and highly graphical, interactive web interface for all aspects of network protection and IP traffic monitoring, accounting and analysis. Included with WANGuard Console is the advanced graphing engine that provides quick and easy ad-hoc graphing functionality. WANGuard Console offers singlepoint management and reporting, by consolidating data received from all WANGuard Sensor and WANGuard Filter systems deployed within the network.

WANGuard Filter specifications Quickly see detailed live and historical information about traffic anomalies in your network from any location by accessing WANGuard Console with your web browser Defends against known, unknown and evolving attack patterns Recognizes and drops malicious traffic in under 5 seconds Does not block/blacklist valid customer traffic WANGuard Filter can be deployed in-line or out-of-line by diverting the malicious traffic towards the server running it. The cleaned traffic can be re-injected back to the network using Static Routing or GRE / IPIP tunneling Per endpoint flexible threat management tools and an easy to use API for scripting the reaction to attack patterns: alert the NOC staff by email using user-defined email templates alert the ISPs of the attackers via email using user-defined email templates send custom syslog messages to remote log servers execute custom scripts that extend the built-in capabilities, such as: configure ACLs or execute PIX "shun" command to filter attack patterns filter attacking IP addresses by executing route blackhole commands send SNMP TRAP messages to SNMP monitoring stations Does not require network baseline training and operator intervention Easy and non-disruptive installation on common server hardware The most cost-effective DoS, DDoS and DrDoS mitigation and traffic policy enforcement solution on the market

WANGuard Platform deployment To deploy WANGuard Platform in your organization you must install WANGuard Sensor server(s) near your upstream provider edges and one or more WANGuard Filter servers. You may install both components together if you have powerful servers with 3 ore more NICs. A simple deployment scenario involving two dedicated servers:

DoS, DDoS and DrDoS detection requirements for analyzing 1 Gbit NI WANGuard Sensor Type: WANGuard Sniff WANGuard Flow Traffic Capturing Technology: Port Mirroring, Network TAP, In-line Deployment NetFlow or NetStream v.5 enabled network devices Maximum Traffic Capacity: 10 GigE, > 150,000 endpoints 10 GigE, < 100,000 endpoints Traffic Parameters Accuracy: Highest ( 5 seconds averages ) High Traffic Anomalies Detection Time: < 5 seconds < flow export time + 5 seconds Traffic Validation Options: IP Subnets, MAC addresses, VLANs IP Subnets, Interfaces, AS Number Architecture: x86 ( 32 or 64 bit ) x86 ( 32 or 64 bit ) CPU: 1 x Pentium IV 2.0 GHz 1 x Pentium IV 1.6 GHz RAM: 500 Mbytes 3 GBytes Network Cards: 1 x Gigabit Ethernet ( with NAPI Support ) 1 x Fast Ethernet 1 x Fast Ethernet Operating System: Installed Packages: Red Hat Enterprise 5, CentOS 4, CentOS 5, OpenSuSE 10, SUSE Linux Enterprise 10, Debian Linux 4, Ubuntu Linux Server 8 tcpdump, WANGuard-Sensor 3.0, WANGuard-Controller 3.0 Red Hat Enterprise 5, CentOS 4, CentOS 5, OpenSuSE 10, SUSE Linux Enterprise 10, Debian Linux 4, Ubuntu Linux Server 8 WANGuard-Sensor 3.0, WANGuard- Controller 3.0 Disk Space: 5 GB ( including OS ) 5 GB ( including OS )

Comparing Cisco Detector + Cisco Guard and WANGuard Platform Feature Cisco Detector + Guard WANGuard Platform Packet Inspection Technology Detection and Mitigation Attack Protection Multi-verification process (MVP) Multi-verification technology using network processors. Two independent appliances (Detector and Guard). Spoofed and non-spoofed attacks: TCP (syns, syn-acks, acks, fins, fragments),udp (random port floods, fragments), ICMP (unreachable, echo, fragments), DNS, Client Attacks, Inactive and total connections, HTTP Get flood, BGP attacks. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting. Granular Packet Inspection / NetFlow, Continuous, Adaptive rate limiting, using CPUs. One or two appliances (Sensor and Filter), can be deployed inline or configured for traffic diversion. Spoofed and non-spoofed attacks: Protocol (all 256 including TCP, UDP, ICMP, IPSec, BGP, ), Source, Destination, IP options (ToS,TTL, Length), TCP ports (all 64k incl. HTTP, SSL, DNS etc.), UDP ports (all 64k incl. DNS), ICMP Type/Code (all 64k), SYN, Excessive connection/source, Excessive connections/destination, BGP blackholing. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting, White/ Blacklist, Stealth Attack filtering,source Tracking, Actions per attack. Deployment Complex due to traffic diversion. From simple inline-deployment to complex traffic diversion deployment. Management Web-based GUI, CLI, SNMP, TACACS+. Web-based GUI. Baseline Self-Learning Yes. No. Throughput / Latency > 1 Gbps / Unknown. 10 Gbps / < 1 ms.

Competitive analysis with Cisco Detector + Cisco Guard High level summary: Cisco is the biggest player in the networking market and during the last years has acquired multiple small companies to keep up with the perimeter security field. The Cisco solution and WANGuard Platform are created to solve exactly the same DDoS attacks problem. Both solutions don t rely on content-based mitigation and focus on detecting behavior anomalies. Both solutions deliver multi-gigabit performance to protect the largest enterprises, and don't sit in the main datapath. Besides being multiple times more affordable, WANGuard Platform delivers increased deployment and configuration flexibility, and provides a per-ip/ subnet traffic graphing and accounting system.

Comparing RadWare Defense Pro DP-1020 and WANGuard Platform Feature RadWare Defense Pro DP-1020 WANGuard Platform Packet Inspection Technology Detection and Mitigation Attack Protection Multi-verification process (MVP) Deep packet inspection, stateful firewall, based on FPGA. DDoS shield mechanism based on sampling mechanism in CPUs. One inline deployed appliance. Source IP, Destination IP, Source Port, Destination Port, Packet ID, Packet size, TTL (Time to Live), ToS (Type of Service), IP Checksum, TCP Sequence Number, TCP Checksum, TCP Flags, ICMP Checksum, UDP Checksum, ICMP Message Type, DNS Query, DNS Query ID, HTTP request URI. Traffic Anomaly (DoS), SYN Protection, Stateful Inspection, Intrusion Detection, Bandwidth Scheduling, White/Black list, Attack Signatures, Adaptive Smart Dynamic Filters, Proxy-based SYN Cookies, TCP Connection Resetting, Connection Blocking, Dynamic Source IP Blocking, Connection Rate Limit, Actions per Attack. Baseline Self-Learning No. No. Throughput / Latency 8x1Gbps / < 200ms. 10 Gbps / < 1 ms. Granular Packet Inspection / NetFlow, Continuous, Adaptive rate limiting, using CPUs. One or two appliances (Sensor and Filter), can be deployed inline or configured for traffic diversion. Spoofed and non-spoofed attacks: Protocol (all 256 including TCP, UDP, ICMP, IPSec, BGP, ), Source, Destination, IP options (ToS,TTL, Length), TCP ports (all 64k incl. HTTP, SSL, DNS etc.), UDP ports (all 64k incl. DNS), ICMP Type/Code (all 64k), SYN, Excessive connection/source, Excessive connections/destination, BGP blackholing. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting, White/Blacklist, Stealth Attack filtering,source Tracking,Actions per attack.

Competitive analysis with RadWare Defense Pro DP-1020 High level summary: The DDoS mitigation solution from RadWare comes from an acquired company named V-Secure. RadWare Defense Pro DP-1020 must be deployed in the main datapath causing redundancy problems and up to 200 ms delay to the traffic. WANGuard Platform's non-distruptive and flexible installation ensures no delay to the traffic during worst attacks. WANGuard Platform can detect DDoS attacks using NetFlow, it can analyze 10 Gbps network links, and provides a per-ip/subnet traffic graphing and accounting system. By installing Snort on the WANGuard Sensor server, most of the IDS features will be supported at a fraction of the cost.

Comparing Top Layer IPS 5500-1000 and WANGuard Platform Feature Top Layer IPS 5500-1000 WANGuard Platform Packet Inspection Technology Detection and Mitigation Attack Protection Multi-verificationprocess (MVP) Deep packet inspection, stateful firewall, based on FPGA. One inline deployed appliance. Rate limiting on limited number of Dimensions, DDoS Mitigation from high rate attacks such as SYN floods and other network and application based DDoS attacks. (Limited DDoS protection). SYN Flood, SYN/Source, Normal / Suspicious / Malicious Monitor, Proxy, Drop connections. Management Java-based Web GUI, Windows App, CLI. Web-based GUI. Baseline Self-Learning No. No. Throughput / Latency 4x1Gbps / < 1ms. 10 Gbps / < 1 ms. Granular Packet Inspection / NetFlow, Continuous, Adaptive rate limiting, using CPUs. One or two appliances (Sensor and Filter), can be deployed inline or configured for traffic diversion. Spoofed and non-spoofed attacks: Protocol (all 256 including TCP, UDP, ICMP, IPSec, BGP, ), Source, Destination, IP options (ToS,TTL, Length), TCP ports (all 64k incl. HTTP, SSL, DNS etc.), UDP ports (all 64k incl. DNS), ICMP Type/Code (all 64k), SYN, Excessive connection/source, Excessive connections/destination, BGP blackholing. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting, White/ Blacklist, Stealth Attack filtering,source Tracking,Actions per attack. Prevention Time N/A <10 seconds for Port Mirroring or <10 seconds + flow export time for NetFlow.

Competitive analysis with Top Layer IPS 5500-1000 High level summary: Top Layer started as a HTTP load balancer company and they extended their products with very limited DDoS mitigation capabilities. Top Layer IPS 5500-1000 must be deployed in the main datapath causing redundancy problems. WANGuard Platform's non-distruptive and flexible installation ensures no redundancy problems and no delay to the traffic during worst attacks. WANGuard Platform can detect DDoS attacks using NetFlow, it can analyze 10 Gbps network links, and provides a per-ip/subnet traffic graphing and accounting system. By installing Snort on the WANGuard Sensor server, most of the IDS features will be supported at a fraction of the cost.

Comparing RioRey NI-3000 and WANGuard Platform Feature RioRey NI-3000 WANGuard Platform Packet Inspection Technology Detection and Mitigation Attack Protection Multiverificationprocess (MVP) Packet inspection, stateful firewall, based on CPU. One inline deployed appliance. Protocol, Fragmented, TOS, IP Option, Source, Destination, TCP Option, TCP Port, UDP Port, ICMP, SYN. Traffic Anomaly (DoS), SYN Protection, Stateful Inspection, Bandwidth Scheduling, White/Black list. Management Windows-based GUI. Web-based GUI. Baseline Self-Learning Yes. No. Throughput / Latency 100 Mbps / < 1ms. 10 Gbps / < 1 ms. Granular Packet Inspection / NetFlow, Continuous, Adaptive rate limiting, using CPUs. One or two appliances (Sensor and Filter), can be deployed inline or configured for traffic diversion. Spoofed and non-spoofed attacks: Protocol (all 256 including TCP, UDP, ICMP, IPSec, BGP, ), Source, Destination, IP options (ToS,TTL, Length), TCP ports (all 64k incl. HTTP, SSL, DNS etc.), UDP ports (all 64k incl. DNS), ICMP Type/Code (all 64k), SYN, Excessive connection/source, Excessive connections/destination, BGP blackholing. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting, White/ Blacklist, Stealth Attack filtering,source Tracking,Actions per attack. Prevention Time <90 seconds. <10 seconds for Port Mirroring or <10 seconds + flow export time for NetFlow.

Competitive analysis with RioRey NI-3000 High level summary: Riorey technology is based on mathematical research conducted at the University of Maryland. This research led RioRey to the development of algorithms that can distinguish traffic that communicates in a valid manner from traffic that does not. RioRey NI-3000 must be deployed in the main datapath causing redundancy problems. WANGuard Platform's non-distruptive and flexible installation ensures no redundancy problems and no delay to the traffic during the worst DDoS attacks. WANGuard Platform can detect DDoS attacks using NetFlow, it can analyze 10 Gbps network links, and provides a per-ip/subnet traffic graphing and accounting system.

Comparing IntruGuard and WANGuard Platform Feature IntruGuard WANGuard Platform Packet Inspection Technology Detection and Mitigation Attack Protection Multiverificationprocess (MVP) Granular Packet Inspection, Stateful Analysis Firewall Chip(ASIC, FPGA), Continuous, Adaptive rate limiting. One inline deployed appliance. ARP, RARP, Multicast, Broadcast, VLAN, Double Encapsulated VLAN, Protocol (all 256 including TCP, UDP, ICMP, IPSec, BGP, ), Options (32), Fragment, Source, Destination, TOS (all 256), Network Scan, Dark Address Scan, TCP Ports (all 64K including HTTP, SSL, DNS, ), UDP Ports (all 64K), ICMP Type/ Codes (all 64K), TCP Options (32), SYN, Zombie, Excessive Connection/Source, Excessive Connections/ Destination, TCP State violation. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting, State Anomaly Recognition, Stealth Attack filtering, Dark address scan prevention, White/Black list, Nontracked Sources, Source Tracking, Legitimate IP address Matching (for anti-spoofing). Management SSL Management, CLI Web-based GUI. Baseline Self-Learning Yes. No. Throughput / Latency 1Gbps / < 50ms. 10 Gbps / < 1 ms. Granular Packet Inspection / NetFlow, Continuous, Adaptive rate limiting, using CPUs. One or two appliances (Sensor and Filter), can be deployed inline or configured for traffic diversion. Spoofed and non-spoofed attacks: Protocol (all 256 including TCP, UDP, ICMP, IPSec, BGP, ), Source, Destination, IP options (ToS,TTL, Length), TCP ports (all 64k incl. HTTP, SSL, DNS etc.), UDP ports (all 64k incl. DNS), ICMP Type/Code (all 64k), SYN, Excessive connection/source, Excessive connections/ destination, BGP blackholing. Dynamic Filtering, Active Verification, Anomaly Recognition, Protocol Analysis, Rate Limiting, White/Blacklist, Stealth Attack filtering,source Tracking,Actions per attack.

Competitive analysis with IntruGuard High level summary: IntruGuard is a company that actively promotes their own DDoS detection & mitigation appliance. IntruGuard must be deployed in the main datapath causing redundancy problems and up to 50 ms delay to the traffic. WANGuard Platform's nondistruptive and flexible installation ensures no delay to the traffic even during the worst DDoS attacks. IntruGuard's protection against layer 2 attacks has no relevance for IPbased, routed networks. WANGuard Platform can detect DDoS attacks using NetFlow, it can analyze 10 Gbps network links, and provides a per-ip/subnet traffic graphing and accounting system.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information