Application Security Backgrounder




Essential Intrusion Prevention System (IPS) & DoS Protection Knowledge for IT Managers

October 2006

North America: Radware Inc., 575 Corporate Dr., Lobby 1, Mahwah, NJ 07430, Tel: (888) 234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel, Tel: 972 3 766 8666
www.radware.com

According to a recent IDC report [1], over the next decade the explosion of network touch points, coupled with a move into the era of invisible computing, will result in a challenging array of emerging security threats for IT managers. Rapid changes to the source, form, timing, and volume of these threats contribute to their increasing number and complexity. IT managers are further burdened by the growing administrative complexity of the security solutions they must deploy in order to effectively mitigate enterprise risk. Against this backdrop, Radware has prepared an application security backgrounder that explains the primary concepts and solution capabilities IT managers need to understand when defining iterative security architectures relying on Intrusion Prevention Systems (IPSs) and Denial of Service (DoS) Protection.

Security as a Business Enabler

Security has often been thought of as requiring a company to trade off performance for protection, with legitimate users paying a price for protection against the growing number of application-level threats perpetrated today. However, deploying application security solutions based on new, advanced technologies can actually improve business productivity while concurrently blocking attacks and ensuring compliance.

Application-Smart Security

Today's security solutions need to block both network-level and application-level attacks. Application-level attacks are targeted at disabling and damaging application operations. Viruses, intrusions, Trojans, malicious signatures, and illicit traffic and protocol patterns, including Denial of Service (DoS) and SYN attacks, are examples of application-level attacks. Typically these layer 4-7 attacks can be identified only by deep packet inspection and not by layer 3-4 parameters, since they use malicious actions within legitimate types of traffic.
Intrusion Prevention System (IPS)

IPSs are in-line devices that inspect application-level content and block a wide variety of attacks that would typically evade traditional firewalls and anti-virus solutions. IPSs feature several blocking techniques, such as blocking packets and intercepting and resetting connections, to protect against worms, spyware, Denial of Service (DoS) / Distributed Denial of Service (DDoS) and other types of application-level attacks. State-of-the-art solutions provide multiple, proactive protection features and can be flexibly deployed to protect against known threats as well as unknown attacks such as zero-day exploits. Zero-day attacks occur when a security vulnerability is exploited on the same day as it has been publicly announced.

Signature-based Protection

Signatures are used to protect against known exploits and vulnerabilities. Signature-based intrusion prevention solutions examine traffic for specific signature pattern matches. Signature matching is a resource-intensive process which requires high-performance hardware, usually ASIC-based, for large traffic volumes. Signatures are typically written by vendors' security teams, who constantly research the latest vulnerabilities and exploits. The signature sets are continuously updated, and the latest versions can be automatically downloaded to the IPS from vendor websites.

[1] Source: IDC, Threat Management: Protecting Organizations from Emerging Security Challenges, Chris Christiansen and Gerry Pintal, June 2006.

Zero-Day Attack

These attacks exploit an unpublicized vulnerability without forewarning. While signatures are ideal for identifying known exploits and vulnerabilities, they are not effective in stopping unknown zero-day attacks for which no signatures exist. Behavior-based protection is best suited to block unknown attacks. Ideally, IPSs should combine both these techniques into a single appliance.

Behavior-Based Protection

Adaptive behavior-based technologies automatically create accurate signatures on the fly to block zero-day attacks, which otherwise might escape traditional signature-based detection because no signature yet exists for the new attack. Behavioral IPSs block both unknown zero-day attacks and other sophisticated blended/hybrid attacks which would slip through other defenses. Adaptive behavior-based systems create baselines of normal network traffic. If any traffic deviates from the baseline it is characterized as anomalous. If the anomaly is sufficiently severe, the traffic is blocked. Advanced behavior-based systems use self-learning and self-adapting techniques to model traffic. Iterative closed-loop processes are used to constantly fine-tune the blocking filters to accurately block only malicious traffic, while letting legitimate traffic through with minimal delay.

Encrypted Attack

Encrypted SSL-based transactions can contain attack traffic, such as worms, that can strike servers and other critical infrastructure elements. Most intrusion prevention solutions do not offer SSL attack protection. The best solutions include optional modules that use connection termination and blocking techniques to stop SSL attacks. SSL traffic is inspected in parallel with regular traffic, ensuring no added latency or performance loss and allowing for easy scalability.

Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

DoS and DDoS attacks are assaults that flood a network with enormous amounts of bogus messages and requests. They cause the slowdown or complete interruption of legitimate traffic. Unlike a virus or worm, which can cause severe damage to databases, DoS and DDoS attacks interrupt network service. Access to the largest and most well-connected websites can be denied by these types of attacks. In addition to large websites, other targets of DoS/DDoS attacks include root servers, large enterprises, and ISPs, which require massive-bandwidth attacks to be knocked down. A multi-layer approach is required to effectively mitigate DoS/DDoS attacks. The first layer of protection uses a combination of rate-based and signature-based techniques to block known attacks that are launched from attack tools with identifiable signatures. Unknown zero-day DoS/DDoS attacks can be effectively blocked by behavior-based protection. The next effective layer is bandwidth management, which limits the rate and spread of attacks.

Protocol Anomaly

Hackers can compromise a target resource by misusing established network-layer and application-layer protocols in a session that violates the state transitions defined by a specific protocol (e.g., TCP, UDP, ICMP, SMTP, HTTP, DNS). Stateful inspection can prevent such malicious use of protocols. Stateful inspection is a powerful tool designed to deal with a variety of attacks in which the packets exchanged between a client and a server are individually legitimate, yet the security threat is revealed only when inspecting a sequence of packets within a session and not when inspecting individual packets. Stateful inspection is a standard feature in a good intrusion prevention product that offers multiple layers of security.
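The layered DoS/DDoS mitigation just described (signature and rate-based blocking of known attack tools first, then a behavior-based baseline that catches unknown floods) as an added, runnable illustration. This is not Radware's code or a description of any product's internals: the user-agent "signatures", the thresholds (RATE_LIMIT_PER_WINDOW, ANOMALY_SIGMA, BEHAVIOUR_FACTOR), the addresses and the request counts are all constructed for the example.

```python
"""Layered DoS/DDoS mitigation over one time window of request records.

Added illustration, not Radware's code. The layers follow the white paper:
(1) signature and rate-based blocking of known attack tools and obvious floods,
(2) a behaviour-based baseline learned from normal traffic that blocks
unknown floods when the window deviates severely from it.
All thresholds, addresses and user-agent strings below are constructed."""
from collections import Counter
from dataclasses import dataclass
import statistics

KNOWN_TOOL_SIGNATURES = {"FloodTool/1.0", "ExampleStress/2"}  # constructed, not real IoCs
RATE_LIMIT_PER_WINDOW = 50      # assumed hard cap of requests per source per window
ANOMALY_SIGMA = 3.0             # assumed deviation from baseline that counts as severe
BEHAVIOUR_FACTOR = 3.0          # per-source multiple of the learned mean treated as attack share


@dataclass(frozen=True)
class Request:
    src: str
    user_agent: str


class LayeredDosFilter:
    def __init__(self, learning_windows):
        """learning_windows: lists of Request seen per window during normal operation."""
        totals = [len(w) for w in learning_windows]
        self.total_mean = statistics.fmean(totals)
        self.total_stdev = statistics.pstdev(totals) or 1.0   # avoid division by zero
        per_src = [n for w in learning_windows for n in Counter(r.src for r in w).values()]
        self.src_mean = statistics.fmean(per_src)

    def window_zscore(self, requests):
        """How far this window's volume sits from the learned baseline, in standard deviations."""
        return (len(requests) - self.total_mean) / self.total_stdev

    def classify_window(self, requests):
        """Return {src: verdict} for one window; verdict is 'allowed' or 'blocked:<layer>'."""
        per_src = Counter(r.src for r in requests)
        verdicts = {src: "allowed" for src in per_src}
        # Layer 1a: known attack-tool signature -> block the source outright.
        for r in requests:
            if r.user_agent in KNOWN_TOOL_SIGNATURES:
                verdicts[r.src] = "blocked:signature"
        # Layer 1b: rate-based cap per source.
        for src, n in per_src.items():
            if verdicts[src] == "allowed" and n > RATE_LIMIT_PER_WINDOW:
                verdicts[src] = "blocked:rate"
        # Layer 2: behaviour-based. Only when the whole window is anomalous do we
        # derive an on-the-fly filter: sources far above the learned per-source mean.
        if self.window_zscore(requests) > ANOMALY_SIGMA:
            limit = self.src_mean * BEHAVIOUR_FACTOR
            for src, n in per_src.items():
                if verdicts[src] == "allowed" and n > limit:
                    verdicts[src] = "blocked:behaviour"
        return verdicts


LEGIT_CLIENTS = ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5")  # constructed


def build_learning_windows():
    """Constructed normal traffic: five windows, five clients, four or five requests each."""
    windows = []
    for i in range(5):
        w = []
        for src in LEGIT_CLIENTS:
            n = 4 + (1 if (i + int(src[-1])) % 3 == 0 else 0)
            w.extend(Request(src, "Mozilla/5.0") for _ in range(n))
        windows.append(w)
    return windows


def build_attack_window():
    """Constructed flood window: the normal clients plus three attacking sources."""
    w = [Request(src, "Mozilla/5.0") for src in LEGIT_CLIENTS for _ in range(4)]
    w += [Request("203.0.113.7", "FloodTool/1.0")] * 30   # known tool signature
    w += [Request("203.0.113.8", "Mozilla/5.0")] * 60     # exceeds the rate cap
    w += [Request("203.0.113.9", "Mozilla/5.0")] * 25     # under the cap, caught behaviourally
    return w


if __name__ == "__main__":
    f = LayeredDosFilter(build_learning_windows())
    for src, verdict in sorted(f.classify_window(build_attack_window()).items()):
        print(f"{src:14} {verdict}")
```

The point of the second layer is that 203.0.113.9 never trips the fixed rate cap and carries no known signature; it is only blocked because the window as a whole deviates from the learned baseline and that source's share is far above what normal clients generate. In a real system the baseline would be re-learned continuously (the closed loop the text mentions) so that legitimate growth does not stay flagged as an anomaly.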

Access Control

Access control is traditionally a firewall function. IPSs today incorporate some of these functions, including the ability to block specific hosts, IPs, network segments and application ports. Black and white access lists enable highly granular access control, making it easier for security administrators to temporarily block or unblock specific hosts without making time-consuming changes to security policies. A few examples of beneficial temporary black/white listing:

- Blocking all activity arriving from a specific host that is infected by a worm or virus, until the host is disinfected.
- Allowing network management activity that could otherwise be considered a security infraction, such as scanning for available PCs from specific PCs.
- Allowing uninterrupted network traffic from a certain host suspected of triggering specific false positives, until the case is cleared.

Pre-Attack Scan

Pre-attack scans are hacking techniques (such as port scanning and ping sweeps) that probe hosts and application ports for vulnerabilities. This potentially malicious activity reveals information about the hosts and vulnerable applications. Anti-scanning capabilities protect against many types of scans, for example:

- Vertical scanning (multiple ports on a single host)
- Horizontal scanning (a single port across multiple hosts)
- ICMP (ping) sweeps
- Slow scanning
- Scanning from many source ports
- Scanning of multiple destination IPs and ports

Anti-scanning measures protect the business network before an attack occurs, because a scan usually precedes an actual attack.

Bandwidth Management

During an attack (even an unsuccessful one) an enterprise's bandwidth can be clogged by attack traffic, especially during denial of service. In such conditions, legitimate mission-critical applications may not get the bandwidth they need. Bandwidth management therefore becomes an important feature of an IPS, because it limits and isolates attack traffic to ensure that business applications are not affected even while under attack. Flexible, granular bandwidth management policies that enable users to prioritize critical traffic by subnet, application, host or session are desirable.

Attack Isolation

Attack isolation limits the propagation of an attack across users, applications and networks. It is particularly important for securing multi-segment networks, containing the attack while concurrently enabling the availability and continuity of all legitimate traffic.
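The Pre-Attack Scan and Access Control sections above, as one added example that is not part of the white paper: a detector for three of the listed scan classes (vertical, horizontal, ICMP sweep) run over constructed flow records, whose findings feed a temporary black list with an expiry, while a white list lets a designated management host scan without being blocked. The thresholds, addresses and the choice of a management host are assumptions for the example; slow scans and multi-source-port scans are not covered because they need a much longer retention window than this single sample.

```python
"""Pre-attack scan detection over constructed flow records, feeding a temporary
black/white list. Added illustration, not Radware's code; the scan classes
(vertical, horizontal, ICMP sweep) are those named in the white paper.
Thresholds, addresses and the whitelisted management host are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

VERTICAL_PORTS = 10    # assumed: distinct ports probed on one host
HORIZONTAL_HOSTS = 8   # assumed: distinct hosts probed on one port
SWEEP_HOSTS = 8        # assumed: distinct hosts pinged by one source


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp


def detect_scans(flows):
    """Return a list of (src, scan_type, detail) findings."""
    ports_per_target = defaultdict(set)   # (src, dst) -> destination ports
    hosts_per_port = defaultdict(set)     # (src, dport) -> destination hosts
    pinged = defaultdict(set)             # src -> hosts that received ICMP
    for f in flows:
        if f.proto == "icmp":
            pinged[f.src].add(f.dst)
        else:
            ports_per_target[(f.src, f.dst)].add(f.dport)
            hosts_per_port[(f.src, f.dport)].add(f.dst)
    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= VERTICAL_PORTS:
            findings.append((src, "vertical", f"{len(ports)} ports on {dst}"))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= HORIZONTAL_HOSTS:
            findings.append((src, "horizontal", f"port {port} on {len(hosts)} hosts"))
    for src, hosts in pinged.items():
        if len(hosts) >= SWEEP_HOSTS:
            findings.append((src, "icmp_sweep", f"{len(hosts)} hosts pinged"))
    return findings


class TemporaryAccessList:
    """White list wins over black list; black-list entries expire after a TTL."""
    def __init__(self):
        self.white = set()
        self.black = {}   # src -> expiry timestamp

    def allow(self, src):
        self.white.add(src)

    def block(self, src, now, ttl):
        self.black[src] = now + ttl

    def is_blocked(self, src, now):
        if src in self.white:
            return False
        expiry = self.black.get(src)
        if expiry is None:
            return False
        if now >= expiry:          # entry aged out: unblock without a policy change
            del self.black[src]
            return False
        return True


def respond_to_scans(flows, acl, now, ttl=600):
    """Temporarily block every scanning source; whitelisted hosts stay allowed."""
    for src, _kind, _detail in detect_scans(flows):
        acl.block(src, now, ttl)
    return acl


def build_sample_flows():
    """Constructed sample: three scans, a whitelisted management inventory scan, a normal client."""
    flows = []
    for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389):   # vertical scan
        flows.append(Flow("198.51.100.5", "10.0.0.10", "tcp", p))
    for i in range(10):                                                  # horizontal scan
        flows.append(Flow("198.51.100.6", f"10.0.0.{20 + i}", "tcp", 445))
    for i in range(9):                                                   # ping sweep
        flows.append(Flow("198.51.100.7", f"10.0.1.{i + 1}", "icmp", 0))
    for i in range(8):                                                   # management host inventory
        flows.append(Flow("10.0.0.99", f"10.0.2.{i + 1}", "tcp", 22))
    flows.append(Flow("10.0.0.50", "10.0.0.10", "tcp", 443))              # ordinary client
    flows.append(Flow("10.0.0.50", "10.0.0.10", "tcp", 80))
    return flows


if __name__ == "__main__":
    acl = TemporaryAccessList()
    acl.allow("10.0.0.99")   # management scanner, whitelisted on purpose
    respond_to_scans(build_sample_flows(), acl, now=1000)
    for src in ("198.51.100.5", "198.51.100.6", "198.51.100.7", "10.0.0.99", "10.0.0.50"):
        print(src, "blocked" if acl.is_blocked(src, 1000) else "allowed")
```

The detector still reports the management host's port-22 sweep as a horizontal scan; it is the white list, checked first in is_blocked, that keeps it from being enforced, which is exactly the "allow a known security infraction from specific PCs" case in the text. The TTL on black-list entries is what makes the block temporary: no policy is rewritten when the entry ages out.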

Spyware

Spyware is software that sends information about web surfing habits to its web site. It is often installed on computers together with a free download selected from the web, and it then transmits information in the background as the user moves around the web. Also known as "parasite software," "scumware," "junkware" and "thiefware," spyware is also occasionally installed just by visiting a web site. IPSs can block spyware by preventing installation on user computers and by preventing infected hosts from disclosing information, detecting and blocking uploads to spyware servers. IPSs include signatures to protect against various common spyware threats on the internet. They provide protection against spyware infection, hacker communications to the spyware, and spyware communications to remote servers that disclose private user information.

Self-Propagating Worms

A self-propagating worm, by definition, spreads without human intervention. It typically uses a random IP address generation technique (i.e., scanning) in order to locate a vulnerable host to infect. When a vulnerable host is identified, the worm immediately executes its code on this host, thereby infecting the computer with the worm's malicious code. At this point, both infected hosts initiate similar scanning and infect other hosts. In this way, the worm propagates exponentially. Advanced behavior-based IPSs detect, characterize, and prevent worm-spreading activity without any human intervention. They can pinpoint and protect infected systems, thus providing the system administrator with time to implement reactive measures (i.e., system patching and upgrading) while ensuring business continuity. Behavior-based IPSs enable accurate prevention of worms and other network attacks that plague organizations today.

Evasion Techniques

Evasion techniques are attempts to hide attacks aimed at harming servers or operating systems. They are used by hackers who are aware of specific types of traffic protection and are attempting to bypass IPSs. Since most security systems recognize attacks by spotting the attack signature in a packet, attacks can be disguised by dividing them across two or more packets, or by sending them through encrypted SSL channels. Good IPSs use a variety of anti-evasion techniques, including packet reassembly, signature-based protection, protocol anomaly detection and behavioral analysis, to block these attacks.

Multi-Layer Defense (firewalls, anti-virus, intrusion prevention systems)

Traditional security solutions such as firewalls and anti-virus products are unable to protect against the newest threats. To lower security risk it is important to deploy multiple layers of defense:

The first layer is firewalls. These are complementary solutions. Many of these devices are bound by legacy technology and typically operate from layer two to layer three. Traditional firewalls are not application-smart.

The second layer is anti-virus. These are also seen as complementary solutions and not comprehensive: they are restricted to the individual host and usually do not offer protection against unknown threats.

The third and critical layer of defense is intrusion prevention systems. IPSs provide a strong, critical layer of defense against unknown zero-day threats. State-of-the-art solutions provide multiple, proactive protection features and can be flexibly deployed.

2006 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.
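The Protocol Anomaly section and the Evasion Techniques section above both come down to the same engine, so they share one added example here. This is not Radware's code: it is a minimal stateful inspector for the client-to-server side of a TCP session that flags segments violating the handshake state transitions (the protocol-anomaly case) and reassembles the client's byte stream before signature matching, so that an attack string split across two packets, the evasion the text describes, is still caught where a per-packet matcher would miss it. The signature string, addresses and sequence numbers are constructed for the example, and the handshake model is deliberately simplified (no window tracking, no FIN/RST handling).

```python
"""Stateful TCP inspection with client->server stream reassembly. Added illustration,
not Radware's code: it checks TCP handshake state transitions (protocol anomaly) and
reassembles segments so a signature split across packets is still matched, which a
per-packet matcher misses. Signature, addresses and sequence numbers are constructed."""
from dataclasses import dataclass, field

SIGNATURES = [b"X-Attack-Demo: 1"]   # constructed test signature, not a real IoC

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int
    payload: bytes = b""

@dataclass
class Connection:
    state: str                     # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED | BLOCKED
    client_isn: int
    chunks: dict = field(default_factory=dict)   # seq -> payload, may arrive out of order

    def stream(self):
        """Reassemble contiguous client data: trim overlaps, stop at the first hole."""
        out, expected = b"", self.client_isn + 1
        for seq in sorted(self.chunks):
            if seq > expected:                    # gap: nothing beyond it is inspectable yet
                break
            chunk = self.chunks[seq][max(0, expected - seq):]   # drop retransmitted bytes
            out += chunk
            expected += len(chunk)
        return out

def per_packet_match(seg):
    """The naive per-packet check that splitting an attack across packets evades."""
    return any(sig in seg.payload for sig in SIGNATURES)

class StatefulInspector:
    def __init__(self):
        self.conns = {}   # (client, server) -> Connection

    def inspect(self, seg):
        """Return 'ok', 'blocked', 'anomaly:<why>' or 'blocked:<why>' for one segment."""
        key, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        if "SYN" in seg.flags and "ACK" not in seg.flags:          # client opens
            self.conns[key] = Connection("SYN_SENT", seg.seq)
            return "ok"
        if "SYN" in seg.flags:                                       # server SYN-ACK
            conn = self.conns.get(rev)
            if conn is None or conn.state != "SYN_SENT":
                return "anomaly:syn_ack_without_syn"
            conn.state = "SYN_RECEIVED"
            return "ok"
        conn = self.conns.get(key)
        if conn is None:   # server->client data is passed through; unknown client is an anomaly
            return "ok" if rev in self.conns else "anomaly:segment_for_unknown_connection"
        if conn.state == "BLOCKED":
            return "blocked"
        if conn.state == "SYN_RECEIVED" and "ACK" in seg.flags:
            conn.state = "ESTABLISHED"                               # handshake completes
        if seg.payload:
            if conn.state != "ESTABLISHED":
                return "anomaly:data_before_handshake"
            conn.chunks[seg.seq] = seg.payload
            if any(sig in conn.stream() for sig in SIGNATURES):
                conn.state = "BLOCKED"
                return "blocked:signature_in_reassembled_stream"
        return "ok"

def run(segments):
    insp = StatefulInspector()
    return [insp.inspect(s) for s in segments]

def build_split_signature_exchange():
    """Constructed handshake, then a request whose signature straddles two out-of-order segments."""
    c, s, isn = "10.0.0.5", "10.0.0.80", 1000
    body = b"GET / HTTP/1.1\r\nX-Attack-Demo: 1\r\n\r\n"
    cut = 22   # splits the signature as b"X-Atta" | b"ck-Demo: 1"
    return [
        Segment(c, s, frozenset({"SYN"}), isn),
        Segment(s, c, frozenset({"SYN", "ACK"}), 5000),
        Segment(c, s, frozenset({"ACK"}), isn + 1),
        Segment(c, s, frozenset({"ACK"}), isn + 1 + cut, body[cut:]),   # second half arrives first
        Segment(c, s, frozenset({"ACK"}), isn + 1, body[:cut]),
    ]

def build_protocol_anomalies():
    """Constructed violations: data on a never-opened connection; data right after a bare SYN."""
    s = "10.0.0.80"
    return [
        Segment("198.51.100.9", s, frozenset({"ACK"}), 7000, b"GET / HTTP/1.1\r\n"),
        Segment("10.0.0.6", s, frozenset({"SYN"}), 2000),
        Segment("10.0.0.6", s, frozenset({"ACK"}), 2001, b"GET"),
    ]

if __name__ == "__main__":
    print(run(build_split_signature_exchange()))
    print(run(build_protocol_anomalies()))
```

Two details matter for correctness. The reassembler only inspects bytes up to the first hole, so the out-of-order second half produces no match by itself and the decision waits until the stream is contiguous; and overlapping retransmissions are trimmed against the bytes already accepted, the classic place where an inspector and the end host can disagree about what the stream contains. Neither per_packet_match call on the split exchange fires, which is the point the Evasion Techniques section makes.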