On-Premises DDoS Mitigation for the Enterprise




On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide

The Challenge

There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has arisen for a new First Line of Defense. With the ever-broadening motivations for attacks, coupled with easy-to-obtain and even easier-to-use attack tools, the traditional enterprise first line of defense, notably firewalls, is no longer capable of providing comprehensive protection by itself. Cyber-attackers have a detailed technical understanding of firewalls and know how to formulate attacks that either melt down or bypass the firewall's defenses. Flooding attacks, application abuses, advanced evasions and exploits easily pass through firewalls or simply take them offline.

Why New Solutions are Required

In addition to firewalls, organizations have also attempted to deploy modern-day Intrusion Prevention Systems (IPS) as the first line of defense, and often experience DDoS-related outages, unwanted latency caused by the IPS, data breaches during a DDoS smoke-screen attack and, often, a false sense of protection. Most IPS devices have few, if any, proven defenses against the broad spectrum of DDoS attacks experienced today. IPS devices have also been known to revert to layer-2 bypass mode due to excessive CPU consumption while under attack, and they were never designed with perimeter defense in mind. Most IPS devices do not have the ability to withstand the high volumes of unwanted traffic normally experienced at the Internet perimeter.

01 Granular Policy

Corero's First Line of Defense, managed through the Central Management console, provides customers the most granular perimeter security controls in the industry. The Corero solution can be set up, tuned and actively mitigating in as little as thirty minutes and requires no baselining period. Customers get centralized provisioning, policy management and update control for all First Line of Defense devices in their global network.

02 Prevent Access Attempts

Corero's patented Dynamic Threat Assessment technology uses several algorithms, including advanced challenge-response techniques, to categorize sources as unknown, trusted, suspicious or malicious based upon their real-time behavior. This technology can easily identify spoofed connection requests and sources participating in DDoS attacks, and blocks these unwanted access attempts while allowing trusted real users through. Dynamic Threat Assessment continuously monitors all IP sources, including those that appear legitimate, for the entire length of their communications with your network resources. If a trusted source were to suddenly change its access or request behavior and begin participating in a DDoS attack, Corero's First Line of Defense would identify the unwanted behavior and begin blocking that source's traffic.

03 Provide Behavior Detection & Enforce Acceptable Usage Policies

Corero's Request/Response Behavior Analysis dynamically detects requests from sources that are non-standard, unexpected or unusually repetitive, for example repeated requests for large tables of data or password-reset requests. Corero constantly monitors all sources of application requests and uses a real-time accounting system that manages a request credit balance for each client. If a source crosses the customer-defined application-usage thresholds it is blocked until that behavior abates. Access to downstream devices is allowed or blocked based upon individual source behavior, which enables enforcement of usage standards on every source IP address. Corero's First Line of Defense easily detects application-layer denial of service attacks, as well as other unwanted behaviors, and blocks them before they reach the victim devices.
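The credit-balance accounting described above, as an added example that is not Corero's code or the product's actual algorithm: a per-source request-credit gate that charges more for expensive requests (large data pulls, password resets), refills credit over time, blocks a source that overdraws, and re-admits it only once its balance has recovered. Request costs, thresholds and the refill rate are assumed values, and the log lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added illustration, not Corero's code: a per-source request-credit account of the
# kind the section describes. Costs, thresholds and refill rate are assumed values.
REQUEST_COST = {"GET /report/all": 20, "POST /password-reset": 15}  # expensive requests
DEFAULT_COST = 1       # ordinary request
MAX_CREDIT = 60.0      # starting and ceiling balance per source (usage threshold)
REFILL_PER_SEC = 2.0   # credits returned per second a source stays quiet
UNBLOCK_AT = 30.0      # balance a blocked source must regain before re-admission

@dataclass
class SourceState:
    balance: float = MAX_CREDIT
    last_ts: float = 0.0
    blocked: bool = False

class RequestCreditGate:
    def __init__(self):
        self.sources = defaultdict(SourceState)

    def handle(self, ts, src, request):
        # Decide 'allow' or 'block' for one request and update the source's account.
        st = self.sources[src]
        # credit refills with elapsed time, so a quiet source recovers ("behavior abates")
        st.balance = min(MAX_CREDIT, st.balance + (ts - st.last_ts) * REFILL_PER_SEC)
        st.last_ts = ts
        if st.blocked:
            if st.balance < UNBLOCK_AT:
                return "block"          # still over threshold: keep blocking
            st.blocked = False          # recovered: re-admit the source
        st.balance -= REQUEST_COST.get(request, DEFAULT_COST)
        if st.balance < 0:
            st.blocked = True           # crossed the usage threshold
            return "block"
        return "allow"

def run_log(lines):
    # Feed constructed "ts src request" lines through one gate; return the decisions.
    gate = RequestCreditGate()
    return [gate.handle(float(ts), src, req) for ts, src, req in
            (line.split(" ", 2) for line in lines)]

# Constructed sample log: one client hammers a large report, another browses normally.
SAMPLE_LOG = [
    "0.0 10.0.0.5 GET /index",
    "0.5 10.0.0.5 GET /report/all",
    "0.6 10.0.0.5 GET /report/all",
    "0.7 10.0.0.5 GET /report/all",
    "0.8 10.0.0.5 GET /report/all",   # fourth pull in 0.3 s: balance goes negative
    "0.9 10.0.0.9 GET /index",        # unrelated source is unaffected
    "1.0 10.0.0.5 GET /index",        # still blocked
    "30.0 10.0.0.5 GET /index",       # quiet for 29 s: refilled past UNBLOCK_AT
]
```

Running `run_log(SAMPLE_LOG)` yields allow for the first four requests, block for the fourth report pull and the request a moment later, allow for the other source, and allow again once the hammering source has been quiet long enough to refill.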

04 Provide Bi-Directional Deep Packet Inspection

Corero's First Line of Defense operates bi-directionally, detecting inbound as well as outbound DDoS attacks and command & control communications simultaneously. Randomizing application-layer DDoS attack tools (for example High Orbit Ion Cannon) have rendered payload-pattern matching techniques obsolete; such attacks can only be reliably detected by observing outbound server responses, which requires bi-directional attack detection. In/Out, Source, Destination, Port, Protocol, Allow, Block, Detect and Inspect policies can be configured for any IP address regardless of location or traffic direction. Corero inspects every packet in every direction, and its L3/L4 Packet Filtering can easily allow or block any port or protocol bi-directionally while thoroughly inspecting all allowed services with multidimensional unwanted-traffic detection techniques.

05 Protect Against Protocol Anomalies and Zero-Day Attacks

Corero's Protocol Validation Engine inspects all packets of a network and/or application transaction. It compares the observed content and characteristics to what is allowed, expected or required by the protocol specifications and known implementations, and takes the appropriate action (e.g. detection or blocking) on violations. Corero's Protocol Analysis technique is quite different from inspecting traffic against a list of pattern-matching signatures or using simple, rudimentary protocol header checks. Due to its purpose-built, multidimensional hardware architecture, Corero's First Line of Defense delivers one of the only successful and widely deployed implementations of inline Protocol Validation on the market today.

06 Prevent Advanced Evasion Technique (AET) Attacks

Corero's Advanced Evasion Detection technology can block nearly every advanced evasion attempt. With Corero's First Line of Defense, the same malware, exploits and other targeted attacks will still be detected regardless of the evasion techniques used. With its specially designed AET inspection engines, complete payload inspection is always performed for every packet within every data stream.

07 Reject Exploits Designed for Data Exfiltration at the Perimeter

Corero's Overflow and Injection protection utilizes specialized exploit and vulnerability signatures to detect and block these focused attacks before they breach the network perimeter. With regard to the broad spectrum of perimeter-based attacks experienced today, Corero's First Line of Defense provides a stronger defensive posture than first- or next-generation firewalls, IPS, anti-DDoS devices and cloud-based DDoS providers.

08 Block Known Malicious IP Addresses: Dynamic Reputation Intelligence

Corero has implemented a real-time reputation engine, ReputationWatch, into its First Line of Defense that updates its list of identified high-risk, malicious or suspicious IP addresses at least once every hour. ReputationWatch integrates industry-leading security intelligence feeds, including those from technology partners. Corero's ReputationWatch allows organizations to set up a security policy to monitor or block communications into or out of their network with known high-risk IP addresses.

09 Block Access to Your Network From Unwanted Geolocations

Corero's Geolocation service is a component of the ReputationWatch service. It gives Corero customers the ability to set configurable geolocation access policies based on country of origin. In addition, because the Corero solution monitors communications bi-directionally, the First Line of Defense can prevent compromised internal assets from communicating with countries you select to blacklist. This significantly reduces the opportunity for cyber criminals to exfiltrate sensitive data from your servers.

10 Increase Your Visibility into the Behavior of Suspicious Network Traffic

Corero's First Line of Defense delivers the visibility needed to quickly determine the operating state and security of an organization's Internet and data center perimeters. Normally deployed at the very edge of the protected network, the technology provides real-time on-system logging, live statistics, IP lookups, security event packet captures (PCAP), flow mirroring, discarded-packet copying and inline packet sniffing. The solution fully integrates with nearly all commercially available SIEM solutions via Syslog and SNMP. Corero's solution includes Central Management software providing remote device management, security policy management and protection update management for up to 64 hardware devices, and includes reporting, alerting and forensics as well.

Conclusion

Firewalls are designed to provide high-level policy control of network traffic based on port, protocol, application classification and several generic network services such as Network Address Translation (NAT), port forwarding, DHCP and VPN termination. IPS devices, on the other hand, are focused more on malware and anomaly detection. Both are incapable of defeating the broad spectrum of perimeter attacks experienced today, for example DDoS. The enterprise needs a new First Line of Defense purposely designed for the task at hand. That is why enterprises, data centers, hosting and service providers are actively adding Corero's First Line of Defense to their layered security topology, shoring up existing defenses against today's cyber-threats.

About Corero

Corero Network Security, an organization's First Line of Defense, is an international network security company and a leading provider of Distributed Denial of Service (DDoS) defense and next-generation security solutions. As the First Line of Defense, Corero's products and services stop attacks, including DDoS, at the perimeter before they can penetrate your network, protecting IT infrastructure and eliminating downtime. Customers include enterprises across industries from banking to financial services, gaming, education, retail and critical infrastructure, as well as service providers and government organizations worldwide. Corero's solutions are dynamic and automatically respond to evolving cyber attacks, known and unknown, allowing existing IT infrastructure such as firewalls, which are ineffective at stopping much of today's unwanted traffic at the perimeter, to perform their intended purposes. Corero's products are transparent, highly scalable and feature the lowest latency and highest reliability in the industry. Corero is headquartered in Hudson, Massachusetts with offices around the world. www.corero.com

Offices

United States: 1 Cabot Road, Hudson, MA 01749. Tel: +1 978 212 1500. Fax: +1 978 212 1600. Email: info@corero.com

United Kingdom: Regus House, Highbridge, Oxford Road, Uxbridge UB8 1HR, UK. Tel: +44 (0) 1895 876579. Email: info_uk@corero.com