On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide
The Challenge
There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has arisen for a new First Line of Defense. With the ever-broadening motivations for attacks, coupled with easy-to-obtain and even easier-to-use attack tools, the traditional enterprise first line of defense, notably firewalls, is no longer capable of providing comprehensive protection by itself. Cyber-attackers have a detailed technical understanding of firewalls and know how to formulate attacks that either melt down or bypass the firewall's defenses. Flooding attacks, application abuses, advanced evasions and exploits easily pass through firewalls or simply take them offline.

Why New Solutions are Required
In addition to firewalls, organizations have also attempted to deploy modern-day Intrusion Prevention Systems (IPS) as the first line of defense, and often experience DDoS-related outages, unwanted latency caused by the IPS, data breaches during a DDoS smoke-screen attack, and often a false sense of protection. Most IPS devices have few, if any, proven defenses against the broad spectrum of DDoS attacks experienced today. IPS devices have also been known to revert to layer-2 bypass mode due to excessive CPU consumption while under attack, and they were never designed with perimeter defenses in mind. Most IPS devices do not have the ability to withstand the high volumes of unwanted traffic normally experienced at the Internet perimeter.
01 Granular Policy
Corero's First Line of Defense, managed through the Central Management console, provides customers the most granular perimeter security controls in the industry. The Corero solution can be set up, tuned and actively mitigating in as little as thirty minutes and requires no baselining timeframes. Customers experience centralized provisioning, policy management and update control for all First Line of Defense devices in their global network.
02 Prevent Access Attempts
Corero's patented Dynamic Threat Assessment technology uses several algorithms, including advanced challenge-response techniques, to categorize sources as unknown, trusted, suspicious or malicious based upon their real-time behavior. This technology can easily identify spoofed connection requests and sources participating in DDoS attacks, and blocks these unwanted access attempts while allowing trusted real users through. Dynamic Threat Assessment continuously monitors all IP sources, including those that appear legitimate, during the entire length of their communications with your network resources. If a trusted source were to suddenly change its access or request behavior and begin participating in a DDoS attack, Corero's First Line of Defense would identify the unwanted behavior and begin blocking that source's traffic.
03 Provide Behavior Detection & Enforce Acceptable Usage Policies
Corero's Request/Response Behavior Analysis dynamically detects requests from sources that are non-standard, unexpected or unusually repetitive, for example repeated requests for large tables of data or password-reset requests. Corero constantly monitors all sources of application requests and uses a real-time accounting system designed to manage per-client request credit balances. If a source crosses the customer-defined application-usage thresholds, it is blocked until that behavior abates. Access to downstream devices is allowed or blocked based upon individual source behavior, which enables enforcement of usage standards on every source IP address. Corero's First Line of Defense easily detects application-layer denial of service attacks, as well as other unwanted behaviors, and blocks them before they reach the victim devices.
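The two mechanisms above, per-source credit accounting with customer-defined thresholds and the unknown/trusted/suspicious/malicious classification of sources, can be illustrated with a small simulation. The following is an added example written for this guide, not Corero code: the policy values, the state-transition rules, the request costs and the log lines are all constructed assumptions, chosen so that a trusted source that suddenly starts pulling large reports is demoted and then blocked until its balance refills.

```python
"""Per-source request-credit accounting with a behavioural state per IP.

Added illustration of the credit-balance / threshold idea and the
unknown-trusted-suspicious-malicious classification described in the
guide. Not Corero code: policy values, state rules, request costs and
log lines are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

UNKNOWN, TRUSTED, SUSPICIOUS, MALICIOUS = "unknown", "trusted", "suspicious", "malicious"


@dataclass
class Policy:
    """Customer-defined application-usage thresholds (assumed values)."""
    capacity: float = 10.0          # credits a well-behaved source may hold
    refill_per_sec: float = 2.0     # credits returned per second of quiet
    cost: dict = field(default_factory=lambda: {
        "GET": 1.0,             # ordinary page fetch
        "REPORT": 4.0,          # large table of data
        "RESET_PASSWORD": 5.0,  # password-reset request
    })
    suspicious_below: float = 3.0   # balance under which the source is flagged
    trust_after: int = 5            # consecutive allowed requests to earn trust


@dataclass
class Source:
    balance: float
    last_seen: float
    state: str = UNKNOWN
    good_requests: int = 0


class RequestAccountant:
    def __init__(self, policy: Optional[Policy] = None):
        self.policy = policy or Policy()
        self.sources: dict = {}

    def decide(self, ip: str, ts: float, action: str) -> tuple:
        """Account one request; return (verdict, state), verdict is allow|block."""
        p = self.policy
        src = self.sources.get(ip)
        if src is None:
            src = self.sources[ip] = Source(balance=p.capacity, last_seen=ts)

        # Credits refill while the source is quiet, so a blocked source
        # recovers on its own once the unwanted behaviour abates.
        elapsed = max(0.0, ts - src.last_seen)
        src.balance = min(p.capacity, src.balance + elapsed * p.refill_per_sec)
        src.last_seen = ts

        # A malicious source is reconsidered only once it has refilled past
        # the suspicious threshold; until then every request is dropped.
        if src.state == MALICIOUS:
            if src.balance < p.suspicious_below:
                return "block", src.state
            src.state = SUSPICIOUS

        cost = p.cost.get(action, 1.0)   # unlisted actions cost one credit
        if cost > src.balance:
            # Threshold crossed: block and reset the trust counter.
            src.state = MALICIOUS
            src.good_requests = 0
            return "block", src.state

        src.balance -= cost
        src.good_requests += 1
        if src.balance < p.suspicious_below:
            # Even a trusted source is demoted when its behaviour changes.
            src.state = SUSPICIOUS
            src.good_requests = 0
        elif src.state in (UNKNOWN, SUSPICIOUS) and src.good_requests >= p.trust_after:
            src.state = TRUSTED
        return "allow", src.state


def process_log(lines: list, policy: Optional[Policy] = None) -> list:
    """Feed 'ts ip action' lines through the accountant; return (ip, verdict, state) per line."""
    acct = RequestAccountant(policy)
    out = []
    for line in lines:
        ts, ip, action = line.split()
        verdict, state = acct.decide(ip, float(ts), action)
        out.append((ip, verdict, state))
    return out


# Constructed request log: one source browsing normally and then pulling
# large reports in a burst, another hammering password resets.
SAMPLE_LOG = [
    "0.0 203.0.113.7 GET",
    "0.0 198.51.100.9 RESET_PASSWORD",
    "0.1 198.51.100.9 RESET_PASSWORD",
    "0.2 198.51.100.9 RESET_PASSWORD",
    "0.5 203.0.113.7 GET",
    "1.0 203.0.113.7 GET",
    "1.5 203.0.113.7 GET",
    "2.0 203.0.113.7 GET",
    "2.5 203.0.113.7 REPORT",
    "2.6 203.0.113.7 REPORT",
    "2.7 203.0.113.7 REPORT",
    "2.8 203.0.113.7 GET",
    "8.0 203.0.113.7 GET",
]

if __name__ == "__main__":
    for ip, verdict, state in process_log(SAMPLE_LOG):
        print(f"{ip:<14} {verdict:<5} {state}")
```

The refill-on-idle rule is what makes "blocked until that behavior abates" concrete: nothing has to expire a block explicitly, the source simply earns its way back once it stops over-spending. Per-action costs are the knob a customer would tune so that a report download or password reset weighs more than a page fetch.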
04 Provide Bi-Directional Deep Packet Inspection
Corero's First Line of Defense operates bi-directionally, detecting inbound as well as outbound DDoS attacks and command & control communications simultaneously. Randomizing application-layer DDoS attack tools (for example High Orbit Ion Cannon) have rendered payload-pattern matching techniques obsolete; such attacks can only be reliably detected by observing outbound server responses, which requires bi-directional attack detection. In-Out, Source, Destination, Port, Protocol, Allow, Block, Detect and Inspect policies can be configured for any IP address regardless of location or traffic direction. Corero inspects every packet in every direction, and its L3/L4 Packet Filtering can easily allow or block any port or protocol bi-directionally while thoroughly inspecting all allowed services with multidimensional unwanted-traffic detection techniques.
05 Protect Against Protocol Anomalies and Zero-Day Attacks
Corero's Protocol Validation Engines inspect all packets of a network and/or application transaction. They compare the observed content and characteristics to what is allowed, expected or required by the protocol specifications and known implementations, and take the appropriate action (e.g. detection or blocking) on violations. Corero's Protocol Analysis technique is quite different from inspecting traffic against a list of pattern-matching signatures or using simple, rudimentary protocol header checks. Due to its purpose-built, multidimensional hardware architecture, Corero's First Line of Defense delivers one of the only successful and widely deployed implementations of inline Protocol Validation on the market today.
06 Prevent Advanced Evasion Technique (AET) Attacks
Corero's Advanced Evasion Detection technology can block nearly every advanced evasion attempt. With Corero's First Line of Defense, the same malware, exploits and other targeted attacks will still be detected regardless of the evasion techniques used. With its specially designed AET inspection engines, complete payload inspection is always performed for every packet within every data stream.
07 Reject Exploits Designed for Data Exfiltration at the Perimeter
Corero's Overflow and Injection protection utilizes specialized exploit and vulnerability signatures to detect and block these focused attacks before they breach the network perimeter. With regard to the broad spectrum of perimeter-based attacks experienced today, Corero's First Line of Defense provides a greater defensive posture than first- or next-generation firewalls, IPS, anti-DDoS devices and cloud-based DDoS providers.
08 Block Known Malicious IP Addresses: Dynamic Reputation Intelligence
Corero has implemented a real-time reputation engine, ReputationWatch, into its First Line of Defense that updates the identified high-risk malicious or suspicious IP addresses at least once every hour. ReputationWatch integrates industry-leading security intelligence feeds, including feeds from technology partners. Corero's ReputationWatch allows organizations to set up a security policy to monitor or block communications into or out of their network with known high-risk IP addresses.
09 Block Access to Your Network From Unwanted Geolocations
Corero's Geolocation service is a component of the ReputationWatch service. It gives Corero customers the ability to set configurable geolocation access policies based on country of origin. In addition, because the Corero solution monitors communications bi-directionally, the First Line of Defense can prevent compromised internal assets from communicating with countries you select to blacklist. This significantly reduces the opportunity for cyber criminals to exfiltrate sensitive data from your servers.
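The reputation and geolocation policies in sections 08 and 09 share one evaluation step: identify the external peer of a flow, whichever direction it runs, and look that peer up in a reputation list and a country table. The following is an added example written for this guide, not Corero code or the ReputationWatch implementation: the feed entries, the country table (RFC 5737 documentation prefixes with made-up country codes), the internal network and the flow records are all constructed for the illustration, and the monitor-or-block action is a policy choice as the guide describes.

```python
"""Bi-directional reputation and geolocation policy evaluation.

Added example in the spirit of the ReputationWatch and Geolocation policies
the guide describes; it is not Corero code. The feed entries, country
prefixes (RFC 5737 documentation ranges with made-up country codes),
internal networks and flow records are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed reputation feed: prefix -> risk tag. A real feed is refreshed
# periodically (the guide says at least hourly); here it is a static dict.
REPUTATION_FEED = {
    "203.0.113.0/24": "scanner",
    "198.51.100.42/32": "botnet-c2",
}

# Constructed geolocation table: prefix -> country code (codes are made up).
GEO_TABLE = {
    "192.0.2.0/24": "XA",
    "198.51.100.0/24": "XB",
    "203.0.113.0/24": "XC",
}

# The protected network, so each flow can be labelled inbound or outbound.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class GeoReputationPolicy:
    blocked_countries: set = field(default_factory=set)  # applies in both directions
    reputation_action: str = "block"                     # "block" or "monitor"


def longest_match(table: dict, ip: str) -> Optional[str]:
    """Return the value of the most specific prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best_len, best_value = -1, None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_value = net.prefixlen, value
    return best_value


def evaluate_flow(src: str, dst: str, policy: GeoReputationPolicy) -> tuple:
    """Return (verdict, reason, direction) for one flow.

    The external peer is checked whichever way the flow runs, so a
    compromised internal host talking out to a listed address or a
    blacklisted country is caught just like an inbound connection.
    """
    src_internal = any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS)
    direction = "outbound" if src_internal else "inbound"
    peer = dst if src_internal else src

    tag = longest_match(REPUTATION_FEED, peer)
    if tag is not None:
        return policy.reputation_action, f"reputation:{tag}", direction

    country = longest_match(GEO_TABLE, peer)
    if country in policy.blocked_countries:
        return "block", f"geo:{country}", direction

    return "allow", "none", direction


def evaluate_flows(lines: list, policy: GeoReputationPolicy) -> list:
    """Evaluate 'proto src dst' flow records; one (verdict, reason, direction) each."""
    results = []
    for line in lines:
        _proto, src, dst = line.split()
        results.append(evaluate_flow(src, dst, policy))
    return results


# Constructed flow records, one per line: protocol, source, destination.
SAMPLE_FLOWS = [
    "tcp 203.0.113.55 10.1.1.1",   # inbound from a prefix on the reputation feed
    "tcp 10.2.3.4 198.51.100.42",  # internal host reaching out to a listed address
    "tcp 10.2.3.4 198.51.100.7",   # internal host reaching a blacklisted country
    "tcp 192.0.2.10 10.1.1.1",     # inbound from a country that is not blacklisted
]

if __name__ == "__main__":
    policy = GeoReputationPolicy(blocked_countries={"XB"})
    for line, (verdict, reason, direction) in zip(SAMPLE_FLOWS, evaluate_flows(SAMPLE_FLOWS, policy)):
        print(f"{line:<28} {direction:<8} {verdict:<7} {reason}")
```

Reputation is consulted before geolocation, so a listed address is reported as such even when its country is also blacklisted; switching `reputation_action` to "monitor" turns the reputation match into a log-only verdict while geolocation blocks still apply.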
10 Increase Your Visibility into the Behavior of Suspicious Network Traffic
Corero's First Line of Defense delivers the visibility needed to quickly determine the operating state and security of an organization's Internet and data center perimeters. Normally deployed at the very edge of the protected network, the technology provides real-time on-system logging, live statistics, IP lookups, security event packet captures (PCAP), flow mirroring, discard packet copying and inline packet sniffing. The solution fully integrates with nearly all commercially available SIEM solutions via Syslog and SNMP. Corero's solution includes Central Management software components providing remote device management, security policy management and protection update management for up to 64 hardware devices, and includes reporting, alerting and forensics as well.
Conclusion
Firewalls are designed to provide high-level policy control of network traffic by port, protocol and application classification, plus several generic network services such as Network Address Translation (NAT), port forwarding, DHCP and VPN termination. IPS devices, on the other hand, are focused more on malware and anomaly detection. Both are incapable of defeating the broad spectrum of perimeter attacks experienced today, for example DDoS. The enterprise needs a new First Line of Defense purposely designed for the task at hand. That is why enterprises, data centers, hosting and service providers are actively adding Corero's First Line of Defense to their layered security topology, shoring up the existing defenses against today's cyber-threats.
About Corero
Corero Network Security, an organization's First Line of Defense, is an international network security company and a leading provider of Distributed Denial of Service (DDoS) defense and next-generation security solutions. As the First Line of Defense, Corero's products and services stop attacks at the perimeter, including DDoS, before they can penetrate your network, protecting IT infrastructure and eliminating downtime. Customers include enterprises across industries from banking to financial services, gaming, education, retail and critical infrastructure, as well as service providers and government organizations worldwide. Corero's solutions are dynamic and automatically respond to evolving cyber attacks, known and unknown, allowing existing IT infrastructure, such as firewalls that are ineffective at stopping much of today's unwanted traffic at the perimeter, to perform its intended purpose. Corero's products are transparent, highly scalable and feature the lowest latency and highest reliability in the industry. Corero is headquartered in Hudson, Massachusetts with offices around the world. www.corero.com
Offices
United States
1 Cabot Road, Hudson, MA 01749
Tel: +1 978 212 1500
Fax: +1 978 212 1600
Email: info@corero.com

United Kingdom
Regus House, Highbridge, Oxford Road, Uxbridge UB8 1HR, UK
Tel: +44 (0) 1895 876579
Email: info_uk@corero.com