For IT Infrastructure, Mobile and Cloud Computing - Why and how


Will you fear me...

First, who is this group called Anonymous? Put simply, it is an international cabal of criminal hackers dating back to 2003, who have shut down the websites of the U.S. Department of Justice and the F.B.I. They have hacked into the phone lines of Scotland Yard. They are responsible for attacks against MasterCard, Visa, Sony and the Governments of the U.S., U.K., Turkey, Australia, Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand. (Source: Wikipedia)

Disruption and Denial of Service caused by hundreds of thousands of computers

May I be your nightmare... Ever read about your own death on your Website? -- Rupert Murdoch did...

Security Attacks and Damage Increasing Rapidly
- Exponential growth in new threats
- Number of vulnerabilities discovered in apps is far greater than in OS
- Hacking changed from Hobby to prosperous Business!
- Cybercrime economy estimated at $1 trillion in 2009!

The Source(s) of the Problem
- The Internet
- Flawed software
- Known vulnerabilities
- Unknown (zero-day) vulnerabilities
- Misconfiguration
- Network
- Servers
- Clients
- Trusting people

The Damage
- Loss of data
- Loss of time
- Monetary loss
- Disabled/crippled services
- Legal exposure
- Loss of reputation
- Customer churn

Types of Vulnerabilities

Network Security Threats
- Malware
- Viruses
- Worms
- Trojans
- Rootkits
- Spyware
- Spam
- Malicious adware/scareware
- Evasion techniques
All of them are malicious.

It's all about Making Money
- Unauthorized bank, credit card transactions
- Advance fees (Nigeria)
- Product sales
- Scareware adware
- Criminal services
- Toolkits
- Stolen account information
- CAPTCHA-breaking services
- Virus testing
- Search redirection

The solution: Security Appliances (?)

Security Mechanisms/Devices
- Firewall
- VPN gateway
- Intrusion prevention (IPS)
- URL filtering
- Anti-virus
- Anti-spam
- Individual devices or combined
- Unified Threat Management (UTM)
Feb 11, 2010 Fortinet ships 500,000th ISA SonicWall NSA Series (now Dell)

Network Security Devices
You have all of that... But who can guarantee they are working correctly under attack?

Measuring Security Devices
- Effectiveness
- Accuracy
- Performance
- Full load
- Real-world multiplay traffic
Source: Microsoft Technet

Network Security Testing
- Known vulnerabilities
- Unknown vulnerabilities
- Massive DDoS
- Line-rate multiplay traffic
- Encrypted traffic
- Viruses
- Spam
- Trojans
- Rootkits
- Spyware
- Adware
- Network attacks
- Many thousands of vulnerabilities (CVE)
- Dozens of evasion techniques
- Frequent updates

Network Security Testing
- Known vulnerabilities (BPS/Ixia)
- Unknown vulnerabilities (BreakingPoint)
- Massive DDoS
- Line-rate multiplay traffic
- Encrypted traffic
ARP flood, PING, Ping of death, Smurf, Unreachable host, Land, Teardrop, SYN flood, SYN/ACK, FIN flood, UDP fragment flood, ACK fragment flood, DNS flood, Evasive UDP, PING sweep, Xmas tree

Network Security Testing
- Known vulnerabilities
- Unknown vulnerabilities (BPS)
- Massive DDoS
- Line-rate multiplay traffic
- Encrypted traffic
- IPsec
- SSL/TLS

Trade-offs: DoS Attack Impact on Performance
[Chart: results from an actual firewall test, annotated with "DoS attack begins", "DoS attack ends", "Customer traffic degradation" and "IPsec performance degradation"]

Distributed Denial of Service

What Motivates DDoS Attackers?
- Illegal, yet happen frequently
- Easy to implement, easy to hide
- Monetary gain
- DDoS as a service
- DDoS blackmail
- Payback and revenge
- Take down competitive websites
- Personal attack
- Political
- Practicing DDoS attacks
- For fun

Botnets
What are botnets?
- Automated software that controls a collection of zombie machines
How big are they?
- 100,000+ zombies in large botnets
- Generate DDoS traffic at rates of 10 Gbps to 100 Gbps
Microsoft Security Intelligence Report, June 2010

Unexpected Peak Hours
- DDoS attacks can be the result of an overwhelming number of legitimate
- Google recognized a DDoS pattern when millions of search queries for Michael J. death had an unexpected peak for several hours

Security in the Cloud

Cloud Service Providers
Cloud Service Providers Say Data Security Not My Job: eweek.com May, 2010
Ponemon Institute survey: 103 US providers, 24 European providers
- 73% of U.S. providers: services did not substantially secure sensitive information
- 69% didn't believe securing data was their responsibility
- Majority don't have dedicated security personnel
- Cloud providers are least confident in their ability to:
  - Restrict privileged user access to sensitive data
  - Ensure proper data segregation requirements

Virtualization Vulnerabilities
- Hyper-jacking
- VM escape
- VM hopping
- VM theft
- VM sprawl

VM Migration Vulnerability

Mobile Security

Wireless Network Security
- Air interface
- Applications
- Thousands each day
- Often written by novice programmers
- Vendors can't review everything
- Anti-virus often not installed
- Smartphone OS targets
- iPhone
- Android

Testing Network Security Devices

Testing Network Security Devices
- Security effectiveness
  - Ability to detect and block malicious traffic
  - Effectiveness = blocked attacks / attempted attacks
- Detection accuracy
  - False positives
  - Blocking legitimate traffic = denial of service
- Scale and performance
  - Application delivery performance
  - QoE impact when handling attacks
  - Resistance against high rates or volumes of attacks
  - IPsec performance, especially for wireless gateways
- Availability
  - Availability = 100 x uptime/(uptime + downtime)
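The three formulas on this slide applied to one test run, as an added example that is not part of the original deck. The `Flow` record, the probe format and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    kind: str      # "attack" or "legit": what the test tool sent
    blocked: bool  # True if the device under test dropped it

def effectiveness(flows):
    """blocked attacks / attempted attacks, as defined on the slide."""
    attacks = [f for f in flows if f.kind == "attack"]
    if not attacks:
        raise ValueError("no attack flows in this run")
    return sum(f.blocked for f in attacks) / len(attacks)

def false_positive_rate(flows):
    """Share of legitimate flows the device blocked (self-inflicted DoS)."""
    legit = [f for f in flows if f.kind == "legit"]
    if not legit:
        raise ValueError("no legitimate flows in this run")
    return sum(f.blocked for f in legit) / len(legit)

def availability(probes):
    """100 x uptime / (uptime + downtime) from timestamped health probes.

    probes: list of (seconds, is_up) sorted by time. The interval between
    two probes is credited to the state observed at its start.
    """
    up = down = 0.0
    for (t0, state), (t1, _) in zip(probes, probes[1:]):
        if state:
            up += t1 - t0
        else:
            down += t1 - t0
    if up + down == 0:
        raise ValueError("need at least two probes at different times")
    return 100.0 * up / (up + down)

# Constructed run: 200 attacks (198 blocked), 1000 legitimate flows (5 blocked)
SAMPLE_FLOWS = ([Flow("attack", True)] * 198 + [Flow("attack", False)] * 2 +
                [Flow("legit", False)] * 995 + [Flow("legit", True)] * 5)
# Constructed probes: device unresponsive from t=600 s to t=630 s of a 1 h run
SAMPLE_PROBES = [(0, True), (600, False), (630, True), (3600, True)]

if __name__ == "__main__":
    print(f"effectiveness       {effectiveness(SAMPLE_FLOWS):.1%}")
    print(f"false positive rate {false_positive_rate(SAMPLE_FLOWS):.2%}")
    print(f"availability        {availability(SAMPLE_PROBES):.3f}%")
```

Reporting the false-positive rate next to effectiveness matters because a device can reach 100% effectiveness by blocking everything, which the slide counts as a denial of service in its own right.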

Vendors Test Individual Components
- IDS/IPS

Enterprises need to test Entire Networks

IxLoad-Attack
Ixia's comprehensive network security solution that validates:
- Security effectiveness
- Security accuracy
- Performance impact
IxLoad-Attack test modules
- Vulnerabilities and malware
- DoS and DDoS
- Multiplay traffic generator
- Data theft simulation
- IPsec, SSL and GTP
[Diagram labels: Distributed Denial of Service; Vulnerabilities & Malware; Data Leakage (SSN, Credit Cards Data, Classified Information); Effectiveness; Accuracy; Performance; IPsec, SSL & GTP; Real-world multiplay traffic]

What is it all about?
- Making sure you can defend against the broad range of Threats
- Making sure you are supporting the real Traffic Mix
- Making sure the Evolution of Applications is safe / secure against the Evolution of Threats
- Every IT-Infrastructure is UNIQUE
- Vendor's datasheets will never show the real world! They just show a small part of their secure Lab environment.

What type of Stability Test do we offer?
With BreakingPoint:
IPv4 and IPv6 Fuzzing Tests
- L2 Fuzzing - Stack Scrambler: Malformed Ethernet Frames
- L3 Fuzzing - Stack Scrambler: Malformed IP Frames
- L4 Fuzzing - Stack Scrambler: Malformed TCP and UDP Flows
- L7 Fuzzing - Application Simulator: Malformed Applications
IPv4 and IPv6 Traffic Impairment Test
- Drop packet
- Frack packet
- Corrupt packet in bytes 1-64
- Corrupt packet in bytes 65-256
- Corrupt packet in bytes 257-end
- Randomly corrupt packet
- Corrupt IP checksum

Targeted Security Devices
Targets a broad array of threat management devices:
- Intrusion prevention systems (IPS)
- Unified threat management (UTM)
- Firewalls
- VPN Gateways
- Data Leakage Prevention
- Content Filtering
- URL Filtering
- Anti-Virus
- Anti-Spam

IxLoad-Attack Delivers
- Vulnerability & Malware Testing
  - 9,000+ unique attacks
  - Evasion techniques
  - Bidirectional attacks
  - Frequent attack updates
  - Attacks over IPsec
- Security effectiveness under Load
  - Attack injection with legitimate traffic
  - Detailed user QoE measurements
  - Vulnerabilities and malware injected over IPsec
- DoS and DDoS
  - Line rate 1GE and 10GE
  - 26 DDoS attacks layer 2/4
- Performance benchmarking
  - UDP and TCP performance
  - Voice, video and data mix
- Data leakage prevention
  - Transmission of confidential data
  - Email, HTTP, FTP, IM
  - ZIP Archive, PDF, XLS, DOC

Physical Test Setup

Test Results
- Firewall performance while enabling network security services
  - 42 Gbps firewall mode, 32 Gbps IPS, 12 Gbps GAV
- Effectiveness of threat detection and prevention
  - Stateful TCP application traffic @ 10 Gbps
  - 200 high severity attacks blocked @ 99%
  - No appreciable CPU utilization impact with full DPI
- Security performance while under massive attacks
  - 1 Gbps DDoS, vulnerability attacks, 10 Gbps application traffic
  - 1,200,000 DDoS packets per second
  - CPU utilization increased 30%, no appreciable HTTP impact

Test Results Vulnerabilities

Test Results DDoS

The right gear delivered by Ixia
- Network and Security Test Equipment and Services for known and unknown Security Threats in Wired, Wireless, Virtual and Mobile
- Most efficient Security Monitoring
You can find us in Hall 12:
- Stand 12.0-118 IXIA / BreakingPoint
- Stand 12.0-543 IXIA / Anue
- Stand 12.0-449 IXIA

iPhone 5 prize draw at 15:00, Stand 449, Hall 12

Thank You
Any questions? Feel free to contact me at rrey@ixiacom.com