AMS Competitive Analysis v2.pdf

Tuan Le

December 18, 2012

Transcript

  1. Agenda (Slide 2)
     • AMS Introduction
     • AMS competitive landscape
     • AMS competitive analysis
       – Online businesses
       – Critical Infrastructure (Data Center)
       – Anti-DoS MSSPs
  2. Security Threat Vectors (Slide 4)
     Threat vectors labelled on the slide:
     • Large volume DoS
     • Application DoS (high rate & slow)
     • Intrusion
     • Application pre-attack probes
     • Web application attacks (e.g. XSS, injections, CSRF)
     • Misuse of stack resources
     • “Low & Slow” connection DoS attacks
     • Pre-attack probes
     • Intrusion, malware
  3. Multi-Vulnerability Attack Campaigns (Slide 5)
     Attack vectors aimed at the business, as drawn on the slide:
     • Large volume network flood attacks
     • Application flood attacks (Slowloris, port 443 data flood, …)
     • Large volume SYN flood
     • Web application attacks (e.g. XSS, injections, CSRF)
     • Low & Slow connection DoS attacks
     • Network scan
     • Web application vulnerability scan
     Conclusions
     • Attackers use multi-vulnerability attack campaigns, making mitigation nearly impossible
     • DoS & DDoS tools are the preferred weapon of mass disruption
  4. Radware Security Event Management (SEM) (Slide 7)
     • Correlated reports
     • Event correlation
     • Compliance management
     • RT monitoring
     • Advanced alerts
     • Forensics
     (The slide diagram also labels a 3rd Party SEM.)
  5. Summary: Radware AMS Differentiators (Slide 8)
     • Best security solution for online businesses:
       – DoS protection
       – Network behavioral analysis (NBA)
       – Intrusion prevention (IPS)
       – Reputation Engine service
       – Web application firewall (WAF)
     • Built-in SEM engine
     • Emergency Response Team (ERT)
       – 24x7 service for immediate response
       – Neutralize DoS/DDoS attacks and malware outbreaks
     • Lowest CapEx & OpEx
       – Multitude of security tools in a single solution
       – Unified management and reporting
     “Radware offers low product and maintenance cost, as compared with most competitors.” (Greg Young & John Pescatore, Gartner, December 2010)
  6. AMS competitive landscape (Slide 9)
     Vendors compared: Radware, McAfee, Sourcefire, F5, Imperva, Arbor, Riorey
     Capability columns: Anti-DoS, IPS, WAF, NBA, Integrated SEM, DDoS ERT (the per-vendor marks are graphics and do not appear in the transcript)
  7. Online businesses (eCommerce): the need (Slide 12)
     • Online business characteristics
       – Generate revenue through Internet access
       – Large number of users
       – Vulnerable to attacks aiming to deny service and reduce their revenue
     • Attacker motivation
       – Financially motivated: extortion, rivalry
       – Publicity and vandalism
       – Activists
     • The business need
       – Maintain service availability even when under attack
       – Maintain consistent user response time
       – Comply with PCI DSS requirements
       – Reduce OpEx and CapEx
  8. Success Criteria for Online Business protection (Slide 13)
     • Full protection against network & Web application attacks
       – Network & application DDoS protection
       – Intrusions
       – Web application protection
         • Web application attacks
         • Web application vulnerabilities
     • Accurate attack mitigation
       – Block attacks without blocking legitimate users
       – Maintain user experience when under attack
     • Risk management
       – Unified threat management and reporting
     • Mitigation performance
       – While forwarding legitimate user traffic
  9. Online business protection solutions comparison (Slide 14)
     Vendors compared: Radware, McAfee, Sourcefire, F5, Imperva, Arbor, Riorey
     Feature rows (the per-vendor coverage marks are graphics and do not appear in the transcript):
     • Attack coverage: Network DDoS; Application DDoS; Intrusions; Web application attacks
     • Monitoring and reporting: SIEM with event correlation
     • DDoS Emergency Response
     • Performance, attack mitigation & legitimate traffic (PPS):

     | Radware | McAfee | Sourcefire | F5  | Imperva | Arbor | Riorey |
     |---------|--------|------------|-----|---------|-------|--------|
     | 16Mpps  | 10Mpps | 4Mpps      | N/R | N/R     | 8Mpps | 15Mpps |
  10. Online business protection: The Radware Advantage (Slide 15)
     • Best security solution for online businesses:
       – DoS protection
       – Network behavioral analysis (NBA)
       – Intrusion prevention (IPS)
       – Reputation Engine service
       – Web application firewall (WAF)
     • Built-in SEM engine
       – Business-wide situational awareness
       – Other solutions require 3rd party SEM integration
     • Emergency Response Team (ERT)
       – 24x7 service for immediate response
       – Neutralize DoS/DDoS attacks and malware outbreaks
     • Lowest CapEx & OpEx
       – Multitude of security tools in a single solution
       – Unified management and reporting
  11. Radware weak points that can be used against us (Slide 16)
     • NSS certification – IPS criteria
       – McAfee, Sourcefire and other IPS vendors have NSS certification
       – What to say:
         • Radware holds NSS certification for the Attack Mitigation criteria, which offers wider coverage of online business threats
         • NSS certifies only a small part of the overall solution
     • ICSA / Network IPS certification
       – HP is the only vendor holding active ICSA certification
       – What to say:
         • ICSA is not considered a real network security testing authority
  12. Critical Infrastructure (data center): the need (Slide 18)
     • Carriers and large enterprises deploy data centers to deliver services and support operations
     • The data center is a critical resource
     • Data center hosts:
       – Critical infrastructure: DNS, DHCP, SIP
       – Carrier operations: OSS/BSS, provisioning, billing, CRM
       – Web portals
       – Mail servers
     • The need
       – Protect critical applications and servers under attack
       – Accurate detection and prevention
  13. Success Criteria for Data Center protection (Slide 19)
     • Full protection against network & application attacks
       – Network & application DDoS protection
       – Server intrusions
       – DNS service protection
       – VoIP service protection
       – Web application protection
     • Accurate attack mitigation
       – Block attacks without blocking legitimate users
       – Maintain user experience when under attack
     • Risk management
       – Unified threat management and reporting
     • Mitigation performance
       – While forwarding legitimate user traffic
  14. Critical Infrastructure protection solutions comparison (1/2) (Slide 20)
     Vendors compared: Radware, McAfee, Sourcefire, F5, Imperva, Arbor, Riorey
     Attack coverage rows (per-vendor marks are graphics and do not appear in the transcript): Network DDoS; Application DDoS; Intrusions; DNS attacks; VoIP misuse attacks; Web application attacks
  15. Critical Infrastructure protection solutions comparison (2/2) (Slide 21)
     Vendors compared: Radware, McAfee, Sourcefire, F5, Imperva, Arbor, Riorey
     • Monitoring and reporting: SIEM with event correlation (marks not in transcript)
     • DDoS Emergency Response (marks not in transcript)
     • Performance, attack mitigation & legitimate traffic (PPS):

     | Radware | McAfee | Sourcefire | F5  | Imperva | Arbor | Riorey |
     |---------|--------|------------|-----|---------|-------|--------|
     | 16Mpps  | 10Mpps | 4Mpps      | N/R | N/R     | 8Mpps | 15Mpps |
  16. Critical Infrastructure protection: The Radware Advantage (Slide 22)
     • Best security solution for online businesses:
       – DoS protection
       – Network behavioral analysis (NBA)
       – Intrusion prevention (IPS)
       – Reputation Engine service
       – Web application firewall (WAF)
     • Built-in SEM engine
       – Business-wide situational awareness
       – Other solutions require 3rd party SEM integration
     • Emergency Response Team (ERT)
       – 24x7 service for immediate response
       – Neutralize DoS/DDoS attacks and malware outbreaks
     • Lowest CapEx & OpEx
       – Multitude of security tools in a single solution
       – Unified management and reporting
  17. DDoS Protection: Layers of Defense (Slide 24)
     Types of DoS attack, ordered by attack volume (High / Med / Low):
     • PPS & bandwidth flood attacks
     • Connection & application flood attacks
     • Directed application DoS attacks
     Challenges:
     • Accurate mitigation – maintain very low false positives
     • Time to protect
     • PPS processing capacity
     • Bandwidth capacity
     • Accurate mitigation – attack sessions look legitimate
     • L7 content inspection
     • Ad-hoc filter creation
  18. DDoS Protection: Radware Coverage (Slide 25)
     Radware DDoS protections: up to 12MPPS of attack prevention; up to 800K new TPS of HTTP challenge-response
     Attack types covered: PPS & bandwidth flood attacks; connection & application flood attacks; directed application DoS attacks
     Engines and technologies labelled on the slide:
     • Multi-Gig DPI (RegEx) processing
     • StringMatch Engine (SME)
     • RegEx Engine
     • Static & user filters
     • Multi-core CPUs
     • Real-time signatures & challenge-response technologies
     • ASIC-based DoS Mitigator Engine (DME)
     • Real-time signatures technology
  19. DDoS Protection: Radware Technologies (Slide 26)
     • PPS & bandwidth flood attacks
       – Behavioral-based real-time signatures blocking
       – SYN protection (SYN cookies; Web cookies)
       – Rate-based protections
     • Connection & application flood attacks
       – HTTP & DNS advanced challenge-response techniques
       – Behavioral-based real-time signatures
       – Rate-based protections
     • Directed application DoS attacks
       – Auto-updated RegEx filters
       – Counter-attack techniques
       – Ad-hoc filters
     • Widest DDoS attack coverage out of the box
     • Best time to protect: in seconds
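The HTTP challenge-response and "selective challenge actions, action escalation" technique this slide and the later mitigation-comparison slides contrast with plain rate limiting, as an added Python illustration that is not Radware's code or part of the deck: a per-source policy that forwards traffic below a rate threshold, escalates a suspect source to a 302-redirect cookie challenge, and blocks only a source that keeps ignoring the challenge, so a real browser that follows the redirect is never blocked. The key, thresholds, addresses and traffic are constructed placeholders.

```python
import hmac, hashlib
from collections import defaultdict

KEY = b"constructed-demo-key"                    # placeholder, not a product setting
RATE_LIMIT, WINDOW, MAX_UNANSWERED = 20, 1.0, 3   # constructed thresholds

def challenge_token(src_ip, ts):
    """Stateless cookie: HMAC over source and issue time, so no per-client state is kept."""
    mac = hmac.new(KEY, f"{src_ip}|{ts}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{ts}.{mac}"

def token_valid(src_ip, token, now, ttl=60):
    """Accept a cookie only if it was minted for this source and is not stale."""
    ts = token.split(".")[0]
    return (ts.isdigit() and hmac.compare_digest(challenge_token(src_ip, int(ts)), token)
            and 0 <= now - int(ts) <= ttl)

class Mitigator:
    def __init__(self):
        self.hits, self.unanswered, self.blocked = defaultdict(list), defaultdict(int), set()

    def decide(self, src_ip, cookie, now):
        """Per-request action: 'forward', 'challenge' (302 + Set-Cookie) or 'block'."""
        if src_ip in self.blocked:
            return "block"
        # 1. Rate-based detection: traffic under the threshold is forwarded untouched.
        hits = [t for t in self.hits[src_ip] if now - t < WINDOW] + [now]
        self.hits[src_ip] = hits
        if len(hits) <= RATE_LIMIT:
            return "forward"
        # 2. Selective challenge: a valid cookie proves the client followed the redirect.
        if cookie and token_valid(src_ip, cookie, now):
            return "forward"
        # 3. Escalation: block only a source that keeps ignoring the challenge.
        self.unanswered[src_ip] += 1
        if self.unanswered[src_ip] > MAX_UNANSWERED:
            self.blocked.add(src_ip)
            return "block"
        return "challenge"

def simulate(n=30):
    """Constructed traffic: a browser that follows the 302 versus a bot that never does."""
    m, now, cookie, browser = Mitigator(), 1000, None, []
    for _ in range(n):
        action = m.decide("198.51.100.10", cookie, now)
        if action == "challenge":
            cookie = challenge_token("198.51.100.10", now)  # browser honours Set-Cookie
        browser.append(action)
    bot = [m.decide("203.0.113.7", None, now) for _ in range(n)]
    return browser, bot
```

Running `simulate()` shows the accuracy point the deck makes: the browser sees one redirect and is otherwise forwarded, while the bot is challenged three times and then blocked.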
  20. Success Criteria for DDoS Service Providers (Slide 27)
     • Full protection against DDoS attacks
       – Can you effectively detect and protect against emerging DDoS attacks?
       – Can you detect all types of DDoS attacks, including low and slow attacks?
       – Can you detect and protect against SSL attacks?
     • Ensure customer SLA
       – Can you offer detailed customer-centric reporting and alerts that reflect the full value of your service?
       – Can you detect and start blocking attacks in seconds? Minutes?
       – Do you avoid penalties?
     • Operational efficiency
       – Do your out-of-the-box protections really resolve the majority of cases?
       – Does the mitigation solution integrate easily with your infrastructure (customer portal, SEM, OSS, SOC)?
  21. DoS Mitigation solutions comparison (1 of 2) (Slide 28)
     Products compared: Radware DP 12412, Arbor TMS 3200, IntruGuard IG2000, Riorey RS10, TopLayer IPS5500-2400ES
     Feature rows whose per-product marks are graphics and do not appear in the transcript:
     • Attack coverage: network DDoS attack protection; application DDoS attack protection; directed DoS attack protection
     • Monitoring and reporting: built-in SIEM with advanced SLA reports and alerts
     Rows with values:

     | Feature | Details | Radware DP 12412 | Arbor TMS 3200 | IntruGuard IG2000 | Riorey RS10 | TopLayer IPS5500-2400ES |
     |---|---|---|---|---|---|---|
     | Time to protect | | In seconds | In minutes | In seconds | In minutes | In seconds |
     | Accurate attack mitigation | User experience under attack | High | Medium | Low | Low | Low |
     | | Techniques | Selective challenge actions, action escalation | Collective actions (challenge & rate limit) | Rate limit based | Rate limit based | Rate limit based |
  22. DoS Mitigation solutions comparison (2 of 2) (Slide 29)

     | Feature | Details | Radware DP 12412 | Arbor TMS 3200 | IntruGuard IG2000 | Riorey RS10 | TopLayer IPS5500-2400ES |
     |---|---|---|---|---|---|---|
     | Performance | Attack mitigation PPS | 12Mpps | 7Mpps | 3.8Mpps | 4Mpps | 3Mpps |

     Also compared (per-product marks are graphics and do not appear in the transcript): DDoS Emergency Response; NSS certification (slide note: TopLayer's last NSS report is dated 2005)
  23. Mitigation techniques comparison (Slide 30)

     | | Radware DP 12412 | IntruGuard IG2000 | TopLayer IPS5500-2400ES | Arbor TMS 3200 | Riorey RS10 |
     |---|---|---|---|---|---|
     | Performance | 10 MPPS | 3.8 MPPS | < 4 MPPS | 7 MPPS | 4 MPPS |
     | Application challenge technologies | 302, JS, DNS | N/R | N/R | 302, DNS | N/R |
     | User experience under attack (accuracy) | High | Low | Low | Med | Med |
     | Mitigation techniques | Selective challenge actions, action escalation | Rate-limit | Rate-limit | “Collective” actions & rate limit | Rate-limit |

     Further rows on the slide (L7 regex filters (ASIC); tenant support) carry these call-outs, whose product attribution is not preserved in the transcript:
     • Capability doesn’t exist
     • Severely impacts performance once multiple rules are activated
     • Limited to 8 customers (groups)
     • Other vendors include legitimate traffic processing with attack mitigation
  24. Mitigation techniques – detailed performance comparison (Slide 31)

     | | Radware DP 12412 | IntruGuard IG2000 | TopLayer IPS5500-2400ES | Arbor TMS 3200 | Riorey RS10 |
     |---|---|---|---|---|---|
     | L3/L4 DoS filters | 10 MPPS | 3.8 MPPS | < 4 MPPS | 7 MPPS | 4 MPPS |
     | L4 challenge | 10 MPPS | 3.8 MPPS | < 4 MPPS | 7 MPPS | N/R |
     | L7 attack challenge (HTTP) | 800K CPS | N/R (only signatures) | N/R (only signatures) | N/A | N/R (only signatures) |
     | L7 regex filters (ASIC) | Up to 2G | | | | |

     Call-outs on the slide, whose product attribution is not preserved in the transcript:
     • Capability doesn’t exist
     • Severely impacts performance once multiple rules are activated
     • Other vendors include legitimate traffic processing with attack mitigation
  25. Radware Addresses the Best Success Criteria for DDoS Service Providers (Slide 32)
     • Best DDoS attack coverage
       – High PPS & bandwidth DDoS attack protection
       – Connection & application DDoS attack protection
       – Directed attack protection
       – The only NSS Recommended attack mitigator in the industry
     • Ensure customer SLA
       – Shortest time-to-protect solution in the market: in seconds!
       – Most comprehensive reporting engine, with detailed per-customer reports and advanced alerts
     • Operational efficiency
       – Best out-of-the-box protection: the SOC can focus on complex attack cases
       – Multitude of DDoS protections and SEM in a single integrated solution: significant CapEx and OpEx savings