
Session: C3

Company: Radware

Topic: ADC & Security for SDDC

Speaker: Sam Lin (Title: General Manager)

L4-L7 ADC (appliance or NFV) and Security service (appliance or NFV) for the (Software Defined) Data Center

Sam Lin

Radware Taiwan

SDDC definition

Slide 3

Data Center Use Case 1: traditional servers

Slide 4

Web

DB

App

FW/IPS Alteon

ADC Alteon

ADC

-SLB

-GSLB

-Caching

-SSL

-IPS

Data Center Use Case 2: virtual servers

Slide 5

Web

DB

App

FW/IPS Alteon-NG

ADC Alteon

ADC

+APM

+FastView

+WAF

+SSO

+DDoS

Data Center Use Case 3: virtual network on NFV

Slide 6

Web

DB

App

NGFW/IPS

-NFV

Alteon ADC

-NFV Alteon ADC

-NFV

Software Defined Data Center Use Case 4

Slide 7

Web

DB

App

NGFW/IPS

-NFV

Alteon ADC

-NFV

Alteon ADC

-NFV

Cloud

Orchestrator

SDN Controller

Alteon-NFV & DefensePro-NFV for Cloud in a Rack

Slide 8

Radware 2014

Slide 9

(for Cloud Controller:)

1. SLB

2. SSL

3. Cache

4. APM

5. FastView

6. AS++

7. VX Hypervisor

8. vDirect

9. Cloud Signaling

10. DDoS

11. BWM

12. WAF

13. SSO

14. GSLB

(for SDN Controller:)

Alteon 100M-80G (#1 Vision L7 Controller)

DefensePro 200M-40G (#1 DDoS + IPS)

LinkProof 100M-16G (#1 link load balancing)

Alteon features:

Gartner ADC 2014

• Alteon NG ADC for Private/Public Cloud

Slide 10

Alteon Platform Line-Up: Number 1 vision

Slide 11

Alteon 6420

20-80 (160) Gbps, 1-88 vADCs

ADC virtualization - for any size data center!

Alteon 5208: 5-26 Gbps, 1-24 vADCs

Alteon VX - Isolated Resource

On Demand

Services

Infrastructure

Layer 4-7 Services

Network

Global SLB

SharePoint

1Gbps

IP Domain 1

Customer Managed

Global SLB, Security,

ITM

Fully featured ADC

Health Checks, Layer 7 Configurations, etc.

VLANs, ARP Tables, Virtual Routing and Forwarding Tables

Physical Resources (CPU, Memory, SSL)

Private:

config file

logging

statistics

On Demand

Services

Infrastructure

Layer 4-7 Services

Network

ITM

Oracle

2Gbps

IP Domain 2

On Demand

Services

Infrastructure

Layer 4-7 Services

Network

Security

Marketing

Applications

2Gbps

IP Domain 3

Customer “Monitor Only” Provider Managed

Private:

config file

logging

statistics

Private:

config file

logging

statistics

Slide 12

• The most extreme Layer 4-7 performance on the ADC market --- Alteon 5208

• Default 5G throughput (expandable to 10G, 20G) --- the most complete!

• In the ADC market, 2 x 10G ports plus 6 x 1G ports, with Layer 4 performance of 700K CPS --- the most powerful!

• 2 vADCs by default (expandable to 24), fully independent and non-interfering --- the most distinctive!

• Built-in SSL, cache acceleration, STP, RIP, BGP and DDoS protection

• Includes TCL scripting extensions

• One-year license for HTML acceleration and network speed monitoring --- the most innovative!

• Expandable with WAF and dynamic integration with Chunghwa Telecom's external DDoS protection --- the most comprehensive!

• Can be integrated with cloud controllers

Slide 13

Alteon 5208: Nine Key Advantages

NFV-SDN-Cloud Architecture

Slide 14

Slide 15

ETSI certified NFV

Proactive SLA Management

Breakdown by application, location or specific transaction

Monitor application’s SLA and user transaction response time

Track real user transactions that breach SLAs

Real time error detection - tracking proper transaction completion

Slide 16

FastView Under the Hood

Render page for specific

browser

Transform resources

Transform HTML

Create acceleration

template

Slide 17

FastView™: Page Performance

F5’s site loads more than twice as fast with Radware FastView™

Slide 18

Database

Servers Firewall

Data Center

Internet

Radware ADC

Advanced Data Center: dynamic allocation of system resources

VMware vCenter Orchestrator

Step #1: Users connect to the application.

Step #2: vCenter Orchestrator continuously monitors the application servers' CPU load, number of connected users and connection response time.

Step #3: When an administrator-set threshold is exceeded, vDirect notifies vCenter to add a VM and automatically tells the server load balancer to update its configuration.

Step #4: The server load balancer can then steer traffic to the newly added VM.

Step #5: When the number of users starts to fall, vDirect waits until the last session on the Guest OS client has closed normally, then notifies vCenter, which automatically reclaims the WEB/AP Guest OS and removes it from the SLB pool.
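The five steps above describe a threshold-driven scale-out with a drain-before-reclaim scale-in. The following is an added example, not code from the slides or from Radware/VMware: a small Python simulation in which a stand-in `Orchestrator` class plays the vDirect + vCenter Orchestrator role and `SlbPool` the load balancer pool. The thresholds, server names and load values are constructed. The part worth noticing is Step #5: a member is first marked `draining` so it receives no new sessions, and the VM is reclaimed only once its last session has closed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed stand-ins for the orchestration pieces on the slide: Orchestrator
# plays the vDirect + vCenter Orchestrator role, SlbPool the Alteon server pool.
# Neither is a Radware or VMware API.


@dataclass
class Server:
    name: str
    cpu: float = 0.0          # CPU utilisation in percent (constructed metric)
    active_sessions: int = 0  # client sessions still open on this VM
    draining: bool = False    # True once the SLB stops sending new sessions here


@dataclass
class SlbPool:
    """Server load balancer pool: members that may receive new sessions."""
    members: list[Server] = field(default_factory=list)

    def add(self, srv: Server) -> None:
        self.members.append(srv)

    def remove(self, srv: Server) -> None:
        self.members.remove(srv)

    def eligible(self) -> list[Server]:
        """Members the SLB may still send new sessions to (Step #4)."""
        return [s for s in self.members if not s.draining]


@dataclass
class Orchestrator:
    pool: SlbPool
    cpu_high: float = 80.0   # administrator-set scale-out threshold (Step #3)
    cpu_low: float = 20.0    # administrator-set scale-in threshold (Step #5)
    min_servers: int = 1     # never drain the last serving member
    vm_counter: int = 1      # VMs created so far (web-1 exists at start)

    def evaluate(self) -> list[str]:
        """One monitoring cycle (Step #2); returns the actions it took."""
        actions: list[str] = []
        live = self.pool.eligible()
        avg_cpu = sum(s.cpu for s in live) / len(live)

        if avg_cpu > self.cpu_high:
            # Steps #3-#4: add a VM and put it in the pool so it gets traffic at once.
            self.vm_counter += 1
            new = Server(f"web-{self.vm_counter}")
            self.pool.add(new)
            actions.append(f"scale-out {new.name}")
        elif avg_cpu < self.cpu_low and len(live) > self.min_servers:
            # Step #5, first half: stop new sessions to one member but keep the VM
            # while its existing sessions close normally.
            victim = live[-1]
            victim.draining = True
            actions.append(f"drain {victim.name}")

        # Step #5, second half: reclaim only members that are fully drained.
        for s in list(self.pool.members):
            if s.draining and s.active_sessions == 0:
                self.pool.remove(s)
                actions.append(f"reclaim {s.name}")
        return actions


def run_scenario() -> tuple[list[str], list[str]]:
    """Constructed load pattern: surge, spread, decline, drain, reclaim."""
    pool = SlbPool([Server("web-1", cpu=90.0, active_sessions=40)])
    orch = Orchestrator(pool)
    log: list[str] = []

    log += orch.evaluate()                     # surge -> scale-out web-2
    web1, web2 = pool.members
    web1.cpu, web2.cpu, web2.active_sessions = 45.0, 40.0, 20
    log += orch.evaluate()                     # balanced -> nothing
    web1.cpu, web2.cpu, web2.active_sessions = 10.0, 8.0, 3
    log += orch.evaluate()                     # low load -> drain web-2
    log += orch.evaluate()                     # 3 sessions still open -> keep web-2
    web2.active_sessions = 0
    log += orch.evaluate()                     # last session closed -> reclaim web-2
    return log, [s.name for s in pool.members]


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario yields three actions, `scale-out web-2`, `drain web-2` and `reclaim web-2`, with one evaluation cycle in between in which the drained VM is deliberately left alone because three sessions are still open on it.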

Slide 19

GSLB Elasticity & Cloud Burst

Slide 20

Data Center A Data Center B

PUBLIC CLOUD

Elastically Scale-out On-Prem Applications

Scale-out To public cloud

vDirect ADC Workflow State Sync

Web Security

Slide 21

Complete Web Application Protection

• Full coverage of OWASP Top-10 by negative & positive security models

• Protection against dozens of attack vectors listed on WASC Threat

Classification

• Efficient, accurate and difficult to evade out-of-the-box negative security

– Terminating TCP connections

– Normalizing client encoded traffic

– Blocking various evasion techniques

App Mapping

Reservations.com

/config/

/hotels/

/register/

/info/

/reserve/

Adaptive Auto Policy Generation (1 of 4)

/admin/

Slide 22

Reservations.com

/config/

/hotels/

/register/

/info/

/reserve/

SQL Injection

CCN breach

Buffer Overflow

Directory Traversal

Adaptive Auto Policy Generation (2 of 4)

App Mapping

Information leakage

Gain root access control

Unexpected application behavior, system crash, full system compromise

Threat Analysis

Risk analysis per “application-path”

/admin/

Spoof identity, steal user information, data tampering

Slide 23

Reservations.com

/config/

/hotels/

/admin/

/register/

/info/

/reserve/

SQL Injection

CCN breach

Buffer Overflow

Directory Traversal

***********9459


Adaptive Auto Policy Generation (3 of 4)

App Mapping

Policy Generation

Prevent access to sensitive app sections

Mask CCN, SSN, etc. in responses.

Parameters inspection

Threat Analysis

Traffic normalization & HTTP RFC validation

Slide 24

Reservations.com

/config/

/hotels/

/admin/

/register/

/info/

/reserve/

SQL Injection

CCN breach

Buffer Overflow

Directory Traversal

Adaptive Auto Policy Generation (4 of 4)

Time to protect

App Mapping

Policy Activation

Add tailored application rules

Optimize rules for best accuracy

Policy Generation

Threat Analysis

***********9459

Virtually zero false positive

Best security coverage

Slide 25

The Reporting Dashboard

Slide 26

PCI Compliance Summary Report

PCI Requirement

Analysis Info

Action Plan

Slide 27

Compliance Status

WAF service in Carrier

Slide 28

Volumetric attacks Stateful attacks Application attacks

App Misuse

Attackers Deploy Multi-vulnerability Attack Campaigns

High Bandwidth or PPS Network flood attacks

Syn Floods

SSL Floods

HTTP Floods

Brute Force

Slide 29

Internet Pipe Firewall IPS/IDS ADC Attacked Server SQL Server

Intrusions

“Low & Slow” DoS attacks (e.g. Sockstress)

Network Scan

SQL Injection

Cross Site Scripting

More than 50% of 2013 attack campaigns had more than 5 attack vectors.

DefensePro Platform Line-Up: Number 1 in Carrier

Slide 30

DPx412: 10G x4 + 1G x8 + 1G SFP x4, 4/8/12 Gbps

DPx420: 40G x4 + 10G SFP x40, 10/20/30/40 Gbps

* Scheduled for mid 2014

DP x06: 1G SFP x2 + 1G x4, 100/200/500M/1/2 Gbps

• DefensePro NG IPS for Private/Public Cloud

Slide 31

Alteon ADC: DoS Signaling to Local AMS

Slide 32

Protected online services

Protected Organization Alteon Signals to AMS

DefensePro Alteon NG

Inclusive SSL-based attack mitigation

Firewall

Integrated WAF module

ADC health parameters:

• CPU utilization

• Tables capacity utilization

Traffic parameters:

• Bandwidth

• PPS, CPS, CEC

• Total & per service

AMS mitigates attack

DoS Signaling to the Cloud

Slide 33

Protected online services

Protected Organization

DefensePro Alteon NG

Inclusive SSL-based attack mitigation

Firewall

Integrated WAF module

Pipe is saturated

Volumetric DDoS attack

that saturates Internet pipe

Alteon signals to AMS

ERT and the customer decide

to divert the traffic

DefensePipe mitigates

volumetric attack

Internet pipe

is cleaned

CHT MSSP service

Slide 34

ElasticScale: the SDN application that programs the network for scalable L4-L7 application delivery services

Application Anti-DoS App

Application Anti-DoS App

NBAPI & Orchestration Plug-ins

SDN Drivers L4-L7 Drivers

Application Anti-DoS

App

Distributed Mitigation App

Network Anti-DoS App

Abstraction layer

ElasticScale App

Slide 36

Alteon VA

Application1

Application 2

Alteon Appliance

Virtualization Manager

IBM Unified SDN Controller

Elastic Scale SDN Application

DefenseFlow DDoS: the SDN application that transforms the network into a secure monitoring & attack mitigation network

Application Anti-DoS App

Application Anti-DoS App

Control “Flow diversion” and Mitigation

Collect network stats: Programmable Probes

Program Network Anti-DoS service provisioning

vSwitch

vSwitch

Local flow counters

Edge flow counters

DefensePro

Attack Mitigation Scrubbing Center

IBM Unified SDN

Controller

NBAPI

SDN Drivers L4-L7 Drivers

Abstraction layer

Application Anti-DoS App

Network DDoS Attack detected!!!

Application Anti-DoS App

Network Anti-DoS App

Tune the security policy

Analyze & Decide Detection

Adaptive Network Anomaly Decision Surface (figure: traffic parameters plotted against traffic parameters, with a Normal Adapted Area, a Suspicious Area and an Attack Area)
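Slide 32 lists the inputs Alteon reports to the AMS (ADC health parameters: CPU utilization and table capacity; traffic parameters: bandwidth, PPS, CPS, CEC, total and per service), and the decision surface above sorts measurements into normal, suspicious and attack regions by their distance from a learned baseline. The following is an added example, not Radware code and not the Alteon/DefensePro signalling protocol: a Python classifier that scores each parameter as a z-score against a constructed baseline, maps it to one of the three regions, and signals the AMS only when both a health parameter and a traffic parameter sit in the attack region. Baselines, thresholds, the interpretation of CEC as concurrent established connections, and all sample values are assumptions.

```python
from dataclasses import dataclass

# Constructed per-parameter baselines; a real ADC would learn these from traffic.
# Parameter names follow the slide (CPU utilisation, table capacity, bandwidth,
# PPS, CPS, CEC); the numbers and the z-score thresholds are assumptions.


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float


BASELINES = {
    "cpu_util_pct":      Baseline(35.0, 8.0),      # ADC health
    "session_table_pct": Baseline(20.0, 5.0),      # ADC health (table capacity)
    "bandwidth_mbps":    Baseline(400.0, 60.0),    # traffic
    "pps":               Baseline(50_000, 8_000),  # traffic
    "cps":               Baseline(1_200, 300),     # traffic (new connections/s)
    "cec":               Baseline(30_000, 5_000),  # traffic (concurrent connections, assumed)
}
HEALTH = {"cpu_util_pct", "session_table_pct"}
TRAFFIC = set(BASELINES) - HEALTH

SUSPICIOUS_Z = 3.0   # deviation that enters the "suspicious area" (assumed)
ATTACK_Z = 6.0       # deviation that enters the "attack area" (assumed)


def zscore(name: str, value: float) -> float:
    b = BASELINES[name]
    return (value - b.mean) / b.stdev


def classify(sample: dict) -> dict:
    """Place each measured parameter in a region of the decision surface."""
    regions = {}
    for name, value in sample.items():
        z = zscore(name, value)
        regions[name] = "attack" if z >= ATTACK_Z else "suspicious" if z >= SUSPICIOUS_Z else "normal"
    return regions


def decide_signal(sample: dict) -> tuple:
    """Signal the AMS only when an ADC health parameter and a traffic parameter are
    both in the attack region: a traffic spike alone may be a flash crowd and a
    CPU spike alone may be a bad deployment, so those only raise a watch."""
    regions = classify(sample)
    attack_health = sorted(n for n, r in regions.items() if r == "attack" and n in HEALTH)
    attack_traffic = sorted(n for n, r in regions.items() if r == "attack" and n in TRAFFIC)
    if attack_health and attack_traffic:
        return "signal_ams", attack_health + attack_traffic
    anomalous = sorted(n for n, r in regions.items() if r != "normal")
    if anomalous:
        return "watch", anomalous
    return "none", []


# Constructed samples: quiet hour, legitimate flash crowd, connection flood.
SAMPLES = {
    "quiet":       {"cpu_util_pct": 33, "session_table_pct": 21, "bandwidth_mbps": 390,
                    "pps": 48_000, "cps": 1_100, "cec": 29_000},
    "flash_crowd": {"cpu_util_pct": 50, "session_table_pct": 30, "bandwidth_mbps": 700,
                    "pps": 90_000, "cps": 2_100, "cec": 45_000},
    "conn_flood":  {"cpu_util_pct": 95, "session_table_pct": 80, "bandwidth_mbps": 450,
                    "pps": 300_000, "cps": 9_000, "cec": 34_000},
}


def evaluate_all() -> dict:
    """Decision per constructed sample: label -> (decision, parameters)."""
    return {label: decide_signal(s) for label, s in SAMPLES.items()}


if __name__ == "__main__":
    for label, (decision, params) in evaluate_all().items():
        print(f"{label:12s} -> {decision:10s} {params}")
```

The flash-crowd sample keeps every parameter in the suspicious region and the ADC healthy, so it only produces a watch; the connection-flood sample pushes CPS and PPS into the attack region together with CPU and session-table capacity, which is the combination that triggers the signal to the AMS. Requiring both families to degrade is the design choice that keeps a busy sales day from being diverted to a scrubbing center.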

SDN Controller

Slide 39

DefenseFlow Anti-DoS App

Tune the security policy and baselines

Attack detected!!!

Rest API

Protected Objects

Protected Link

Scrubbing Center

We want to protect this link to our servers.

DefenseFlow Application instructs the SDN to send back statistics.

SDN Network sends back stats, which the DefenseFlow App monitors.

Attack starts! DefenseFlow App tunes the scrubbing center.

DefenseFlow instructs the SDN to divert attack traffic to the Scrubbing Center.

DefensePro