Date posted: 20-Aug-2015
Category: Technology
Uploaded by: radware
Radware DefenseFlow
The SDN Application That Programs Networks for DoS Security
Sales Presentation
April 2013
• DDoS Threat is Evolving
• Limitations of Legacy Out-Of-Path Deployments
• Radware DefenseFlow Solution
• Summary
US Banks Under Attack: From The News
Anonymous Attacks Grow
Industry Security Survey
Which of the following motivation(s) are behind the DDoS/DoS attacks that you experienced?
• Motivation is unknown: 57%
• Political/Hacktivism: 22%
• Angry users: 10%
• Competition: 6%
• Ransoms: 5%
Ponemon Research 2012: DDoS Attacks are Mainstream
• 65% of organizations had an average of 3 DDoS attacks in the past 12 months
• 54 minutes: average downtime during one DDoS attack
• $22,000: average cost per minute of downtime
• $3,000,000: average annual cost of DDoS attacks
Limitations of Netflow Based Mitigation

| Area | Capability | Netflow Based Mitigation |
|---|---|---|
| Detection | Network DDoS flood attacks | Full coverage |
| Mitigation | Mitigation response time | Slow – 5 Minutes |
| Network Operation | Requires BGP announcement, GRE tunneling and several detectors | Complicated |
| Diversion | Traffic granularity | Low Granularity |
| Cost Effective | Requires hardware detectors; requires scrubbing center; consumes routers CPU and ports | Expensive |

Slow, Complicated, Inaccurate, Expensive
Introducing Radware DefenseFlow
The SDN Application That Programs Networks for DDoS Protection
[Diagram: SDN Applications, SDN Controller and SDN Data Plane layers, with DefensePro; interface labels: API, OpenFlow API]
DefenseFlow: The SDN Application That Programs Networks for DoS Security
[Diagram: Internet, SDN Controller and DefensePro, with an attack in progress; function labels below]
• Security Service provisioning
• Programmable Probe – Collect
• Detection – Analyze & Decide
• "Flow Diversion" – Control
• Create baselines per: IP Address, Protocol & Service (Port)
• Configure DefensePro with learned baselines
DefenseFlow Vs. Netflow

| Area | Capability | Netflow Based Mitigation | Radware DefenseFlow |
|---|---|---|---|
| Detection | Network DDoS flood attacks | Full coverage | Full Coverage |
| Mitigation | Mitigation response time | Slow – 5 Min | Immediate – seconds |
| Network Operation | Requires BGP announcement, GRE tunneling and several detectors | Complicated | Simple - diversion is a network service |
| Diversion | Traffic granularity | Low Granularity | High Granularity – divert only suspicious traffic |
| Cost Effective | Requires hardware detectors; requires scrubbing center; consumes routers CPU and ports | Expensive | Low cost |

Slow, Complicated, Inaccurate, Expensive
Operator Benefits
• Designed for attack mitigation
– Attack detection is performed out of path
– During attack period only suspicious traffic is diverted through mitigation device
• Scalable solution
– DefensePro mitigation devices can be placed in any location
– DefenseFlow diverts the traffic to the nearest mitigation device
• Easy provisioning
– Adding protection policy to a customer in a few seconds
• Lowest cost solution
– Detection as a native SDN stats collection
– Diversion as a native SDN control operation
Summary
• DDoS attacks are a prevalent threat to every business and agency
• Current Netflow based solutions fail to offer a cost-effective solution
• DefenseFlow is an SDN application that programs networks for DDoS Protection, gaining:
– Easy provisioning
– Immediate attack detection
– Low cost
Thank You
www.radware.com