As security professionals facing the rising tide of threats, many of us find ourselves researching and implementing next-generation perimeter defenses to mitigate risks. Through analysis of threat vs. protection we quickly realize that no single protection will suffice; current risks require multiple protection layers to secure the business.
Typical intrusion prevention services (IPS) and next generation firewall (NGFW) devices claim coverage, but beware – they fall short. In fact recent studies from Radware’s 2011 Global Application & Network Security Report show combined IPS and FW account for 32% of the common DDoS bottleneck.
Also realize next Generation IPS and DDoS tools are not created equal. Products on the market differ tremendously across the board from detection to mitigation. One major difference is due to the fact that many vendors are now jumping on the DDoS bandwagon and creating products with no real functionality, but advertising them none the less. As you move forward with your evaluation and selection of attack mitigation systems, I suggest you review the following criteria:
Hardware Architecture Designed for Perimeter Attack Mitigation: Hardware designed to withstand network floods such as SYN, RST, ICMP and UDP Floods is essential. Throughout 2011 and continuing into 2012, a significant increase in both network and application layer denial of service attacks were observed. Freely available tools have enabled the enemy to leverage sophisticated attacks in a very simple to use interface. Ensure the hardware you select can perform detection and mitigation techniques to meet your network availability requirements. Look beyond the vendors’ marketing and validate the claim.
Ease of Deployment: Deployment options should be flexible to allow for the ability to deploy with little to no impact on operations. Common options include inline and out of path. Be cautions of out of path options which rely on flow (netflow/cflow) based information as they are not capable of detecting application and slow and low attacks.
When Flow based technologies do detect an attack, it requires several minutes to detect and swing traffic in which case the firewall or IPS would likely have already crashed under high PPS floods. Out of path options require re-routing traffic to the mitigation device when under attack. Out of path flow-based attack mitigation solutions are more expensive due to separate detection and mitigation components and the complexity of deployment and support requires significantly more effort. On the other hand, in-line deployments provide detection and mitigation within the same appliance, which can mitigate attacks in real time and offer ease of deployment, further reducing total cost of ownership.
Low False Positive – High Quality of User Experience: Most vendors claim a low false positive rate though many of us have learned otherwise and realize security tools are not black boxes. More specifically, IPS and security incident event management (SIEM) event correlation systems require many hours of initial and ongoing tuning. Identify exactly how the vendor is reducing false positives and benign events. Ensure they do so while avoiding false negatives (real incidents which go unnoticed).
The behavioral analysis or heuristics algorithms in use should scale with fluctuations in bandwidth and accommodate flash crowds (legitimate business). Verify that the mitigation appliance does not drop legitimate traffic when under attack. Consider replaying live traffic through the device while simulating attack traffic or have the vendor do it for you in their lab.
Multi-Tenancy: Multi-Tenancy is often a concern for managed service providers and corporations where different business units can have different requirements. Ensure configuration of polices can be segmented. Verify granular end user reporting (reporting per policy), real time monitoring and alerting is available. Functionality within an existing portal or management station may be required; verify there is an API available to accommodate.
Granularity of Configuration: Opposing security controls may need to be applied to different functional areas of the network. Configuration of network security policies should be capable of being segmented with different customers, business units or environments. For instance customer A should have capability to have a distinct separate policy than customer B. In addition policies should be capable of different protection actions – For instance a policy in block with another in report only mode.
DDOS Protection: Perimeter Attack Mitigation Systems should be capable of withstanding high rate TCP/UDP floods and slow and low attacks. A significant trend has been identified on the application layer attacks and a strong emphasis should be placed on analyzing the full OSI stack (all 7 layers). Some vendors rely on netflow information to identify network anomalies and are not able to detect application layer or slow and low attacks. Tools such as LOIC, HOIC, RefRef, THC-SSL and ApacheKiller have surfaced publicly and are contributing to the rise of application layer DDoS attacks. Ensure your vendor has protections to detect and identify attack tools, validate malicious sources and block both known vulnerability and zero day network and application exploits.
Network Behavior Analysis (NBA): Network Behavior Analysis is the secret sauce for identifying anomalies in the network and identifying zero day attacks. It is imperative to understand how NBA is implemented and how false positives are avoided. Behavior analysis should be both network (TCP/UDP) and application aware to protect critical services such as ftp, smtp, http, SSL, DNS, and SIP. Proper behavior analysis mechanisms should only trigger when there is a difference in the traffic ratios and not cause false positives under flash crowd or increases in bandwidth.
Challenge / Response Mechanisms to validate clients: Many attacks today are carried out with weaponized tools. Challenging the attacker provides the ability to filter out the attack traffic and permit only the legitimate clients. There should be challenge and response mechanism in place to protect both network and application layers such as DNS, HTTP and SSL.
Reconnaissance and Brute Force Protections: The attack mitigation system should provide protections from known vulnerabilities, (IPS signatures), brute force and reconnaissance scanning. These detections should detect and mitigate vulnerability assessments, network scanning tools and malware spreading.
Web Application Vulnerabilities (XSS, SQL Injection, etc.): It is common place for cyber attackers to deface and alter website content, steal confidential and personal information. Due to the vast and frequent vulnerabilities found in web applications it is critical that patches be applied. It is a timely process, however, and often not done. In this case, web application firewalls are the tool of choice; verify your vendor can prevent the OWASP vulnerabilities such as XSS, SQL injections, etc.
Reporting and Alerting: As with any security device it is essential to have a sound reporting engine to show return on investment. Internal log collection, correlation, alerting and reporting should be available within the device management systems, as well as have an API to integrate with existing infrastructure such as syslog servers, SIEM and network monitoring systems. Identify the ability to create and export reports in the required format (pdf, csv, etc.,) and delivery options (ftp, email, etc.). Security devices should be capable of being monitored remotely via SNMP, and ability to send alerts to syslog, SNMP traps, and email.
Support/Emergency Response Team: Identify the vendor support structures and ensure they meet the level of support you require. During testing or proof of concept, test the TAC at different hours of the day and days of the week. Identify who to contact when under attack along with associated cost structures and availability. Ensure there is a clear, escalated procedure backed by an SLA to follow when you are under attack.
Capex/Opex Costs: Equipment should be capable of on-demand upgrades to scale beyond current needs without replacing or adding additional gear causing additional expenses and network down time. Consider the complications of out of path (expensive) vs. inline mentioned in the ease of deployment section above.
Customer References: There is no better reference than an existing customer who can validate a vendor’s claims for preventing multi-vector attacks. Request to speak with a few customers in relevant business size and scope. Evaluate the overall pre and post sales experience especially under attack.
Third Party Reviews and NSS Labs Certifications: Research third party certifications and reviews; NSS Labs is a reputable third party research group that performs evaluations of many security products. Go online and research from reputable sources, the more the better.
Like no other, Radware’s Attack Mitigation System (AMS) includes protection mechanisms to mitigate the emerging risks through the combined use of IPS, DDoS Protection, Network Behavioral Analysis (NBA), Web Application Firewalls (WAF) and Reputation services on hardware that has been tailored for the task. The unique offering of Radware AMS also includes a full-blown SIEM for log collection, aggregation, correlation alerting and reporting. To further enhance and differentiate, the Radware AMS offering is backed by a dedicated 24/7 Emergence Response Team with expertise in cyber attack mitigation.