Peter Long, Vice President, Marketing - PowerPoint PPT Presentation

1 / 23

About This Presentation

Title:

Peter Long, Vice President, Marketing

Description:

Offers network security solutions that ... 0-day worm or virus attacks. Botnet traffic. Rapid tracking of anomalous traffic origins ... – PowerPoint PPT presentation

Number of Views:23

Avg rating:3.0/5.0

Slides: 24

Provided by: donp58

Category:

more less

Transcript and Presenter's Notes

Title: Peter Long, Vice President, Marketing

1
(No Transcript)
2
Network Anomaly Detection and Mitigationthe
next step in your security strategy
Peter Long, Vice President, Marketing plong_at_netzen
try.com netZentry, Inc.
3
Who We Are

Founded July 2003
First Product Shipped 2004
Located in Palo Alto, California
Experienced Management and Engineering Teams
Network and Network Security Backgrounds
Venture-Funded
US Venture Partners, Alloy Ventures

4
What We Do

Offers network security solutions that
uniquely utilize a scalable and collaborative
approach to
instantly detect and
precisely track anomalous traffic to
efficiently mitigate its harmful effects

5
The Problem

Anomalous traffic floods can severely disrupt
enterprise and provider networks and services
Different types of anomalous traffic floods
External DDoS Attacks
Internal DDoS Attacks
Zero-day Worms
Current security solutions (firewalls, IDS/IPS)
are often incapable of stopping such attacks

6
Todays Network Security Offerings Limitations
Firewalls, IDS, IPS

Typical solutions cannot easily pick out good
versus bad traffic
Victim centric versus origin centric
Protection is too close to endpoint
False positives are extremely high
Humans must verify the attack is real before
coordinating mitigation
Lack of Scalability
Increased organizational costs

7
Typical Network
Peering Providers
Tracking
Management
Management
Mitigation
Edge Layer

Detection
Distribution Layer
Detection
Aggrregation Layer
Mitigation
Tracking
Servers And Endpoints
8
Outside-In DDoS Attack
9
Inside-Out DDoS Attack
Detect attack on specific target
Mitigate attack on specific links
Track attack to specific links
10
Inside Worm Attack
11
FloodGuard Highlights

Next step in solving network availability attack
Components
Detection (Sideline)
Tracking (Sideline)
Mitigation (Inline or Sideline)
Management (Sideline)
Millisecond response
Traffic Capture
NetFlow
cFlow
Gigabit packet capture

12
Detection Anomaly versus Signature

Signature-based schemes ascertain specific
patterns in packet properties/content or in
packet sequences
Anomaly-based schemes differentiate attack
traffic from normal traffic by using a
statistically derived baseline
Signature-based detection schemes are quite
precise for known attacks

13
DetectionSophisticated traffic algorithms

Traffic Analysis
Analyzes traffic close to the destinations
Protection domains created based on network
requirements
Traffic patterns capable of being base lined to
individual endpoints or broader IP blocks
Anomalous behavior identified relative to
established traffic patterns
Packet rate, Bandwidth, Destination and more
Continuous Learning Technology
Traffic patterns once initially baseline will be
continuously updated as necessary with optional
user intervention
Protection Domains or granularity of endpoint
monitoring can be automatically detected and
added
Detects multiple attacks occurring simultaneously

14
FloodGuard Tracking

Attacks are often spoofed
Cannot tell where a packet comes from just by
looking at a packets source address
Tracking identifies where attack packets are
coming from
Attacks often come on some of the ingress links,
not all
Only traffic on tracked links need to be
subjected to mitigation
Not all traffic to a target needs to be mitigated
Frees up other links from any mitigation
The further the mitigation is from the victim,
the more effective it is
Tracking crucial to identifying remote botnets in
real time

15
FloodGuard Mitigation

Mitigation using dynamic filtering
Allow good traffic while blocking attack traffic
Good traffic determined historically and
behaviorally
Per protection domain mitigation
Simultaneous filtering of attacks on multiple PDs
Per tracked link mitigation
Mitigation only links on which attack traffic is
successfully tracked

16
FloodGuard Management

Multiple functions
Live Attack management
Real-time Traffic monitoring
Continuous anomaly and traffic analysis
Multiple attack management modes
Manual
Interactive
Automatic
Flexible Real time Reporting
graphical reports
per PD detail reports
HTTP, Syslog, Email export
Role based management
Multi-tiered user access levels
Integrated with detection, tracking and
mitigation
Integrated with customer support systems
Remote secure access
Java-based UI

17
FloodGuard Solution Architecture
packets/flows
FloodGuard Appliance
rerouted attack traffic
scrubbing switch
re-injected scrubbed traffic
packets/flows
18
FloodGuard Deployment

Multiple Traffic Capture Methods
Packet capture (tapped or spanned)
Flow capture (netflow, cflow, sflow)
Different Footprints
Single appliance or multiple appliances
Choice of Footprint depends on
Traffic capture rate and
Number of independent protection domains
Alternate Mitigation Techniques
Inline using existing routers (Cisco, Juniper,
Others)
Sideline using FloodGuard-controlled scrubbing
switch
Remote Management
Java-based Live UI
HTTP-based Plots and Reports

19
Real Results NDS Live

HSP 1
16 Gbps of Ingress Traffic
Offered FloodGuard as a revenue generating
service
Example of Results
During July/August
97 of the servers attacked functioned 100
Remaining 3 were 75 responsive

HSP 2
1 Gbps of Ingress Traffic
Granularity set at /48
Completely automated detection, tracking, and
mitigation no manual intervention required
Example attacks being addressed 154K pkts/s _at_
140mbit/sec

20
Demo