APSolute Immunity with DefensePro Brochure Smart Network. Smart Business.


DESCRIPTION

This paper describes the Radware approach to protecting against web application threats and how to detect attacks on your application.

TRANSCRIPT

Page 1: APSolute Immunity with DefensePro Brochure

APSolute Immunity with DefensePro Brochure

Smart Network. Smart Business.

Page 2

APSolute Immunity: Your Business’ Clear Choice for Proactive Network Security

The Changing Threat Landscape: non-vulnerability attacks do not exploit any software design flaw and go undetected below existing network security radars.

Bots, HTTP flood attacks, Trojan horses, worms, application-specific vulnerabilities, application and network floods, brute force attacks – they are all out there, multiplying every day. Millions of opportunities ready to shut down, exploit or misuse your business network – resulting in anything from a mere workday nuisance to a national security threat. The motivation of hackers has evolved from notoriety to financial gain. Zero-minute threats have exploded, with vulnerabilities being sold instead of disclosed. Of more concern is a new breed of ‘stealth attacks’: non-vulnerability threats which do not exploit any software design flaw and go undetected below existing network security radars. Protecting the network perimeter alone is therefore no longer sufficient in a world where boundaries are increasingly erasing and threat sources are rapidly multiplying. Deploying standard network security tools is no longer sufficient against non-vulnerability attacks and zero-minute attacks, as standard signature protections and rate-based protections cannot detect attacks such as these, which aim to shut your network down or misuse your applications.

Figure 1: APSolute Immunity, featuring DefensePro, offers vulnerability-based and non-vulnerability-based threat protection

APSolute Immunity with DefensePro: Protect against vulnerability-based attacks and non-vulnerability attacks that seek to compromise the health of your application infrastructure

Radware’s award-winning DefensePro® is a real-time intrusion prevention system (IPS) and DoS protection device that maintains your business continuity by protecting your application infrastructure against existing and emerging network-based threats that cannot be detected by a traditional IPS, such as network and application resource misuse, malware spreading, authentication defeat and information theft. DefensePro features full protection from traditional vulnerability-based attacks through proactive signature updates, preventing already-known attacks including worms, Trojans, bots, SSL-based attacks and VoIP attacks.

Unlike market alternatives that rely on static signatures, DefensePro provides unique behavioral-based, automatically generated real-time signatures, preventing non-vulnerability-based attacks and zero-minute attacks such as network and application floods, HTTP page floods, malware propagation, web application hacking, brute force attacks aiming to defeat authentication schemes, and more. DefensePro does all this without blocking legitimate user traffic and without the need for human intervention.

With multiple-segment protection in a single unit, a “pay-as-you-grow” license upgrade approach and ease of management through “hands-off” security features such as no-configuration and self-tuning, DefensePro is the industry’s leading IPS for best functionality, maximum affordability and ease of management.

Page 3

FEATURES

Standard Network Security Protection:

Comprehensive Application Vulnerability Protection

DefensePro deploys a hardware-accelerated signature engine, which performs deep packet inspection from Layer 3 up to Layer 7. This allows it to prevent known application vulnerability attacks before they occur. DefensePro offers comprehensive application security for enterprises and data centers, cleaning Internet and internal traffic flows, including: web protection against IIS and Apache vulnerabilities; SQL injection and cross-site scripting; mail server protection against POP3, IMAP and SMTP vulnerabilities; SQL server and DNS service protection against SQL and DNS vulnerabilities; remote access protection against Telnet and FTP server vulnerabilities; protection of SIP servers, proxies and IP phones against SIP protocol violations, preventing shutdowns, denial of service and malicious takeovers; Microsoft vulnerabilities; and malware protection against worms, Trojan horses, spyware, phishing and backdoor attacks.

World-Recognized Security Operation Center

Radware’s Security Operation Center (SOC) is the prime research center for application vulnerabilities and exploitations and is responsible for issuing weekly signature updates, emergency updates and custom signatures. Radware’s SOC was the first to discover and disclose critical application vulnerabilities such as the iPhone denial of service vulnerability, Web 2.0 vulnerabilities, the Mozilla Firefox vulnerability and more. SOC researchers present their latest findings at industry events such as the Black Hat and RSA conferences.

Protection Against Encrypted, SSL-Based Attacks

SSL was designed to protect the privacy of sessions between clients and servers communicating over the public IP infrastructure. However, SSL traffic has a network security “Achilles heel”: it does not allow content inspection or enforcement of security policies. Hackers’ opportunities are wide open: attacks carried over SSL-encrypted sessions bypass all network security layers, including firewalls, IDS and IPS.

In conjunction with Radware’s AppXcel™ application accelerator appliance, DefensePro provides a powerful and scalable solution for protection against encrypted SSL-based attacks that would otherwise evade regular security inspection.

“Encrypted traffic is increasing gradually, a significant problem for IPS. As the percentage of Secure Sockets Layer and other encrypted traffic increases it presents a growing "blind spot" when SSL decryption is not in the product…IPS vendors must include SSL inspection to meet this challenge”

- Greg Young, John Pescatore, Gartner, February 2008 [1]

The Radware Difference: Real-Time Signature Protection

Radware’s DefensePro protects against emerging attacks including non-vulnerability attacks, zero-minute attacks and application misuse attacks through behavioral-based, automatic real-time signatures – all without the need for human intervention. Behavioral analysis of network-, server- and client-based traffic allows the creation of baselines for normal application traffic patterns. An expert system then identifies attacks in real-time and creates a real-time signature that blocks attacks without blocking legitimate user traffic. Radware behavioral analysis technology is protected by seven patents.

Non-Vulnerability Attack Protection

Non-vulnerability attacks use legitimate application services for malicious activity. Each attack session behaves like a legitimate user transaction. Non-vulnerability attacks do not rely on any application vulnerability, nor do they use malicious code, making detection and prevention impossible through standard signature-based technology.

Since no vulnerability-based signature exists, DefensePro creates a behavioral pattern that explicitly identifies the attack traffic and is valid only for the duration of the attack. This pattern is represented by the real-time signature, which is generated automatically and immediately. The real-time signature represents abnormal application behavior rather than malicious code.

Network floods, HTTP page floods, SIP Invite and Bye floods, Brute force attacks, Web application hacking, SIP subscriber scanning – all are non-vulnerability based attacks that use legitimate application transactions in order to: misuse network and application resources, defeat an authentication scheme, discover application vulnerabilities, scan for subscriber information or even invoke full service shut down.

DefensePro offers full protection against non-vulnerability attacks including:

• Brute force and dictionary attacks targeting HTTP, FTP, POP3, IMAP, SIP, MS-SQL and MySQL servers
• Web application hacking through web vulnerability scanning
• HTTP page flood attacks
• DoS/DDoS flood attacks

[1] Gartner, Inc., Magic Quadrant for Network Intrusion Prevention System Appliances, 1H08, Greg Young and John Pescatore, February 14, 2008.

Page 4

Proactive Zero-Minute Threat Protection

Typically traded by the hacking underground industry, a zero-minute threat exploits newly discovered vulnerabilities for which no patch or signature exists. Hackers and research organizations today are locked in a constant cat-and-mouse battle to discover and inform vendors about undiscovered threats. Hackers have added zero-minute vulnerabilities to their arsenal and employ targeted attacks using these undiscovered vulnerabilities, making detection nearly impossible.

With DefensePro, dealing with zero-minute attacks becomes simple. You do not need to set pre-defined security policies or employ rate-based rules, nor do you need to rely on vendor emergency signature updates. DefensePro detects and prevents zero-minute vulnerabilities automatically using behavioral analysis and creates a real-time signature on-the-fly, automating the vulnerability research center process. Malware spreading, network scans, and infected mobile users that plug into your network - all are automatically detected and prevented without need for human intervention.

“A major concern in deploying an in-line device is the blocking of legitimate traffic…DefensePro completed all our tests without raising a single false positive alert”

NSS Labs, April 2008

VoIP Service Misuse Protection

Despite its speed, flexibility and economies of scale, VoIP service is vulnerable to attacks on the signaling and voice stream channels. Misuse of the VoIP service may lead to voice quality degradation, service disruption, service fraud and Spam over Internet Telephony (SPIT).

DefensePro offers real-time protection against attacks that aim to misuse the VoIP service, such as:

• SIP brute force and dictionary attacks
• SIP server scanning
• SIP server flood attacks, including Invite floods, Register floods and Bye floods

Looking Closer at an HTTP Page Flood Attack

Generated from large-scale bot rings, HTTP page flood attacks are the next wave of extortion through DoS/DDoS attacks. Hundreds or thousands of HTTP bots start systematically downloading web pages (usually pages crafted with heavy graphics) from your web site. These are not necessarily high-rate attacks. They still overwhelm server resources, but they fly under the radar of traditional intrusion detection and prevention technologies because they contain no illegitimate application requests, break no application rule, and do not exceed pre-defined traffic or connection thresholds. The challenge remains: how to distinguish attack traffic from legitimate traffic?

DefensePro identifies abnormal web hit rates to mitigate HTTP page floods. In conjunction with abnormal user detection it prevents downloads generated by malicious users (Bots) only to the specific web pages under attack, while maintaining legitimate user access to the web site.

Figure 2: HTTP page flood attack scenario (diagram: the attacker issues a BOT command through IRC servers to several HTTP bots (infected hosts), each of which sends “GET /search.php HTTP/1.0” requests to the public web servers, misusing service resources)

Page 5

Most Accurate Attack Detection and Prevention:

In order to minimize false positives, DefensePro deploys multiple mechanisms for accurate attack detection and prevention:

• Stateful signature inspection, including protocol parsing, packet reassembly and multi-token signature search.
• Signatures are updated on a weekly basis and, in case of emergency, the same day. All signatures are extensively tested at real-world beta sites prior to release.
• An expert system that correlates rate-based and rate-invariant parameters, eliminating cases such as flash crowd access to a web site.
• Real-time signature creation using up to 20 different L4 to L7 header fields with OR/AND Boolean operations between header values, creating the narrowest filter.
• A closed feedback mechanism, engaged whenever a real-time signature is deployed, that optimizes the signature as the ongoing attack evolves or mutates and removes the signature when the attack is over.
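As an added example (not Radware’s code or DefensePro’s algorithm), the Python below sketches the detection logic the brochure describes for HTTP page floods (“Looking Closer at an HTTP Page Flood Attack”) and in the accuracy mechanisms listed above: a per-page baseline learned from a quiet window, a rate-based check for pages whose hit count exceeds it, a rate-invariant per-client check that separates bots from a flash crowd, and a real-time signature built by ANDing the header fields shared by every bot request, with a count of legitimate requests it would block. All traffic, field names and thresholds are constructed assumptions.

```python
from collections import Counter
# Requests are dicts of L7 fields a signature may AND together; all traffic here is constructed, not captured.
FIELDS = ("method", "uri", "user_agent", "version")
def req(ip, uri, ua, version="HTTP/1.1"):
    return {"src_ip": ip, "method": "GET", "uri": uri, "user_agent": ua, "version": version}

# Learning window: a quiet interval of legitimate browsing (the baseline, Figure 4 step 1).
NORMAL = [req("10.0.0.1", "/search.php", "Mozilla/5.0"), req("10.0.0.2", "/search.php", "Mozilla/5.0"),
          req("10.0.0.3", "/index.html", "Mozilla/5.0"), req("10.0.0.2", "/index.html", "Mozilla/5.0")]
# Window under test: the same users plus eight bots, each fetching /search.php five times.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0)"
FLOOD = NORMAL + [req(f"192.0.2.{i}", "/search.php", BOT_UA, "HTTP/1.0") for i in range(1, 9) for _ in range(5)]
# A flash crowd: twenty distinct real users each fetch /index.html once.
FLASH = NORMAL + [req(f"10.1.{i}.1", "/index.html", "Mozilla/5.0") for i in range(20)]

def baseline(learn):
    """Expected hit count per page, learned from the quiet window."""
    return Counter(r["uri"] for r in learn)

def abnormal_pages(base, window, factor=3):
    """Rate-based check: pages whose hit count exceeds the baseline by `factor` (Figure 4 step 3)."""
    seen = Counter(r["uri"] for r in window)
    return {u for u, n in seen.items() if n > factor * max(base.get(u, 0), 1)}

def abnormal_clients(learn, window, uri, factor=3):
    """Rate-invariant check: sources hitting `uri` far more often than any single user did while learning."""
    typical = max(Counter(r["src_ip"] for r in learn if r["uri"] == uri).values(), default=1)
    hits = Counter(r["src_ip"] for r in window if r["uri"] == uri)
    return {ip for ip, n in hits.items() if n > factor * typical}

def real_time_signature(window, uri, bots):
    """AND every field whose value is identical across all bot requests: the narrowest filter covering the attack."""
    attack = [r for r in window if r["uri"] == uri and r["src_ip"] in bots]
    sig = {}
    for field in FIELDS:
        values = {r[field] for r in attack}
        if len(values) == 1:
            sig[field] = values.pop()
    return sig

def evaluate(learn, window):
    """Detect floods, build a signature per attacked page, and count the legitimate requests it would hit."""
    base, report = baseline(learn), {}
    for uri in abnormal_pages(base, window):
        bots = abnormal_clients(learn, window, uri)
        if not bots:  # hot page but every client looks normal: a flash crowd, not a flood
            report[uri] = {"verdict": "flash crowd", "signature": None, "blocked": 0, "false_positives": 0}
            continue
        sig = real_time_signature(window, uri, bots)
        blocked = [r for r in window if all(r[f] == v for f, v in sig.items())]
        report[uri] = {"verdict": "page flood", "signature": sig, "blocked": len(blocked),
                       "false_positives": sum(r["src_ip"] not in bots for r in blocked)}
    return report
```

If the bots had copied the legitimate users’ header values exactly, the signature would collapse to just method and URI and the false-positive count would rise, which is the signal that a source-based filter (the closed feedback step) is needed instead.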

On Demand IPS Scalability: Best Investment Protection and Minimal Initial Investment:

Radware is the first to offer on-demand IPS scalability across its line of IPS models, which range from 100 Mbps all the way up to 8 Gbps. The line is complemented by Radware’s set of behavioral protection products, which range from 4 Gbps up to more than 12 Gbps of throughput, to offer the highest performance available. Based on its on-demand, “scale as you grow” approach, no forklift upgrade is required when your network bandwidth grows, guaranteeing short-term and long-term savings on CAPEX and OPEX for full investment protection.

You can start deployment with a certain bandwidth IPS product model. When business grows or network bandwidth grows you can simply upgrade your IPS to a higher bandwidth product model by applying a software license key. There is no need for hardware replacement, configuration conversion, lab testing, staging and training. And, the upgrade occurs without service downtime.

Comprehensive Security Management, Monitoring and Reporting:

With features that enable centralized device configuration, monitoring and reporting, Radware’s APSolute Insite management solution increases visibility and control of network security. Insite offers:

• The ability to customize security policies for each network segment using the Connect & Protect policy configuration table.
• Real-time dashboards that enable administrators to monitor top attacks, top attack sources and destinations, and malware spread activity in your network (see Figure 3).
• Traffic monitoring views that allow the admin to observe real-time network and server traffic behavior versus their learned baselines (see Figure 4), and the volume of attacks mitigated by DefensePro.
• Real-time security event monitoring and advanced forensics for examining historic network activity down to the packet level.
• Pre-defined and customized executive reporting capabilities to support security decision-making and investments (see Figure 5).

Figure 3: Real-Time Dashboard. A real-time dashboard provides security managers with immediate awareness of the top attacks against their networks and the affected systems.

Figure 4: HTTP Mitigator View. Real-time web server traffic monitoring enables the admin to view normal vs. real-time HTTP request rates, indicating abnormal request patterns generated by HTTP bots. Plot labels: (1) Baseline: expected request rate; (2) Real-time request rate; (3) Abnormal request rate; (4) Attack mitigated.

Figure 5: Executive Report Executive reports are generated and sent automatically by mail on preset dates, e.g., “weekly top attacks report every Monday @ 9:00 AM”

Page 6

Certainty Support

Radware offers technical support for all of its products through the Certainty Support Program. Each level of the Certainty Support Program consists of four elements: phone support, software updates, hardware maintenance, and on-site support. Radware also has dedicated engineering staff that can assist customers on a professional services basis for advanced project deployments.

Learn More

To learn more about how Radware’s integrated application delivery solutions can enable you to get the most out of your business and IT investments, email us at [email protected] or go to www.radware.com.

© 2008 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks or trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A.

Why Radware?

Radware, with more than 10 years of experience, is the industry leader in integrated application delivery solutions. Over 6,000 companies worldwide use Radware’s award-winning APSolute™ application delivery solutions and network security solutions to ensure the full availability, maximum performance and complete security of their networked and IP-based applications. Virtually all major sectors, including finance, education, manufacturing, retail, insurance, government, healthcare, transportation, services, wire-line and cellular carriers, rely on Radware every day to reduce costs, drive business productivity, and improve profitability. Let Radware make your network “business-smart” so you can also get the greatest value from your business and IT data center investments.

DefensePro Business Value

Maintain business continuity of operations (COOP) even when the network is under attack
• Maintains critical application availability while under attack
• Blocks attacks without blocking legitimate user traffic

Best security coverage
• Real-time protection from non-vulnerability-based attacks, zero-minute attacks, SSL-based attacks and VoIP service misuse
• Vulnerability-based signature detection engine with proactive signature updates, preventing known application vulnerability exploitations

Accurate attack detection and prevention. Extremely low false positives due to:
• A real-time signature that is generated per attack pattern only, using up to 20 different parameters
• A closed feedback mechanism that optimizes the real-time signature as the ongoing attack evolves or mutates and removes the signature when the attack is over
• Vulnerability-based signatures tested extensively at real customer beta sites

Reduces total cost of ownership (TCO) of security management
• Full investment protection and extended platform lifetime thanks to the pay-as-you-grow license upgrade scalability, delivering best ROI and CAPEX investment protection
• Increased savings on OPEX through a self-learning, self-adapting system that requires minimum configuration and is maintenance free
• Seamless integration into the network environment

“Overall we found the DefensePro…to be a robust and capable Attack Mitigator and believe that it should be on any short list as a candidate for a mitigation solution on the network perimeter.”

NSS Labs, April 2008