A Network's New First Line of Defense


WHITE PAPER

A Network's New First Line of Defense

Firewalls can't block many of today's cyber attacks. Here's what you can do to stop them cold.

Introduction

In September and October of 2012, the websites of Bank of America, JPMorgan Chase, Wells Fargo, US Bank, PNC Bank and Capital One all suffered day-long slowdowns and, at times, complete outages. Security experts put the blame on malicious denial-of-service attacks and say this is the largest cyber attack they've ever seen. Ostensibly the aim of the attacks was not to steal data but to prevent legitimate customers from accessing the essential websites by overwhelming the banks' IT infrastructure. Experts theorize the intent was to disrupt financial transactions as well as undermine the trust that customers have in their financial institutions.

More than most industries, the financial services sector goes to great lengths to build secure networks that are supposed to be impervious to attack. Their retail and commercial customers rely on online banking and other financial services delivered over the Web. A network slowdown or even a short outage can result in a significant loss of revenue for a bank as well as a very dissatisfied customer base. In some cases, customers of the banks could even sustain a loss of revenue if their financial services aren't available to them when needed.

Unfortunately, this scenario isn't unique to financial institutions. Distributed denial-of-service (DDoS) and other advanced cyber attacks are becoming more commonplace against virtually every type of organization with a public Web presence. These attacks are cheap and easy to conduct, largely because there's no need to actually penetrate the network. DDoS toolkits and vast botnets available for rental make it easy for practically anyone with a cause or a grudge to launch and sustain an attack that prevents legitimate users from accessing a business's Web services. Depending on the strength and duration of the attack, the consequences for the business can be disastrous.

Attacks aren't the only cause of unwanted Web traffic.
Some businesses may have competitors visiting their website to screen-scrape information on Web pages. For example, travel-oriented websites routinely gather information from numerous companies' websites in order to display competitive prices, say for rental cars or airfares. (See Figure 1.) These travel sites send out commands to competitors' sites to display pages of information that is then scraped for display back at the original travel site. Though this isn't a denial-of-service attack for a site that's being queried, it may be considered nuisance traffic that needlessly consumes IT resources.

Figure 1: Comparison sites create unwanted traffic

For most organizations, one or more firewalls usually comprise the first line of defense charged with stopping unwanted and nefarious traffic coming into the network. Certainly the banks that were attacked had firewalls at their network perimeters. Perhaps they even had a cloud-based DDoS solution or an Internet service provider (ISP) clean-pipe service in place. So what happened? How could the attack traffic get past the existing security measures to fully disrupt access to the critical Web applications? Why didn't the firewalls do their job?

The simple fact is that the firewalls did perform their job. These devices did what they were designed to do: evaluate incoming traffic against a set of policies. The problem is that many of today's types of cyber attacks are specifically designed to overload or evade firewalls (even next-generation firewalls) to get to the heart of a network's server and application infrastructure and disrupt its normal operations. When this occurs, a firewall is completely inadequate as a network's first line of defense.

If a cloud-based DDoS prevention service or other ISP service was in place, why didn't this stop the attacks?
As the sophistication of cyber attacks and the determination of attackers both continue to increase, many of these standalone services and technologies simply cannot cover the depth and breadth of today's attack vectors, and attackers are aware of this shortcoming. According to the security solutions vendor Kaspersky Labs, more than 70% of the server-based attacks observed today are application-layer DDoS attacks. These "low and slow" attacks are specifically designed to bypass cloud-based and ISP defenses undetected, melting down servers without filling Internet pipes.

Cloud-based DDoS solutions are excellent at blocking large-scale volumetric attacks that are targeted on filling pipes with nothing but attack traffic, but low and slow attacks easily pass through most providers' safeguards completely undetected. Again, attackers know this.

ISP clean-pipe services are excellent at using black-hole routing to block attackers at their source. Attackers simply adjust their tactics to spoof their source IP addresses to appear to come from the parts of the world where the victim company does business. They will spoof traffic to make it appear to come from the victim's partners, customers, locations, etc. Attackers know that if they start to spoof these addresses, the usage of black-hole routing will effectively block legitimate traffic along with the attack traffic. At the end of the day, the attack is successful, resulting in lost revenues, dissatisfied users and a bad reputation.

Organizations need to shore up their network perimeter with a new red line: a security device specifically designed to detect and stop unwanted traffic before it can overrun the firewall and expose the IT infrastructure to performance issues or even catastrophic failures. This new first line of defense must be able to distinguish between harmful attack traffic that mimics legitimate traffic and the real and true customer traffic that businesses want and welcome.

In this white paper, we examine this need for a new first line of defense and why existing infrastructure tools like firewalls and intrusion prevention systems don't meet the need. We look at the key steps of protection that a new type of solution must provide in order to mitigate today's types of cyber attacks. And finally, we look at how Corero's First Line of Defense solution prevents DDoS attacks and protects the investment in existing infrastructure.
Modern-day attacks put extreme stress on IT infrastructure

If you think about why businesses build networks, the very primal reason is to give legitimate or "good" users access to the servers that host their business applications and data. In the case of Web-based applications, users come into the application via the Internet, typically with structured requests to access specific Web pages and content. These pages may need access to databases and content servers that are built to sustain a certain volume of traffic (or requests) in a given time. Figure 2 below is a simple illustration of a typical network topology representative of an enterprise network, a data center, a disaster recovery site, or the like.

Figure 2: Illustration of a typical network topology

On the left in Figure 2 is a router that provides Internet connectivity into the network. On the far right are the servers and applications that provide content to legitimate customers and employees. In between are border firewalls and other essential Web management devices such as intrusion prevention systems (IPS), server load balancers (SLB) and Web application firewalls (WAF).

In the green cloud on the left are the good users that generate the desired customer traffic. These good users might be customers, prospects, business partners or employees. The network was built so that they can have streamlined access to the resources and applications they need. It also was built for uptime and performance. Therefore, the firewall's policies are generally written to allow traffic from these users to flow unabated.

Unfortunately, the reality today is that the Internet is full of attackers who understand the existing vulnerabilities of the typical IT infrastructure. Attackers exploit these vulnerabilities using volumetric or other attacks, including advanced evasions, SYN floods, server-side exploits and other low and slow application-layer DDoS attacks, as shown in Figure 3.

Figure 3: A typical network topology under attack

During a DDoS attack on your infrastructure and applications, the incoming bad traffic can look quite similar to good traffic, at least on the surface. For example, there might be a request to load a specific Web page, such as a page with a product description on a shopping website. A user who asks for this page once or even a few times is generating good or desired traffic because he might be looking to make a purchase. But when a user (or more likely a bot computer) or a thousand computers in a botnet request that same page a hundred times each in rapid succession, this is bad traffic. The sole reason to repeatedly make that page request is to overwhelm the server and database that must work to present the page to the user. When this happens, the service of that application or website is denied to legitimate users.

When the firewall is the first line of defense against such attacks, a number of things can happen to the network infrastructure on a technical level:

- Firewalls oftentimes get overworked when processing large numbers of connections for both good and bad traffic. Even a large-capacity firewall can become flooded with activity and become so degraded that it begins adding significant latency and, even worse, often starts dropping good traffic.
- IT infrastructure gets stressed processing not only the good traffic but the bad traffic as well.
- Servers are often overwhelmed with unnecessary traffic, resulting in unresponsive applications. For example, a server CPU may go to 100% usage and degrade performance for every application dependent on that server. This may include applications totally unrelated to the Web process under attack, causing a ripple effect of downtime for many of the organization's applications.

When the IT infrastructure is slow to perform or simply unavailable, the business impacts can include:

- Lost revenue based on the loss of intended transactions that can't go through
- Dissatisfied good users who get tired of waiting on a service that is slow or unresponsive
- Loss of trust and reputation when the public learns that the business is unable to protect its computing assets

The current infrastructure isn't capable of dealing with these attacks

Firewalls are a good and necessary part of every network with external access. These devices are typically the separation point between an organization's private network and everyone else. Even in the face of the new DDoS attacks, such as the example described above, firewalls are still a critical network component. However, the people who initiate DDoS and other modern-day attacks know the limitations of what a firewall can do and exploit those limitations.

At its most basic level, a firewall's primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a predetermined rule set. The first generation of firewalls was originally designed to block incoming ports to prevent unauthorized access to data and services. The packet inspection, or filtering, was generally limited to the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers.

Second-generation firewalls add the ability to operate up to Layer 4, the transport layer of the OSI model. The firewall records all connections passing through it in a state table and determines whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. This is known as stateful packet inspection.
Though static rules are still used to approve or reject traffic, these rules can now contain connection state as one of their test criteria. Typical state tables for most firewalls have a limited number of entries. Attackers know this and use it to their advantage. Certain DDoS attacks bombard the firewall with thousands of fake connection packets in an attempt to overwhelm it by filling its connection state memory. When the firewall is saturated, it may begin to drop good traffic or, even worse, reboot to clear out its state table. Given that this is the current first line of defense for most networks, firewalls simply do not have the capacity and are not up to the task of fending off large volumetric attacks.

Many next-generation firewalls profess to have a built-in DDoS defense feature. The marketing claims are often misleading as to the true capabilities of the feature. As an example, one of the leading vendors of a high-capacity next-generation firewall has designed its DDoS protection feature such that good and bad traffic are treated equally when the firewall is under a DDoS attack. If the proportional amount of bad traffic is significantly higher than the amount of good traffic (which is almost always the case when under attack), some bad traffic is dropped but a lot of it gets through the firewall and brings down backend servers even while the firewall stays up.

As for the other security devices behind the firewall (for example IPS, SLB and WAF), they were designed to perform deep packet inspection (DPI), load balancing, application proxying, input inspection, etc. They were not designed to eliminate the noise coming from the Internet first before performing their inspection.
When they come under a direct attack or feel the effects of an attack elsewhere in the network, the reality is that they end up performing massive amounts of deep packet inspection on unnecessary traffic, which increases latency and reduces throughput across the network. The common thread is that while these devices are providing point solutions for security and/or performance, they still have to deal with all the traffic, good and bad, much of the time. As a result, legitimate traffic gets slowed down, malicious attacks slip through undetected, and excessive logs are generated, which floods logging systems and skews reports. At the end of the day, the legitimate and desired customer traffic is negatively impacted because the bad traffic is overwhelming the IT infrastructure.

In order to allow the existing firewall, IPS, SLB, WAF and other similar devices to do the jobs they are intended to do, there is a need for a new type of technology to be deployed at the very edge of the network, in front of the firewall and other devices. This new first line of defense must effectively stop the unwanted traffic (i.e., the "noise") from reaching and overwhelming the firewall and other infrastructure components. When the noise is removed, the network can do what it's intended to do: allow the good customer traffic to have streamlined access to applications and data.

Key steps of protection for any first line of defense

Any solution that claims to be a first line of defense in today's ever-changing threat landscape must be able to provide several key steps of protection. These steps move successively deeper into the protocol stack to inspect the packets more closely in order to address far more issues than any firewall alone can mitigate. These steps are necessary to stop DDoS and other advanced attacks before they reach the network. When the noise is blocked, an organization is better able to ensure that firewalls, load balancers, servers and databases are working on genuinely desired traffic, thus protecting the IT infrastructure, eliminating downtime, and improving the robustness of all Web-facing services.

The five key steps of protection include:

1. Restrict access to the network from sources that are known or appear to be attackers.
2. Limit the rates at which traffic can enter the network.
3. Ensure that traffic conforms to desired types of behavior.
4. Look for known security issues in the traffic.
5. Provide visibility to better secure the network against future threats.

Figure 4: The key steps of protection for a first line of defense solution

Each of these steps has a series of questions that help guide a better defensive solution.

1. How can an organization restrict access to its network?
   a. Does the traffic come from a known attacker?
   b. Is the traffic coming from a geolocation in a part of the world that the organization doesn't do business with?
   c. Is the traffic originator on a list of malicious or unwanted IP addresses, either provided by internal log intelligence or intelligence gathered elsewhere?

Inspection of traffic at this level involves primarily looking at source IP addresses and comparing them to known bad IP addresses via reputation, geolocation and other customized lists of unwanted source IP addresses provided by the customer or elsewhere.
Once traffic passes through the first gate of restricted access, more inspection must be performed concerning the rate of the traffic to head off volumetric attacks.

2. At what rate can traffic enter the network?
   a. Is the traffic acting like an attacker? For example, half-open connections, inability to complete a transmission control protocol (TCP) three-way handshake, etc.
   b. Why does this user have thousands of connections open to a target (victim) server?
   c. How can application abusers be controlled?

Inspection of traffic at this level involves dynamic threat assessment as a way of determining the threat level of unknown attackers. Limiting concurrent client and client-group TCP connections plus analyzing request and response behaviors are techniques used to detect too many requests, too many connections and other anomalous network- and application-layer usage.

Assuming that traffic is not flagged for entering the network at an abnormal rate, the next step is to look at its behavior.

3. Is the traffic conforming to desired behavior?
   a. Is the traffic conforming to established protocols?
   b. Are there questionable protocols or protocol violations within the allowed traffic?
   c. Can the traffic be inspected bi-directionally?

Inspection of traffic at this level involves primarily looking at clients, servers, ports, protocols, allows, blocks, IPS rule sets and security policy enforcement. Stateful protocol analysis as a way of protocol enforcement resides at this level, as well as bi-directional traffic inspection.

If the traffic has appropriate behavior, the next step is to inspect the actual payloads.

4. Does the traffic contain known security issues?
   a. What are the traffic's payloads actually carrying?
   b. Are there any server-side exploits or malware in the headers or payloads?
   c. Is advanced evasion being used in blended attacks?

Inspection of traffic at this level involves deep packet inspection, attack and vulnerability signatures, overflow, injection and brute-force password protection, and advanced evasion detection.
Once traffic gets to this point in the inspection process and it has passed all the tests, most likely it is good customer traffic that can be allowed past this first line of defense. However, given that attacks are continuously changing and growing more sophisticated, there is one more step of protection to consider in a new first line of defense solution: increased visibility.

5. How can added visibility secure my network better against future threats?
   a. How can the network be better protected against future threats?
   b. Will increased visibility allow a better understanding of what's going on at the perimeter?
   c. Will this visibility increase the ability to better control traffic?

A solution that can take these five steps and go deeper and deeper into analyzing and approving or rejecting all network traffic before it reaches the firewall will eliminate the problem of an IT infrastructure that is overwhelmed by volumetric and other modern-day attack methods.

The Corero First Line of Defense Solution delivers protection for every step

The Corero First Line of Defense solution is purpose-built to meet all of the criteria of the key steps of protection listed above. Corero uses an industry best-practices approach to answering the critical questions and developing sophisticated processes to thoroughly evaluate network traffic. Placed at the outermost position of the network perimeter (even beyond the firewall), the Corero solution weeds out attack and other unwanted traffic while allowing good customer traffic to proceed. (See Figure 5.) By filtering out the bad traffic before it ever reaches the firewall, IPS, SLB, etc., these devices can do their intended jobs more efficiently and effectively.

Figure 5: The Corero First Line of Defense is at the network perimeter

The sections ahead look at each of the five critical steps of protection and how the Corero First Line of Defense solution uniquely executes on every step to effectively prevent DDoS and other advanced cyber attacks. Going beyond the physical, data link and network layers, the Corero solution addresses levels 3 through 7 of the OSI model: the transport, session, presentation and application layers.

Step 1: Restrict access

The industry best practice for controlling access to a network is to execute control based upon dynamic reputation of IP addresses. There are known bad IP addresses, questionable sources, and unknown attackers that pose threats. Therefore, the first step in Corero's process is to block traffic coming from sources that are known to be bad and then to thoroughly scrutinize all other traffic based on reputation, geolocation and potential threat. Corero's First Line of Defense solution uses real-time reputation updates, current geolocation information and real-time threat detection to evaluate inbound traffic.

ReputationWatch

Sophisticated botnets and denial-of-service attackers change their identities frequently and often hide using anonymized IP addresses. Corero's ReputationWatch service identifies malicious IP addresses on the Internet (even hidden ones) in real time and delivers a continuous global intelligence feed to the Corero First Line of Defense system.
Using up-to-the-minute, IP-based information, ReputationWatch automatically identifies and blocks access from:

- Known sources that have participated in DDoS attacks
- Bots (computers) that fall within identified botnet command structures
- Systems delivering specially crafted denial-of-service exploits, such as KillApache
- Anonymized IP addresses behind proxies
- Identified sources of malicious content attacks
- Phishing sites
- Spam sources

In addition, ReputationWatch provides geolocation technology that allows an organization to enforce policy based on the national origin of IP addresses. For example, an administrator can limit or exclude traffic from countries where the company does no business or countries associated with a high number of attackers.

On-Demand Shunning

The Corero First Line of Defense solution can quickly and temporarily block all traffic initiated by IP addresses that are suspected of launching an attack or otherwise identified as requiring their traffic to be blocked. This action is called shunning. Shunning an attacker's IP address at an ingress point to the network reduces the possibility of expanding the attack to other targets within the environment protected by the Corero First Line of Defense. Shunning is applied to traffic whose source IP address matches a shunned IP address.

Step 2: Limit the rates of traffic

An unnatural rate of traffic coming into a network is a strong indication of an attack. There may be users with way too many requests or open connections. For example, computers that are part of a botnet may ask for the same HTTP object over and over again, or ask for objects that don't exist. Or, a botnet may be sending large numbers of DNS requests to the victim DNS server(s). There are numerous types of excessive-rate indicators of an attack. The industry best practice recommends identifying anomalous behavior to mitigate such rate-based attacks. Corero's First Line of Defense solution does this using several techniques.

Dynamic Threat Assessment

The Corero First Line of Defense solution has the ability to dynamically determine the threat level of over 2 million source IP addresses on a single unit at any given time. For example, when a packet arrives from a new or unknown IP address (meaning the source IP address is not currently in the Corero unit's state table), the device attempts to determine the threat level of this unknown client. If the client is exhibiting good IP behavior, the device will quickly promote the client to Trusted Status and allow traffic from the Trusted Client. If, however, the client is exhibiting bad IP behavior, the device quickly demotes the client to a Malicious Status and blocks all traffic from the Malicious Client. This entire process is designed to allow that one good user access to the network while simultaneously blocking a volumetric, rate-based DDoS attack.

A side effect of Corero's dynamic threat assessment is the ability to obfuscate the results of scanners, which hinders pre-attack port-scanning reconnaissance attempts. Typically, attackers utilize widely available tools to profile victims in the effort to detect open ports and public-facing applications.
Corero's First Line of Defense deters what is normally the precursor to a targeted attack on applications, servers and other infrastructure. If attackers find it difficult or confusing to correctly profile a victim's infrastructure, they may move on to easier targets elsewhere.

Request-Response Behavior Analysis

This technique protects against unwanted application-layer behavior. Corero assigns credits and/or demerits based upon a user's HTTP/HTTPS/DNS behavior. Based on the assigned number of credits or demerits, the system distinguishes good user traffic from attack traffic and dynamically allows or blocks incoming traffic on a per-client basis.

Connection Behavior Limiting

This process protects against TCP connection floods by controlling the maximum number of allowable TCP connections from any single group and/or any single source IP.

Advanced Demerit Score Analysis

PCs that have been recruited into botnets don't always operate as a bot. This advanced scoring technique protects against botnets sending excessive requests, but also allows for the periodic restoration of credits for the dynamic assessment of client traffic.

Step 3: Ensure behavior conformance

If Web traffic has passed the previous two steps, the next measure is to look at whether it conforms to desired behavior. Examples of non-conformance are users that are violating protocol and application usage standards or corporate usage policies, and questionable outbound traffic not conforming to policies and/or standards. The Corero First Line of Defense solution uses three techniques to evaluate traffic at this stage.

Policy Management

The Corero solution provides extremely granular Policy Management capabilities. Corero addresses the potential for undesired network and application access by adopting a unique policy-based stateful firewall stance. In the First Line of Defense solution, Corero provides IP fragment abuse protection, Layer 2 and Layer 3 filtering, and stateful firewall filtering.
An administrator can configure the firewall filters to control who gets access to which servers and applications connected to the network, thereby preventing a malicious user from gaining entry to steal or destroy valuable intellectual property.

Stateful Protocol Analysis

Stateful Protocol Analysis (SPA) is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. In simpler terms, SPA is a technique for inspecting all the packets of a network transaction and comparing the observed content and characteristics to what is allowed, expected, or required, based upon the network protocol specifications and known implementations, and taking the appropriate actions (e.g., detection or blocking) on SPA violations.

Stateful protocol analysis is quite different from inspecting traffic against a list of pattern-matching signatures or using simple and rudimentary protocol header checks. SPA provides increased protection against unknown (zero-day) network-borne cyber threats. This technique has been demonstrated to detect and block backdoor channels and specially crafted packet DDoS attacks. In some implementations, SPA can be very resource-intensive. However, the Corero First Line of Defense solution has the horsepower required to inspect traffic at wire speeds against a wide variety of Stateful Protocol Parsers for the most commonly used Internet protocols while maintaining less than 60 microseconds of overall inspection latency.

Complete Traffic Inspection

The Corero First Line of Defense solution has the ability to conduct bi-directional traffic inspection, which plays a role in detecting unwanted application usage behaviors. For example, there is a DDoS attack tool called Hulk that floods HTTP Web servers with an infinite number of random requests. The tool is designed to create a new request that is different from the preceding request, over and over again. Because this tool and others like it are designed to circumvent attempts to use signature payload pattern-matching techniques, the transactions generated by these tools are very hard for the average security solution to detect. Since the Corero solution inspects both inbound client requests as well as the outbound server responses, demerit scores can be applied to the client based upon a server response. For instance, if an attacker is requesting an object that does not exist, the server would normally respond with a 404 "page not found" error, which is detected by the Corero solution bi-directionally. Demerits would be attributed to that client's credit pool. If the credit pool is diminished for any given client, all traffic from that client is blocked.
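The credit-pool mechanism described here, together with the Request-Response Behavior Analysis and Advanced Demerit Score Analysis techniques under Step 2, worked through on constructed traffic as an added example (illustrative code, not Corero's; the pool size, demerit weights, repeat window and restoration interval are assumed values):

```python
"""Per-client credit/demerit scoring driven by request-response behaviour.

Illustrative code, not Corero's.  Each client starts with a pool of credits;
demerits are charged when the server answers 404 (a request for an object that
does not exist) and when the same object is re-requested within a short
window.  A client whose pool is exhausted is blocked; idle time slowly
restores credits so a host that stops misbehaving can recover.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

MAX_CREDITS = 10          # assumed size of a fresh client's credit pool
DEMERIT_NOT_FOUND = 2     # assumed charge when the server's response is 404
DEMERIT_REPEAT = 1        # assumed charge for re-requesting a path within REPEAT_WINDOW
REPEAT_WINDOW = 5.0       # seconds
RESTORE_INTERVAL = 60.0   # assumed: one credit restored per interval of idle time


@dataclass
class ClientState:
    credits: int = MAX_CREDITS
    last_seen: Optional[float] = None
    recent: deque = field(default_factory=deque)  # (timestamp, path) of recent requests


class BehaviorAnalyzer:
    """Scores each inbound request against the outbound response it produces."""

    def __init__(self):
        self.clients = defaultdict(ClientState)

    def status(self, ip):
        """Trusted while credits remain; Malicious once the pool is exhausted."""
        return "malicious" if self.clients[ip].credits <= 0 else "trusted"

    def _restore_credits(self, st, now):
        # Periodic restoration: idle time earns credits back, capped at the pool size.
        if st.last_seen is not None:
            earned = int((now - st.last_seen) // RESTORE_INTERVAL)
            if earned:
                st.credits = min(MAX_CREDITS, st.credits + earned)
        st.last_seen = now

    def _is_repeat(self, st, now, path):
        # Expire entries that fell outside the window, then look for the same path.
        while st.recent and now - st.recent[0][0] > REPEAT_WINDOW:
            st.recent.popleft()
        repeat = any(p == path for _, p in st.recent)
        st.recent.append((now, path))
        return repeat

    def process(self, now, ip, path, response_status):
        """Return 'block' if the request is dropped at the edge, else 'allow'.

        response_status is what the server returns when the request is
        forwarded; it is only consulted for allowed requests.
        """
        st = self.clients[ip]
        self._restore_credits(st, now)
        if st.credits <= 0:
            return "block"
        demerits = DEMERIT_REPEAT if self._is_repeat(st, now, path) else 0
        if response_status == 404:
            demerits += DEMERIT_NOT_FOUND
        st.credits -= demerits
        return "allow"


def run(log):
    """Replay (timestamp, client_ip, path, status) records; return a per-client summary."""
    analyzer = BehaviorAnalyzer()
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip, path, status in sorted(log):
        verdict = analyzer.process(ts, ip, path, status)
        summary[ip]["allowed" if verdict == "allow" else "blocked"] += 1
    for ip, row in summary.items():
        row["credits"] = analyzer.clients[ip].credits
        row["status"] = analyzer.status(ip)
    return dict(summary)


# Constructed sample traffic (not captured data).
GOOD = "203.0.113.10"      # shopper browsing distinct pages, with one typo
HULK = "198.51.100.7"      # randomizer tool: every request is a new, bogus path
REPEATER = "198.51.100.8"  # bot re-requesting the same product page

SAMPLE_LOG = (
    [(10.0 * i, GOOD, f"/product/{i}", 200) for i in range(6)]
    + [(70.0, GOOD, "/prodcut/7", 404), (400.0, GOOD, "/cart", 200)]
    + [(100.0 + 0.05 * i, HULK, f"/x/{i:06d}", 404) for i in range(12)]
    + [(200.0 + 0.02 * i, REPEATER, "/product/42", 200) for i in range(30)]
    + [(500.0, REPEATER, "/product/42", 200)]  # returns after a quiet spell
)

if __name__ == "__main__":
    for ip, row in run(SAMPLE_LOG).items():
        print(ip, row)
```

The shopper keeps its pool despite one 404, the Hulk-style client is blocked after five bogus requests, and the repeating bot is blocked after eleven but earns credits back after five minutes of silence, which is the periodic restoration the Advanced Demerit Score Analysis section describes.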
This is an effective way of detecting the actions of randomizer-like attack tools.

Step 4: Look for known security issues

Typically, known security issues are specifically targeted attacks against server infrastructure. They include traffic containing buffer overflows, injections and brute-force password attacks. Attack traffic also can contain random malware and exploits as part of its payloads, and although they are not necessarily targeted at server infrastructure, these vulnerabilities do exist and must be protected against. Further, advanced evasion techniques such as fragmentation and segmentation can be used to obfuscate (hide) attacks. Often Advanced Evasion Techniques (AET) are used in blended attacks.

Application Attack Defense

The Corero First Line of Defense solution provides a range of techniques that defend against application attacks, including:

- Buffer Overflow and Injection Protection for a wide array of operating systems and Web-based applications
- Alerting for FTP and SSH brute-force password cracking attacks
- High-speed Deep Packet Inspection (DPI) that compares traffic against a host of known signatures
- Unique fragment reorder engines that detect all types of advanced evasion techniques

Step 5: Provide visibility

Cyber attacks are becoming more advanced as well as more frequent. Attackers are growing more sophisticated in the ways they exploit network vulnerabilities and evade detection. In order to fight fire with fire, security experts need more visibility into what is happening at their network's perimeter. They need to be able to answer questions like: Who are the attackers? What are they attacking? How are they attacking? Where are my vulnerabilities? How can I better protect my network against future threats? The Corero First Line of Defense solution incorporates a multi-pronged approach to increase the needed visibility.

Security Operations Centers

Many businesses have a shortage of expertise in overall perimeter protection.
Corero Network Security remedies this situation through the expertise provided by Corero and our partners Security Operations Centers. These centers combine state-of-the art monitoring workstations, high speed Internet connectivity, and the companies most experienced engineers, standing ready to help customers realize the value of their security solutions. Centralized Management Although each Corero First Line of Defense device supports its own Web-based management GUI, the devices are also capable of being managed from a central console. This allows for central management of security updates, policy creation/ versioning/distribution, real-time alerting and drilldown, patch fi xes and software revision distribution. An administrator gets the insight and control he needs, including real-time attack statistics, security event drilldown, and real-time policy control. 9
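The credit-pool scoring described under Complete Traffic Inspection above, written out as an added Python example. This is illustrative code, not Corero's implementation: the request/response pairs are constructed sample values, and the starting credit, the demerit cost per response class and the small reward for a served request are assumed numbers, since the paper gives none. It shows why a user who follows one stale link is never blocked while a randomizer tool drains its pool in a handful of requests.

```python
"""Credit-pool scoring driven by server responses (constructed example)."""
from collections import defaultdict

# Constructed request/response pairs: (client_ip, request_path, status_code).
# Made-up sample values, not captured traffic.
SAMPLE_TRAFFIC = [
    ("203.0.113.5", "/index.html", 200),
    ("203.0.113.5", "/about", 200),
    ("203.0.113.5", "/old-page", 404),        # one stale link: a small penalty
    ("198.51.100.9", "/x7f3k", 404),          # randomized paths, every one a 404
    ("198.51.100.9", "/q1z9p", 404),
    ("198.51.100.9", "/m0v4r", 404),
    ("198.51.100.9", "/a8b2c", 404),
    ("198.51.100.9", "/index.html", 200),     # pool exhausted: this request is blocked
    ("203.0.113.5", "/contact", 200),
]

# Demerit cost per response class and starting credit: assumed values for the
# example, the paper states no numbers.
DEMERITS = {404: 25, 400: 10, 500: 5}
INITIAL_CREDIT = 100
REWARD = 5  # credit regained per well-formed, successfully served request


class ClientCreditTracker:
    """Tracks a credit pool per client and blocks a client whose pool is exhausted."""

    def __init__(self, initial=INITIAL_CREDIT, demerits=DEMERITS, reward=REWARD):
        self.initial = initial
        self.demerits = demerits
        self.reward = reward
        self.credits = defaultdict(lambda: initial)
        self.blocked_requests = defaultdict(int)

    def handle(self, client, status):
        """Decide on the inbound request, then score the outbound response.

        The request is admitted while the client still has credit. The server's
        response then either costs credit (error responses, 404 in particular)
        or restores a little of it.
        """
        if self.credits[client] <= 0:
            self.blocked_requests[client] += 1
            return "block"
        cost = self.demerits.get(status, 0)
        if cost:
            self.credits[client] = max(0, self.credits[client] - cost)
        else:
            self.credits[client] = min(self.initial, self.credits[client] + self.reward)
        return "allow"

    def blocked_clients(self):
        """Clients whose credit pool has been fully diminished."""
        return sorted(c for c, credit in self.credits.items() if credit <= 0)


def run(traffic, tracker=None):
    """Replay request/response pairs; return the per-request decisions and the tracker."""
    tracker = tracker or ClientCreditTracker()
    decisions = [tracker.handle(client, status) for client, _path, status in traffic]
    return decisions, tracker


if __name__ == "__main__":
    decisions, tracker = run(SAMPLE_TRAFFIC)
    for (client, path, status), decision in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{client:14} {path:12} {status}  -> {decision}")
    print("blocked:", tracker.blocked_clients())
```

The decision is taken on the request and the score is updated from the response, which is the bi-directional part: an inspection point that only sees the inbound side has no way to know that the requested object did not exist.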
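The fragment reorder engine listed under Application Attack Defense above, shown as an added Python example rather than Corero's own code. Fragments are modelled as a small dataclass (datagram id, byte offset, more-fragments flag, payload); the three datagrams and the single signature are constructed for the example. A per-fragment matcher misses a signature that is split across pieces or delivered out of order, while reassembly finds it, and overlapping fragments are flagged instead of silently resolved, since hosts disagree on which copy wins.

```python
"""Reassemble fragments before signature matching (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # identifies the original datagram
    offset: int     # byte offset of this piece within the datagram
    more: bool      # True unless this is the final fragment
    payload: bytes


# One sample signature for the example (a common path-traversal pattern).
SIGNATURES = (b"../../etc/passwd",)

# Constructed sample fragments, deliberately out of order and overlapping.
SAMPLE_FRAGMENTS = [
    # Datagram 1: the signature is split across three pieces, last piece first
    Fragment(1, 26, False, b"swd HTTP/1.0"),
    Fragment(1, 0, True, b"GET /cgi-bin/../"),
    Fragment(1, 16, True, b"../etc/pas"),
    # Datagram 2: benign request in a single piece
    Fragment(2, 0, False, b"GET /index.html HTTP/1.0"),
    # Datagram 3: second fragment overlaps the first by four bytes
    Fragment(3, 0, True, b"AAAAAAAA"),
    Fragment(3, 4, False, b"BBBBBBBB"),
]


def match_per_fragment(frags):
    """What a signature engine without reassembly sees: each piece in isolation."""
    return [f for f in frags if any(sig in f.payload for sig in SIGNATURES)]


def reassemble(frags):
    """Group fragments by datagram id, order them by offset and rebuild the payload.

    Returns {ident: (payload, anomalies)}; anomalies records overlaps, gaps and
    incomplete datagrams so the caller can treat them as suspicious.
    """
    groups = defaultdict(list)
    for f in frags:
        groups[f.ident].append(f)
    out = {}
    for ident, parts in groups.items():
        parts.sort(key=lambda f: f.offset)
        buf = bytearray()
        anomalies = []
        for p in parts:
            expected = len(buf)
            if p.offset > expected:
                anomalies.append("gap")
                buf.extend(b"\x00" * (p.offset - expected))
                buf.extend(p.payload)
            elif p.offset < expected:
                # Overlap: keep the first-seen bytes and flag it rather than guess.
                anomalies.append("overlap")
                buf.extend(p.payload[expected - p.offset:])
            else:
                buf.extend(p.payload)
        if parts[-1].more:
            anomalies.append("incomplete")
        out[ident] = (bytes(buf), tuple(anomalies))
    return out


def inspect(frags):
    """Signature-match each reassembled datagram and report anomalies."""
    findings = {}
    for ident, (payload, anomalies) in reassemble(frags).items():
        matched = any(sig in payload for sig in SIGNATURES)
        findings[ident] = {"matched": matched, "anomalies": anomalies}
    return findings


if __name__ == "__main__":
    print("per-fragment hits:", match_per_fragment(SAMPLE_FRAGMENTS))
    for ident, finding in sorted(inspect(SAMPLE_FRAGMENTS).items()):
        print(ident, finding)
```

The same idea applies to TCP segmentation: the stream has to be reassembled in order before pattern matching is meaningful, and any overlap or gap in the pieces is itself worth alerting on.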

Third Party Integration

Most organizations implement multiple layers of network security, which often entails the use of point products from multiple vendors. Security Information and Event Management (SIEM) solutions attempt to draw all security-related information into one engine for correlation and analysis for real-time protection. Corero integrates its syslog information with SIEM tools to provide a better overall, real-time view of the security incidents that may be occurring at the network perimeter. This creates better visibility into a network's current security status.

A summary of Corero's key steps of protection

The Corero First Line of Defense solution addresses all five of the key steps of protecting an organization's network infrastructure.

Problem                                   Protection                   Corero Solution
Known malicious IP addresses              Step 1 Restrict Access       Real-time reputation updates
Questionable geographies                  Step 1 Restrict Access       Current geolocation of IP addresses
Detected attacker IP addresses            Step 1 Restrict Access       Dynamic IP threat assessment
Unknown IP addresses;                     Step 2 Limit Rates           Network behavior analysis
  volumetric HTTP/DNS attacks
Protocol violations                       Step 3 Enforce Protocol      Intended protocol use violation
Questionable outbound traffic             Step 3 Enforce Protocol      Bi-directional traffic inspection
Buffer overflows, exploits, malware       Step 4 Prevent Intrusions    Protection packs and signatures
Obfuscation attacks using fragmentation   Step 4 Prevent Intrusions    Advanced evasion detection
Limited analysis of attack traffic        Step 5 Increase Visibility   Data integration with SIEM tools
Shortage of security expertise            Step 5 Increase Visibility   Corero SecureWatch services

The Corero First Line of Defense Solution in Action

Recently a high-profile Wall Street firm came under a persistent and relentless DDoS attack. The firewall was auto-blocking 600 to 800 attackers, and within hours the total had risen to more than 1,000, which exceeded the limits of the firewall. Consequently, the company's clients were totally unable to access any of its websites. The IT support team tried to use reverse lookups to manually block the attacking source IPs. This action was time-consuming, labor-intensive and, worst of all, ineffective, as the firm was hit by 10,000 attackers from almost every country in the world. The firewall was at 95% utilization under this continual attack, shutting down all network traffic. The firewall would be rebooted, traffic would flow for a few minutes, then grind to a halt again. The firewall's own DDoS protection had little effect in mitigating the attack. The device vendor admitted the DDoS defense was really a marketing feature designed to handle trivial attacks. This sustained attack clearly overwhelmed the firewall, and there would be no relief through this device.

Nor could the company's ISP offer any help. The traffic was typical of an application-layer DDoS attack, "low and slow", which does not clog the bandwidth so much as overwhelm the target server with repeated but seemingly legitimate requests. Unless the attack delivered network floods filling the pipes, the ISP couldn't do anything to stop it.

The company needed a solution fast. It was losing money by the hour, and its clients were growing increasingly impatient with the denial of service. As it happens, the company's external IT support team had been reviewing DDoS vendors, and Corero was their top choice. Corero's First Line of Defense was the most innovative, responsive and cost-effective solution. Only Corero has the comprehensive coverage to stop all DDoS attacks, from the traditional network-layer attacks, such as SYN, UDP, and ICMP, to the more sophisticated and much harder to detect application-layer attacks that mimic legitimate traffic. The IT team installed a Corero First Line of Defense appliance and stopped the DDoS attack cold. "It was installed in 45 minutes, and it was like shutting off a water faucet," said one IT executive. Hackers stopped, traffic delays were gone, and the firewall utilization was back down to single digits.

The Corero First Line of Defense stops DDoS attacks and ensures that IT infrastructure such as firewalls, switches, and targeted Web and DNS servers operates the way it was intended. It eliminates downtime, such as the crippling losses incurred by the DDoS attack.

Conclusions

Though firewalls are still a critical and necessary component of any network, they are no longer the best type of device to deploy as the network's first line of defense. Firewalls, even modern NextGen firewalls, have limitations in what they are designed to do. Attackers know these limitations and have devised attacks that can evade or overwhelm a firewall, as well as the secondary security devices behind the firewall, such as an IPS. Once an attacker gets past the firewall, he can put a choke hold on the infrastructure in no time.

The new first line of defense defines the network perimeter to be in front of the firewall. This security solution must deflect unwanted traffic that is intended to flood or otherwise harm the IT infrastructure, rendering it unavailable to legitimate users. The new first line of defense needs to go deeper into the traffic's packets to inspect payloads, understand behavior and dynamically assess and mitigate threats in real time.

Corero's First Line of Defense solution uses industry best practices as well as sophisticated techniques and technologies to thoroughly inspect traffic bi-directionally in order to stop DDoS and other advanced attacks. It protects the operation of the entire spectrum of firewalls, from low-end current-generation to high-end next-generation devices. The Corero solution stops unwanted traffic that slows the infrastructure and frustrates users, and in the process this new first line of defense protects the existing infrastructure and enables maximum uptime of business applications.

About Corero Network Security

Corero Network Security, an organization's First Line of Defense, is an international network security company and a leading provider of Distributed Denial of Service (DDoS) defense and next-generation security solutions. As the First Line of Defense, Corero's products and services stop attacks at the perimeter, including DDoS, server-targeted, and zero-day attacks, protecting IT infrastructure and eliminating downtime. Customers include enterprises across industries from banking to financial services, gaming, education, retail and critical infrastructure, as well as service providers and government organizations worldwide. Corero's solutions are dynamic and automatically respond to evolving cyber attacks, known and unknown, allowing existing IT infrastructure such as firewalls, which are ineffective at stopping much of today's unwanted traffic at the perimeter, to perform their intended purposes. Corero's products are transparent, highly scalable and feature the lowest latency and highest reliability in the industry. Corero is headquartered in Hudson, Massachusetts with offices around the world.

Corporate Headquarters
1 Cabot Road
Hudson, MA
Phone:

EMEA Headquarters
68 King William Street
London, England EC4N 7DZ
Phone: +44 (0)

Copyright 2013 Corero Network Security, Inc. All rights reserved


More information

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help. Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help. www.home.neustar 02 Think You're Safe from DDos Attacks?

More information

Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER

Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER 1 From massive volumetric attacks to sophisticated application level threats, DDoS attacks are bigger, smarter and more dangerous than ever. Given today s threat landscape and the availability of inexpensive,

More information

SmartWall Threat Defense System - NTD1100

SmartWall Threat Defense System - NTD1100 SmartWall Threat Defense System - NTD1100 Key Benefits Robust, real-time security coverage Real-time Layer 3-7 mitigation against volumetric attacks for both IPv4 and IPv6 traffic. Industry- leading density,

More information

SIEM: Five Requirements that Solve the Bigger Business Issues

SIEM: Five Requirements that Solve the Bigger Business Issues SIEM: Five Requirements that Solve the Bigger Business Issues After more than a decade functioning in production environments, security information and event management (SIEM) solutions are now considered

More information

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015 2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks 9 th November 2015 AKAMAI SOLUTIONS WEB PERFORMANCE SOLUTIONS MEDIA DELIVERY SOLUTIONS CLOUD SECURITY SOLUTIONS CLOUD NETWORKING

More information

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team

More information

IBM Cloud Internet Services: Optimizing security to protect your web applications

IBM Cloud Internet Services: Optimizing security to protect your web applications WHITE PAPER IBM Cloud Internet Services: Optimizing security to protect your web applications Secure Internet applications and APIs against denialof-service attacks, customer data compromise, and abusive

More information

FIREWALL BEST PRACTICES TO BLOCK

FIREWALL BEST PRACTICES TO BLOCK Brought to you by Enterprie Control Systems FIREWALL BEST PRACTICES TO BLOCK Recent ransomware attacks like Wanna and Petya have spread largely unchecked through corporate networks in recent months, extorting

More information

Cloudflare Advanced DDoS Protection

Cloudflare Advanced DDoS Protection Cloudflare Advanced DDoS Protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution Today's security threats increasingly involve application-layer DDoS attacks mounted by organized groups of attackers

More information

Education Network Security

Education Network Security Education Network Security RECOMMENDATIONS CHECKLIST Learn INSTITUTE Education Network Security Recommendations Checklist This checklist is designed to assist in a quick review of your K-12 district or

More information

ALIENVAULT USM FOR AWS SOLUTION GUIDE

ALIENVAULT USM FOR AWS SOLUTION GUIDE ALIENVAULT USM FOR AWS SOLUTION GUIDE Summary AlienVault Unified Security Management (USM) for AWS is a unified security platform providing threat detection, incident response, and compliance management

More information

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS) Internet Communications Made Safe SteelGate Overview SteelGate Overview SteelGate is a high-performance VPN firewall appliance that Prevent Eliminate threats & attacks at the perimeter Stop unauthorized

More information

EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE

EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE SOLUTION BRIEF EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE Building effective, affordable and scalable DDoS defense, then monetizing investments with value added scrubbing

More information

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 29. Firewalls Paul Krzyzanowski Rutgers University Fall 2015 2013-2015 Paul Krzyzanowski 1 Network Security Goals Confidentiality: sensitive data & systems not accessible Integrity:

More information

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Service SM Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution Product Protecting sensitive data is critical to being

More information

Securing Your Amazon Web Services Virtual Networks

Securing Your Amazon Web Services Virtual Networks Securing Your Amazon Web Services s IPS security for public cloud deployments It s no surprise that public cloud infrastructure has experienced fast adoption. It is quick and easy to spin up a workload,

More information

DDoS: STRATEGIES FOR DEALING WITH A GROWING THREAT

DDoS: STRATEGIES FOR DEALING WITH A GROWING THREAT DDoS: STRATEGIES FOR DEALING WITH A GROWING THREAT 01. EXECUTIVE SUMMARY This report summarizes recent research on distributed denial of service (DDoS) attacks, which looks at data collated recently and

More information

Herding Cats. Carl Brothers, F5 Field Systems Engineer

Herding Cats. Carl Brothers, F5 Field Systems Engineer Herding Cats Carl Brothers, F5 Field Systems Engineer Agenda Introductions Security is easy, right Trivia Protecting your apps, one layer at a time How to survive an Attack Time permitting F5 Networks,

More information

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide

Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide Isla Web Malware Isolation and Network Sandbox Solutions Security Technology Comparison and Integration Guide How the Two Approaches Compare and Interoperate Your organization counts on its security capabilities

More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

THE ACCENTURE CYBER DEFENSE SOLUTION

THE ACCENTURE CYBER DEFENSE SOLUTION THE ACCENTURE CYBER DEFENSE SOLUTION A MANAGED SERVICE FOR CYBER DEFENSE FROM ACCENTURE AND SPLUNK. YOUR CURRENT APPROACHES TO CYBER DEFENSE COULD BE PUTTING YOU AT RISK Cyber-attacks are increasingly

More information

Table of Contents. Cisco How NAT Works

Table of Contents. Cisco How NAT Works Table of Contents How NAT Works...1 This document contains Flash animation...1 Introduction...1 Behind the Mask...2 Dynamic NAT and Overloading Examples...5 Security and Administration...7 Multi Homing...9

More information

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS 10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND

More information

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF Who am I? Sam Pickles Senior Engineer for F5 Networks WAF Specialist and general security type Why am I here? We get to see the pointy end of a lot of

More information