Advanced Techniques for DDoS Mitigation and Web Application Defense

Dr. Andrew Kane, Solutions Architect
Giorgio Bonfiglio, Technical Account Manager
June 28th, 2017
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What to expect from this session: Types of Threats; AWS Shield; AWS WAF; AWS VPC

Types of Threats

Types of Threats
Categories: DDoS; Application Attacks; Bad Bots
Application Layer: HTTP floods; SQL injection; Social engineering; Sensitive data exposure; Application exploits; Crawlers; Content scrapers; Scanners & probes
Network / Transport Layer: Reflection; SSL abuse; Amplification; Slowloris; Layer 4 floods

DDoS Threats: Network / Transport Layer DDoS

DDoS Threats: Application DDoS
[Diagram labels: Good users; Web server; Database; Bad guys]

Application Threats
[Diagram labels: Good users; Web server; Database; Bad guys; Exploit code; XSS; SQL injection]

Bad Bot Threats
[Diagram labels: Good users; Web server; Database; Bad guys; Steal premium content]

AWS Shield

Types of Threats: AWS Shield
Category: DDoS
Application Layer: HTTP floods
Network / Transport Layer: Reflection; SSL abuse; Amplification; Slowloris; Layer 4 floods

AWS Shield
Standard Protection: Available to ALL AWS customers at No Additional Cost
Advanced Protection: Paid service that provides additional protections, features and benefits.

Benefits of AWS Shield
AWS Integration: DDoS protection without infrastructure changes
Always-On Detection and Mitigation: Minimize impact on application latency
Affordable: Don't force unnecessary trade-offs between cost and availability
Flexible: Customize protections for your applications

AWS Shield Standard
Layer 3/4 protection
✓ Automatic detection & mitigation
✓ Protection from most common attacks (SYN/UDP Floods, Reflection Attacks, etc.)
Layer 7 protection
✓ AWS WAF for Layer 7 DDoS attack mitigation
✓ Self-service & pay-as-you-go
✓ Built into AWS services
Automatic Protection against 96% of Layer 3/4 attacks
Available globally on all internet-facing AWS services

AWS Shield Advanced: Additional Detection & Monitoring; Protection Against Large DDoS Attacks; Visibility Into Attack Detection & Mitigation; AWS WAF at No Additional Cost; 24x7 DDoS Response Team; Cost Protection (Absorb DDoS Scaling Cost)

AWS Shield Advanced: DDoS Multi-Layered Mitigation
[Diagram, repeated on five slides. Labels: Internet-Layer Mitigations; Internet Border Network; Network Layer Mitigations; AWS Services; Web Layer Mitigations; DDoS Detection; DDoS Response Team; Customer Infrastructure]
Slide 1, Effective Against: Large-Scale Attack
Slide 2, Effective Against: SYN Floods; Reflection Attacks; Suspicious Sources
Slide 3, Effective Against: SSL Attacks; Slowloris; Malformed HTTP
Slide 4, Effective Against: HTTP Floods; Bad Bots; Suspicious IPs
Slide 5, Effective Against: Sophisticated Layer 7 attacks

Shield Demo

AWS Shield Advanced
Available on: Application Load Balancer; Classic Load Balancer; Amazon CloudFront; Amazon Route 53
In the following regions:
✓ Northern Virginia (us-east-1)
✓ Oregon (us-west-2)
✓ Ireland (eu-west-1)
✓ Tokyo (ap-northeast-1)

AWS WAF

Types of Threats: AWS WAF
Categories: DDoS; Application Attacks; Bad Bots
Application Layer: HTTP floods; SQL injection; Social engineering; Sensitive data exposure; Application exploits; Crawlers; Content scrapers; Scanners & probes
Network / Transport Layer: Reflection; SSL abuse; Amplification; Slowloris; Layer 4 floods

Challenges of Web Application Firewalls: Setup is complex and slow; Too many false positives; Limited APIs for automation; Expensive to implement and maintain

AWS WAF: A web application firewall designed to help you defend against common web application exploits
Fast Incident Response; Flexible Rule Language; APIs for Automation; Preconfigured Protection

What is AWS WAF: Web traffic filtering with custom rules; Malicious request blocking; Active monitoring and tuning

How Does AWS WAF Protect You? Security Automations; Preconfigured Protections; Highly Flexible Rule Language

Highly Flexible Rule Language
✓ Quick Incident Response
✓ Mitigations in < ~1 Min
✓ Inspect Any Part of the Request

Preconfigured Protections: You can get started quickly with built-in rules based on common use-cases.
[Diagram labels: CloudFormation template; AWS WAF Configuration]

Preconfigured Protections Demo

Virtual Patching Demo

Security Automations: Automated anomaly detection that you can take action on using Lambda functions.
✓ Dynamic Rules Based on Anomaly
✓ Using Lambda & Service Logs

Security Automations: Traditional incident response

Security Automations: Next-generation incident response
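
One way the log-driven automation on these slides can work, as an added example that is not from the presentation or from AWS: the kind of function a Lambda could run over service logs to flag clients producing bursts of 4xx responses and emit entries for an IP-based block rule. The log layout, threshold, window, block duration and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a simplified "timestamp client_ip status path" layout
# (an assumption; real service logs carry more fields).
SAMPLE_LOG = """\
2017-06-28T10:00:01 198.51.100.7 404 /wp-login.php
2017-06-28T10:00:02 198.51.100.7 404 /phpmyadmin/
2017-06-28T10:00:03 203.0.113.20 200 /index.html
2017-06-28T10:00:04 198.51.100.7 403 /.env
2017-06-28T10:00:05 203.0.113.20 404 /favicon.ico
2017-06-28T10:00:06 198.51.100.7 404 /admin/
2017-06-28T10:05:00 192.0.2.44 404 /old-page
not a log line
"""


def find_offenders(log_text, threshold=3, window=timedelta(seconds=60), allow=frozenset()):
    """Return {ip: time_flagged} for IPs with more than `threshold` 4xx in `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 4xx responses
    offenders = {}
    for line in log_text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            ip, status = parts[1], int(parts[2])
        except (IndexError, ValueError):
            continue              # skip malformed lines instead of failing the run
        if ip in allow or not 400 <= status < 500:
            continue              # allow-listed clients are never flagged
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:   # drop errors that fell out of the window
            hits.popleft()
        if len(hits) > threshold:
            offenders.setdefault(ip, when)
    return offenders


def block_list(offenders, block_for=timedelta(hours=4)):
    """Turn offenders into /32 entries with an expiry, ready for an IP-based rule."""
    return sorted((f"{ip}/32", (t + block_for).isoformat()) for ip, t in offenders.items())
```

The expiry on each entry lets a later run remove blocks that have aged out, so a temporary anomaly does not become a permanent rule.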

AWS VPC

What customers asked for
✓ Private IP space in AWS
✓ Familiar networking model
✓ Customer-defined networking logic
✓ Strong security controls
✓ Private connectivity to their data centers

Key Features of VPC: Choosing an address range; Setting up subnets in Availability Zones; Creating a route to the Internet; Authorizing traffic to/from the VPC

VPC Controls
Public Subnet, 10.0.1.0/24: SG-ALB
Private Subnet (Web Tier), 10.0.2.0/24: SG-Web
Private Subnet (App Tier), 10.0.3.0/24: SG-App

Simple Approach
Public Subnet, 10.0.1.0/24, SG-ALB: Allow all traffic
Private Subnet (Web Tier), 10.0.2.0/24, SG-Web: Allow 10.0.1.0/24
Private Subnet (App Tier), 10.0.3.0/24, SG-App: Allow 10.0.2.0/24

Secure Approach
Public Subnet, 10.0.1.0/24, SG-ALB: Allow CloudFront IP Ranges only
Private Subnet (Web Tier), 10.0.2.0/24, SG-Web: Allow SG-ALB only
Private Subnet (App Tier), 10.0.3.0/24, SG-App: Allow SG-Web only

Security Groups + CloudFront IP ranges
[Diagram labels: AWS Lambda; Amazon SNS; IP-ranges.json; SG-ALB]
Blog post: http://amzn.to/2fj4q8e
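
How the Lambda, SNS and ip-ranges.json pieces on this slide fit together, as an added example that is not from the presentation or the linked blog post: the functions below do the work such a Lambda would do after a change notification, extracting the CloudFront ranges from ip-ranges.json and diffing them against the CIDRs currently allowed on SG-ALB. The sample document, the current rule set and the function names are constructed for illustration; applying the plan to the security group is left out so the code runs offline.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json
# (documentation-only address blocks, not real CloudFront ranges).
SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0000000000",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL",    "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"}
  ]
}
""")


def cloudfront_cidrs(doc, service="CLOUDFRONT"):
    """Return the validated set of IPv4 CIDRs published for one service."""
    cidrs = set()
    for entry in doc.get("prefixes", []):
        if entry.get("service") == service:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/24)
            net = ipaddress.ip_network(entry["ip_prefix"], strict=True)
            cidrs.add(str(net))
    return cidrs


def plan_sg_update(current, desired):
    """Diff the CIDRs now allowed on SG-ALB against the published set."""
    if not desired:
        # A truncated or malformed download must not empty the group
        raise ValueError("no CloudFront ranges found; refusing to revoke everything")
    return {
        "authorize": sorted(desired - current),
        "revoke": sorted(current - desired),
    }


if __name__ == "__main__":
    # Constructed current state: one valid range plus a leftover allow-all rule
    current_rules = {"192.0.2.0/24", "0.0.0.0/0"}
    plan = plan_sg_update(current_rules, cloudfront_cidrs(SAMPLE_IP_RANGES))
    print(json.dumps(plan, indent=2))
```

The revoke list is what moves SG-ALB from the "Simple Approach" to the "Secure Approach": the leftover allow-all rule is removed while only the published CloudFront ranges remain.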

Thank you!