2016.03 IP Protection Webcast v3
Post on 23-Jun-2020
© 2015 Imperva, Inc. All rights reserved.
Protect Your Assets with Single IP DDoS Protection
Shahar Ben-Hador, CISO
Dvir Shapira, Director, Product Management
@imperva @Incapsula_com
Agenda
• DDoS threat trends
• Current solutions
• IP Protection overview
• How Imperva is using IP Protection
• Lessons learned
Speaker Bio for Dvir Shapira
• Background
– BSc in physics (no idea why I did it…) and EE
– Saw the bubble burst around me as a part-time startup employee back in 2001
– Held various roles at Applied Materials, CheckPoint, Incapsula and a few startups.
• Director of product management
• Email: dvir@incapsula.com
Speaker Bio for Shahar Ben-Hador
• Background
– BSc in Math and Computer Science
– More than 7 years with Imperva
– Held various roles at Imperva around Infrastructure and Security
• CISO
• Email: shaharb@imperva.com
1. DDoS Protection Today
DDoS Propelling the Rise of Cyber Extortion
“Any organization can be hit by a DDoS attack” – Swiss Governmental Computer Emergency Response Team
• Armada Collective, DD4BC and others continue to threaten attacks for ransom
• Even governments are alerting organizations of the growing threat
• The need for comprehensive, upstream mitigation is urgent
You may not be protected even if you have anti-DDoS
• Non-HTTP assets are still vulnerable
• An attack on an exposed server can bring down your entire infrastructure
• Protected HTTP servers can still suffer direct-to-origin attacks
• Public cloud servers can be vulnerable
What are the alternatives?
• Use a different set of IPs
• On demand BGP
• TCP/UDP proxy
• Single IP protection
IP Protection
[Diagram labels: DDoS and Legit Traffic; Incapsula Network; Incapsula IP Address 1.2.3.4; GRE Tunnel; Customer Infrastructure]
• Provides complete Infrastructure DDoS protection for single IP addresses
• Deploys as an always-on service for immediate detection and mitigation of DDoS attacks
• Enables origin protection for DNS redirection based services (e.g. CDNs)
2. Common Use Cases
Customer Story (1/3)
We have constant DDoS attacks on three IPs in which we use proprietary protocols. Looked at four different vendors, none of them were able to provide a decent protection.
Diego T | CTO, Online Poker site
No C-Class ranges, using proprietary protocol
Customer Story (2/3)
We use on-demand BGP, but for one specific server we want to deploy an always on solution.
John O | IT Director, video conferencing platform
BGP on-demand customer, requires always on
Customer Story (3/3)
DDoS attacks on a few customers can affect the entire ISP operation. We need to identify the few targets and protect them, to keep our whole network from being burdened by attack.
Tim W | Ops Manager, ISP
ISPs need to protect specific IPs that are vulnerable
3. How it Works
• Before: traffic is routed directly to the customer origin server (1.1.1.1)
• Incapsula establishes a GRE tunnel between its CDN and the origin server (1.1.1.1)
• Incapsula assigns a unique IP to the customer (2.2.2.2)
• Customer changes the DNS record to point to the Incapsula allocated IP (2.2.2.2)
• All traffic is routed through the Incapsula global network
• Only clean traffic is passed to origin
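Added example (not from the webcast or from Incapsula): a check for the DNS change step above, flagging records that still expose the origin address and so leave it open to the direct-to-origin attacks mentioned earlier. The zone contents and record names are constructed; 1.1.1.1 and 2.2.2.2 are the addresses used on the slides.

```python
import re

ORIGIN_IP = "1.1.1.1"  # origin address shown on the slides

# Constructed zone data for a hypothetical domain; not from the webcast.
# 2.2.2.2 is the Incapsula-allocated address shown on the slides.
ZONE = """\
; name     ttl   class type   value
game       300   IN    A      2.2.2.2
vpn        300   IN    A      1.1.1.1
old-game   3600  IN    A      1.1.1.1
login      300   IN    CNAME  game
support    300   IN    CNAME  vpn
@          3600  IN    TXT    "v=spf1 ip4:1.1.1.1 -all"
"""

def parse_zone(text):
    """Yield (name, rtype, value) per record; blank and ';' lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        name, _ttl, _cls, rtype, value = line.split(None, 4)
        yield name, rtype.upper(), value.strip()

def audit(text, origin=ORIGIN_IP):
    """Return (name, reason) for every record that still exposes the origin."""
    records = list(parse_zone(text))
    a_records = {n: v for n, t, v in records if t == "A"}
    # Match the exact address only, so 1.1.1.10 is not mistaken for 1.1.1.1.
    spf_origin = re.compile(r"\bip4:" + re.escape(origin) + r"(?![\d.])")
    findings = []
    for name, rtype, value in records:
        if rtype == "A" and value == origin:
            findings.append((name, "A record points at origin"))
        elif rtype == "CNAME" and a_records.get(value.rstrip(".")) == origin:
            findings.append((name, "CNAME resolves to origin via " + value))
        elif rtype == "TXT" and spf_origin.search(value):
            findings.append((name, "TXT/SPF record publishes origin address"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(ZONE):
        print(f"{name}: {reason}")
```

Records that only ever pointed at the protected address produce no findings; anything reported is a name that still bypasses the scrubbing network.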
4. Safeguarding our Own House
Proof in the Pudding
• All IP ranges need to be protected
• Non-HTTP entry points usually weak links (e.g. VPN tunnels with customers, client server applications)
• We’re implementing on-demand Infrastructure Protection with IP Protection for all non-HTTP apps
• This approach provides full coverage for all assets
Imperva Architecture
[Architecture diagram labels: Cloud Based DDoS and WAF Protection (Incapsula); Redundant ISP Connections; Redundant Enterprise Edge Routers; Redundant Enterprise Firewalls, IPS, AV; Redundant Enterprise Web Application Firewalls; Redundant Enterprise Database Firewalls; Web Servers Network; Application Servers Network; Database Servers Network; Website Protection; Infrastructure Protection]
Questions?
Lessons Learned
• Organizations face growing risk of DDoS attacks for ransom
• Existing mitigation solutions may still have vulnerabilities that leave organizations exposed
• Always-on IP-level DDoS protection is the only way to completely secure your network infrastructure