2016.03 IP Protection Webcast v3[1]files.meetup.com/16943162/Incapsula's 'Protect Your... ·...

© 2015 Imperva, Inc. All rights reserved.

Protect Your Assets with Single IP DDoS Protection

Shahar Ben-HadorCISO

Dvir ShapiraDirector, Product Management@imperva@Incapsula_com


Agenda

• DDoS threat trends• Current solutions• IP Protection overview• How Imperva is using IP Protection• Lessons learned

Confidential2


Speaker Bio for Dvir Shapira

• Background– BSc in physics (no idea why I did it…) and EE– Saw the bubble burst around me as a part-time startup employee back at 2001

– Held various roles at Applied Materials, CheckPoint, Incapsula and a few startups.

• Director of product management• Email: [email protected]

3


Speaker Bio for Shahar Ben-Hador

• Background– BSc in Math and Computer Science– More than 7 years with Imperva– Held various roles at Imperva around Infrastructure and Security

• CISO• Email: [email protected]

4


DDoS Protection Today1

© 2015 Imperva, Inc. All rights reserved. Confidential7

DDoS Propelling the Rise of Cyber Extortion

“Any organization can be hit by a DDoS attack” – Swiss Governmental Computer Emergency Response Team

• Armada Collective, DD4BC, others continue threatening attacks for Ransom

• Even governments are alerting organizations of the growing threat

• The need for comprehensive, upstream mitigation is urgent


You may not be protected even if you have anti-DDoS

• Non-HTTP assets are still vulnerable

• An attack on an exposed server can bring down your entire infrastructure

• Protected HTTP servers can still suffer direct-to-origin attacks

• Public cloud servers can be vulnerable

Confidential8


What are the alternatives?

• Use a different set of IPs

Confidential9

DDoS

LegitTraffic

• On demand BGP

• TCP/UDP proxy

• Single IP protection


IP Protection

Confidential10

DDoSLegitTraffic

Incapsula Network

GRE Tunnel

Incapsula IP Address1.2.3.4

Customer Infrastructure

• Provides complete Infrastructure DDoS protection for single IP addresses

• Deploys as an always-on service for immediate detection and mitigation of DDoS attacks

• Enables origin protection for DNS redirection based services (e.g. CDNs)


Common Use Cases2

Customer Story (1/3)

Confidential12

We have constant DDoS attacks on three IPs in which we use proprietary protocols. Looked at four different vendors, none of them were able to provide a decent protection.

Diego T | CTO, Online Poker site

No C-Class ranges, using proprietary protocol

BGP on-demand customer, requires always on


Confidential13

We use on-‐demand BGP, but for one specific server we want to deploy an always on solution.John O | IT Director, video conferencing platform


Confidential14

DDoS attacks on a few customers can affect the entire ISP operation. We need to identify the few targets and protect them, to keep our whole network from being burdened by attack.

Tim W | Ops Manager, ISP

ISPs need to protect Specific IPs that are vulnerable


How it Works3

Confidential16 © 2016 Imperva, Inc. All rights reserved.

How it works

Customer Origin Server

1.1.1.1

Traffic is routed directly to the server


How it works


1.1.1.1

Incapsula establishes a GRE tunnel between its CDN and the origin server


How it works


1.1.1.1

Incapsula assigns a unique IP to the customer

2.2.2.2


How it works


Customer changes the DNS record to point to the Incapsula allocated IP

2.2.2.2


How it works


All traffic is routed through the Incapsula global networkOnly clean traffic is passed to origin

2.2.2.2


Safeguarding our Own House4


Proof in the Pudding

• All IP ranges need to be protected

• Non-HTTP entry points usually weak links (e.g. VPN tunnels with customers, client server applications)

• We’re implementing on-demand Infrastructure Protection with IP Protection for all non-HTTP apps

• This approach provides full coverage for all assets

Confidential22


Imperva Architecture

Confidential23

Cloud Based DDOSand WAFProtection (Incapsula)

Redundant EnterpriseDatabase Firewalls

Redundant Enterprise Web Application

Firewalls

Database Servers Network

Application Servers Network

Web Servers Network

RedundantISP

Connections

Redundant Enterprise Edge

Routers

Redundant Enterprise Firewalls,IPS,AV

Website Protection

Infrastructure Protection


Lessons Learned

• Organizations face growing risk of DDoS attacks for ransom

• Existing mitigation solutions may still have vulnerabilities that leave organizations exposed

• Always-on IP-level DDoS protection is the only way to completely secure your network infrastructure

Confidential25

2016.03 IP Protection Webcast v3[1]files.meetup.com/16943162/Incapsula's 'Protect Your... ·...

Documents

Transcript of 2016.03 IP Protection Webcast v3[1]files.meetup.com/16943162/Incapsula's 'Protect Your... ·...