
North America

Radware Inc.
575 Corporate Dr.,
Lobby 1
Mahwah, NJ 07430
Tel: (888) 234-5763
International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666
www.radware.com





DefensePro


Scalable DefensePro Implementation


Solution Brief

September, 2010














Solution Brief DefensePro Scalable DefensePro Implementation
Date: September, 2010
Page | 1
Table of Contents

1 PREFACE ............................................................................................................................................ 2
1.1 INTRODUCING RADWARE DEFENSEPRO IPS AND ATTACK MITIGATOR ............................................................ 3
2 SOLUTION ARCHITECTURE AND FLOW .............................................................................................. 4
2.1 EQUIPMENT USED ............................................................................................................................... 4
2.1.1 Radware DefensePro Units......................................................................................................... 4
2.1.2 Cisco 7604 .................................................................................................................................. 4
2.1.3 Ixia XM12 ................................................................................................................................... 4
2.2 DEFENSEPRO CONFIGURATION .............................................................................................................. 4
2.3 TRAFFIC FLOW PATHS .......................................................................................................................... 5
3 TESTED SCENARIOS AND RESULTS ..................................................................................................... 6
3.1 DEFENSEPRO X412-NL TEST (FLOW #1) ................................................................................................. 6
3.2 DEFENSEPRO X412-BP TEST (FLOW #3) ................................................................................................. 6
3.3 PARALLEL DEFENSEPRO X412 TEST (FLOW #2) ......................................................................................... 6
4 SUMMARY AND NOTES ..................................................................................................................... 7
4.1 CONCEPT LIMITATIONS ......................................................................................................................... 7
4.2 SECURITY AND PROTECTION CONSIDERATION ............................................................................................ 7
4.3 POC RESULTS FOCUS ........................................................................................................................... 7
4.4 MULTIPLE DEVICES ENVIRONMENT ......................................................................................................... 7
4.5 ETHERCHANNEL DISTRIBUTION OPTIONS (CISCO) ...................................................................................... 7



1 Preface
Radware DefensePro (x412 series) stands today at the top line of security products in terms of
capacity and performance, protecting networks of up to 12 Gbit/s with a single 2U appliance.
However, there are environments where the superior performance offered by DefensePro is not
sufficient because the protected network's capacity is higher than a single DefensePro's capacity.
In order to provide comprehensive protection in environments with higher traffic capacity, a
scalable solution is required, where multiple appliances work together to share the traffic load
between them.
This document presents a scalable solution for protecting high capacity networks based on the
full DefensePro set of protections. The solution, based on DefensePro and standard network
equipment, illustrates a simple and immediate way to aggregate the capabilities of several
DefensePro appliances without compromising the available security protections, whether they
are IPS protections or Anti-DoS protections.
This solution was tested and approved by the Radware professional services team.

Figure 1-1: Radware DefensePro x412 Series




1.1 Introducing Radware DefensePro IPS and Attack Mitigator
Radware's award-winning DefensePro is a real-time network attack prevention device that
protects your application infrastructure against network and application downtime, application
vulnerability exploitation, malware spread, network anomalies, information theft and other
emerging network attacks.
DefensePro includes the set of security modules (Intrusion Prevention System (IPS), Network
Behavioral Analysis (NBA) and Denial-of-Service (DoS) Protection) to fully protect networks
against known and emerging network security threats. It is based on standard signature
detection technology to prevent the known application vulnerabilities. The core of DefensePro is
patent protected behavioral based real-time signatures technology that detects and mitigates
emerging network attacks in real time such as zero-minute attacks, DoS/DDoS attacks and
application misuse attacks, all without the need for human intervention and without blocking
legitimate user traffic.
DefensePro uses a dedicated hardware platform based on Radware's OnDemand Switch,
supporting network throughputs up to 12 Gbit/s. It embeds two unique and dedicated hardware
components: a DoS Mitigation Engine (DME) to prevent high volume DoS/DDoS flood attacks
without impacting legitimate traffic, and a String Match Engine (SME) to accelerate signature
detection.
APSolute Vision, DefensePro's accompanying management and monitoring solution, offers a
centralized attack management, monitoring and reporting solution across multiple DefensePro
devices and locations. It provides the user real-time identification, prioritization and response to
policy breaches, cyber attacks and insider threats.



2 Solution Architecture and Flow
The solution tested and presented in this document is based on two DefensePro devices
implemented in parallel. Traffic between the users and the servers was simulated by IXIA
equipment, and passed through Cisco Catalyst core switches used to split the traffic, based on
Layer 3 information, to two physically separated paths, one per DefensePro device.
This environment allows for conducting performance tests on each of the DefensePro devices
separately as well as on both of them together.
2.1 Equipment Used
This section details the hardware equipment used for the test, including DefensePro units,
network infrastructure and the traffic simulator.
2.1.1 Radware DefensePro Units
Two high-end DefensePro units were used in the test. The units used were not identical; they
represent two flavors of the DefensePro product family: an IPS and Behavioral Protection device
and a pure Behavioral Protection device.
Table 2-1: DefensePro Products in the Test

| Product Name              | Max Capacity           | Protection Set                     |
|---------------------------|------------------------|------------------------------------|
| DefensePro x412 IPS & BP  | 8 Gbit/s & 75K CPS     | Complete DefensePro protection set |
| DefensePro x412 BP        | 12 Gbit/s & 105 CPS    | DefensePro behavioral protection set |
2.1.2 Cisco 7604
Two Cisco Catalyst 7604 core switches were used to split the traffic into two separate physical
links while using EtherChannel to maintain these links as a single logical link. Both switches were
using 10 G interfaces. Traffic distribution was done based on Layer 3 data (see section 4.5).
For detailed configuration refer to www.cisco.com.
2.1.3 Ixia XM12
An IXIA XM12 High Performance chassis was used to simulate high-rate real-user traffic for the test.
For detailed configuration refer to http://www.ixiacom.com/.
2.2 DefensePro Configuration
Both DefensePro devices were configured with identical, separate policies for each of the
protection modules, using software version 5.01 and a current signature file.
Figure 2- 1: PoC Network Architecture

Table 2-2 details the specific protection set enabled on each DefensePro device.
Note: This configuration serves as a guideline only.
Table 2-2: DefensePro Network Policy Configuration

| Traffic Classification | Phy. Port | Direction | Protection     | Threats Protection | Comments    |
|------------------------|-----------|-----------|----------------|--------------------|-------------|
| Any to Any             | XG-1      | Inbound   | Behavioral DoS | DoS & DDoS         |             |
| Any to Any             | XG-1      | Inbound   | DoS-Shield     | DoS & DDoS         |             |
| Any to Any             | XG-1      | Inbound   | Anti-Scan      | Scanning           |             |
| Any to Any             | XG-1      | Inbound   | Intrusions     | Signature          | IPS&BP only |
2.3 Traffic Flow Paths
According to the architecture described above, two flow paths were created, one through each
of the DefensePro units. These flows were used in the three different tests that were conducted
in order to demonstrate the performance of both a single-device architecture and a
parallel-devices architecture.
Table 2-3: Tested Flow Paths

| Flow | Description                                                |
|------|------------------------------------------------------------|
| #1   | Traffic flows through one DefensePro (IPS & BP) device     |
| #2   | Traffic flows through one DefensePro (BP) device           |
| #3   | Traffic flows through two DefensePro devices               |

[Figure: three flow-path diagrams, each showing IXIA traffic generators on both ends, two
Cisco 7604 switches, and the DefensePro path(s) between them.]

3 Tested Scenarios and Results
Three different test scenarios were conducted to show the performance of each hardware unit
as a standalone solution as well as the combined performance when both are used
simultaneously.
The following are the test results for each individual unit.
3.1 DefensePro x412-NL Test (Flow #1)

| Network Traffic   | Legitimate HTTP 1.1 traffic                            |
|-------------------|--------------------------------------------------------|
| Scenario          | Flow #1 - traffic is flowing through the 1st path only |
| HW Platform       | x412-NL-D-QZ                                           |
| Tested Dimension  | CPS and Mitigation                                     |
| CPS Result        | 75K CPS                                                |
| Mitigation Result | 10M PPS                                                |


3.2 DefensePro x412-BP Test (Flow #3)

| Network Traffic   | Legitimate HTTP 1.1 traffic                            |
|-------------------|--------------------------------------------------------|
| Scenario          | Flow #2 - traffic is flowing through the 2nd path only |
| HW Platform       | x412-D-QZ-BP                                           |
| Tested Dimension  | CPS and Mitigation                                     |
| CPS Result        | 105K CPS                                               |
| Mitigation Result | 10M PPS                                                |


3.3 Parallel DefensePro x412 Test (Flow #2)

| Network Traffic   | Legitimate HTTP 1.1 traffic                                       |
|-------------------|-------------------------------------------------------------------|
| Scenario          | Flows 1+2 - traffic is flowing through both the 1st and 2nd paths |
| HW Platform       | x412-NL-D-QZ & x412-D-QZ-BP                                       |
| Tested Dimension  | CPS and Mitigation                                                |
| CPS Result        | 180K CPS                                                          |
| Mitigation Result | 20M PPS                                                           |



4 Summary and Notes
This solution paper provides a brief introduction to a scalable DefensePro implementation option
that can support protection of environments which require higher performance than a single
DefensePro device can provide. Multiple DefensePro devices can be installed in parallel relying
on the network infrastructure to distribute the traffic between the devices, thus providing
comprehensive protection to high capacity links.
4.1 Concept Limitations
The solution presented in this document is not an Active-Active cluster and data is not shared by
the DefensePro devices. It does present a valid implementation option where the protected link
capacity is higher than the maximum capacity of a single DefensePro device.
Traffic distribution is done according to Layer 3 parameters. In real environments, the
distribution can be done according to various other parameters, for example source or
destination IP. This way the system administrator can ensure an even distribution based on
available resources and internal network architecture.
4.2 Security and Protection Consideration
Traffic distribution can be harnessed to guarantee that the behavioral protection modules
enabled on each of the DefensePro devices statistically inspect even portions of the overall
traffic, so that anomalies in traffic behavior are still detected.
4.3 PoC Results Focus
DefensePro performance is measured in three dimensions: total bandwidth, packet per second
(PPS) rate, and connections per second (CPS) rate. Test results in this document relate to the CPS
dimension only, though the other two dimensions are affected similarly, meaning the total PPS
or bandwidth is the sum of the individual device capacities.
4.4 Multiple Devices Environment
Though the tests conducted for this solution paper used two DefensePro devices, the solution
concept is not limited to a pair of devices. Implementation of multiple devices in parallel is
feasible, as well.
4.5 EtherChannel Distribution Options (Cisco)
EtherChannel load balancing can use MAC addresses, IP addresses, or Layer 4 port numbers with
a Policy Feature Card 2 (PFC2) and either source mode, destination mode, or both. The mode you
select applies to all EtherChannels that you configure on the switch.
For example, if the traffic on a channel only goes to a single MAC address, use of the destination
MAC address results in choosing the same link in the channel each time. Use of source addresses
or IP addresses can result in a better load balance.
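The following is an added worked example, not part of the Radware brief and not Cisco's actual hashing code. It models the EtherChannel distribution choice from this section and the "data is not shared" limitation from section 4.1: a flow key (source IP, destination IP, source/destination port, per the listed modes) is XORed and the low-order bit selects one of the two links, so each link feeds one DefensePro unit. The XOR model, the function names (`select_link`, `distribution`, `is_symmetric`) and the sample flows are all constructed assumptions; the real hash is platform-specific. It reproduces the collapse described above (all traffic to a single destination address lands on one link in destination mode) and checks the property a practitioner relies on when the two inspection devices share no state: both directions of a connection must be steered to the same link.

```python
import ipaddress
import random
from collections import Counter

# Constructed sample traffic (not from the brief): many client addresses,
# all talking to a single server address, which is exactly the case the
# brief warns about for destination-based distribution.
random.seed(7)
SERVER = "10.0.0.10"
FLOWS = [
    (f"192.0.2.{random.randint(1, 254)}", SERVER, random.randint(1024, 65535), 80)
    for _ in range(1000)
]

def _ip_bits(ip: str) -> int:
    """IPv4 address as an integer, so its low-order bits can feed the hash."""
    return int(ipaddress.ip_address(ip))

def select_link(flow, mode: str, links: int = 2) -> int:
    """Hypothetical model of EtherChannel link selection (assumption, not
    Cisco's exact algorithm): XOR the chosen field(s) and take the result
    modulo the number of links. Modes follow section 4.5 of the brief:
    source, destination, or both, over IP addresses or Layer 4 ports."""
    src, dst, sport, dport = flow
    if mode == "src-ip":
        key = _ip_bits(src)
    elif mode == "dst-ip":
        key = _ip_bits(dst)
    elif mode == "src-dst-ip":
        key = _ip_bits(src) ^ _ip_bits(dst)
    elif mode == "src-dst-port":
        key = sport ^ dport
    else:
        raise ValueError(f"unknown distribution mode: {mode}")
    return key % links  # with two links this is the low-order bit

def distribution(flows, mode: str, links: int = 2) -> Counter:
    """How many flows each link (and therefore each DefensePro unit) receives."""
    return Counter(select_link(f, mode, links) for f in flows)

def is_symmetric(flow, mode: str, links: int = 2) -> bool:
    """True if the reverse direction of the same connection maps to the same
    link. Required here because the two DefensePro units do not share data
    (section 4.1): a connection split across both units is seen by neither
    as a whole."""
    src, dst, sport, dport = flow
    reverse = (dst, src, dport, sport)
    return select_link(flow, mode, links) == select_link(reverse, mode, links)

def all_symmetric(flows, mode: str, links: int = 2) -> bool:
    return all(is_symmetric(f, mode, links) for f in flows)

if __name__ == "__main__":
    for mode in ("dst-ip", "src-ip", "src-dst-ip", "src-dst-port"):
        print(f"{mode:13s} per-link flows: {dict(distribution(FLOWS, mode))}"
              f"  symmetric: {all_symmetric(FLOWS, mode)}")
```

Destination mode sends every flow to link 0 because there is only one server address, so one DefensePro unit carries the entire load and the other idles, which defeats the aggregation this brief describes. Source mode balances the load but is not symmetric: a reply packet has the server as its source and can be hashed to the other unit. Source-plus-destination modes are both balanced and symmetric, since XOR does not care about operand order, which is why a symmetric key is the safer choice when the parallel devices keep independent state.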
