Network Security & Service Integrity
Wire-speed, In-line DPI/DFI, Security Classification, Carrier-grade Reliability and Performance
DefensePro
® is designed for carrier-grade performance, scalability and fault tolerance delivering unmatched 4 Gbps processing power, internal bypasses and dual power supplies for redundancy and immediate disaster recovery.
Network-based IPS
DefensePro delivers a managed intrusion protection system (IPS) security service designed to block over 1,500 signature-based attacks in real time. Employing an ASIC-based StringMatch Engine
®, DefensePro inspects all subscriber link traffic to identify malicious content, Trojans, known worms, BOTs activity, viruses and other attack signatures and immediately blocks them to clean customer links from intrusions.
DefensePro inspects IPv6 traffic for attack signatures, scanning and DoS/DDoS floods as well as multiple carrier encapsulation and tunneling protocols including L2TP, GRE, GTP and MPLS to ensure maximum flexibility for the carrier deployment. Radware’s attack database lets carriers define custom attack signatures and profiles, simplifying IPS management while affording full flexibility to meet diverse subscriber needs.
Radware’s Security Update Service (SUS) provides ongoing updates of attack signature databases for continuous and automated protection against newly emergent threats. Affording PoP-based IPS, DefensePro lets carriers leverage their unique ability to secure against network-based attacks on the customer end of links utilizing stateless capabilities, ensuring the full continuity of subscriber network and end-user operations.
Zero-touch, Zero-minute, Zero-false Positives DoS/DDoS Flood Prevention through Unique Behavioral Anomaly Detection
DefensePro Denial of Service (DoS) employs a powerful behavioral engine capable of identifying and immediately thwarting any form of DoS attacks for wire-speed mitigation of network floods including
- TCP Syn floods
- Other TCP floods (e.g. Ack, Psh+ack, Reset)
- UDP floods
- DNS floods
- ICMP floods
- IGMP floods
- Aggressive self-propagating worms (TCP and UDP worms)
Employing unique traffic monitoring and baseline behavioral mapping, DefensePro is capable of preventing both known and unknown DoS/DDoS attacks, creating a new filter to protect subscriber networks within 18 seconds, or activating a known filter from the Radware attack database, for unmatched protection. In addition to active DoS attack mitigation, DefensePro worm propagation protection algorithms identify misbehaving users, to proactively protect against suspect sources. By controlling all egress traffic, DefensePro rate limiting and bandwidth/traffic shaping capability moderates available network resources to guarantee service levels for mission-critical applications, while further protecting against worm propagation on top of uncontrolled peer-to-peer (P2P) traffic.
Traffic Shaping, P2P Traffic Control and Infrastructure Protection
DefensePro bandwidth management (BWM) module lets carriers rate limit and shape traffic to further protect mission-critical resources against attacks and surges. From limiting the number of sessions for critical resources per end user (i.e., SIP registrars, DHCP requests, etc.) to limiting total bandwidth to a critical resource (i.e., total DNS requests), DefensePro BWM normalizes traffic to prevent flooding.
In addition, DefensePro classifies and controls P2P traffic employing egress rate limiting and shaping functions to regulate P2P traffic, ensuring service level agreements (SLAs), eliminating bandwidth congestions and preventing uncontrolled worm propagation on top of P2P traffic.
Attack Visibility, Understanding and Reporting
Insite provides comprehensive attack visibility and reporting, for immediate identification of attack sources and understanding attack scope across the carrier-core. Top-N and bandwidth consumption reports provide insight into P2P and uncontrolled traffic.