Mobile Internet Security & Service Integrity

Wire-speed, In-line DPI/DFI, Security Classification

DefensePro^® operates as an in-line transparent device, supporting all network tunneling protocols and encapsulations including MPLS, L2TP, GRE, GTP and PPP and IPV6 for wire-speed traffic inspection, security classification and integrity across all mobile carrier environments and peering points.

---

Zero-minute Flood Protection through Advanced Behavioral Anomaly Detection

DefensePro behavioral intrusion protection system (IPS) and Denial of Service (DoS) modules deliver zero-minute, zero-touch security protecting against network attacks, ensuring carrier and subscriber service integrity while preventing service failures to guarantee server level agreements (SLAs).

DefensePro’s adaptive, behavioral DoS/DDoS delivers wire-speed mitigation of network floods including

• TCP Syn floods
• Other TCP floods (Psh+Ack, Reset, FIN...)
• UDP floods
• DNS floods
• ICMP floods
• IGMP floods
• Aggressive self-propagating worms (TCP and UDP worms)

By applying fuzzy logic algorithms for analysis and correlation of anomalies, DefensePro immediately detects any form of DoS attack and creates a filter on-the-fly to mitigate it. DefensePro worm propagation protection algorithms immediately block the spread of attacks and identify misbehaving users to preempt attack outbreaks. DefensePro server protection algorithms protect against server DoS, application vulnerability scanning and brute force attacks.

---

IPS Signature-based Protection for Service Integrity

DefensePro signature-based protection is designed to block over 1,500 signature attacks and known DoS attacks in real time. Based on a patented ASIC-based StringMatch Engine^®, DefensePro inspects traffic to identify malicious content, worms, viruses and other attack signatures, immediately blocking known attacks.

Radware’s attack database, profile-based policies and pre-defined signature groups are dedicated to preventing mass volume customer-oriented attacks, affording protection for SIP applications, DNS, web applications, messaging, ensuring the integrity of all mission-critical carrier infrastructures. In addition, Radware’s Security Update Service (SUS) delivers ongoing protection from new and emergent threats.

---

Traffic Shaping and Infrastructure Protection

DefensePro’s bandwidth management (BWM) module lets carriers rate limit and shape traffic to further protect mobile carrier mission-critical resources against attacks and surges. By limiting the number of sessions for critical resources per end user (i.e., SIP registrars, DHCP requests) or limiting total bandwidth to a critical resource (i.e., total DNS requests), DefensePro BWM normalizes traffic to prevent flooding, SLAs, eliminate congestions and prevent uncontrolled worm propagation on top of peer-to-peer (P2P) traffic, all the while guaranteeing bandwidth to meet SLAs.

---

Attack Visibility and Understanding

Insite provides comprehensive attack visibility and reporting, enabling immediate identification of attack sources, attack analysis over time and full reporting of attack scope. With Insite, mobile carriers can gain understanding of mobile Internet service vulnerabilities to better manage network and service security.

---

Carrier-grade Reliability and Performance

DefensePro delivers unmatched, carrier-grade 6 Gbps security processing performance and reliability. It is built on top of a 4-tier ASIC switching architecture with a 44 GB wire-speed non-blocking backplane, dual network processors, RISC processor and ASIC StringMatch Engine for 1000× accelerated inspection speeds. DefensePro’s internal bypasses, dual power supply and fully redundant topologies ensure fault tolerance and 99.999% uptime.