As the threat landscape intensifies, data center operators are demanding next-generation solutions to monitor pervasively and withstand massive cyber-attacks while operating within flat budgets. Today, we are announcing the BigSecure Architecture – a next-generation DMZ security architecture leveraging SDN fabric, best-of-breed security tools, deep packet inspection (DPI) service nodes and NFV tool farm for combating large-scale externally-originated attacks.

 

Drivers for BigSecure Architecture

The volume, cadence and sophistication of cyber-attacks on large organizations, including cloud providers, service providers and software-as-a-service (SaaS) providers, are rapidly increasing. Attackers have started to compromise tens of thousands of Internet of Things (IoT) devices to create armies of “botnets,” which collectively send large-scale malicious traffic to disrupt critical internet-based services. Recently, the self-spreading Mirai malware compromised over one hundred thousand internet-connected video cameras to generate a distributed denial-of-service (DDoS) attack of over 1 Terabit against a Domain Name Service (DNS) service provider, blocking multiple high-profile Internet domains for hours. It has become necessary for organizations to deploy cyber-defense mechanisms to protect against massively distributed attacks without breaking their security budget.

Requirements for Next-generation Cyber-defense

To defend organizations from such massive and sophisticated cyber-attacks, a next-generation cyber-defense solution must provide elastic mitigation infrastructure in addition to what security tools already provide.

By deploying such a solution, organizations would be able to:

  • Leverage the high-bandwidth network to mitigate network-level (L2 – L4) attacks

  • Deploy a pool of compute resources to mitigate high-bandwidth packet/flow-level attacks

  • Enable programmatic interactions across security tools and elastic mitigation infrastructure for dynamic enforcement

  • Operate in a scale-out manner, from 10 Gigabit to 1+ Terabit performance

BigSecure Architecture for Dynamic, Terabit-scale Cyber-defense

The BigSecure Architecture leverages SDN, a pool of compute resources and the best-of-breed security tools to deliver next-generation cyber-defense.

 

The BigSecure Architecture consists of:

  • Big Monitoring Fabric (Inline) -- an SDN-based inline fabric deployed at the data center edge or in the DMZ for connecting and load balancing security tools and creating service chains

  • Big Monitoring Fabric Service Node -- a high performance (40G to 160G) Intel x86 DPDK-based service node, centrally controlled and managed by the Big Mon SDN Controller, for deep-packet and flow inspection and filtering based on whitelist/blacklist of signatures for the purpose of attack mitigation.

  • NFV Tool Farm -- a pool of x86 compute resources available for hosting security tools in the form of virtual network functions (VNFs) in order to elastically scale them for Terabit attack mitigation. Big Monitoring Fabric programmatically augments service chains as well as load balances across a large set of tool VNFs.

  • Security Tools -- 3rd party security tools (such as A10 Networks’ Threat Protection System) that detect and mitigate sophisticated attacks and interact programmatically with the Big Mon controller for dynamic attack mitigation.

  • Open Hardware -- industry-standard 10G/40G/100G Ethernet switches from Dell EMC and Edgecore Networks operating at multi-terabit bandwidth, centrally controlled and managed by the Big Monitoring Fabric controller; industry-standard x86 servers for SDN controllers, service nodes and NFV tool farm.

Once the BigSecure Architecture is instantiated, a security tool detects high-bandwidth attacks and interacts with the Big Monitoring Fabric Controller via programmatic APIs to redirect incoming traffic for elastic mitigation. Depending on the type of attack, the Big Mon Controller (a) activates the SDN fabric and compute resources for attack mitigation, (b) reconfigures the service chain to redirect traffic to mitigation infrastructure, and (c) load-balances traffic across a cluster of Big Mon service nodes and the NFV tool farm for scale-out performance. Together, the SDN fabric, Big Mon service nodes and NFV tool farm perform Layer-7 scans of network traffic and block those packets/flows that contain attack signatures. With BigSecure, security teams are able to quickly deploy a dynamic cyber-defense architecture that provides elastic, Terabit-scale attack mitigation capability at an affordable price while continuing to leverage best-of-breed security tools.

In addition to Terabit-scale mitigation, the BigSecure Architecture also exports flow telemetry (NetFlow, sFlow) of network traffic to anomaly-detection/traffic visibility systems, which provide the ability to detect, classify, and trace back a variety of attacks.

With attack sophistication increasing day by day, security professionals have no choice but to deploy an adaptive, intelligent and scalable cyber-defense solution to continually protect their organizations. We believe the BigSecure Architecture is an important step in that direction.

 

Prashant Gandhi

VP and Chief Product Officer