Enabling next-generation cyber-defense that is dynamic and provides Terabit-scale attack mitigation.
The volume, cadence and sophistication of cyber-attacks are rapidly increasing on large internet-based organizations including cloud providers, service providers and software-as-a-service (SAAS) providers. Attackers have started to compromise millions of Internet of Things (IOT) devices to create armies of “botnets”, which send large-scale malicious traffic in a coordinated manner to disrupt critical internet-based services. The self-spreading Mirai malware for example compromised over a hundred thousand internet-connected video cameras to generate over 1 Terabit of Domain Name Service (DNS) attack, and blocked multiple high-profile Internet domains for hours. It has become necessary for organizations to deploy cyber-defense mechanisms to protect against such massively distributed Denial of Service (DDoS) attacks.
Requirements for Next-generation Cyber-defense
To defend organizations from such massive and sophisticated cyber-attacks, a next-generation cyber-defense solution requires new software-centric capabilities:
- Mitigation off-load: To block Terabit-scale attack, mitigation function needs to be decoupled from attack detection so that it is offloaded to external mitigation-only infrastructure that can be scaled independently and affordably to Terabit bandwidth.
- Dynamic Operation: Attack detection tool must programmatically interact with external mitigation infrastructure to programmatically communicate identified attack signatures (directly or via security orchestration engine that enforces change control policies).
- L7 Intelligence: To block sophisticated attacks, mitigation infrastructure needs packet- and transaction-level intelligence, programmed by attack detection tool.
- Scalability and Cost-optimization: Scale-out mitigation infrastructure needs to scale from 10 Gigabit to 1+ Terabit in a cost-optimized pay-as-you-scale manner.
Software-driven Architecture for Next-generation Cyber-defense.
Software-driven programmatic interactions become the basis for architecting next-generation cyber-defense. The architecture has three programmatically-connected components: Attack detection, externalized attack mitigation (via SDN fabric) and Security orchestration.
- An attack (e.g. DDOS) detection tool, receives network traffic and detects the attack and communicates attack signatures to security orchestration engine.
- Security Orchestration engine (optional) programs the external attack mitigation system, adhering to Infosec change control policies.
- SDN fabric (with L2 – L7 intelligence) acts as the external attack mitigation system, programmable via SDN controller, to block the attack.
BigSecure Architecture for Dynamic, Terabit-scale Cyber-defense
The BigSecure Architecture leverages SDN-based Big Monitoring Fabric Inline, cluster of high-performance Service Nodes and 3rd party attack detection tools to deliver next-generation cyber-defense.
The BigSecure Architecture consists of:
- Big Monitoring (Big Mon) Fabric (Inline) — an SDN-based solution leveraging open networking switches, deployed at the Data Center edge or in the DMZ for creating scalable security tool service chains. The centralized SDN controller supports programmatic operations through RESTful APIs for dynamic multi-system interactions. For distributing attack signatures in a multi-site deployment, DevOps tools such as Ansible can be leveraged to simultaneously program multiple Big Mon controllers.
- Big Monitoring Fabric Service Node — a high performance (40G–160G) x86 DPDK-based service node appliance, centrally controlled and managed by Big Mon SDN Controller — enables deep packet/flow inspection and filtering based on whitelist/blacklist signatures for the purpose of attack mitigation. With the aid of Big Mon controller, it can also be inserted dynamically into security service chains to guarantee front-line mitigation processing. Multiple service nodes are deployed in a scale-out manner for Terabit filtering and mitigation.
- Open networking switches — industry-standard 10G/40G/100G fabric switches operating at multi-terabit bandwidth, centrally controlled and managed by the Big Mon controller.
- Attack detection tools — 3rd party security tools that detect sophisticated Attacks (including DDOS attacks), leverage programmatic (zero-touch) interactions with SDN controller and offload dynamic threat mitigation to high-speed SDN fabric.
In addition to Terabit scale mitigation, Big Secure Architecture also exports flow telemetry (NetFlow, sFlow) of network traffic to anomaly-detection/traffic visibility systems which provide the ability to detect, classify, and traceback DDoS attack traffic.
By leveraging the BigSecure Architecture, customers can deploy a dynamic cyber-defense solution that provides Terabit attack mitigation capability at an affordable price while continuing to leverage best-of-breed DDoS attack detection tools.