
(WHITE PAPER)

Securing Data Centers: A Unique Opportunity for ISPs


Executive Summary

For today’s enterprises, any downtime in their Internet data center (IDC) operations can dramatically impact the bottom line. So it is no surprise that the increasing scale and frequency of distributed denial of service (DDoS) attacks are now having a much greater impact on the business continuity and profitability of these companies. What’s more, while DDoS attacks may have been driven by noneconomic reasons in the past, they now have major monetary drivers including extortion, competitive advantage and corporate revenge.

DDoS threats that impact the availability of services represent a significant opportunity for Internet service providers (ISPs). Enterprises and their IDC operators are more concerned about DDoS than ever before, and ISPs can help them combat these threats. This white paper explores the security challenges affecting today’s enterprises and IDC operators, and examines how ISPs are in a unique position to respond by delivering revenue-generating, managed DDoS protection services.

The Growing Managed Security Services Market

The managed security service provider (MSSP) market is expected to grow to around $4 billion by 2016 in North America alone, according to Frost & Sullivan. Moreover, the managed security and security monitoring services segment will continue to yield the highest percentage of total revenue in the MSSP market.

“Although budget cutbacks have resulted from the economic slowdown, companies are continuing to implement measures to upgrade security,” says Frost & Sullivan Research Analyst Martha Vazquez. “Outsourcing security to an MSSP will free up time for organizations to focus on core business processes.”

Enterprises will spend more on network-based security services from ISPs as they become more comfortable with ISPs providing these services. Many factors, such as better support, more mature options, improved service control and faster services, will increase this comfort level. Today, the majority of MSSP customers purchase managed security services that are based on customer premise equipment (CPE). Consequently, customers might have fewer concerns about purchasing a network-based security service if it also includes a CPE-based component.

The Evolving DDoS Threat

The market demand for managed security services is real and growing. Service providers have some inherent advantages that enable them to capitalize on this demand because they own the pipes that transmit data across the Internet. This makes ISPs uniquely well-positioned to deliver a comprehensive solution that can combat the two primary types of DDoS attacks.

First, they can stop “volumetric” DDoS attacks. These are usually generated by Internet bots or compromised PCs that are grouped together in large-scale botnets. Examples include DDoS attacks against UK-based online betting sites1 where the hackers extorted the betting firms, and the politically motivated DDoS attacks against the Georgian government.2 They are generally high-bandwidth attacks and originate from a large number of bots that are geographically distributed. Because of the high-bandwidth and distributed nature of these attacks, the congestion might occur upstream in the provider’s network and cannot be stopped at the enterprise or data-center edge.


1 news.bbc.co.uk/2/hi/technology/4169223.stm
2 www.cnn.com/2009/TECH/08/07/russia.georgia.twitter.attack


In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. Two days before Christmas in 2009, last-minute shoppers could not access some of the world’s most popular Internet shopping sites including Amazon, Expedia and Walmart. A targeted DDoS attack against UltraDNS,3 a leading provider of domain name system (DNS) services, took these major retail sites offline. The attack could have dramatically affected the Christmas shopping season and the profitability of these retailers if UltraDNS had not been able to detect and stop the attack very quickly.

This attack revealed the potential impact of DDoS on online commerce. More importantly, it revealed a new type of “application-layer” DDoS attack that targets specific services and consumes far less bandwidth than a volumetric flood: instead of saturating links, it exhausts the resources of the targeted service (for example, a DNS server’s capacity to answer queries) with traffic that looks like legitimate requests. These application-layer DDoS attacks threaten a myriad of services ranging from Web commerce and DNS services to email and online banking.

Enterprise customers are very concerned with the availability of critical services running in their data centers. At the same time, attackers view these Internet-facing data centers as new prime targets and are launching DDoS attacks to wreak havoc on these companies. The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, and customers will be looking for solutions.

Only ISPs Can Provide the Comprehensive Solution to Protect Data Centers from DDoS

ISPs can gain a unique advantage by providing a layered network- and edge-based managed solution to combat both volumetric and application-layer DDoS attacks. The best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection) because the saturation happens upstream and can only be remediated in the provider’s cloud. The best place to perform application-layer DDoS detection is in the data center itself because the attack can only be detected and quickly stopped at the data-center edge. Only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a CPE-based service component to stop application-layer DDoS attacks, representing a distinct competitive advantage.


3 www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html

[Figure: DDoS driven by financial motivations. A paid attacker ($) directs a botnet whose attack traffic, mixed with legitimate traffic, crosses the Internet into the Internet data center and its load balancers; the targeted servers and the collateral impact on neighboring services are marked.]


There are cost efficiencies at work, too. When an ISP is already supplying a managed firewall, Secure Sockets Layer virtual private network (SSL VPN), intrusion detection system (IDS), intrusion prevention system (IPS) and other security measures, adding an incremental managed DDoS protection service can be relatively straightforward and cost-efficient.

Why Traditional Security Products Fail to Address the Evolving DDoS Threat

Firewalls, IPS and other products are key elements of your customers’ security strategy, but these solutions are designed to provide security functions that are fundamentally different from dedicated DDoS detection and mitigation products. For example, firewalls are essentially policy enforcement points that are usually deployed at the network or data-center perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a data center as defined by ports, protocols and destinations. Internet-facing data centers are open to Web traffic (TCP ports 80 and 443) and other services such as video, voice and file transfer. DDoS attacks target the very services that firewalls have to allow through, so there is no inherent DDoS protection in the firewall layer.

In fact, because firewalls maintain state information for every session established between a client on the Internet and the corresponding server in the data center, the firewalls themselves are commonly the targets of DDoS attacks: a flood of half-open or bogus sessions from spoofed sources can fill the state table, after which legitimate clients can no longer get a session at all. What’s more, firewalls are potentially the single point of failure that disables the data center during large-scale DDoS attacks. In these cases, it is best to provide DDoS protection in the ISP network or “cloud” before the attack reaches the data center; once it arrives at the firewall it is too late.
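To make the state-exhaustion failure mode concrete, here is an added Python simulation; it is not code from the Arbor paper, and no Peakflow component is involved. It models a stateful firewall with a bounded session table: spoofed half-open connections from a SYN flood hold a slot until a timeout expires them, and a legitimate handshake is admitted only while a slot is free. The table size, timeout, rates and the worst-case ordering (attack arrivals before legitimate ones within each second) are assumptions chosen for the example.

```python
"""Constructed simulation of state-table exhaustion in a stateful firewall.

Assumptions (not from the paper): the firewall keeps one table entry per
session, a half-open (SYN-only) entry is held until a fixed timeout, and
within each one-second tick attack SYNs arrive before legitimate ones.
"""


def simulate_state_table(capacity, half_open_timeout, attack_rate,
                         legit_rate, legit_hold, seconds):
    """Return (legit_admitted, legit_attempted) over the simulated period.

    capacity          -- maximum number of concurrent table entries
    half_open_timeout -- seconds a never-completed SYN occupies a slot
    attack_rate       -- spoofed SYNs per second (each a distinct 4-tuple)
    legit_rate        -- legitimate connections attempted per second
    legit_hold        -- seconds a legitimate session occupies a slot
    seconds           -- length of the simulation
    """
    table = {}  # session key -> tick at which the entry expires
    admitted = attempted = 0
    for t in range(seconds):
        # Age out entries whose expiry tick has been reached.
        table = {k: exp for k, exp in table.items() if exp > t}

        # Attack SYNs: spoofed sources never complete the handshake, so each
        # entry sits in the table for the full half-open timeout.
        for i in range(attack_rate):
            if len(table) >= capacity:
                break
            table[("atk", t, i)] = t + half_open_timeout

        # Legitimate handshakes need a free slot to be admitted.
        for i in range(legit_rate):
            attempted += 1
            if len(table) < capacity:
                table[("legit", t, i)] = t + legit_hold
                admitted += 1
    return admitted, attempted


def steady_state_half_open(attack_rate, half_open_timeout):
    """Slots a sustained flood holds once entries expire as fast as they arrive."""
    return attack_rate * half_open_timeout


if __name__ == "__main__":
    # 100 spoofed SYN/s against a 1,000-entry table with a 30 s timeout: the
    # flood alone wants 3,000 slots, so the table fills within ten seconds and
    # legitimate clients are locked out for the rest of the run.
    ok, total = simulate_state_table(1000, 30, 100, 5, 2, 60)
    print(f"legitimate sessions admitted: {ok}/{total}")
    print("steady-state half-open entries:", steady_state_half_open(100, 30))
```

With a 1,000-entry table and a 30 s half-open timeout, 100 spoofed SYN/s is enough to hold 3,000 slots at steady state, so only the first nine seconds’ worth of legitimate connections get through. Raising the table above attack_rate x timeout, or shortening the timeout, restores full admission for this modest flood, but a larger botnet moves the crossover point at will, which is why the page argues for keeping the flood off the firewall rather than tuning it.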


[Figure: Multiple layers of defense required for comprehensive DDoS protection. Large DDoS attacks are removed in the ISP cleaning center before they reach the data center; application-layer attacks are handled at the data-center edge in front of the firewall, IDS/IPS, load balancer and the target applications and services. Attack traffic and legitimate traffic are drawn separately.]


IPS/IDS devices are also not designed or positioned to protect against many denial of service attacks. They are designed to inspect packets and remove network-based malware by matching known signatures. Much DDoS attack traffic, however, consists of protocol-valid packets or requests that carry no signature to match. IPS devices are deployed in-line and, like firewalls, track per-flow state, so they suffer from the same resource and memory exhaustion problems; they are therefore another potential single point of failure on the network, and they add latency. In these cases, the detection and removal of DDoS attack traffic is best done in the ISP’s network, either before it reaches the data-center edge or by off-ramping the malicious traffic.

Some firewalls and IDS/IPS products offer DDoS detection using techniques such as statistical anomaly detection or malformed protocol detection. But since firewalls and IDS/IPS products conduct anomaly detection on a per-point basis, they have a very myopic view of the network. The very nature of a “distributed” denial of service attack means that the attack traffic is coming from different sources. Therefore, the solution must be able to recognize this behavior and stop the traffic as close to the sources as possible. This is another reason why the distributed detection and mitigation of DDoS attacks are best done in the ISP network.
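The difference between per-point and network-wide detection, argued here and listed as a requirement under “true distributed DDoS attack detection” in the next section, can be shown on flow records. The following Python example is added by the editor and is not Arbor code. The flow records are constructed to resemble one 60-second export from four peering-edge collectors, the addresses come from the documentation ranges, and the 500 Mbps per-destination threshold and the distributed-source criteria are assumed values.

```python
"""Added example (not from the paper): per-point versus network-wide
DDoS detection over flow records.

The records below are constructed to mimic what flow collectors at four
peering-edge routers would export for one 60-second window.  The 500 Mbps
per-destination threshold and the source/collector counts that make an
attack "distributed" are assumed alert settings.
"""
from collections import defaultdict

WINDOW_SECONDS = 60
ALERT_MBPS = 500.0      # assumed per-destination alert threshold
MIN_SOURCES = 10        # assumed: at least this many distinct sources
MIN_COLLECTORS = 2      # assumed: seen at more than one vantage point

# (collector, src_ip, dst_ip, dst_port, bytes) -- constructed sample data
FLOWS = []
# Attack on 203.0.113.10: each of four peering edges sees 300 Mbps from
# three sources, so no single vantage point reaches the 500 Mbps threshold.
for i, collector in enumerate(["pe1", "pe2", "pe3", "pe4"]):
    for j in range(3):
        FLOWS.append((collector, f"198.51.100.{i * 3 + j + 1}",
                      "203.0.113.10", 80, 750_000_000))
# Legitimate peak for 203.0.113.20: 100 Mbps from two sources at one edge.
FLOWS += [("pe1", "192.0.2.5", "203.0.113.20", 443, 375_000_000),
          ("pe1", "192.0.2.6", "203.0.113.20", 443, 375_000_000)]


def mbps(byte_count, window=WINDOW_SECONDS):
    """Average rate of a byte count over the export window, in Mbit/s."""
    return byte_count * 8 / window / 1e6


def point_alerts(flows, threshold=ALERT_MBPS):
    """Per-collector detection: what a firewall or IPS at one point sees."""
    per_point = defaultdict(int)
    for collector, _src, dst, _port, nbytes in flows:
        per_point[(collector, dst)] += nbytes
    return {k: mbps(v) for k, v in per_point.items() if mbps(v) >= threshold}


def network_alerts(flows, threshold=ALERT_MBPS, min_sources=MIN_SOURCES,
                   min_collectors=MIN_COLLECTORS):
    """Network-wide detection: aggregate the same records across collectors."""
    total = defaultdict(int)
    sources = defaultdict(set)
    collectors = defaultdict(set)
    for collector, src, dst, _port, nbytes in flows:
        total[dst] += nbytes
        sources[dst].add(src)
        collectors[dst].add(collector)
    alerts = {}
    for dst, nbytes in total.items():
        rate = mbps(nbytes)
        if (rate >= threshold and len(sources[dst]) >= min_sources
                and len(collectors[dst]) >= min_collectors):
            alerts[dst] = {"mbps": rate,
                           "sources": len(sources[dst]),
                           "collectors": sorted(collectors[dst])}
    return alerts


if __name__ == "__main__":
    print("point-based alerts:  ", point_alerts(FLOWS))    # nothing fires
    print("network-wide alerts: ", network_alerts(FLOWS))  # 1200 Mbps, 12 sources
```

Each collector on its own sees a 300 Mbps stream to the victim and stays silent; only the aggregated view shows 1,200 Mbps from twelve sources across four ingress points, which is both the alert and the list of places where the traffic can be dropped before it converges on the customer link.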


[Figure: IPS devices are not designed to stop DDoS attacks. Botnet attack traffic and legitimate traffic cross the ISP/Internet into the data center; congestion builds at the in-line IPS and it fails.]

[Figure: Firewalls can actually be the targets of DDoS attacks. The same botnet traffic causes congestion at the data-center firewall, which fails and takes the data center offline.]


Arbor Peakflow SP: The Platform for Comprehensive Managed DDoS Services

A complete DDoS protection solution must support the following:

- Both in-line and, more importantly, out-of-band deployment to avoid being a single point of failure on the network.

- True “distributed” DoS (DDoS) attack detection, which requires broad visibility into the network (not just from a single network perspective) and the ability to analyze traffic from different parts of the network.

- Attack detection using multiple techniques such as statistical anomaly detection; customizable threshold alerts; and fingerprints of known or emerging threats that are based on Internet-wide intelligence.

- Mitigation that can easily scale to handle attacks of all sizes, ranging from low-end (e.g., 1 Gbps of mitigation, deployed in the data center) to high-end (e.g., 40 Gbps of mitigation, deployed in the ISP network).

The solution must also feature managed security service enablers. These include application programming interfaces (APIs) for integration with existing systems; the ability to launch a customer portal easily; provisioning templates; fault tolerance; and redundancy. Lastly, the solution must be proven and backed by a company that is a known industry expert in Internet-based DDoS threats.

The Arbor Peakflow® SP solution (“Peakflow SP”) is a complete platform that service providers can use to develop comprehensive managed DDoS services for customers. Today, the majority of the world’s leading ISPs rely on Peakflow SP for the network-wide visibility and security they need to proactively fend off malicious threats, thwart DDoS attacks and strengthen the quality of their service. Increasingly, these ISPs are leveraging their investment in Peakflow SP to deliver profitable, new, in-cloud managed services.


[Figure: Arbor Peakflow SP Architecture. Peakflow SP Collector Platform (CP) 5500 appliances at the peering/transit edge and in the backbone; Peakflow SP Flow Sensor (FS) appliances at the customer/hosting edge; Peakflow SP Business Intelligence (BI) and Portal Interface (PI) appliances alongside a central console for visibility and threat management; Peakflow SP Threat Management System (TMS) 1200/2500/3x00/4x00 appliances in a regional mitigation center and TMS 1200/2500 appliances serving managed service customers.]

Arbor Peakflow SP Architecture

Consists of five types of appliances: 1) Peakflow SP Collector Platform (CP) appliances in the peering edge or backbone; 2) Peakflow SP Flow Sensor (FS) appliances in the customer aggregation edge; 3) Peakflow SP Business Intelligence (BI) appliances to increase scalability and add redundancy for managing critical business objects; 4) Peakflow SP Portal Interface (PI) appliances to increase the scale, redundancy and profitability of Arbor-based managed services; and 5) Peakflow SP Threat Management System (TMS) appliances deployed in any part of the network to surgically mitigate network threats.


Peakflow SP meets the key requirements of a comprehensive DDoS solution by providing:

- Ability to stop both volumetric and application-layer DDoS attacks: Peakflow SP provides the tools to diagnose and stop both high-bandwidth DDoS attacks and targeted application-layer DDoS attacks.

- True “distributed” DoS attack detection: Peakflow SP offers true distributed anomaly detection rather than simple point-based detection.

- Multiple methods of threat detection and mitigation: Peakflow SP provides multiple attack detection techniques. These range from statistical anomaly detection and threshold-based flood detection to fingerprint-based detection based on the global intelligence in Arbor’s Threat Level Analysis System (ATLAS®).4

- Scalability to handle all-size threats: Peakflow SP can detect threats of all sizes by leveraging flow technology in existing network infrastructure equipment. The solution can also stop any-size threat by supporting an array of Arbor Peakflow Threat Management System (“TMS”) appliances that provide surgical mitigation ranging from 1 Gbps to 40 Gbps (see below).

- Multiple deployment options: Peakflow SP can be deployed out-of-band, where attack traffic is diverted to the TMS appliances. The solution can also be deployed in-line or passively.

- Managed service enablers: Peakflow SP offers a full range of enablers that help ISPs launch network-based service offerings to their customers.

- Industry expertise backed by a market leader: Arbor Networks is a leading provider of security and network management solutions for global business networks, including more than 70 percent of the world’s ISPs and many of the largest enterprise networks in use today.
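The out-of-band deployment option above diverts attack traffic to the TMS appliances; the paper does not describe how. The usual mechanism, assumed in this added example (editor’s code, not Arbor’s), is to announce a more-specific route for the attacked address that points at the scrubbing center, so that longest-prefix matching off-ramps only the victim’s traffic while the rest of the customer’s prefix keeps its normal path. The prefixes and next-hop labels are invented.

```python
"""Added example (not from the paper): out-of-band mitigation modelled as
longest-prefix-match routing.

Assumption: diversion works by injecting a host route (/32) for the victim
that points at the scrubbing center.  Prefixes and next-hop names are
invented; 203.0.113.0/24 stands in for a hosted customer's address space.
"""
import ipaddress


class RoutingTable:
    """A minimal FIB: prefixes mapped to next-hop labels."""

    def __init__(self):
        self._routes = {}  # ip_network -> next-hop label

    def add(self, prefix, next_hop):
        self._routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self._routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Longest-prefix match, as a router forwards a packet."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, hop in self._routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


def divert(table, victim_ip, scrubbing_hop):
    """Off-ramp one host: install a /32 toward the mitigation appliance."""
    table.add(f"{victim_ip}/32", scrubbing_hop)


def restore(table, victim_ip):
    """Withdraw the more-specific once the attack has ended."""
    table.remove(f"{victim_ip}/32")


def route_packets(table, destinations):
    """Map each destination to the next hop its packets would take."""
    return {dst: table.lookup(dst) for dst in destinations}


if __name__ == "__main__":
    fib = RoutingTable()
    fib.add("203.0.113.0/24", "customer-edge")   # normal path into the data center
    fib.add("0.0.0.0/0", "transit")
    hosts = ["203.0.113.10", "203.0.113.20", "198.51.100.7"]
    print("before:", route_packets(fib, hosts))
    divert(fib, "203.0.113.10", "scrubbing-center")
    print("during:", route_packets(fib, hosts))   # only .10 is off-ramped
    restore(fib, "203.0.113.10")
    print("after: ", route_packets(fib, hosts))
```

Only the victim’s /32 changes path; its neighbor at 203.0.113.20 keeps flowing straight to the customer edge, which is the “surgical” part of the mitigation. What this model leaves out is the return leg: once scrubbed, clean traffic still has to be re-injected toward the data center, typically over a tunnel, so it does not follow the same /32 back to the scrubbing center.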


Multiple deployment options for Peakflow SP TMS

[Chart: mitigation performance (Gbps, 0 to 40) against deployment size, from dedicated customer / small POPs / small provider at the low end to large POPs / regional scrubbing center / large provider at the high end. The models plotted are listed below.]

  Model     Mitigation capacity                        Size  Interfaces
  TMS 1200  1.5 Gbps                                   1U    4 x 1 GigE ports
  TMS 2500  2.5 Gbps, NEBS certified                   2U    6 x 1 GigE ports
  TMS 3050  5 Gbps (software upgrade to 10 Gbps)       3U    2 x 10 GigE ports + 10 x 1 GigE ports
  TMS 3100  10 Gbps                                    3U    2 x 10 GigE ports
  TMS 3110  10 Gbps                                    3U    2 x 10 GigE ports + 10 x 1 GigE ports
  TMS 4000  10 Gbps per APM; 1, 2, 3 or 4 x APM        6U    8 x 10 GigE ports
            (10, 20, 30 or 40 Gbps)

4 atlas.arbornetworks.com


Conclusion

DDoS attacks are continuing to rise, and both public and private data centers are prime targets. Today’s data center operators are seeking solutions to this pressing problem. ISPs have a unique opportunity to respond by offering valuable network- and edge-based services that protect their customers’ data centers against DDoS attacks and drive incremental revenue. Peakflow SP is a proven platform that enables ISPs to develop unique managed DDoS protection services and help solve this growing threat.


For more information about the Peakflow SP solution, visit the Arbor Networks Web site at www.arbornetworks.com/peakflowsp or contact an Arbor Networks representative at www.arbornetworks.com/contact.


Copyright ©1999-2010 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

WP/SDC/0810

Corporate Headquarters
6 Omni Way, Chelmsford, Massachusetts 01824
Toll Free USA +1 866 212 7267
T +1 978 703 6600
F +1 978 250 1905

Europe
T +44 208 622 3108

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

About Arbor Networks
Arbor Networks is a leading provider of secure service control solutions for global business networks. Its customers include a majority of the world’s ISPs and many large enterprises. Arbor solutions deliver best-in-class network security and visibility, along with the power to improve profitability by deploying differentiated, revenue-generating services. By employing flow-based and deep packet inspection (DPI) technologies, Arbor solutions measure and protect the entire network, from the network core to the broadband edge. Arbor also maintains the world’s first globally scoped threat analysis network, ATLAS, which uses technology embedded in the world’s largest ISP networks to sense and report on comprehensive worldwide threat intelligence.