Rethinking Security: Corsa Red Armor Network Security Enforcement
corsa-technology
Red Armor
Network Security Enforcement
Rethinking Network-Based Security
To Protect against DDoS Attacks
• Perfectly simple high performance infrastructure
– Purpose-built high capacity networks
– Our architecture and advanced features set us apart
• Product Innovation with market-leading support
• Customers use this for rapid service creation and delivery within their networks
– ISP, SP, IX, CDNs, hosting providers and NREN customers worldwide
– Very large networks: Each moving >50 Petabytes of data per month
A Bad Trend in DDoS Attacks
BBC – 602 Gbps, 31/12/2015
Krebs – 665 Gbps, 20/09/2016
OVH – 1 Tbps, 20/09/2016
Dyn – 1.2 Tbps, 21/10/2016
Incapsula – 650 Gbps @ 150 Mpps, 21/12/2016
Mirai Botnet
Leet Botnet
NWH Botnet
Anatomy of DDoS Attacks
>90% of Attack Traffic is Volumetric
Verisign, Oct. 2016
“IoT denial of service attacks ….will be orders of magnitude greater than what we have seen.
The 2016 IoT DDoS attacks were…merely designed to calibrate their weaponized software.
2017 will see serious internet outages.”
2017 – Tip of the Iceberg
Today’s Network Security
Scrubbing Center
Traditional Router-Based
Security for high volume networks
Insufficient performance against escalating intensity of attacks: huge # attack sources, massive increase in attack size, multiplying attack types
Mitigation is not keeping pace with detection and analysis
Cost prohibitive
Not line-rate
Limited scale
Restricted placement
Inadequate evolution
Too complex
Red Armor NSE7000 Series
• Installs in 10 minutes within existing architectures
• Operates as a bump on the wire
• Interoperates with every DDoS detection technology
• Provides 100G line rate enforcement at a fraction of the cost
Red Armor Turbo Charges Network Security
Separation of Network Security Functions
An evolved security architecture:
• Best-of-breed Analysis
• Best-of-breed Inspection
• Line-rate Enforcement
Mitigation/Enforcement
Inspection
Analysis
Line-rate Enforcement
Red Armor: Network Security Enforcement
64 Byte line-rate performance: 100Gbps @ 150 Mpps
Ultimate precision to protect both network and customer
No performance penalty with small packets or number of rules
Responsive to evolving security threats
Universal Solution
Fits in any existing architecture
Distributed or centralized with ability to scale up AND scale out
Link best of breed inspection and analysis with best enforcement
Performance monitoring and reporting for every rule
Right-Sized Economics
Simplified enforcement
Affordable for building truly distributed defence
Ability to scale security with scaling the network
No software licensing fees or transceiver lock in
Universal enforcement for any size volumetric DDoS attack
Network Security Enforcement for DDoS
BGP Flow Spec
NetFlow Data
Analysis/Detection
Bump in the wire
Red Armor Line Rate Enforcement
Any existing DDoS detection such as
Network Routing
Add to existing architecture
No shared resources with routing
No degradation of performance based on packet size
No degradation of performance based on # of rules
Red Armor – How It Works
• Enforcement broken down into simple security rules
• Packets parsed and matched on any field at L3 and L4
– TCP Flags, SYN in addition to IP src/dst and TCP/UDP src/dst
• Rules can be programmed via BGP FlowSpec, REST API or OpenFlow
• Real-time per rule statistics for extremely granular performance monitoring and reporting
Enforcement Rules
Accept, Drop, Rate-limit, DSCP Remark
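The rule model this slide describes (match on L3/L4 fields, then accept, drop, rate-limit or DSCP-remark, with per-rule counters), sketched as an added example that is not Corsa's code or API. The `Rule` shape, the `enforce` function, first-match ordering, default accept, the GCRA rate limiter and the sample packets are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits

@dataclass
class Rule:  # hypothetical rule shape, not a vendor schema
    name: str
    action: str        # accept | drop | rate-limit | dscp-remark
    match: dict        # src/dst: CIDR; proto/sport/dport: int; flags: (mask, value)
    arg: float = 0     # packets/second for rate-limit, DSCP value for dscp-remark
    hits: int = 0      # per-rule statistics
    dropped: int = 0
    tat: float = 0.0   # rate-limit state: theoretical arrival time (GCRA)

    def matches(self, p):
        def ok(k, want):
            if k in ("src", "dst"):
                return ipaddress.ip_address(p[k]) in ipaddress.ip_network(want)
            if k == "flags":
                return (p.get("flags", 0) & want[0]) == want[1]
            return p.get(k) == want
        return all(ok(k, w) for k, w in self.match.items())

def enforce(rules, pkt, now):
    """First matching rule decides (assumed ordering); no match means accept."""
    for r in rules:
        if not r.matches(pkt):
            continue
        r.hits += 1
        verdict = "drop" if r.action == "drop" else "accept"
        if r.action == "rate-limit":
            # GCRA form of a token bucket: arg packets/second, burst of arg packets.
            tat = max(r.tat, now)
            if tat - now > (r.arg - 1) / r.arg:
                verdict = "drop"
            else:
                r.tat = tat + 1 / r.arg
        elif r.action == "dscp-remark":
            pkt["dscp"] = int(r.arg)
        r.dropped += verdict == "drop"
        return verdict
    return "accept"

def demo():  # constructed rules and packets (documentation address ranges)
    rules = [Rule("syn-limit", "rate-limit", {"dst": "203.0.113.10/32", "proto": 6,
                  "dport": 443, "flags": (SYN | ACK, SYN)}, arg=2),
             Rule("udp-drop", "drop", {"dst": "203.0.113.0/24", "proto": 17})]
    syn = {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": 6, "dport": 443, "flags": SYN}
    return [enforce(rules, dict(syn), 10.0) for _ in range(3)], rules
```

`demo()` sends three bare SYNs in the same instant against a 2 pps limit, so the third is dropped and the rule's `hits` and `dropped` counters show what that one rule did.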
NSE Performance: RFC2544 Test
Traffic composition: 100% 64-byte packets
Traffic rate: 100 Gbps
Performance result: 150 Mpps at 100 Gbps
Red Armor NSE7000 Series
• Installs in 10 minutes and is additive to existing architectures
• Operates as a bump on the wire
• Interoperates with every DDoS detection technology
• Provides 100G line rate enforcement at a fraction of the cost
Red Armor Turbo Charges Network Security
Red Armor