A Total Network Threat Mitigation Solution for Service Providers: GenieATM + Cisco Guard

Executive Summary

CUSTOMER
China Telecom — Jinhua Telecom

SECTOR
ISP

CUSTOMER NEEDS
• Timely detection of network security threats
• Effective mitigation of network security threats
• Abundant analysis of normal and anomalous traffic
• Carrier-grade network scale, performance and reliability

SOLUTION
• GenieNRM GenieATM
• Cisco Guard

VALUES
Network managers can cost-effectively address large-scale network threat problems, and hence increase customer satisfaction and market competitiveness.

1. Introduction

The most important task for service providers is making bandwidth available to their subscribers. Nowadays service providers face constant and growing threats to their bandwidth availability and performance. The most intimidating threats to a service provider's bandwidth availability are Distributed Denial of Service (DDoS) attacks. DDoS attacks paralyze Internet systems by overwhelming servers, network links, and network devices (routers, switches, firewalls, etc.). One emerging way of generating DDoS attacks, botnets (a.k.a. zombie armies), uses a number of infected computers (whose owners are unaware of it) to mimic the behavior of legitimate users and create connections to other computers (usually the DDoS victims) on the Internet. Given the general geographic dispersal of botnets, it becomes very difficult to identify a pattern among the offending machines, and the sheer volume of IP addresses makes filtering individual sources impractical. According to a number of network security reports, DDoS attacks propagated by botnets – not viruses, worms, nor spam – currently pose the biggest threat to the Internet.
Different security tools for DDoS protection exist. These include firewalls, IDP (Intrusion Detection and Prevention), ACLs (Access Control Lists) in routers or switches, etc. However, each of these products has not only advantages but also limitations. These conventional perimeter security tools, although important components of an overall security strategy, do not by themselves provide comprehensive DDoS protection, especially in service provider network environments. Therefore, defending against the current DDoS threats to Internet availability requires a purpose-built architecture that includes the ability to specifically detect and mitigate these increasing threats, and that is where the GenieATM & Cisco Guard solution comes in.

2. Service Provider Use Cases — Jinhua Telecom

China Telecommunications Corporation (China Telecom) is an extra-large state-owned telecom operator. As the principal telecom enterprise and the largest basic telecom operator in China, China Telecom owns the world's largest fixed-line telephone network, covering the cities and towns as well as the rural areas of China. Member units of China Telecom include 31 provincial (municipal and autonomous regional) enterprises which provide telecom services nationwide. The Zhejiang provincial enterprise is one of the largest provincial enterprises of China Telecom, and Jinhua Telecom is the city-level subsidiary with the largest Internet access business within the Zhejiang provincial enterprise.
The total bandwidth of Jinhua Telecom's network exits to the Internet is as high as 30Gbps, and network links of 2.5G or 10G are commonplace in its infrastructure. As more and more malicious traffic was generated by DDoS attacks in Jinhua Telecom's network, traditional in-line network security products failed to address Jinhua Telecom's need for DDoS threat mitigation. The in-line security products themselves became victims of the DDoS attacks because they are not able to detect and filter anomalous traffic in such a high-speed network environment. In addition to the performance issue, the total deployment cost of link-based security devices is formidable for a large-scale network like Jinhua Telecom's. Furthermore, when facing network security incidents, network managers need not only to mitigate the problems in a timely manner; the forensics afterwards is also important. In order to conduct insightful forensic work, accurate information about the anomalous traffic is critical. However, conventional security products usually do nothing more than block the detected attacks.
In response to these network security challenges, the network managers of Jinhua Telecom were looking for an advanced network security protection and traffic analysis solution which would not only detect network threats, mitigate the problems automatically and provide abundant traffic information, but also be able to handle attack traffic scaling up to multiple gigabits. After a careful survey of solutions, Jinhua Telecom decided to deploy the GenieATM & Cisco Guard solution to address its network security needs.

3. Solution Overview

Taking on DDoS attacks requires a new approach that not only detects increasingly complicated, sophisticated and deceptive attacks, but also mitigates their impact to ensure network resource availability.
DDoS Detection: GenieATM
GenieATM is an innovative Network Behavior Anomaly Detection system, which leverages a combination of flow data, SNMP queries, and BGP routing messages to create a behavior-based system that profiles 'traffic patterns.' Normal traffic models are built and maintained for the network infrastructure and for subscriber networks, respectively. Once the normal network behavior is "learned," any detected variation from it is considered anomalous, and hence tracked and acted on.
The GenieATM built-in Anomaly Traffic Detection engine quickly detects network attacks originating from both internal and external networks and promptly locates suspicious attackers and victims. After detection, GenieATM raises alerts on the detected threats, provides detailed reports on the incidents, and notifies the mitigation device, Cisco Guard, to treat the suspicious traffic.
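As an added illustration (example code written for this page, not GenieATM software), the following Python script shows the shape of the behavior-based detection described above: it learns a per-host, per-protocol baseline from a window of flow records, flags intervals that deviate from it, merges consecutive intervals into one incident, and reports duration, severity and the top sources, which is the attacker/victim view the detail report gives. The flow records, the threshold rule (mean plus three standard deviations, with a floor for hosts that have no history) and the severity bands are constructed assumptions, not GenieATM's actual models.

```python
"""Added example (not GenieATM code): a minimal flow-based behaviour baseline and
anomaly detector in the spirit of the approach described above. Every flow record
below is constructed sample data; hosts are RFC 5737 documentation addresses."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    bucket: int   # one-minute interval index assigned by the flow exporter
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    octets: int


def aggregate(flows):
    """Bytes per (bucket, dst, proto): the per-interval behaviour of each protected host."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.bucket, f.dst, f.proto)] += f.octets
    return totals


def learn_baseline(flows, k=3.0, floor=50_000):
    """Threshold per (dst, proto) = mean + k*stddev of per-interval bytes over the
    learning window, never below `floor` so quiet hosts do not alarm on noise."""
    totals = aggregate(flows)
    buckets = sorted({b for b, _, _ in totals})
    baseline = {}
    for d, p in {(d, p) for _, d, p in totals}:
        values = [totals.get((b, d, p), 0) for b in buckets]
        baseline[(d, p)] = max(mean(values) + k * pstdev(values), floor)
    return baseline


def detect(flows, baseline, floor=50_000):
    """Flag intervals above threshold, merge consecutive intervals into one incident,
    and report duration, severity and top sources (the attacker/victim view)."""
    totals = aggregate(flows)
    per_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        per_src[(f.bucket, f.dst, f.proto)][f.src] += f.octets
    incidents = []
    for (b, d, p), volume in sorted(totals.items()):
        thr = baseline.get((d, p), floor)   # host with no history: fall back to the floor
        if volume <= thr:
            continue
        last = next((i for i in reversed(incidents) if (i["victim"], i["proto"]) == (d, p)), None)
        if last and last["end"] == b - 1:   # contiguous with the previous flagged minute
            last["end"], last["octets"] = b, last["octets"] + volume
            last["peak"] = max(last["peak"], volume)
        else:
            incidents.append({"victim": d, "proto": p, "start": b, "end": b,
                              "octets": volume, "peak": volume, "threshold": thr})
    for inc in incidents:
        ratio = inc["peak"] / inc["threshold"]   # assumed severity bands
        inc["severity"] = "red" if ratio >= 10 else "yellow" if ratio >= 3 else "green"
        inc["duration_min"] = inc["end"] - inc["start"] + 1
        srcs = defaultdict(int)
        for b in range(inc["start"], inc["end"] + 1):
            for s, v in per_src[(b, inc["victim"], inc["proto"])].items():
                srcs[s] += v
        inc["top_sources"] = [s for s, _ in sorted(srcs.items(), key=lambda kv: -kv[1])[:3]]
    return incidents


# Constructed learning window: ten quiet minutes for one protected host.
LEARNING_FLOWS = []
for b, udp in enumerate([90_000, 110_000, 100_000, 95_000, 105_000,
                         100_000, 98_000, 102_000, 100_000, 100_000]):
    LEARNING_FLOWS.append(Flow(b, "198.51.100.7", "203.0.113.10", "tcp", 1_000_000))
    LEARNING_FLOWS.append(Flow(b, "198.51.100.8", "203.0.113.10", "udp", udp))

# Constructed observation window: eight minutes of UDP flood against 203.0.113.10 from
# twenty sources, then one quiet minute, plus a minor blip on a host with no baseline.
OBSERVED_FLOWS = []
for b in range(100, 109):
    OBSERVED_FLOWS.append(Flow(b, "198.51.100.7", "203.0.113.10", "tcp", 900_000))
    OBSERVED_FLOWS.append(Flow(b, "198.51.100.8", "203.0.113.10", "udp", 100_000))
    if b < 108:
        OBSERVED_FLOWS += [Flow(b, f"192.0.2.{i}", "203.0.113.10", "udp", 500_000) for i in range(1, 21)]
OBSERVED_FLOWS.append(Flow(100, "198.51.100.9", "203.0.113.20", "udp", 60_000))


def run_demo():
    return detect(OBSERVED_FLOWS, learn_baseline(LEARNING_FLOWS))


if __name__ == "__main__":
    for inc in run_demo():
        print(f"{inc['severity']:6} {inc['proto']} flood on {inc['victim']}: "
              f"{inc['duration_min']} min, peak {inc['peak']:,} B/min, top {inc['top_sources']}")
```

Running the script reports one red UDP incident of 8 minutes against 203.0.113.10 with three 192.0.2.x addresses as top sources, and one green single-minute blip on 203.0.113.20 that only the floor caught. A production baseline would be learned per time of day and per direction, which is what the profiling of infrastructure and subscriber networks separately is meant to capture.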
DDoS Mitigation: Cisco Guard
Cisco Guard is a high-performance DDoS attack mitigation device that is deployed upstream, at either the ISP data center or the perimeter of a large enterprise, to protect both network and data center resources. When Cisco Guard is notified by GenieATM that a target is under attack, traffic destined for the target is diverted to the Guard(s) associated with the targeted device. The traffic is then subjected to an analysis and filtering process designed to remove all malicious traffic while allowing legitimate traffic to be injected back into the routing infrastructure and continue on its way to the target without interruption.
The following section of this application note uses a real-site test in a city-region network as an example to explain how ISPs can deploy the GenieATM & Cisco Guard total solution to protect key customers, backbones, ISP links and data centers from DDoS attacks.

4. Deployment and Usage Examples

In this project, Jinhua Telecom deployed one GenieATM Controller, one GenieATM Collector and one GenieATM MSP Collector. The GenieATM systems collect traffic flows exported from the routers at Jinhua Telecom's network exits, network backbone and aggregation layer. In Jinhua Telecom's Cleaning Center, a Cisco router was deployed with three Cisco Guard module cards installed. The deployment and operation are illustrated in Figure 1. The major difference between this GenieATM + Cisco Guard solution and other network attack prevention solutions is its "off-line" approach, unlike other products' "in-line" mode. The GenieATM + Cisco Guard solution protects the whole network through "detect", "divert", "clean" and "redirect" steps.
A single Cisco Anomaly Guard Module (AGM) card can support up to 3Gbps of traffic, but it also supports a "device clustering" capability. Clustering enables multiple AGM cards to load-balance the huge attack traffic generated by a security threat. In the Jinhua Telecom project, three AGM cards are deployed with the clustering function enabled, and hence the solution can mitigate up to 9Gbps of anomalous traffic, which is far beyond the capability of other in-line network security protection solutions.
Figure 1: GenieATM + Cisco Guard Deployment and Operation
The network managers of Jinhua Telecom can configure and operate the solution through the Web GUIs of the GenieATM and Cisco Guard systems. Via GenieATM's Web UI, network managers can not only easily configure and operate the GenieATM system, but also obtain abundant real-time and historical analysis reports for both anomalous and normal network traffic.
The following illustrates the usage of the GenieATM + Cisco Guard solution:
Figure 2 is an example of GenieATM's real-time Summary report of all incidents detected in the past 24 hours. It allows Jinhua Telecom network managers to understand what is happening on their network. In this example, we can see that GenieATM found several ongoing anomalous activities. Network managers can click on the incidents they are interested in to get further details of the selected anomaly (see Figure 3).
Figure 2: Real-time Summary Console
In the example in Figure 3, we can see from the anomaly report that the detected anomaly is a UDP flooding attack which lasted about 8 minutes, that the severity level of the threat is Red (high), and that the attack was initiated from the internal network of Jinhua Telecom. The summary report also identifies the attack path and the IP addresses of the attacker and victims. Apart from the detailed anomaly reports, GenieATM also provides statistical reports on all detected anomalies (see Figure 4). The statistics give network managers an overall understanding of their own network security.
Figure 3: Detail Anomaly Report
Figure 4: Anomaly Events Statistic Report
In addition to the real-time anomaly detection reports, Jinhua Telecom network managers also use GenieATM to mitigate suspicious anomalous traffic automatically. GenieATM can be configured to trigger Cisco Guard automatically and divert the detected anomalous traffic to it. After Cisco Guard removes the malicious traffic, the legitimate traffic is redirected back to its original destinations without impact.
The GenieATM system provides logs of all anomaly mitigation processes (see Figure 5). This allows network managers to understand all the details of the mitigation activity for a detected anomaly, such as the ID of the detected anomaly, the victim IP address(es), the traffic cleaning device, the legitimate traffic volume in the incident, the malicious traffic volume, the time the incident was detected, and the current status of the incident. A network manager can click on the incident he is interested in to get further details of a specific mitigation activity (see Figure 6).
Figure 5: Anomaly Mitigation Summary Report
Figure 6: Anomaly Mitigation Report
In the example of Figure 6, we can see a detected anomaly with a total traffic volume of 1.26Gbps. After diverting the suspicious traffic to Cisco Guard, the malicious traffic (about 97% of the suspicious traffic) is blocked, and the benign traffic (3% of the suspicious traffic) is redirected back to its original targets. Through the complete anomaly detection and mitigation process of the GenieATM + Cisco Guard solution, attack traffic that previously might have caused network congestion and failure is filtered effectively, and benign traffic is left intact for normal service operations.
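To make the "detect", "divert", "clean" and "redirect" steps of the deployment description and the per-incident accounting of Figures 5 and 6 concrete, here is an added simulation in Python; it is example code for this page, not GenieATM or Cisco Guard software. Diversion is modelled as injecting a more-specific /32 route for the victim toward the scrubbing device, cleaning as a per-source UDP volume heuristic standing in for the Guard's filtering, and re-injection as forwarding on a path that bypasses the divert route. The device names, the anomaly ID, the UDP budget and all traffic are constructed assumptions.

```python
"""Added example (not GenieATM or Cisco Guard code): the divert/clean/redirect
workflow with the accounting a mitigation report shows. Every name and packet
below is constructed; hosts are RFC 5737 documentation addresses."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    size: int   # bytes on the wire


class RoutingTable:
    """Longest-prefix-match table standing in for the ISP's interior routing."""
    def __init__(self):
        self.routes = {}   # ip_network -> next-hop name

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


class Scrubber:
    """Stands in for the cleaning device. Assumed heuristic: a source whose UDP volume
    in the interval exceeds a per-source budget is a flood source; all its packets drop."""
    def __init__(self, name, udp_budget):
        self.name, self.udp_budget = name, udp_budget

    def clean(self, packets):
        udp_per_src = defaultdict(int)
        for p in packets:
            if p.proto == "udp":
                udp_per_src[p.src] += p.size
        blocked = {s for s, v in udp_per_src.items() if v > self.udp_budget}
        return ([p for p in packets if p.src not in blocked],   # legitimate, to re-inject
                [p for p in packets if p.src in blocked])       # malicious, discarded


class Mitigation:
    """One incident's life cycle: divert the victim's traffic, clean it, re-inject it."""
    def __init__(self, anomaly_id, victim, rib, scrubber, reinject_hop):
        self.anomaly_id, self.victim, self.rib = anomaly_id, victim, rib
        self.scrubber, self.reinject_hop = scrubber, reinject_hop
        self.legitimate = self.malicious = 0
        self.status = "detected"

    def divert(self):
        # A /32 for the victim pointing at the guard is more specific than the customer
        # prefix, so only the victim's traffic changes path; the rest of the /24 is untouched.
        self.rib.add(f"{self.victim}/32", self.scrubber.name)
        self.status = "diverting"

    def process(self, packets):
        """Forward one interval of traffic; returns bytes delivered per next hop."""
        forwarded, to_guard = defaultdict(int), []
        for p in packets:
            hop = self.rib.lookup(p.dst)
            (to_guard.append(p) if hop == self.scrubber.name else forwarded.__setitem__(hop, forwarded[hop] + p.size))
        clean, dropped = self.scrubber.clean(to_guard)
        self.malicious += sum(p.size for p in dropped)
        self.legitimate += sum(p.size for p in clean)
        # Cleaned traffic is re-injected on a path that bypasses the /32 divert route
        # (e.g. a tunnel to the victim's edge router), so it cannot loop back to the guard.
        forwarded[self.reinject_hop] += sum(p.size for p in clean)
        return dict(forwarded)

    def withdraw(self):
        self.rib.withdraw(f"{self.victim}/32")   # attack over: restore the normal path
        self.status = "completed"

    def report(self):
        total = self.legitimate + self.malicious
        return {"anomaly_id": self.anomaly_id, "victim": self.victim,
                "cleaning_device": self.scrubber.name, "status": self.status,
                "legitimate_bytes": self.legitimate, "malicious_bytes": self.malicious,
                "malicious_share": round(self.malicious / total, 3) if total else 0.0}


VICTIM = "203.0.113.10"


def build_interval():
    """Constructed minute of traffic: a little legitimate TCP and one DNS reply to the
    victim, a neighbour host that must stay on its normal path, and a 20-source UDP flood."""
    pkts = [Packet("198.51.100.7", VICTIM, "tcp", 1_000) for _ in range(5)]
    pkts.append(Packet("198.51.100.53", VICTIM, "udp", 200))
    pkts.append(Packet("198.51.100.9", "203.0.113.20", "tcp", 1_500))
    for i in range(1, 21):
        pkts += [Packet(f"192.0.2.{i}", VICTIM, "udp", 1_000) for _ in range(10)]
    return pkts


def run_demo():
    rib = RoutingTable()
    rib.add("203.0.113.0/24", "edge-router")   # customer prefix on its normal path
    m = Mitigation("ATM-0001", VICTIM, rib, Scrubber("guard-cluster", udp_budget=5_000), "edge-router")
    m.divert()
    diverted_to = rib.lookup(VICTIM)
    forwarded = m.process(build_interval())
    m.withdraw()
    return {"report": m.report(), "forwarded": forwarded, "diverted_to": diverted_to, "rib": rib}
```

Calling run_demo() yields a report in the shape of the Figure 5 columns: 200,000 malicious bytes dropped, 5,200 legitimate bytes re-injected (a 97.5% malicious share in this constructed sample), cleaning device "guard-cluster", status "completed"; the neighbour host 203.0.113.20 never left the edge-router path, and after withdrawal the victim's /32 is gone so its traffic follows the /24 again. The re-injection step is the part that needs the most care in a real network: if cleaned traffic re-enters where the /32 divert route is visible, it loops back to the scrubber.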

5. Conclusion
The GenieATM & Cisco Guard solution offers premier DDoS attack detection, mitigation and reporting capabilities. As attacks are detected by GenieATM, it signals the interior routing infrastructure to redirect all traffic destined for the attack target to a Cisco Guard for traffic cleaning. The Cisco Guard scrubs the attack traffic and then re-injects the cleaned traffic back toward the destination site.
The superiority of this solution over "in-line" DDoS solutions can be summarized in several ways:
(1) The data collection points, the GenieATM Controller/Collectors, and the Cisco Guard(s) are all placed via IP routing mechanisms, and hence the solution is as resilient and available as an IP network, with no single point of failure;
(2) For reliability and availability, in-line DDoS solutions require redundant pairs of devices individually deployed at each mitigation point, which increases the solution cost without real gain in value. Furthermore, the management costs of in-line solutions are significantly higher for provisioning and maintaining devices located at different points in the network;
(3) The distributed architecture gives GenieATM access to data from the whole network, producing better heuristics and allowing earlier attack identification and mitigation.

About GenieNRM
Genie Network Resource Management Inc. ("GenieNRM") is the leading provider in Asia Pacific of solutions for Telecom/SP and enterprise customers to ensure the efficiency, accuracy and quality of IP networks. Through ongoing technology innovation, GenieNRM's solutions have been deployed successfully for a wide range of representative companies from varied market sectors, such as Chunghwa Telecom, China Telecom, China Unicom, China Netcom, China Mobile, UMC, AsusTek, MediaTek, Hannstar, China Commercial Bank, etc. For more information, please visit http://www.genienrm.com