[c-nsp] Opinions of DDoS appliances, other techniques, most notably Cisco Guard

Rob Shakir rjs at eng.gxn.net
Mon Mar 30 10:48:34 EDT 2009


Hi,

We have a deployed Riverhead/Cisco Guard + Detector platform, that I've been
working reasonably closely with over the last 6-9 months. We run the appliances,
rather than the 6500/7600 modules, and are pretty happy with how they function.
I think that the major issue with this platform right now is the fact that it's
got quite a limited life left.

The appliances went EoS on 29th December 2008, but it doesn't look like there's
going to be any useful support past 29th of September this year -- perhaps a bit
quick to kill off a bunch of products like this?

The appliances work in ways that the modules don't necessarily; we don't really
want shared fate of filtering appliances with other 6500/7600 functions, and we
deploy one Detector for 2 or more 6500 chassis -- it doesn't make sense to have
one per chassis from either a technical or financial point of view.

On Mon, Mar 16, 2009 at 12:39:57AM +0800, Roland Dobbins wrote:
>
> On Mar 15, 2009, at 11:54 PM, Drew Weaver wrote:
>
>> Also, without a dedicated DDoS system deployed, what is the most  
>> reliable/fastest way to determine the destination(s) of the attacks  
>> (SNMP, NetFlow, etc)?
>
> With or without a dedicated DDoS mitigation system, NetFlow-based  
> anomaly-detection is generally considered to be the most scalable  
> solution which provides network visibility of inbound/outbound/ 
> crossbound traffic.

The problem here (as I've already voiced with my Cisco AM and another security
person from Cisco) is that the boxes that we're currently running (as a UK SP)
don't reliably produce NetFlow data. If you have 7600/6500 in place currently,
it's quite difficult to look at the NetFlow-based detectors as anywhere near as
reliable as mirroring traffic with SPAN.

When I discussed this, the (albeit tongue-in-cheek) suggestion was 'buy ASR...'.
I guess there's more benefit to looking at optical taps, or NetFlow probes, here.

The Riverhead platform of appliances and Detectors is good -- and definitely
aids being able to mitigate attacks coming into the network. As mentioned in this
thread, they are best at mitigating flood attacks that exceed the specified
threshold -- but their overall performance is much better than trying to detect
and mitigate attacks manually. Even if the Guard can't necessarily protect your
kit in some cases, there's additional data that one can acquire from the Guard
to be able to take further mitigation measures.

I'd be really interested to hear about what other Guard-type appliances people
are deploying - and how people are working around the 6500/7600 limitations with
NetFlow.

Thanks,
Rob

-- 
Rob Shakir                      <rjs at eng.gxn.net>
Network Development Engineer    GX Networks/Vialtus Solutions
ddi: +44208 587 6077            mob: +44797 155 4098
pgp: 0xc07e6deb                 nic-hdl: RJS-RIPE

This email is subject to: http://www.vialtus.com/disclaimer.html
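The thread above contrasts NetFlow-based anomaly detection with SPAN mirroring and describes the Guard/Detector as a threshold-based flood mitigator. The following is an added example, not code from the original post or from Cisco/Riverhead: a minimal NetFlow v5 consumer that aggregates exported flow records per destination, scales packet counts by the sampling interval advertised in the export header (the 6500/7600 typically export sampled flows), and flags any destination whose packet rate exceeds a threshold, marking it as a probable SYN flood when nearly all of its flows are SYN-only. The datagram it parses is constructed inline; the thresholds, addresses, and the 1:100 sampling rate are assumptions for illustration, not measurements from any real network.

```python
"""Threshold-based DDoS target detection over NetFlow v5 exports.

Added example, not from the original post. The flow records, the 1:100
sampling rate and the thresholds below are constructed for illustration.
"""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
TCP, SYN = 6, 0x02


def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram.

    Packet and byte counts are multiplied by the 1:N sampling interval carried
    in the header (low 14 bits); 0 means the exporter was not sampling.
    """
    version, count, _up, _secs, _nsecs, _seq, _etype, _eid, sampling = \
        V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    rate = (sampling & 0x3FFF) or 1
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        yield {
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "pkts": f[5] * rate, "bytes": f[6] * rate,
            "first_ms": f[7], "last_ms": f[8],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
        }


def find_targets(records, pps_threshold=5000, syn_ratio=0.8):
    """Aggregate per destination; return {dst: summary} for those over threshold.

    The rate is packets over the span from the earliest flow start to the latest
    flow end seen for that destination (floored at one second).
    """
    agg = defaultdict(lambda: {"pkts": 0, "flows": 0, "syn_only": 0,
                               "srcs": set(), "first": None, "last": 0})
    for r in records:
        a = agg[r["dst"]]
        a["pkts"] += r["pkts"]
        a["flows"] += 1
        a["srcs"].add(r["src"])
        if r["proto"] == TCP and r["flags"] == SYN:   # SYN set, nothing else
            a["syn_only"] += 1
        a["first"] = r["first_ms"] if a["first"] is None else min(a["first"], r["first_ms"])
        a["last"] = max(a["last"], r["last_ms"])

    alerts = {}
    for dst, a in agg.items():
        window_s = max((a["last"] - a["first"]) / 1000.0, 1.0)
        pps = a["pkts"] / window_s
        if pps < pps_threshold:
            continue
        alerts[dst] = {
            "pps": round(pps), "flows": a["flows"], "sources": len(a["srcs"]),
            "syn_flood": a["syn_only"] / a["flows"] >= syn_ratio,
        }
    return alerts


def _record(src, dst, pkts, first_ms, last_ms, dport, flags, proto):
    """Pack one constructed v5 flow record (ifindex 1 -> 2, /24 masks, AS 0)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed,
                          b"\0\0\0\0", 1, 2, pkts, pkts * 60, first_ms, last_ms,
                          40000, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_sample_datagram():
    """Constructed 1:100 sampled export: a SYN flood on 192.0.2.10 from twenty
    sources plus two ordinary HTTPS flows to 192.0.2.20 (documentation ranges)."""
    recs = [_record(f"198.51.100.{i}", "192.0.2.10", 30, 1000, 3000, 80, SYN, TCP)
            for i in range(1, 21)]
    recs.append(_record("203.0.113.5", "192.0.2.20", 12, 1000, 4000, 443, 0x18, TCP))
    recs.append(_record("203.0.113.6", "192.0.2.20", 8, 1500, 3500, 443, 0x18, TCP))
    header = V5_HEADER.pack(5, len(recs), 5000, 1238400000, 0, 0, 0, 0, 100)
    return header + b"".join(recs)


if __name__ == "__main__":
    for dst, info in find_targets(parse_v5(build_sample_datagram())).items():
        print(dst, info)
```

Twenty sampled flows of 30 packets each, scaled by 1:100 and spread over a two-second window, give 30000 pps towards 192.0.2.10 with every flow SYN-only, so that destination is reported as a SYN flood; the 2000 scaled packets to 192.0.2.20 over three seconds stay well under the threshold. The sampling correction matters in practice: without it the same export would show 300 pps and nothing would fire, which is one reason sampled or unreliable NetFlow from the 6500/7600 is harder to trust than a SPAN feed.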
