[c-nsp] Anomaly Detection Module/Anomaly Guard Module

Byrd, William will-lists at collier-byrd.net
Thu Oct 8 17:36:19 EDT 2009


As I am in the process of wrapping up an Arbor Peakflow SP deployment right
now I'd whole heartedly agree with this statement. A few things I'd strongly
recommend to anyone deploying this with Cisco gear keep in mind however:

- You're not getting TCP flags off of 6500/7600 routers
- The Supervisors for 6500/7600 routers do not currently generate Netflow
for MPLS switched packets (majority of this SP's traffic)
- Netflow in general on the 6500/7600 routers isn't wonderful. You'll
probably need to be running pretty new code to get any kind of worthwhile
Netflow data
- If you purchase the Arbor TMS you might have to do a lot of work with it
to get it installed and mitigating attacks in a way that works on your
network. The TMS is amazingly flexible however so you have a lot of
different options for this.

Caveats listed above aside the Arbor support staff and in particular our
Sales Engineer have been wonderful and amazingly responsive. My Sales
Engineer has worked with me as late as 11:30 - 12:00 EST on getting our
deployment up and running. (12 - 14 hour days. Mind blown.)

If you're seriously looking into buying a security product I'd throw my
suggestion behind the Peakflow SP solution. Arbor really has incredible
support. Cisco could stand to learn a few lessons from them on how to run a
Support organization.

-Will (No I do not work for Arbor)

On Thu, Oct 8, 2009 at 5:05 PM, Scott Granados <gsgranados at comcast.net>wrote:

> Arbor Networks has some great products in this area.
>
> ----- Original Message ----- From: "Jared Mauch" <jared at puck.nether.net>
> To: "Justin Shore" <justin at justinshore.com>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Thursday, October 08, 2009 1:59 PM
> Subject: Re: [c-nsp] Anomaly Detection Module/Anomaly Guard Module
>
>
>
>
>> On Oct 8, 2009, at 4:50 PM, Justin Shore wrote:
>>
>>  Drew Weaver wrote:
>>>
>>>> I was wondering if anyone has any experience working with the Cisco  ADM
>>>> AGM modules for the 6500s and how they compare with external  appliance
>>>> based solutions for DDoS mitigation.
>>>> Anyone have any opinions on these?
>>>> It seems like it would be nice to just drop these into a few  systems
>>>> but I'm just trying to avoid caveats that mitigate (pun  intended) the
>>>> usefulness of these products.
>>>>
>>>
>>> If you try to buy the LCs your account team should try to convince  you
>>> to go with the appliances instead.  My account team told me that  they LCs
>>> are being terminated at some point in the future and  replaced with the
>>> appliances so if you buy the LCs today you will  most likely run into
>>> software limitations down the road as  appliances get all the good stuff and
>>> the LCs get bug fixes only (at  some point in their life at least). I'd go
>>> with the appliances.
>>>
>>
>> There have been a number of different rumors floating around related  to
>> this that I've heard.  I certainly would avoid investing in  something that
>> does not have a clear roadmap.  If they can't present  you roadmap slides,
>> panic?
>>
>> Either way, there are other solutions in this space as well.
>>
>> - Jared
>>
>


More information about the cisco-nsp mailing list