Juniper Networks has updated its distributed denial-of-service, or DDoS, protection product, DDoS Secure, which will now integrate with enterprise routers and service provider infrastructures to better mitigate a variety of DDoS attacks, without impacting user experience. The tighter integration between routers and the standalone Juniper security appliance will distribute DDoS defense intelligence closer to the point of attack and allow enterprises and service providers to mitigate DDoS attacks before services are impacted.
Juniper DDoS Secure distributes security intelligence throughout the network
Network attacks are becoming more sophisticated and harder to identify, especially for large enterprises and service providers with increasingly complicated networks. Juniper's DDoS Secure is a standalone physical or virtual device deployed between the routing and firewall layers. It continuously monitors inbound and outbound traffic, as well as the health of an application. The appliance is now able to extend its security functionality and intelligence to network nodes close to the attack surface, like Juniper MX Series routers or other routers using Border Gateway Protocol (BGP) Flowspec and GPRS Tunneling Protocol. DDoS Secure can determine if an attack is underway at the network or application layer, and communicate that information to the routers closest to the attack, which can then act as distributed enforcement points, said Paul Scanlon, director of product management for Juniper.
"DDoS attacks are getting too big for many traditional security methods and tools to effectively handle," Scanlon said. "[DDoS Secure] is a very intelligent system, and now we are able to propagate that information to routers to address what are becoming these massive attacks that are outstripping the capabilities of traditional anti-DDoS technologies and methodologies. We need to leverage the network as a [problem-solver], and not just a transport system."
Traditional DDoS mitigation and protection approaches often offload traffic to a segmented "scrubbing center" or cloud provider that filters out malicious traffic, but volumetric attacks are now exceeding the capacity of those scrubbing centers. DDoS Secure can mitigate an attack locally, but the BGP Flowspec protocol allows filter rules to be integrated directly into the routers, giving the routers the intelligence they need to take action on the attack. "If you're hit with a volumetric attack that outstrips your local capacity, you can propagate filters up into the network that will strip off the excess traffic out to the border, so you won't get hit in your data center by the large attack," Scanlon said. "This is also reducing the time between detection and mitigation of an event significantly."
"While most enterprises do have a relationship with a DDoS mitigation service provider and can route harmful traffic to the third party, having the on-premise security appliance is important because every time a provider protects you from an attack, you get charged," said Jeff Wilson, principal analyst for Campbell, California-based Infonetics Research. "If you buy a box, you pay for a box once, so it can be cost-effective." Some businesses also face regulatory restrictions under which traffic isn't allowed to be moved to a cloud provider, he said.
In addition to volumetric attacks, DDoS Secure will also help protect enterprise and service provider networks from other attack methods -- including inside-out Domain Name System reflection and amplification attacks -- and protect users from botnet-infected devices, Juniper said.
While the system will be able to act as autonomously as possible, IT administrators will also be able to see traffic and threat logs and any action DDoS Secure took. The system can also notify an administrator before a rule or action is pushed out into the network, giving the enterprise or service provider the ability to verify the security actions to avoid any misconfigurations, Juniper's Scanlon said.
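The Flowspec filter propagation and the pre-push verification described above can be sketched as follows. This is an added example, not code from the article or from Juniper: it encodes a match in the standard BGP Flowspec NLRI format (RFC 8955) and holds back rules that fail a local policy check. The prefixes, the /24 policy limit and all function names are constructed assumptions.

```python
import ipaddress
import struct

# Constructed sample values (documentation address space), not from the article.
PROTECTED = [ipaddress.ip_network("203.0.113.0/24")]
MIN_PREFIX_LEN = 24  # assumed local policy: never filter wider than a /24

def numeric_component(ctype, value):
    """One 'equals value' match: operator byte = end-of-list | length | eq."""
    if value < 0x100:
        return bytes([ctype, 0x81, value])                 # 1-byte value
    return bytes([ctype, 0x91]) + struct.pack("!H", value)  # 2-byte value

def review_rule(dst, protocol=None, src_port=None):
    """Return the reasons a proposed rule should be held for an operator."""
    net = ipaddress.ip_network(dst)
    problems = []
    if not any(net.subnet_of(p) for p in PROTECTED):
        problems.append("destination is outside the protected prefixes")
    if net.prefixlen < MIN_PREFIX_LEN:
        problems.append("destination prefix is wider than policy allows")
    if protocol is None and src_port is None:
        problems.append("rule would drop all traffic to the destination")
    return problems

def encode_nlri(dst, protocol=None, src_port=None):
    """Encode the match as an IPv4 Flowspec NLRI (components in type order)."""
    net = ipaddress.ip_network(dst)
    nbytes = (net.prefixlen + 7) // 8
    body = bytes([1, net.prefixlen]) + net.network_address.packed[:nbytes]
    if protocol is not None:
        body += numeric_component(3, protocol)   # type 3: IP protocol
    if src_port is not None:
        body += numeric_component(6, src_port)   # type 6: source port
    if len(body) >= 240:
        raise ValueError("longer NLRIs need the two-byte length form")
    return bytes([len(body)]) + body

def discard_action(asn=0):
    """traffic-rate extended community with rate 0.0, which means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, 0.0)

if __name__ == "__main__":
    rule = ("203.0.113.10/32", 17, 53)  # UDP from source port 53 to one host
    print(review_rule(*rule) or "ok to announce", encode_nlri(*rule).hex())
    print(review_rule("0.0.0.0/0"))     # held: fails every check
```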
Juniper security: A hybrid approach to tackling DDoS attacks
While some businesses may be able to get away with just having a security appliance on-premise for mitigating DDoS attacks, some choose to offload traffic completely to a service provider for scrubbing. But thorough DDoS mitigation requires a hybrid approach, Infonetics' Wilson said. "For the best protection, you really want to [coordinate] on-premise mitigation [with] the ability to move over to the cloud when it gets too big," he said.
Juniper recently partnered with hosted DDoS mitigation provider Verisign for integration between its DDoS Secure appliance and Verisign's DDoS protection service.
"Because it's not uncommon for attacks to be 10, 20, 100 gigs or larger, even with the Juniper device installed in your network, it's not going to have the processing power to stop that kind of attack," Wilson said. That's where enterprises can take advantage of the coordination between Juniper Secure and Verisign. "Juniper recognized that it's critical to have a powerful appliance with a hybrid service to best serve its large customers."