Cisco NGN DDoS Strategy
Most of you should know what DDoS is what it can be a pain in the ass especially when all of your resources are being held up. DDoS are among the toughest to defend because of the large amount of bad traffic hogging up the network resources. Well, as always, Cisco is one company that is constantly seeking improvement on their products and they came up with Cisco Traffic Anomaly Detector and Cisco Guard.
How it works is that the Traffic Anomaly Detector actually does it job by creating a network traffic baseline of a zone. A zone can be a a farm of servers or IP addresses belonging to a network or subnet. This can be done by using a SPAN port on a switch to collect all the traffic and present it to the Anomaly Detector. Following that, you would have to perform threshold tuning and apply certain policies to protect the zone from being DDos. This can be done with the CLI or the web interface. I always prefer to use the CLI because of their rich and powerful features set. But as for visual effects like a graph to see if the traffic exceeds the threshold, a web interface can be deployed. I've got to say that this time round, Cisco has picked up on their security as they deployed SSH and SSL for remote connections. For using the web interface, a new command call service wbm needs to be enabled on the device along with an ACL like permit wbm 192.168.1.1 255.255.255.0 and permit ssh 192.168.1.1 255.255.255.0 to limit the configuration of the device only to certain IP addresses. Of course there are more commands like setting the filters, GUARD_zone, DETECTOR_zone and some others and i am only mentioning the basics.
So what happens when your network is under attack? The Anomaly Detector is smart enough to pass this "bad" traffic to the Cisco Guard and what this Guard does is it actually removes the "bad" traffic and reinject "good" traffic back to the attack zone, so that the zone can continue to function normally. The Guard itself has anti-DDoS mechanism build in it to prevent itself from being a DDoS target. As with the anomaly detector, settings need to be configured for the Guard. These will include zone creation, guard zone filters, zone traffic diversion and activating the zone protection. Most of these configurations must be done in CLI and as with the anomaly detector, it comes with web interface.
Personally, I don't think it is difficult to configure the Guard or the Anomaly Detector. It would be fun if i am given such an opportunity. Well, the above are just simple explaination of how the Next Generation Network DDoS stragety is going to be. Of course, you can still employ the old fashion of using a DDoS signature or IDS, but we are entering a whole new millenium of exciting features from Cisco and why not? Ya, i know you guys will say about the cost, but its always good to know new security features from Cisco. :)