FIRST LINE OF DEFENSE

Corero Network Security
First Line of Defense Overview
Products and Services that Protect Against DDoS Attacks and Cyber Threats

EXECUTIVE SUMMARY

Any organization conducting business online faces tremendous risk from Distributed Denial of Service (DDoS) attacks and cyber threats emerging from raw Internet traffic. For complete protection from these threats, businesses require a First Line of Defense that prevents outages, assures uptime for legitimate users, provides insight into evolving threats and extends the life of their critical infrastructure.

This document provides an overview of how Corero Network Security is the trusted advisor for protecting the online integrity of your business with its First Line of Defense products and services.

The Corero First Line of Defense solutions are deployed at the point(s) of raw Internet connectivity and in front of the critical infrastructure requiring protection. The Corero SmartWall Threat Defense System (TDS) ensures advanced DDoS and cyber threat protection in scalable increments of 10 Gbps, is built on a next generation multicore processing architecture, and provides comprehensive attack visibility and network forensics. With the Corero SmartWall TDS, hosting providers, enterprises, service providers, and MSSPs can not only protect their own data centers but also deliver value-added managed security services to their customers. Learn more about Corero products and services at www.corero.com.

SOLUTION OVERVIEW
1 About Corero Network Security
2 Customers Protected by the Corero First Line of Defense
3 The Need for Protection from the Internet
4 The First Line of Defense
    4.1 Advanced DDoS Protection
    4.2 Comprehensive Visibility
        4.2.1 Network Level Visibility
        4.2.2 Security Visibility
        4.2.3 Threat Intelligence
        4.2.4 Drilldown Capabilities
        4.2.5 Sampled SFlow Network Statistics
    4.3 Next Generation Architecture
        4.3.1 Do-No-Harm Protection
        4.3.2 Modularity and Scalability
        4.3.3 Unified Provisioning
        4.3.4 NFV/SDN and Cloud Ready
5 The Corero First Line of Defense Product Line
    5.1 Network Threat Defense Appliance
    5.2 Network Bypass Appliance
    5.3 Network Forensics Appliance
    5.4 The Corero Management Server
    5.5 SecureWatch Analytics Portal
6 Example Solutions
    6.1 First Line of Defense Solutions for Hosting Providers
    6.2 First Line of Defense Solutions for Enterprises
    6.3 First Line of Defense Solutions for Service Providers
    6.4 First Line of Defense Solutions for Managed Security Service Providers
1 ABOUT CORERO NETWORK SECURITY

Corero Network Security offers products and services that monitor and mitigate DDoS attacks and cyber threats affecting the Internet facing services of online organizations. The First Line of Defense solutions provide comprehensive protection and turn-key visibility to protect critical infrastructure and online services.

• Headquartered in Hudson, MA
• Publicly traded on the London Stock Exchange CNS:LN
• Over 500 customers across many verticals world-wide
• First Line of Defense that protects critical infrastructure and online services
• Advanced DDoS protection built on next generation architecture providing comprehensive visibility
• 7x24x365 Security Operations Center with state of the art tools and infrastructure

2 CUSTOMERS PROTECTED BY THE CORERO FIRST LINE OF DEFENSE

Corero products and services protect hundreds of businesses against the damaging effects of DDoS attacks. Below are a few examples of customers who rely on Corero as their First Line of Defense.

Online Gaming

"I knew I wanted to bring in the Corero First Line of Defense," said Kim. "I evaluated other solutions but they did not compare to Corero, which not only stopped the network layer and application DDoS attacks but also detected and blocked other types of unwanted traffic that was hitting us at the perimeter, which we had not been aware of previously. It was a proven solution, which was paramount, as being continuously available is more than business critical for us, it is our business."
- James Kim, Sr. Systems Engineer, G4Box/SG Interactive

Hosted Managed Service Provider

Using the Corero First Line of Defense, Hyve is able to protect all systems within its infrastructure. "They are inline devices that we've placed at the very edge of our network, so literally everything that comes into our cloud platform goes through the Corero devices first. Effectively, we are screening all of our clients' traffic coming in and going out," according to Madders.
"The Corero solution gives us this extra layer of defense that most other hosting providers don't offer. Hyve really is at the front of the security curve in the UK."
- Jake Madders, Technical Account Manager, Hyve

Ecommerce

"The ability to uncover hidden patterns of data, identify emerging vulnerabilities within the massive streams of DDoS attack and security event data, and respond decisively with countermeasures, provides our team with the tools required to better protect our organization against the dynamic cyber threat landscape."
- Jay Naik, Assistant Director of Technical Services, Shubert Ticketing
3 THE NEED FOR PROTECTION FROM THE INTERNET

Shown below is a small sample of DDoS attacks during 2013-2014 that affected a variety of industries.

[Figure 1 - DDoS attacks on a wide range of industry verticals during 2013-2014. Chart of total attack bandwidth (Gbps) over time; source: Digital Attack Map (digitalattackmap.com). Data shown represents the top ~2% of reported attacks.]

As an online business, be it an e-commerce provider, social media company, financial institution, hosting provider, gaming company, or government entity, you are at risk of a DDoS attack that can bring your business to a screeching halt in a matter of minutes. This means lost revenues, damaged reputation, and dissatisfied customers.

Online businesses need protection from raw Internet traffic with a First Line of Defense that:

• Prevents network/service outages by blocking attacks in real time
• Assures that legitimate customers can access the business's online services
• Provides insight into attacks and evolving threats
• Extends the effective life of their existing security investments
4 THE FIRST LINE OF DEFENSE

The most effective way to protect from DDoS attacks and cyber threats is to monitor and mitigate at the point(s) of raw Internet connectivity. For enterprises, this means deploying a First Line of Defense at the edge of their network and in front of the firewalls. For hosting providers, it is at the edge of their data centers. In the service provider cloud, it is at the peering points and the distribution points.

[Figure 2 - First Line of Defense deployment scenarios for the most effective protection from the Internet. Panels: In the Cloud (service providers, IT hosting and cloud providers); On Premises (enterprises: financial services, e-commerce providers, gaming, education).]

The Corero First Line of Defense products are comprised of a family of purpose-built network security appliances, deployed at the data center edge or in a service provider cloud to inspect raw Internet traffic for DDoS attacks and cyber threats and subsequently protect downstream critical infrastructure, services and customers.

The Corero First Line of Defense protection against DDoS attacks and cyber threats adheres to the following principles:

• Advanced DDoS protection
• Comprehensive visibility
• Built on a next generation architecture
4.1 ADVANCED DDOS PROTECTION

Advanced DDoS protection requires granular policy controls to enable systematic treatment of raw Internet traffic and distinguish legitimate traffic from suspicious/malicious traffic. The First Line of Defense solution provides protection against the following:

• Volumetric DDoS (TCP, UDP, ICMP, HTTP, DNS)
• IP reputation (whitelist, blacklist, dynamic)
• Reflective DDoS (DNS/NTP/SNMP amplification)
• Low and slow resource exhaustion (Slowloris, slowread)
• Advanced evasion (fragmentation, segmentation)

[Figure 3 - DDoS attack and cyber threat landscape and associated business impacts. Attacks and techniques shown: Network Level DDoS (SYN, TCP, UDP, ICMP floods); Reflective Amplified DDoS (DNS, NTP, SNMP, QOTD floods); Fragmented Packet DDoS (overlapping, missing, too many); Application Layer DDoS (low and slow, app scripts); Specially Crafted Packet (stack, protocol, buffer).]

The Corero First Line of Defense solution provides protection for the entire spectrum of DDoS attacks and cyber threats, assuring that traditional border infrastructure and critical network services stay up to maintain the online business integrity of the Internet facing services they deliver.
4.2 COMPREHENSIVE VISIBILITY

For comprehensive visibility, the First Line of Defense solution produces sophisticated security feeds in the form of network and security events, sample network statistics, and threat intelligence detailing malicious sources and targeted assets.

The raw data produced by the Corero First Line of Defense solution can be categorized into network level events, security level events, and sample network statistics using sFlow. When these unique data feeds are analyzed by the Corero analytics and reporting engine, they enable comprehensive real-time and historical visibility into DDoS attacks and other cyber threat activity.

Through summarized as well as deep dive analysis of the raw data, operators can create detailed real-time or scheduled reports to track attack trends and measure the defense effectiveness of the Corero First Line of Defense deployments. Critical event alerts, data and statistical information pertaining to attacks and threats are accessible through the reporting engine user interface.

[Figure 4 - Turn-Key DDoS visibility and analytics with the Corero First Line of Defense solutions. Raw data feeds shown: security events, threat intelligence, system health data, forensics data, network statistics.]

Security and network operators can utilize this engine to identify victims of attacks, where perpetrators of attacks are originating from, and what types of attacks are being experienced. Through this engine, operators have visibility into which of the defense mechanism(s) are triggered or can be configured to defeat the corresponding attacks.
4.2.1 NETWORK LEVEL VISIBILITY

At regular intervals, the Corero First Line of Defense solutions generate events on network statistics that include the following:

• Receive and transmit bit rates on the Internet facing and protected interfaces
• Packet per second rates on these interfaces
• IP flow setup rates for TCP, UDP, ICMP, other IP flows

These statistics provide leading indicators of any unusual activity or deviations from the baseline. The following figures are examples of network activity statistics of a hosting data center during a DDoS attack.
[Figure 5 - Network level visibility provides the leading indicators of a DDoS attack]

4.2.2 SECURITY VISIBILITY

As malicious and suspicious traffic is blocked, the following security related visibility is provided by the Corero First Line of Defense solution:

• Breakdown of the blocked attack traffic by policy rules enforced
• Absolute (PPS view) and relative (% view) views of the rule breakdown
• Actual blocked or detected rules with descriptions and counts per time interval

Figures 6 and 7 are examples of security dashboards that the Corero First Line of Defense solutions produce to provide comprehensive security visibility.

[Figure 6 - NTP Monlist requests cause unsolicited responses that are amplified and result in a volumetric DDoS attack]
[Figure 7 - A TCP SYN flood attack causes exhaustion of network resources]

4.2.3 THREAT INTELLIGENCE

Corero provides visibility via threat intelligence organized by blocked clients, targeted servers, and victim ports. Specifically, the threat intelligence is comprised of the following:

• Blocked IP addresses due to IP Reputation/Geolocation/Shunning
• Blocked IP addresses based on the dynamic IP reputation assigned by the Corero First Line of Defense
• Victim server IP addresses targeted and ports being used by malicious traffic for attacks

This level of visibility provides insight into who is attacking and from where, using which attack vectors, and targeting which of the protected servers.

4.2.4 DRILLDOWN CAPABILITIES

The Corero analytics dashboard also provides the ability to drill down into specific events with filtering controls for rules, targeted server IP address, client IP address, client/server port, IP protocol, etc. The drilldown screens also show raw syslog events that contain up to 200 bytes of the packet payload for each rule that generates a security event.
4.2.5 SAMPLE SFLOW NETWORK STATISTICS

Each minute, the Corero First Line of Defense products generate an IP sFlow sampling of traffic to produce the important top reports about:

• Source IPs
• Destination IPs
• Source ports
• Destination ports
• TTL (time-to-live)
• Packet lengths
• Protected host groups

These top reports can provide additional data to analyze and determine if security policy changes are required.

[Figure 8 - sFlow statistics provide insight into deviations from normal baseline behavior]

4.3 NEXT GENERATION ARCHITECTURE

Businesses look to invest in technologies that not only solve the challenges of today, but are also built to scale with the growing needs of the business. This is especially true when investing in DDoS and cyber threat protection, where existing threats evolve and new threats are developed constantly. The First Line of Defense solution is built on architectural concepts that provide best of breed protection today as well as future proofing for tomorrow.

The Corero First Line of Defense solution is built on a next generation architecture that assures the following:

• Modular for flexible deployment in multiple environments
• Scalable to address future growth
• Unified provisioning for efficient deployments
• Ready for the NFV/SDN/Cloud ecosystem deployments
4.3.1 DO-NO-HARM PROTECTION

Legacy DDoS solutions have significant challenges with false positives, a problem which limits their deployment to out-of-band scrubbing center approaches. The Corero First Line of Defense solution is architected to completely eliminate false positives and is therefore suitable for inline deployments on mission-critical networks. This type of deployment allows instantaneous detection and mitigation of DDoS attacks, whereas the response times of scrubbing center approaches are measured in hours.

The way Corero provides instant DDoS mitigation without false positives is through do-no-harm protection, an approach that ensures that only the traffic that is deemed bad with certainty is blocked. If there is any uncertainty on whether the traffic is good or bad, it will not get dropped. This ensures that legitimate traffic always gets through even when the raw traffic surges in case of a DDoS attack, as shown below.

[Figure 9 - Do-no-harm protection ensures good traffic will always get through. Traffic classes shown: Known Bad (inspect/drop per active rules); Suspicious (inspect/drop/transmit per customer policy); Known Good (protect and transmit). Good traffic is never dropped.]

The figure above demonstrates how raw Internet traffic is processed by Corero in a do-no-harm fashion. Under most circumstances the First Line of Defense solution has the ability to distinguish between good and bad traffic within all of the raw Internet traffic. However, in certain cases when the system observes a spike in the raw Internet traffic (e.g. due to a DDoS attack), some traffic goes through the system as unknown to assure that the good traffic is not dropped.

4.3.2 MODULARITY AND SCALABILITY

The Corero First Line of Defense solutions have modular scalability in order to meet higher bandwidth requirements or increased customer growth in provider environments.
The basic building block of the First Line of Defense solution provides protection for up to 10 Gbps with inspection rates of up to 30 Million packets per second. If more than 10 Gbps of inspection is required, the solution easily scales to 40 Gbps, 160 Gbps, and beyond by adding additional appliances in 10 Gbps increments.
[Figure 10 - The Corero SmartWall scales infinitely in increments of 10 Gbps to scale up and meet growth requirements. Panel: Scalable Multi-Gigabit Deployment in Modular Increments of 10 Gbps, showing deployments of 10, 40 and 160 Gbps scaled up with increased bandwidth requirements or growth in the customer base.]

4.3.3 UNIFIED PROVISIONING

The Corero First Line of Defense solutions are managed with carrier grade management tools to ensure unified provisioning and reduce the overall cost of deployment and maintenance. Corero offers multiple management options for configuring, controlling, and monitoring the SmartWall appliances, including a flexible browser-based GUI, a full SSH CLI and a powerful REST API that supports open integration with existing management frameworks.

[Figure 11 - Corero provides carrier grade unified provisioning and reduces overall cost of management. Elements shown: automated provisioning (REST API/CLI); event and alert reporting (Syslog/SNMP); web user interface (browser); unified management through the CMS.]
The key aspects of the SmartWall's unified provisioning features are:

• Automated provisioning using REST API or CLI
• Standardized monitoring and alerting using Syslog and SNMP
• Web based UI for rich graphical configuration and real-time monitoring

With these features, centralized operations of multiple SmartWall appliances can be integrated seamlessly with existing management infrastructures to reduce the overall cost of management, speed up deployments and streamline provisioning.

4.3.4 NFV/SDN AND CLOUD READY

As data centers become more virtualized and their traffic gets orchestrated via software defined networking (SDN) concepts, DDoS defense solutions will need to fit into the data center's evolving ecosystem. The Corero First Line of Defense solutions were architected with centralized policy constructs and REST APIs for SDN in mind and can be readily federated with emerging SDN fabric ecosystems for the creation of a more dynamic security layer encompassing robust DDoS mitigation capabilities.

This is a significant improvement over legacy DDoS scrubbing center approaches that employ route-injection via BGP Flow-Spec to redirect flows associated with an attack to a remote or local scrubbing center. SDN traffic engineering and flow redirection concepts can be utilized to automate this function without having to touch an already fragile routing environment. Furthermore, SDN-enabled DDoS scrubbing can have the benefit of accepting bi-directionally mirrored traffic to allow the systems to maintain always on, real-time visibility into what's running on the network. In typical legacy DDoS scrubbing centers, the DDoS mitigation appliances sit idle, providing no benefit until traffic is redirected to the scrubbing center via a route injection.

Additionally, the Corero First Line of Defense solution uses a parallel processing framework that runs today on the purpose-built multi-core processing SmartWall TDS platform.
This architecture is perfectly suitable to run as software within a virtualized hypervisor environment, and Corero is currently developing virtual DDoS solutions for our customers who wish to deploy in private cloud or VPC environments or carriers that are looking to deploy DDoS mitigation as a virtual network function within an NFV (Network Function Virtualization) ecosystem. This capability will allow data centers to deploy First Line of Defense protection in a much more elastic manner while utilizing economical commercial off-the-shelf (COTS) hardware in the future.

5 THE CORERO FIRST LINE OF DEFENSE PRODUCTS

For the large enterprises and hosting/service providers, the Corero SmartWall Threat Defense System (TDS) product (http://www.corero.com/products/corero_smartwall_threat_defense_system.html) provides protection in increments of 10 Gbps and scales up infinitely to support larger deployments (40 Gbps, 80 Gbps, 160 Gbps and larger). For small to medium sized enterprises, our DDoS Defense System (DDS) product (http://www.corero.com/products/corero_dds.html) protects deployments under 2 Gbps.
The Corero SmartWall Threat Defense System is comprised of three appliance types that perform distinct functions and can be configured in a wide range of topologies for flexible deployment.

• Network Threat Defense appliance
• Network Bypass appliance
• Network Forensics appliance
• The Corero Management Server
• SecureWatch Analytics Portal

All appliances are ¼ rack width and 4 appliances can be accommodated within a single 1RU in a 19-inch rack. There is no backplane and each appliance operates independently of other appliances. They are managed centrally as a single entity by the CMS. Each appliance can process up to 10 Gbps @ 30 Mpps of network traffic. A single 19-inch rack fully loaded with SmartWall TDS appliances could inspect over 1 Tbps of traffic.

5.1 NETWORK THREAT DEFENSE APPLIANCE

Disruptions to Internet-facing online services can cripple operations, impact customers and result in major economic losses. The SmartWall Network Threat Defense Appliance is an intelligent, always on platform that inspects traffic, detects threats and blocks attacks against protected network resources. It gives customers the ability to deploy centralized or distributed threat defense solutions via purpose-built network security appliances that provide advanced Layers 3-7 cyber threat protection.

[Figure 12 - The Corero SmartWall Threat Defense Appliance Provides Advanced DDoS and Cyber Threat Protection. Ports labelled: 10/100/1000 Management Port; 10 GbE SFP Mission In; 10 GbE SFP Mission Out; two marked Future.]

A single threat defense appliance provides protection at 10 Gbps (full-duplex) and can process traffic at full line rate for all packet sizes (30 Million packets per second). Multiple appliances can be combined to scale up as bandwidth and inspection requirements increase.
For example, four appliances can be deployed in a single 1 RU shelf to deliver a combined 40 Gbps full duplex throughput and 4 RUs of appliances can deliver 160 Gbps of full duplex throughput.
5.2 NETWORK BYPASS APPLIANCE

Network connectivity is a key consideration for maintaining an always on Internet presence. The Corero SmartWall Network Bypass appliance provides organizations with 100% network connectivity protection to eliminate Internet downtime in case of power or equipment failures and during planned maintenance or equipment upgrade windows.

[Figure 13 - The Corero SmartWall Network Bypass Appliance Ensures Uninterrupted Network Connectivity. Ports labelled: 10/100/1000 Management Port; 10 GbE Optical Bypass (External); 10 GbE Optical Bypass (Internal); two 10 GbE SFP to Threat Defense or Forensics Appliance.]

The SmartWall Network Bypass appliance delivers transparent 10 Gbps full-duplex performance for network bypass, monitor or insertion. It has two passive fiber ports for 10 Gbps of zero power optical bypass and two active 10 Gbps SFP+ ports for monitoring and active inline processing, and has redundant power supplies for additional failure protection.

The appliance supports automatic bypass on a power failure as well as failure of any adjacent threat defense appliances (detected through a robust high-availability heartbeat mechanism). In addition, the following configurable protection modes are supported:

• Administrative bypass for planned maintenance
• Monitor mode for detection and reporting of security events
• Inline mode for inserting passing traffic to adjacent threat defense appliances for inspection

In a production environment, the most common mode of operation is inline.

5.3 NETWORK FORENSICS APPLIANCE

For detailed forensics analysis, Corero has developed a 10 Gbps PCAP appliance that captures and stores packets to iSCSI storage. Packet captures are saved in the commonly used .pcap format and can be retrieved through search queries for detailed forensic analysis.
[Figure 14 - The Corero SmartWall Network Forensics Appliance Provides 10 Gbps packet capture for complete visibility. Ports labelled: 10/100/1000 Management Port; 10 GbE SFP Mission In; 10 GbE SFP Mission Out; two 10 GbE SFP for Forensics iSCSI.]

5.4 THE CORERO MANAGEMENT SERVER

The Corero Management Server (CMS) is the central management point for all Threat Defense System provisioning, policy management, and event reporting. The CMS is capable of managing large numbers of SmartWall Threat Defense deployments from a single point.

[Figure 15 - Corero Management Server provides carrier grade unified provisioning and reduces overall cost of management]
Below are a few highlights of the CMS.

• Provisioning from a web-based GUI, CLI, and REST API
• Monitoring using Syslog, SNMP, and REST API
• Active/standby high-availability (HA) configuration accessible via a common virtual IP address
• Unified policy configuration and management of all threat defense, bypass, and forensics appliances:
    o Group clients into specific client groups (for example known clients vs. unknown clients)
    o Group servers into protected server groups (HTTP, SSL, DNS, NTP, FTP, and more)
    o Apply security policies to traffic going from any client group to any server group
    o Map server groups to different customer groups for customer-by-customer reporting

CMS also facilitates real-time threat updates from the Corero Threat Update Service and pushes them to the threat update appliances for enforcement. Threat updates include Protection Packs (security updates with protection against the latest threats) as well as Intelligence Packs (database of IP address reputation and geolocation).

5.5 SecureWatch ANALYTICS PORTAL

Corero has developed SecureWatch Analytics, a web-based portal that provides turn-key visibility into DDoS attacks and cyber threats in the form of comprehensive security dashboards based on DDoS tailored security feeds from the Corero First Line of Defense products.

Corero SecureWatch Analytics is included with the purchase of the Corero First Line of Defense products, as part of an organization's DDoS defense investment. The portal transforms the sophisticated Corero security feeds into dashboards of actionable security intelligence.

[Figure 16 - Corero SecureWatch Analytics provides turn-key visibility and analytics]
In addition, Corero has packaged these dashboards as an app called DDoS Analytics for Corero SmartWall TDS on Splunk (http://apps.splunk.com/app/1835/) for customers and partners to use within their own Splunk installation. This enables customized analytics and reporting capabilities for customers looking for an added level of sophistication.

[Figure 17 - DDoS Analytics app for Corero SmartWall enables customized analytics and reporting capabilities using Splunk]

With this enhanced visibility into suspicious or malicious traffic permeating customer networks, SecureWatch Analytics or DDoS Analytics for Corero SmartWall can be leveraged as a comprehensive virtual Security Operations Center (SOC) by Corero partners and providers to deliver new revenue streams in the form of managed security services to the enterprise, such as 24x7 monitoring, alerting and reporting.

6 EXAMPLE SOLUTIONS

The Corero First Line of Defense solutions are designed to be deployed into a broad array of environments where threats emanate from raw Internet connectivity of bandwidth ranging from 1 and 10 Gbps to n x 10 Gbps. This broad range enables deployments in enterprises, hosting data centers, and in service providers, where there may be multiple points of Internet connectivity.
In order to handle traffic flow through multiple points of Internet connectivity, the Corero solutions support both symmetric and asymmetric traffic flows, with per server group configuration of one of the following three possible flow scenarios:

• Symmetric flows - Both the client requests and the server responses always traverse the same path
• Strictly asymmetric flows - The client and server requests never traverse the same path
• Random asymmetric flows - There is no predictability in the paths taken by requests or responses

As for traffic types, the deployments provide inspection for IPv4 and IPv6 traffic, 802.1q and 802.1q Q-n-Q framing, as well as peering environments which require the use of MPLS.

The following sections provide examples of the First Line of Defense solutions and deployments for hosting providers, enterprises, service providers, and MSSPs.
6.1 FIRST LINE OF DEFENSE SOLUTIONS FOR HOSTING PROVIDERS

Hosting providers need to ensure 24x7 Internet connectivity to their diverse set of hosted clients. But hosting providers with a diverse clientele are especially susceptible to DDoS attacks and cyber threats because an attack on a single client can compromise connectivity of multiple clients. Additionally, compromised hosted servers can be used by attackers as powerful attack sources, making the hosting provider part of a botnet. Hosting providers also need to secure their own infrastructure because the resulting damage from a DDoS attack on a hosting provider can be costly downtime, dissatisfied users, and an impaired brand.

Unfortunately, traditional security solutions like firewalls are ineffective against advanced cyber-threats and can in fact become the target of such attacks themselves. What hosting providers need is a First Line of Defense solution which is always on to ensure business continuity of their hosted clients' Internet facing services and applications. Corero provides this solution with SmartWall Threat Defense, a game-changing technology consisting of state-of-the-art threat defense and comprehensive network forensics.

[Figure 18 - The Corero First Line of Defense protects critical data center infrastructure of the hosting providers and allows them to offer threat defense as a service to their hosted customers]

SmartWall Threat Defense System is a scalable services-oriented security platform deployed at the hosting provider's Internet edge and is designed to be modular and scalable to meet the high performance and evolving protection requirements of modern hosting data centers.
SmartWall Threat Defense can also provide hosting providers with a revenue generation opportunity by enabling them to offer First Line of Defense as a service to their hosted clients. The Corero SmartWall TDS gives hosting providers and data center operators the ability to offer comprehensive DDoS and cyber threat protection to their hosted customers as an extension of their current service offerings, improving their overall value proposition and providing an opportunity to offer differentiated value-added security services.
6.2 FIRST LINE OF DEFENSE SOLUTIONS FOR ENTERPRISES

Today's enterprises are heavily dependent on their online presence, whether it is for generating revenues, ensuring high employee productivity, or providing superb customer experience. Ubiquitous connectivity also makes enterprises susceptible to DDoS attacks and cyber threats from around the world, resulting in costly downtime, lost productivity, brand damage and denial of service to an enterprise's legitimate users.

Unfortunately, traditional security solutions like firewalls are ineffective against advanced cyber threats and can in fact become the target of such attacks themselves. What enterprises need is a First Line of Defense solution which is always on to ensure business continuity of their Internet-facing services and applications.

[Diagram: Solution for the Enterprise]
Figure 19 - The Corero First Line of Defense protects enterprise infrastructure and eliminates downtime

The Corero First Line of Defense products are deployed between the Internet and the enterprise firewall and are designed to be modular and scalable to meet the high performance and evolving protection requirements of modern enterprises' mission-critical infrastructure.

6.3 FIRST LINE OF DEFENSE SOLUTIONS FOR SERVICE PROVIDERS

Service providers are the backbone of the Internet, providing multi-gigabit connectivity to every enterprise, data center, and cloud provider on the Internet. All of these online entities are targets of DDoS attacks and cyber threats from around the world. Hence, service providers carry an enormous amount of unwanted traffic in their networks, which affects performance and service levels delivered to their customers. Moreover, many service provider customers are not prepared to combat these advanced threats by themselves and are often looking for protection with a minimum upfront investment.
This presents a significant revenue-generating opportunity for service providers who can offer managed security solutions to their customers. These services can range from managed threat defense and network behavior analysis and reporting to forensics analysis for regulatory compliance.

What service providers need is a First Line of Defense platform which can not only protect their own networks but also act as a revenue-generating service platform. The same platform can also be used to perform historical analysis of traffic flowing through their networks for sharing mitigation intelligence among serviced customers and for future capacity planning of the provider network.
[Diagram: Solutions for Service Providers]
Figure 20 - Service providers can deploy SmartWall TDS in a modular and scalable fashion

SmartWall TDS is a services-oriented security platform that service providers can deploy at the edge of their cloud, not only to protect their own mission-critical infrastructure but also to deliver revenue-generating managed security services, including always-on threat protection and visibility for their enterprise customers.
6.4 FIRST LINE OF DEFENSE SOLUTIONS FOR MANAGED SECURITY SERVICE PROVIDERS

MSSPs provide outsourced security services to small to medium sized businesses (SMBs). Just like large enterprises, SMBs are vulnerable to DDoS attacks and cyber threats from around the world, resulting in costly downtime, lost productivity, brand damage and denial of service to their legitimate users. Unfortunately, SMBs are not prepared to combat these advanced threats by themselves and are often looking for protection with a minimum upfront investment.

This presents a significant revenue-generating opportunity for MSSPs who can offer managed security solutions to their customers. These services can range from managed threat defense and network behavior analysis and reporting to forensics analysis for regulatory compliance.

What MSSPs need is a First Line of Defense platform which can be easily installed and remotely managed. Corero provides this platform with its SmartWall Threat Defense System, a services-oriented security platform that SMBs can deploy at their Internet edge to protect their mission-critical infrastructure while delegating its management to MSSPs.

[Diagram: Solutions for Service Providers. The MSSP SOC remotely provides an always-on Managed Threat Defense service to SMBs.]
Figure 21 - The Corero First Line of Defense solutions allow MSSPs to expand their services portfolio with managed threat defense services for small to medium sized businesses

Further, using the Corero SecureWatch Analytics as a blueprint, MSSPs can take a proactive stance with the customers they are protecting.
Using SecureWatch Analytics as their virtual Security Operations Center (SOC), the MSSPs can deliver value-added managed security services to SMBs who don't have the security expertise or the upfront capital investment to get the protection on their own.

ABOUT CORERO NETWORK SECURITY

Corero Network Security, an organization's First Line of Defense against DDoS attacks and cyber threats, is a pioneer in global network security. Corero products and services provide online enterprises, service providers, hosting providers, and Managed Security Service Providers with an additional layer of security capable of inspecting Internet traffic and enforcing real-time access and monitoring policies designed to match the needs of the protected business. Corero technology enhances any defense-in-depth security architecture with a scalable, flexible and responsive defense against DDoS attacks and cyber threats before they reach the targeted IT infrastructure, allowing online services to perform as intended. For more information, visit www.corero.com.

Corporate Headquarters
1 Cabot Road
Hudson, MA 01749 USA
Phone: +1.978.212.1500
Web: www.corero.com

EMEA Headquarters
Regus House, Highbridge, Oxford Road
Uxbridge, England
UB8 1HR, UK
Phone: +44.0.1895.876579

Copyright 2014 Corero Network Security, Inc. All rights reserved. 867-5309-001