Data Sheet Service Provider Enablement Hybrid Implementation Model KEY BENEFITS 1.28Tbps global scrubbing capacity Multi-layered protection Zero capex New revenue stream Hassle-free setup Cloud-based WAFs Instant service providing Enhanced site performance Turn DDoS Pain into Business Gain While most service providers can handle limited DDoS attacks relying on legacy security solutions, such an approach typically fails to guard against large-scale volumetric attacks. Although legacy solutions are essential for basic security, they were not designed for today s DDoS attacks and may, in fact, become bottlenecks themselves. This situation makes it difficult for service providers to honor the zero-downtime commitments they may have made to their customers. And the complexity of maintaining mitigation appliances and providing the necessary training makes for additional challenges. Nexusguard (SPE) is a zero-capex, easy-to-operate solution that enables you to provide customers with essential DDoS protection. Nexusguard s comprehensive solution lets you turn DDoS challenges into an attractive business opportunity, allowing you to expand your service offerings and satisfy customer demands for protection from DDoS and other cyber attacks. Nexusguard delivers carrier-grade DDoS mitigation services through its industry-leading network of globally distributed scrubbing centers. With over 1.28Tbps of mitigation capacity, Nexusguard can handle the world s largest, most complex attacks, and enable you to offer a flexible and scalable security solution that provides exceptional value to your customers.
Zero Upfront Cost The Nexusguard SPE program provides the technology, support, and expertise required to deliver DDoS mitigation services in house. With no upfront investment in appliances or cloud-based scrubbing centers, you can immediately cash in on Nexusguard s infrastructure and resources by marketing DDoS mitigation services under your own brand. A New Revenue Stream As a Nexusguard SPE partner, you can tap into the potential of the fast-growing market for DDoS mitigation services. The revenue generated from reselling Nexusguard s services through the program is shared equitably, making it a win-win for both parties. No Hassles, No Complications The state-of-the-art service platform is built, maintained, and operated by Nexusguard, and SPE services are delivered directly to your customers via an automated portal. With easy installation and setup, the turnkey solution provides a powerful competitive advantage by enabling you offer DDoS mitigation services as an integral part of your product portfolio. Beyond DDoS Protection DDoS attacks are a major concern for Internet businesses. But data integrity, confidentiality, and website performance are also key priorities. A solution that addresses both security and performance offers service providers an attractive opportunity for generating recurring revenues for their business. Nexusguard integrates DDoS mitigation, cloud-based Web Application Firewalls (WAFs), caching, and load balancing all in one package. Our multi-dimensional solution protects against sophisticated DDoS attacks and stealthy web application threats without compromising site performance. Lower Latency, Higher Capacity SPE also delivers lower latency and higher capacity for your customers. All traffic going through the cloud is compressed and cached for speedy delivery, which translates into greatly enhanced site performance and a superior user experience. Service Provisioning In Minutes Nexusguard helps you set up and integrate the service. Once installation is completed, you can easily deploy DDoS mitigation services to your customers via the automated Partner Portal. The entire intuitive process takes less than five minutes, allowing you to quickly activate new accounts. 2
To meet growing customer demand, Nexusguard delivers a turnkey, hybrid solution that enables you to quickly launch new DDoS protection services. Hybrid Solution The Nexusguard SPE Hybrid Model combines on-premise and cloud mitigation capacities and functionalities. The solution is ideally suited for customer environments that demand extremely low latency and multi-layered protection. The hybrid implementation automatically selects the appropriate mitigation location and employs the optimal mitigation technique depending on the sources, characteristics, tools, and volume of a given attack. Capable of mitigating over 1.28Tbps of attacks, Nexusguard s Global Cloud consists of scrubbing centers strategically located in San Jose, Miami, Los Angeles, Ashburn (Va.), London, Singapore, Hong Kong, and Taiwan. Such enormous mitigation capacity ensures that Nexusguard can quickly and effectively handle the most threatening DDoS attacks regardless of their size or type, and with no lag time between attack detection and mitigation. Global Scrubbing Center LONDON SAN JOSE LOS ANGELES ASHBURN MIAMI SINGAPORE 3
On-premise and cloud mitigation work in tandem and complement each other in their detection and mitigation efforts. How It Works Domestic attacks are first mitigated at the on-premise facility, followed by failover to the cloud if the size of the attack exceeds a pre-determined threshold. Because on-premise protection automatically and immediately comes into force once an attack is detected, it can significantly reduce latency. On the other front, an attack from abroad is handled by the scrubbing center closest to its source. The on-premise infrastructure and cloud work in tandem and complement each other in their detection and mitigation efforts. On-premise and cloud devices also share intelligence about an attack in order to accelerate and enhance mitigation once an attack reaches the cloud. After scrubbing, clean traffic is routed back to your network and attack reports are generated automatically for on-the-fly analysis. Hybrid Solution In-Country Traffic Legitimate Traffic Attack Traffic SPE Partner Cloud Legitimate Traffic Backend Web Server Global Traffic Attack Traffic Global Cloud HIGHLIGHTED FEATURES 1.28Tbps mitigation capacity Protection against attacks on network Layers 3, 4, and 7 Protection beyond HTTP/HTTPS (including protection against hacking into web applications) Site acceleration supported by load-balancing across all active backend servers Dynamic and static content caching, boosted by in-memory cache to reduce I/O 4
Technology and Features Comprehensive Filtering DDoS Mitigation Caching and Load Balancing Visibility and Control Web Application Firewall (WAF) Auto-Recovery Comprehensive Filtering Preventing dynamic DDoS attacks requires real-time, comprehensive, and meticulous detection and action. Nexusguard guards against attack traffic through multiple layers of inspection to deliver fast, clean traffic. Deep Packet Inspection (DPI) Deep packet inspection is used to direct, filter, and log IP-based applications and traffic based on the content of a packet s header or payload, regardless of the protocol or application type. Flexible Content Filtering Nexusguard continuously monitors application traffic for unusual behavior. Using its proprietary pattern recognition and analysis system, Nexusguard deters morphing HTTP flood attacks by adapting flexible content filters to rapidly counter evasive actions. Web Application Firewall (WAF) Web Application Firewalls enable heuristic-based, intelligent, and accurate detection and mitigation of web application-based attacks. Caching & Compression, Acceleration & Optimization If any malicious traffic slips through the net, Nexusguard s vast caching capacity absorbs it. With multiple layers of protection working seamlessly behind the scene, legitimate visitors will never notice if a site is under attack. Adaptive Filtering By learning baseline protocols and patterns of an ongoing attack, adaptive filtering can more accurately identify and filter out abnormal and unusual traffic. 5
DDoS Mitigation Designed to deliver a perfect balance of protection and performance for public-facing websites, Nexusguard s best-in-class SPE solution offers a wealth of features and benefits: Volumetric DDoS Mitigation Nexusguard s volumetric DDoS mitigation solution is built on state-of-art technology. Issues concerning IP spoofing and high-volume DDoS attacks are solved in an innovative, reliable way. Application DDoS Mitigation Application DDoS attacks (aka Layer 7 attacks) are increasingly popular with attackers due to their cost effectiveness. Such attacks generally consume less bandwidth and are stealthier in nature when compared to volumetric attacks. Application attacks are difficult to detect because a connection has already been established and is frequently encrypted (HTTPS/SSL), and therefore requests may appear to be from legitimate users. Nexusguard s solution offers total defense against application DDoS attacks that attempt to exhaust the resources of web applications and servers. HIGHLIGHTED FEATURES Anti-reflection uses attack fingerprints to avoid sending reflected DDoS traffic. By collecting and analyzing attack patterns, the technology differentiates real users and drops requests from botnets without interrupting web services. No bandwidth abuse powered by a proprietary spoofing detection algorithm, our volumetric DDoS mitigation never sends abusing traffic. Zero user impact identifies popular attack fingerprints using Big Data correlation analysis from systems, networks, and industry types, and stops DDoS attacks without affecting real users. OS fingerprint ensures proper user experience with fewer false positives by collecting and analyzing different attack patterns from an OS and TCP/IP stack perspective. Auto mitigation learns and analyzes user patterns and behaviors, which are then used to formulate mitigation policies. HIGHLIGHTED FEATURES Anti-bot defense comprises Protocol ID, Browser ID, and Challenge ID to distinguish between humans and bots. This three-pronged approach analyzes and traces HTTP protocols, checks browser behavior patterns, and challenges suspicious traffic requests to create a more effective defense front. Smart AI mitigates DDoS attacks with much greater accuracy. Smart AI identifies visitors using a unique, encrypted tracking tag that prevents users behind proxies from being mistaken for bots. In addition, a smart, state-monitoring machine adjusts filter settings automatically for different circumstances, effectively keeping legitimate users undisturbed. Web API protection protects API servers from DDoS attacks. Through a virtual throttling system, API calls are controlled at the API server s normal processing rate to ensure service availability. Coupled with GeoIP control, malicious API calls from suspicious regions are blocked at the edge, preventing further impact on API servers.
SSL Attack Mitigation As part of Nexusguard s total anti-ddos solution, we also support SSL-encrypted attack mitigation. Our SSL certification management follows the PCI Data Security Standard and ISO 27001. In doing so, our scrubbing centers become the intermediary for all incoming traffic to your websites, including SSL traffic. We offer three SSL traffic-handling options to maximize DDoS mitigation and minimize false-negatives. Offloading SSL traffic is decrypted at our scrubbing centers and returned to your web servers in clear-text format. This method relieves your servers of processing heavy encrypting/decrypting traffic via SSL, thereby improving server performance. Caching and Load Balancing During peacetime, your customers have little tolerance for slow loading pages and website downtime. Leveraging our Global Cloud infrastructure, Nexusguard s goal is to deliver pages without a glitch and deliver them fast. The solution s dynamic and static content caching mechanism offloads excessive HTTP requests from the server. All traffic going through the cloud is compressed and cached for speedy delivery. The load-sharing traffic services support multiple backend configurations. Automatic, backend failover is also implemented in the event of a backend server failure. Bridging SSL traffic is decrypted at our s crubbing centers and re-encrypted when sent back to your servers. As data is SSL-encrypted en route, this method offers the highest level of security. Forwarding SSL traffic is forwarded to your web servers directly without decryption in between. 7
Visibility and Control Nexusguard s SPE Partner Portal allows you to monitor customers from a consolidated dashboard. You can quickly see which customers are under attack and get details in real time or with an historical view from the event timeline. Access to attack size, duration, clean bandwidth, attack source, botnet request numbers, and request statistics are available in any event view. Besides high visibility, ease of customer management is another benefit of the Partner Portal. Configuration change, policy tuning, and site monitoring are all available in the Customer View. 8
Web Application Firewall (WAF) DDoS tactics are increasingly incorporated into larger malicious incidents, often serving as a distraction or smokescreen to cover more sophisticated attacks on web applications. In fact, a DDoS attack may well be a prelude to a more severe event. That s why it s critical to have a comprehensive solution that can protect websites and digital assets from all kinds of attacks and data breaches. Better yet, Nexusguard s 24x7 team of security experts at our Security Operations Center (SOC) constantly monitor and tune the WAF in order to protect your customers from evolving threats. Also, because we centrally manage the WAF platform, we analyze latest attack patterns from our large pool of customers, fine-tuning the platform to reduce false positives and improve detection rates. Nexusguard SPE features a cloud-based WAF as a service module that protects your customers applications against a wide range of threats and malicious attacks, such as brute force attacks, SQL injections, cross-site scripting, and more. Until recently, WAFs were only available as expensive hardware appliances, affordable only to large organizations. Today, Nexusguard s web-based WAF offers a cost-effective security solution, making it a compelling feature for you to attract new customers and lock in existing business. Depending on your customer s needs, Nexusguard s WAF platform can be deployed in basic or advanced modes: Basic mode monitors traffic and provides WAF protection with basic rule-sets to protect most websites. Advanced mode monitors traffic and provides WAF protection with customizable rule-sets to protect mission-critical websites. The analytics generated by the WAF project a clear picture of various applications, and provide crucial information about any data that needs to be secured as well as recommendations for fine tuning security rules. HIGHLIGHTED FEATURES Cutting-edge technology cloud-based WAF technology blocks application layer attacks with positive and negative security features. 24x7 monitoring and tuning our SOC constantly monitors and tunes the WAF to protect customer websites from evolving threats. Turnkey solution without capex costs offered as a part of our monthly service plans with no capital expenses or complex integration required. High detection rates and low false positives analyzes latest attack patterns from a large pool of customers, resulting in better detection and fewer false positives. Protect against OWASP top 10 threats - protects web application from SQL injection, cross-site scripting, OS command injection and other OWASP top 10 threats. Auto-Recovery Nexusguard s Global Cloud and the partner cloud are equipped with an auto-recovery Traffic Director. The Traffic Director can detect device failures, daemon failures, ISP issues and IDC outages, and automatically swing out traffic to seamlessly recover service without being noticed by users. 9
Deployment Workflow Here is a typical workflow for deploying Nexusguard SPE in the Hybrid Model: Project Kick-off SPE hardware and software development Partner Portal deployment UAT Training Preparation for product launch Introduction to Nexusguard s project team Project briefing on development, administration, customer portal, and service modules for end-customers Hardware purchase and delivery Hardware installation and setup Software deployment Develop a development plan Agree on deployment timeline Implement and verify the trial portal UAT plan UAT testing UAT sign-off SPE sales training SPE product training SPE operational training Customer packaging and pricing Business plans and forecasts Marketing plans and marketing collateral Invoicing and payment process Partnership agreement sign-off 10
SPE Partner Support Business Support In addition to the benefits you are entitled to as a Nexusguard Partner, several support resources are available to help you operate and grow your DDoS protection services: Business planning and management support Press release and marketing content support Enablement toolkits Program onboarding and operational training Updates on the latest cyber threats Technical Support & Emergency Service The SPE program offers 24x7 real-time monitoring of your customers websites. Whenever a threat emerges, it is immediately handled by our SOC, with a Nexusguard security expert always ready to address your security concerns. If further support is required, you can reach our technical support team at any time. 11
Data Sheet Founded in 2008, Nexusguard is the global leader in fighting malicious internet attacks. Nexusguard protects clients against a multitude of threats, including distributed denial of service (DDoS) attacks, to ensure uninterrupted internet service. Nexusguard provides comprehensive, highly customized solutions for customers of all sizes, across a range of industries, and also enables turnkey anti-ddos solutions for service providers. Nexusguard delivers on its promise to maximize peace of mind by minimizing threats. Headquartered in San Francisco, Nexusguard s network of security experts extends globally. Twitter twitter.com/nexusguard Facebook facebook.com/nxg.pr LinkedIn linkedin.com/company/nexusguard nexusguard.com contact@nexusguard.com 20150413-EN-US