Move your DMZ to the cloud for effective DDoS mitigation, argue Nostra’s Griffin and Kane
10 February 2016
When your organisation is forced to mitigate DDoS threats, like many other organisations you will look to “Hosted DDoS Mitigation Specialists” who offer to “clean” your network traffic in their data centre, which consists of larger, more powerful servers and huge bandwidth connectivity, and then forward the “clean” traffic to your on-premises infrastructure.
This all sounds very promising, and there are a lot of companies who can provide this type of service for you. However, it is not the answer. The trouble is that this type of service also depends heavily upon your own bandwidth and connectivity capabilities. You may be required to increase your own broadband packages, thus increasing your recurring monthly expenditure. You may also require a dedicated connection to the data centre and a possible router upgrade to facilitate the solution. Alternatively, you may choose to purchase a set of highly available Tier 1 firewalls with built-in DDoS options to mitigate the risk on-premises. As a result, your on-premises infrastructure may see clean traffic. However, your connection to the Internet is still filled with malicious requests that cannot get through your firewall but still consume your bandwidth. This means that even if you have a Tier 1 firewall solution, your connectivity still suffers internally.
Organisations are also looking to content delivery partners in the cloud to handle their site content. This is primarily static content as a minimum, but it does present problems for some dynamic content. The trouble with content delivery is that the price point is aimed at those who are already serving content to very large bodies of users. Cloud-based protection also brings with it its own issues with compatibility of systems.
Could more bandwidth prevent DDoS? A public-facing network connection with large bandwidth capabilities is always going to be able to handle more bad requests. But more bandwidth simply means more pressure on your load balancer configurations and physical on-premises infrastructure, as they now have to stand up against an increased volume of illegitimate requests. By opening up the “flood gates” you actually increase the risk of your infrastructure failing and your business going offline.
For example, a typical network’s internet connection will have bandwidth limits at obvious points: 100 Mb/sec or 1 Gb/sec. The BBC reported that “More than 200 of the reported attacks in 2015 summoned over 100 gigabits per second (Gbps) of traffic, with the largest of these clocking in at a very concerning 500 Gbps”. That is 5,000 times more than the standard SME bandwidth limit and 500 times more than advanced Enterprise bandwidth capabilities.
The solution is to move your organisation’s DMZ onto Microsoft Azure. You keep control of your network security, mitigate risk, improve cybersecurity governance and compliance, and provide monitoring and analytic reporting whilst leveraging your existing ICT investments. Microsoft Azure is built on the same Hyper-V technology utilised by millions of organisations worldwide and is designed to be an extension of your existing ICT infrastructure.
Most organisations consider Microsoft Azure for virtual machines that run specific server roles in addition to their existing on-premises infrastructure. These Azure VMs are often isolated from the rest of the network and operate as standalone web servers, app servers, development servers and so on. What many organisations don’t realise is that Azure is much more than just a large Hyper-V cluster in the sky from which you can purchase virtual machines. There is a unique marketplace with a huge portfolio of products that offers Tier 1 technologies across different IT layers. NGINX Plus is one marketplace offering: a ready-to-roll Linux virtual appliance preloaded with NGINX Plus for advanced load balancing and content delivery. Web Application Firewalls (WAFs) from providers such as F5, Check Point, Barracuda and Riverbed allow you to integrate a virtual environment with your own.
Hardware firewalls as a virtual appliance in Azure? Yes: you could build a replica of your entire on-premises infrastructure in the Microsoft cloud.
By moving your DMZ to Azure to mitigate risk, including DDoS, you can create a virtual environment where Check Point provides visibility across your entire estate including the edge of the cloud, web application filtering is provided by Barracuda, and traffic is load balanced by F5 and pre-cached. The solution can be further filtered and served by NGINX, and dynamic content that has not been cached is WAN-optimised by Riverbed appliances and served over a VPN connection from the head office with reduced latency.
If your organisation is under constant threat or responds to the ad-hoc demands of large events, additional virtual machines can be spun up with ease, either manually or on a dynamic scaling policy that shrinks and grows with demand, allowing you full control over your systems and budget. You only pay for additional services when your organisation requires them. Even in the case of a brutal, highly targeted attack, a globally distributed, dynamic virtual environment makes it very easy to contain an attack in one country without affecting your global reach.
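As an added example, not code from the article or from Nostra or Microsoft, the following Azure CLI script builds the kind of dynamic scaling policy described above: a front-end scale set for the DMZ tier that grows when load rises and shrinks when it falls, bounded by a minimum and a maximum instance count so the spend stays under control. The resource group name, region, image alias, VM size, CPU thresholds and cooldowns are assumptions for illustration; substitute your own. Run it with DRY_RUN=1 first to print the commands without creating anything.

```shell
#!/bin/sh
# Added example, not code from the article or from Nostra/Microsoft: build an
# autoscaling front-end tier for a cloud-hosted DMZ with the Azure CLI.
# Names, region, VM size and thresholds below are assumptions for illustration.
set -eu

RG="${RG:-dmz-rg}"                      # assumed resource group name
LOCATION="${LOCATION:-northeurope}"     # assumed region
VMSS="${VMSS:-dmz-frontend}"            # assumed scale set name
MIN_COUNT="${MIN_COUNT:-2}"             # baseline: never scale to zero, keep capacity for the first burst
MAX_COUNT="${MAX_COUNT:-10}"            # budget ceiling: the policy can never grow past this
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints the az commands instead of running them

# Wrapper so the plan can be reviewed before anything is created.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "az $*"
  else
    az "$@"
  fi
}

# Front-end tier: a VM scale set behind a Standard load balancer. The
# Ubuntu2204 image alias and Standard_B2s size are assumptions; substitute
# the marketplace appliance image (NGINX Plus, WAF, etc.) you actually use.
create_frontend_scaleset() {
  run group create --name "$RG" --location "$LOCATION"
  run vmss create \
    --resource-group "$RG" --name "$VMSS" \
    --image Ubuntu2204 --vm-sku Standard_B2s \
    --instance-count "$MIN_COUNT" \
    --upgrade-policy-mode automatic \
    --lb-sku Standard \
    --admin-username azureuser --generate-ssh-keys
}

# Dynamic scaling policy: grow quickly under load, shrink slowly when idle,
# and stay between MIN_COUNT and MAX_COUNT so cost is bounded.
create_autoscale_policy() {
  run monitor autoscale create \
    --resource-group "$RG" \
    --resource "$VMSS" --resource-type Microsoft.Compute/virtualMachineScaleSets \
    --name "${VMSS}-autoscale" \
    --min-count "$MIN_COUNT" --max-count "$MAX_COUNT" --count "$MIN_COUNT"
  # Scale out by 2 when average CPU across the set exceeds 70% for 5 minutes.
  run monitor autoscale rule create \
    --resource-group "$RG" --autoscale-name "${VMSS}-autoscale" \
    --condition "Percentage CPU > 70 avg 5m" \
    --scale out 2 --cooldown 5
  # Scale in by 1 only after 10 quiet minutes, with a longer cooldown,
  # so a brief lull in an attack does not strip capacity prematurely.
  run monitor autoscale rule create \
    --resource-group "$RG" --autoscale-name "${VMSS}-autoscale" \
    --condition "Percentage CPU < 30 avg 10m" \
    --scale in 1 --cooldown 10
}

# Apply only when explicitly asked:   ./dmz-autoscale.sh apply
# Review the plan first with:         DRY_RUN=1 ./dmz-autoscale.sh apply
case "${1:-}" in
  apply) create_frontend_scaleset; create_autoscale_policy ;;
esac
```

The asymmetry between the rules is deliberate: scaling out is fast and in larger steps because capacity is what absorbs a burst, while scaling in is slow and in single steps so that a short pause in traffic does not remove instances just before the next wave. The maximum count is the budget guard the article refers to; scaling adds capacity behind the firewall and WAF appliances, it does not replace the filtering they do.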
Microsoft also protects Azure from both internal and external threats, although it does not disclose the means by which it does this, so that targeted attacks cannot circumvent the undisclosed policies. This means there is an additional safeguard against DDoS on top of the global size of the Azure cloud, dynamic scaling, global data centre positioning for endpoints, IPsec VPN connections, and the network and security appliances native to the Azure cloud.
At Nostra, we don’t spend all day talking about today’s IT problems, we spend it resolving them. Simplify Your IT.
Pádraigh Griffin is head of data infrastructure and Joseph Kane is senior networking and security engineer with Nostra