On May 3, 2013, Lior Cohen and Ehud Doron presented Radware’s SDN-based DefenseFlow DDoS attack mitigation solution during DemoFriday™. Lior has kindly provided answers to all the questions asked during the event. And for those of you who missed the event, the archives are now available.
Here’s a short snippet with the demo for your viewing pleasure. To view the entire DemoFriday™, head on over to the archive page and don’t forget to read our recent interview with Avi Chesla, Radware’s CTO.
Q: How is the traffic diverted to DefensePro? Is it through BGP route injection or DNS change?
A: Traffic diversion is an inherent capability of the DefenseFlow Application and the Radware Intelligent Network Attack Mitigation Solution. As DefenseFlow determines that certain traffic flows can potentially consist of a network attack, DefenseFlow will program the SDN controller to instantaneously direct the network to divert all suspicious traffic to the DefensePro appliances for cleansing. This approach is significantly faster than route convergence or DNS change propagation.
Q: If DefenseFlow is taking the flow information, what is the significance of SDN here?
A: SDN is a paradigm that exhibits a single and consistent representation of the entire network through the network controller. Through the northbound API of the SDN controller, an application like DefenseFlow can program the network in real-time to both monitor and divert traffic. More significantly, because of SDN, DefenseFlow is able to obtain information pertaining to the complete network from the network controller, allowing for more pervasive and comprehensive attack detection than any flow related statistics collection mechanism employed today.
Q: Is the DefensePro appliance on-premises or will it be in the cloud (scrubbing centers)? Is there any DefenseFlow agent deployed on the premises or is the flow information directly sent to DefenseFlow in the cloud?
A: The DefensePro Appliance can reside in any location convenient for the customer, as long as SDN can be used to appropriately divert network flows to it. However, the DefenseFlow application should be topologically as close as possible to the SDN controller so it can efficiently obtain flow statistics from the controller. The deployment topologies for Radware Intelligent Network Attack Mitigation are very flexible and adapt well to just about any network.
Q: In a cloud deployment, is there any option to install DefenseFlow on premise to collect flow information locally and analyze?
A: Yes. The only pre-requisite here is that the cloud network elements (likely an overlay portion of it) are controlled by the on-premise SDN controller, from which statistics can be collected and traffic be diverted.
Q: What is the difference between collecting flow information on SDN and collecting flow information from flow collectors available in the market?
A: The key difference is that by leveraging SDN, the attack mitigation solution can expand beyond just passively collecting information, to actively diverting suspicious traffic into security devices and blocking traffic as close as possible to its origin by leveraging the network. Traffic diversion in the SDN realm is faster and attack mitigation is more efficient. Furthermore, collecting flow statistics in SDN does not impair the high performance of the network devices, ensuring customers get the performance they paid for.
Q: Which controllers do you support?
A: Our plans are to support the following SDN controllers within Radware’s SDN Applications: Floodlight, OpenDaylight, NEC P-Flow, Big Switch Network controller, NOX & Trema. We will certainly deliver support for additional vendor-specific controllers as well if there is customer demand.