Today, network attacks are increasing in sophistication, exploiting vulnerabilities in the network and in applications, and damaging or altering network resources. These attacks can compromise network security and directly affect the subscribers who use the network infrastructure. Service providers must be able to identify, and take corrective action on, subscribers that are infected with computer worms or viruses, or that behave maliciously by running abusive applications.
A solution to this problem consists of a sophisticated application-layer intrusion detection and prevention (IDP) system coupled with dynamic service policy enforcement to offer automated attack detection and mitigation. This enables service providers to protect the network infrastructure and to offer a value-added service to residential users, small and medium businesses, and even medium-to-large enterprises.
Most service providers have managed security service offerings and recognize this area as one of significant revenue potential. According to Frost & Sullivan, the global managed security market will grow significantly over the next few years, reaching a market size of $2.5 billion in 2008.
To tap into this growing market, service providers need to be able to differentiate their security service offerings from those of their competitors to better ensure customer retention and continued revenue generation. A dynamic threat mitigation solution can give service providers exactly the kind of competitive edge they need with easily customized tools that can be tailored to meet customers’ needs.
Currently, service providers deploy network intrusion detection systems to help secure the network infrastructure. These solutions can passively inspect the packets that traverse the network, but offer little in terms of immediate attack mitigation. Network operators are inundated with false alarms and large log files that require expensive manual intervention to examine and correct. Even once an attack or infected user has been identified, there is no quick, easy method to correlate the attack with the specific subscriber on the network and then enable that user to remedy the problem.
The optimal solution is one that can provide the network operator with the following:
- immediate identification of the source of a virus or worm
- a quick, dynamic way to isolate that user from infecting other users or resources in the network
- the capability to restore a user to a healthy state
The dynamic threat mitigation solution combines the power of advanced detection and prevention with dynamic policy creation and enforcement on the network edge routers.
In conjunction with the network elements, these components work together to identify suspicious traffic, act to confirm whether the traffic is malicious, and then take action to block that traffic or redirect it away from the production network.
[Figure: diagram of the dynamic threat mitigation solution (image not included)]
With this solution, service providers are able to cost-effectively identify attacks on a per-user or per-application basis and to mitigate those attacks quickly and effectively. Service providers can offer value-added, highly differentiated network protection services to their enterprise and residential customers.
The example above illustrates how routing platforms and IDP devices along with an intelligent policy server work together to identify a subscriber infected with a virus or worm. The integrated products work to quarantine that subscriber to prevent subsequent infections of other subscribers and to protect network resources.
The IDP device is located directly in the subscriber data path, so it is able to identify any worms, viruses or abusive applications that originate from the subscriber. The IDP device can process all subscriber traffic on the network, or it can be configured to process groups of users over predefined, scheduled periods of time.
Once a problem has been identified by the IDP device, a message is sent to the policy server. The policy server mitigates the effect of the infected traffic on the network by applying a policy to the routing platform that redirects the infected subscriber to a captive Web-based portal. The portal notifies the user of the problem and recommends appropriate ways to take corrective action, such as downloading a newer antivirus signature to the system. Once the virus has been removed from the user's system, a new policy is enforced to allow the user to resume his or her normal activities.
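As an added example (not code from the original article or from Juniper's products), the following Python sketch models the policy server's decision logic described above: it takes constructed IDP alerts, quarantines a subscriber once by pushing a redirect policy toward the captive portal, ignores alerts below a confirmation threshold or for subscribers already quarantined, and restores the subscriber after the portal reports remediation. The class names, the portal address and the policy format are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed example: a minimal policy server that turns IDP alerts into
# edge-router policies. Names, addresses and the policy format are assumed.

SEVERITY = {"low": 0, "medium": 1, "high": 2}

class State(Enum):
    HEALTHY = "healthy"
    QUARANTINED = "quarantined"

@dataclass
class IdpAlert:
    subscriber: str   # subscriber id learned from the edge-router session
    signature: str    # name of the worm/virus/abusive-application signature
    severity: str     # "low", "medium" or "high"

@dataclass
class PolicyServer:
    portal_ip: str                    # captive Web portal (assumed address)
    min_severity: str = "medium"      # alerts below this are logged, not acted on
    states: dict = field(default_factory=dict)
    pushed_policies: list = field(default_factory=list)  # policies sent to routers

    def state_of(self, subscriber):
        return self.states.get(subscriber, State.HEALTHY)

    def on_alert(self, alert):
        """Quarantine the subscriber by redirecting it to the captive portal."""
        if SEVERITY[alert.severity] < SEVERITY[self.min_severity]:
            return None               # suspicious but unconfirmed: no policy change
        if self.state_of(alert.subscriber) is State.QUARANTINED:
            return None               # already quarantined: avoid duplicate pushes
        self.states[alert.subscriber] = State.QUARANTINED
        policy = {
            "subscriber": alert.subscriber,
            "action": "redirect",     # Web traffic is sent to the captive portal
            "allow": [self.portal_ip],  # only the portal remains reachable
            "reason": alert.signature,
        }
        self.pushed_policies.append(policy)
        return policy

    def on_remediated(self, subscriber):
        """Restore normal service once the portal reports the system is clean."""
        if self.state_of(subscriber) is not State.QUARANTINED:
            return None               # nothing to restore
        self.states[subscriber] = State.HEALTHY
        policy = {"subscriber": subscriber, "action": "restore"}
        self.pushed_policies.append(policy)
        return policy
```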
Links
Juniper Networks Inc.: www.juniper.net