AED STT Unit 01DesignBasics v6.4

COPYRIGHT © 2020 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY


NETSCOUT Arbor Edge Defense
Technical Training 6.4
Your Name
Your Title



Objectives

At the conclusion of this unit you should understand how to:


• Describe AED Hardware (overview)
• Describe AED Licensing
• Describe Deployment Models



Scenario: Customer Is Under Attack



Issue & Context

• A large stock-trading website is suffering intermittent DDoS attacks
- The customer estimates that each hour of downtime costs them $50K+
• The site is hosted in an external data center
- When attack traffic exceeds a certain threshold, the data center blocks ALL traffic to the customer's domain to prevent collateral damage
• The customer does not fully understand what is happening
- The firewall is down for most of the time the attack is active
• They cannot get access to the firewall console to gather information
• We have been called in to help them understand what is going on and to recommend a solution to the problem



Issue: Customer Under Attack

• A large stock-trading website is suffering intermittent DDoS attacks

Diagram: attack traffic and good traffic arrive from ISP 1, ISP 2 ... ISP 'n' into the data center, pass through the IPS, the firewall and the load balancer, and reach the target applications and services


Action: Analyze Environment, Propose

• Understand the customer's web infrastructure and the services running over it
• Discuss possible solution design alternatives to mitigate the DDoS attack using Arbor AED
• Propose a design to identify and mitigate the attack



AED Hardware Overview



Arbor AED Physical Interfaces

Arbor AED uses separate interfaces for:
• Management
- CLI (via SSH)
- Graphical interface (via HTTPS)
- Other management
• Protection
- Traffic that needs to be protected
• Console serial port
- Command line access


Protection interfaces:
• 2600 – 3 x 1 Gbps (copper/fiber) / 1 x 10G fiber
• 2800 – 2 x 10G
Throughput:
• APS/AED-2600 – 100 Mbps to 20 Gbps
• APS/AED-2800 – 10 Gbps to 40 Gbps


Management Interfaces (2800)

• 2 integrated copper GE ports
- 1000base-T, 100base-TX, 10base-T
- Full or half duplex
- Configurable auto-negotiation
- RJ45 (8P8C) connectors on the motherboard
• Jack "1" is configured as mgt0
• Jack "2" is configured as mgt1
• Serial console port
AED Protection Interfaces: 1 GE Copper

Back of AED 28xx, mixed interfaces

• The selected quad-port 10G card is always installed in slot 6
• For the 2800, the 2nd 10G card is always installed in slot 1
- Shipped in this configuration from the factory; not optional
• Additional 1G ports are installed in slot 7
• Slot numbering on the rear-panel diagram reads 6, 1 (upper row) and 7, 5, 4, 2 (lower row)


Arbor AED 2800 Appliance Options

Protection interface options (total of 12):
• One of the following is required and is installed in slot 6:
- 4 x 10G LR
- 4 x 10G SR
• Optionally, you can add:
- + 4 x 10G LR
- + 4 x 10G SR
- + 4 x 1G Fiber SX
- + 4 x 1G Fiber LX
- + 4 x 1G Copper

Power supply options: AC or DC
Arbor AED 2600 Appliance Options

Protection interface options (total of 12):
• If one of the following is installed in slot 6:
- 4 x 10G LR
- 4 x 10G SR
you can optionally add:
- + 4 x 1G Fiber SX
- + 4 x 1G Fiber LX
- + 4 x 1G Copper
- + 8 x 1G Fiber SX
- + 8 x 1G Fiber LX
- + 8 x 1G Copper
• Alternatively:
- 4 x 1G copper, fiber SX or fiber LX
- 8 x 1G copper, fiber SX or fiber LX
- 12 x 1G copper, fiber SX or fiber LX

Power supply options: AC or DC
Protection Interfaces: Port Names

Rear view of AED; protection interfaces are paired as ext/int:

ext0 int0 ext1 int1 ext2 int2 ext3 int3
ext4 int4 ext5 int5

• 4 x 10G SR, LC connectors
• 4 x 10G LR, LC connectors
• 4 x 1G copper
Throughput License Options

Appliance   Arbor License               NETSCOUT License
vAED        50 Mbps up to 1 Gbps
AED 2600    AED-2600-100M: 100 Mbps
            AED-2600-250M: 250 Mbps
            AED-2600-500M: 500 Mbps
            AED-2600-1G: 1 Gbps
            AED-2600-2G: 2 Gbps         E-026XX-02XXX
            AED-2600-5G: 5 Gbps         E-026XX-05XXX
            AED-2600-10G: 10 Gbps       E-026XX-10XXX
            AED-2600-15G: 15 Gbps
            AED-2600-20G: 20 Gbps
AED 2800    AED-2800-10G: 10 Gbps
            AED-2800-20G: 20 Gbps
            AED-2800-30G: 30 Gbps
            AED-2800-40G: 40 Gbps

NOTE: NETSCOUT SKUs are still being added


AED Appliance License: Box Sticker

• Production units have a permanent license printed on the appliance.

• License keys for Demo and Spare devices should be requested from ATAC
- You will need to provide the device’s Serial Number



AED Deployment



AED Deployment Modes Overview

• Deployment modes:
- Monitor
- Inline Bridged
- Inline Routed (L3 - vAED only)
• In Monitor mode, AED does not forward traffic and does not analyze outbound traffic. Monitor mode is deployed out of band, fed from a SPAN port or a tap.
• In Inline Bridged mode and Inline Routed mode, AED sits in the physical path between two endpoints and can be configured to block attack traffic.
- In Inline Bridged mode, AED forwards all traffic that passes the mitigation rules.
- In Inline Routed mode, vAED forwards all traffic that passes the mitigation rules, provided a valid route to the destination network is configured.


AED Deployment Modes In The UI

• Monitor mode appears as "Monitor"
- Active / Inactive sub-modes are not supported
• Inline deployment modes appear as "Inline Bridged" (Inline) and "Inline Routed" (L3)
- Both modes support the Active / Inactive sub-modes

Screenshots: Monitor Mode, Inline Mode, Layer 3 Mode


INLINE Deployment Mode Use Case

Diagram: AED deployed inline on the ISP links

Inline Deployment Mode - Detection & Mitigation

• Fits numerous data center on-site deployment scenarios
- Inline deployment mode with hardware bypass
- Inline Inactive deployment sub-mode to do threat detection only and to gain confidence in the configuration
• Preferred northbound of other security / application devices, protecting:
- FW
- WAF
- IPS/IDS
- Load balancers
MONITOR Deployment Mode Use Case

Diagram: AED fed out of band from the ISP links via a link tap, PFS or port SPAN

Monitor Deployment Mode - for Detection Only

• Typically used during proof-of-concept trials and tests
• Can be used if the organization forbids inline deployment
• In this mode Arbor AED can:
- Detect attacks and bots
- Report on traffic that would be dropped in inline active mode
- Initiate cloud signaling
• Potentially, this mode can be used in a production environment in conjunction with cloud signaling
INLINE Deployment Mode Alternative

Diagram: AED deployed inline on the ISP links, upstream of the router

Inline Deployment Mode - Upstream Router Protection

• Recommended for cases of:
- Software routers (that is, routers performing packet switching via CPU)
- Firewalls used as routers
- Routers with integrated stateful security (built-in firewall or IPS)


Bypass

• All protection interfaces offer Hardware Bypass
- HW Bypass mode requires no power
- HW Bypass uses an internal switch between the interfaces of a pair, so bypassed traffic passes through uninspected
- Note: Hardware Bypass is not available with vAED
• The switch is held in "normal" mode by a Bypass timer
- Arbor AED code resets the interface Bypass timers every second
- HW Bypass is triggered if a timer runs 2 seconds with no reset
• Protection interfaces will go into Hardware Bypass on:
- Reboot
- Loss of power
- Interface control logic crash or failure
- Loss of motherboard connectivity
- Operating system crash
- HW Bypass can be disabled via CLI
• Protection interfaces will go into Software Bypass when:
- Arbor AED services are stopped
- SW Bypass can be disabled via CLI


Bypass Operation Notes (1 of 3)

• Make sure Ethernet port speed/duplex settings match on all four interfaces in the path
- For example: router, ext_x, int_x, firewall
• Test Hardware Bypass operation before moving to production
- Make sure routing protocols running over the Arbor AED protection interfaces do not start re-convergence when the links flap during bypass
• The Arbor service must be running to make any changes to the Bypass configuration
• Bypass settings apply only to AED appliances deployed in Inline mode
• Bypass is enabled by default


Bypass Operation Notes (2 of 3)

• To view the configuration and status of both Hardware and Software Bypass:
/ services aed bypass show
• Hardware Bypass configuration:
/ services aed bypass fail open/closed
- Configures how the protection interfaces fail
– "open" = bypass on fail (traffic passes through the interface pair uninspected)
– "closed" = disconnect on fail (the links are cut and traffic stops)
/ services aed bypass force open/closed
- Manually and immediately forces the protection interfaces into bypass operation
– "open" = force the interfaces into bypass now
– "closed" = force the interfaces to disconnect now
– Hardware bypass takes precedence when an appliance is already in software bypass mode

Bypass Operation Notes (3 of 3)

• Hardware Bypass configuration (cont.):
/ services aed bypass disable
- Manually disables all of the hardware bypass features
- Warning: network traffic may be dropped if a system failure occurs while hardware bypass is not configured and software bypass is disabled
• Software Bypass configuration:
/ services aed bypass software disable/enable
- Enables or disables software bypass


Link State Propagation

• AED mirrors link status between the interfaces of a protection port pair in Inline mode
- Improves failover if only one link in a pair fails, because the neighbour on the other side sees the link go down too
• Enabled by default


Link State Propagation Timeouts

• Overview
- Timeouts for Link State Propagation can now be configured for:
• Interface Down – the amount of time AED waits after one interface in a pair goes down before it disconnects the other interface
• Interface Up – the amount of time AED waits after the originally down interface reconnects before it restores the other interface
• Default timeout period = 5 seconds
• Valid range 0 – 5 seconds, where 0 = as quickly as possible

Note: Not supported on vAED
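The bypass watchdog on the Bypass slides (timer reset every second, hardware bypass after 2 seconds without a reset, software bypass when only the services stop, hardware bypass taking precedence) and the Link State Propagation timeouts above can be exercised together in a small model. This is an added example, not NETSCOUT code and not how AED implements it: InlinePair, its path names ("inspecting", "sw_bypass", "hw_bypass", "disconnected", "dropped") and the two scenario functions are this example's own, and it assumes that the timer resets continue while only the AED services are stopped and that the relay returns to normal once resets resume.

```python
# Added illustration, not NETSCOUT code: a discrete-time model of how an AED inline
# protection pair fails. One tick = one second. Numbers come from the slides (timer
# reset every second, relay trips after 2 s without a reset, LSP timeouts 0-5 s);
# state names, method names, scenarios and the assumption that timer resets keep
# running while only the AED services are stopped are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HW_BYPASS_TRIP = 2  # seconds without a timer reset before the relay engages


@dataclass
class InlinePair:
    """One ext_x/int_x protection port pair deployed in Inline mode."""
    fail_mode: str = "open"          # "open" = bypass on fail, "closed" = disconnect on fail
    hw_bypass_enabled: bool = True   # cleared by '/ services aed bypass disable'
    sw_bypass_enabled: bool = True   # cleared by '/ services aed bypass software disable'
    lsp_down_timeout: int = 5        # Interface Down timeout, 0-5 s
    lsp_up_timeout: int = 5          # Interface Up timeout, 0-5 s
    t: int = 0                       # simulated clock, seconds
    timer: int = 0                   # seconds since the AED code last reset the bypass timer
    relay_tripped: bool = False      # hardware bypass relay engaged
    services_running: bool = True    # AED services up (the OS may be alive without them)
    phys: Dict[str, bool] = field(default_factory=lambda: {"ext": True, "int": True})
    forced_down: Dict[str, bool] = field(default_factory=lambda: {"ext": False, "int": False})
    changed_at: Dict[str, int] = field(default_factory=lambda: {"ext": 0, "int": 0})
    mirrored_from: Optional[str] = None  # side whose outage is currently mirrored

    def link(self, side: str, up: bool) -> None:
        """Physical carrier change on "ext" or "int"."""
        self.phys[side] = up
        self.changed_at[side] = self.t
        self._propagate()            # with a 0 s timeout the change is mirrored at once

    def tick(self, heartbeat: bool = True) -> None:
        """Advance one second; heartbeat=False models a crashed OS or control logic."""
        self.t += 1
        if heartbeat:
            self.timer = 0
            self.relay_tripped = False   # live AED code holds the relay in normal mode
        else:
            self.timer += 1
            if self.timer >= HW_BYPASS_TRIP and self.hw_bypass_enabled:
                self.relay_tripped = True
        self._propagate()

    def _propagate(self) -> None:
        """Link state propagation: mirror a link change to the partner port after its timeout."""
        other = {"ext": "int", "int": "ext"}
        if self.mirrored_from is None:
            for side in ("ext", "int"):
                if not self.phys[side] and self.t - self.changed_at[side] >= self.lsp_down_timeout:
                    self.forced_down[other[side]] = True
                    self.mirrored_from = side
                    break
        else:
            side = self.mirrored_from
            if self.phys[side] and self.t - self.changed_at[side] >= self.lsp_up_timeout:
                self.forced_down[other[side]] = False
                self.mirrored_from = None

    def path(self) -> str:
        """What happens to traffic entering the pair right now."""
        if self.relay_tripped:                     # HW bypass overrides SW bypass
            return "hw_bypass" if self.fail_mode == "open" else "disconnected"
        if self.timer >= HW_BYPASS_TRIP:           # control logic dead, HW bypass disabled
            return "dropped"
        if not self.services_running:
            return "sw_bypass" if self.sw_bypass_enabled else "dropped"
        return "inspecting"

    def links(self) -> Dict[str, bool]:
        """Link state as seen by the neighbours on ext_x and int_x."""
        return {s: self.phys[s] and not self.forced_down[s] for s in ("ext", "int")}


def scenario_services_then_os_crash(fail_mode: str = "open", hw_enabled: bool = True,
                                    sw_enabled: bool = True) -> Tuple[str, str]:
    """AED services stop while the OS stays up, then the OS crashes; path after each."""
    p = InlinePair(fail_mode=fail_mode, hw_bypass_enabled=hw_enabled, sw_bypass_enabled=sw_enabled)
    for _ in range(3):
        p.tick()
    p.services_running = False
    p.tick()                                   # OS alive: the timer is still reset
    after_stop = p.path()
    for _ in range(HW_BYPASS_TRIP):
        p.tick(heartbeat=False)                # no resets: the relay trips
    return after_stop, p.path()


def scenario_link_flap(down_timeout: int, up_timeout: int, ticks: int = 12) -> List[bool]:
    """ext_x loses carrier at t=0, regains it at t=6; int_x link state after each second."""
    p = InlinePair(lsp_down_timeout=down_timeout, lsp_up_timeout=up_timeout)
    p.link("ext", False)
    seen = []
    for _ in range(ticks):
        if p.t == 6:
            p.link("ext", True)
        p.tick()
        seen.append(p.links()["int"])
    return seen
```

Running scenario_services_then_os_crash with fail open versus fail closed, and with hardware or software bypass disabled, reproduces the outcomes the CLI slides warn about: with hardware bypass disabled, an OS crash leaves traffic dropped rather than bypassed, and with software bypass disabled, stopping the services drops traffic until hardware bypass engages. The scenario_link_flap timelines show how a 5-second Interface Down timeout delays the partner port's link change compared with a 0-second timeout; that delay is the window to compare against the hold timers of any routing protocol running across the pair.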


On-Board Inspection - HSM

• FIPS 140 certified SSL acceleration cards
- Protection against DDoS attacks encrypted with SSL3, TLS 1.0, TLS 1.1, TLS 1.2
- Available with new appliances
- Existing appliances are field upgradeable
• Performance
- AED 2800: up to 5 Gbps of decryption
- AED 2600: up to 750 Mbps of decryption


Onboard Inspection - CAM

• Non-FIPS-compliant
• Available with new appliances
• Existing appliances are field upgradeable


Unit Summary

In this unit we have learned how to:


• Describe AED Hardware (overview)
• Describe AED Licensing
• Describe Deployment Models

