Not so long ago, the management of some banks would brush off the risk of an online banking outage by advising clients to visit their nearest branch. Those times are over, and businesses need to take that into account.
Banks, e-shops, media companies, public administration offices, companies in various businesses – they are all aware that in this digital age, an outage of their web services can cause considerable damage.
It is not difficult to imagine what a web outage caused by a large DDoS attack does to the business of a leading e-shop that processes tens of thousands of orders daily. The direct financial impact is not the only concern; reputation and customer loyalty are at stake, too.
SWAN is the second largest Internet connectivity provider for corporate customers in Slovakia, so it is not surprising that its customers have been increasingly vocal with concerns about protecting their network infrastructure from the growing risk and number of threats. Most also wanted to enhance their network visibility to be able to identify anomalies and technical issues, and to improve overall network functioning.
SWAN was already able to detect DDoS attacks; however, its actual ability to protect clients was not satisfactory. The same limitations applied to additional services, such as providing overviews of activity in customers' networks. The company wanted to address all of these issues with a single integrated solution, and Flowmon with F5 were a perfect fit.
„Since Internet connectivity became a commodity, SWAN has been looking for ways to offer extra value-added services to customers to strengthen their loyalty and enlarge our customer base. As a result of our efforts, we are able to provide advanced protection of network infrastructure to top companies as well as medium enterprises who also need to protect themselves from security risks and DDoS attacks,“ says Augustín Revák, CTO.
The company started developing a solution that would enable its customers to easily monitor the data flows in their networks, analyze network activity, and protect themselves from DDoS attacks. Such attacks flood the network infrastructure so that web sites, servers, or the Internet connection itself are slowed down or brought down altogether.
SWAN decided to employ a solution developed by Flowmon Networks and F5 Networks, companies that provide technologies for network monitoring, analysis, and mitigation with a good price-to-value ratio. Flowmon Collector collects and stores statistics on network activity and, thanks to advanced analysis of the protected segments, provides very fast warnings of DDoS attacks. When an attack is detected, Flowmon notifies the F5 BIG-IP AFM device to start mitigation. At the same time, Flowmon instructs the network routers to divert all traffic destined for the protected segment to the F5 mitigation device. Automatic configuration of the device enables a fast attack cleanup: malicious traffic is discarded and only legitimate traffic is delivered. As soon as the attack is over, Flowmon restores the original traffic path and removes the temporary configuration from the F5 device.
Evaluation of the project took several months and included a considerable amount of integration work, adjusting the technology, optimizing the entire workflow, tailoring it to the customers' strict demands, and allowing them to choose their preferred level of the service.
„At the beginning of the project, there were no native options to combine Flowmon and F5 technologies. Both providers had to cooperate and proceed step by step to develop a functional integration. The result of their joint effort can now be used by many customers around the world,“ says Augustín Revák of the SWAN company.
There are three levels of the service to choose from. Within four months of release, the solution was in use by twenty of the operator's customers from a variety of sectors, including banks, media companies, and public administration. Naturally, SWAN also uses the solution to protect and monitor its own network.
The basic service level includes network monitoring, DDoS attack detection, reporting, automated notifications, and support. During a DDoS attack, simple mitigation via RTBH (Remotely Triggered Black Hole) is available: all traffic destined for the attacked address is discarded at the network edge, which sacrifices reachability of that one address but protects the customer's infrastructure and uplink from being flooded.
The intermediate level employs BGP Flowspec together with a dynamic attack signature that identifies the malicious traffic and instructs the routers to discard only that. In this way, customers do not lose the traffic that does not match the attack signature. The dynamic signature is continuously updated and the mitigation strategy adjusted to reflect the current type and form of the attack, even if it changes while the attack is in progress.
The most advanced level of protection combines BGP Flowspec with rerouting of the malicious traffic to the F5 BIG-IP AFM for precise cleaning. The native integration of Flowmon Networks and F5 Networks makes a fully automated attack response possible, including automatic configuration of the mitigation device for immediate mitigation.
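The detection-to-mitigation loop described for the Flowmon and F5 integration, and the three service levels (RTBH, Flowspec with a dynamic signature, and diversion to a scrubbing device), as an added worked example. This is illustrative code written for this article, not Flowmon's or F5's software. It assumes: flow records with NetFlow/IPFIX-like fields (constructed values), per-host baselines learned beforehand, an alarm at five times the baseline, a discard next-hop of 198.51.100.1 routed to Null0 on the edge routers, a scrubbing device reachable via next-hop 203.0.113.5, and announcement strings in the text-API style of ExaBGP; all of those addresses, thresholds and the exact command syntax are assumptions to be checked against your own BGP speaker.

```python
"""Flow-based DDoS detection with tiered BGP mitigation (RTBH, Flowspec, diversion).

Added illustration of the workflow in the case study; not Flowmon or F5 code. The
announcement strings follow ExaBGP's text-API style (assumption; verify before use).
"""
from collections import Counter

# ---- constructed sample input (invented values, NetFlow/IPFIX-like fields) ----
# (dst_ip, protocol, dst_port, bytes, packets) aggregated over one export window
SAMPLE_FLOWS = [
    ("192.0.2.10", "udp", 53, 600_000_000, 410_000),   # DNS amplification-style flood
    ("192.0.2.10", "udp", 53, 550_000_000, 370_000),
    ("192.0.2.10", "udp", 123, 200_000_000, 450_000),  # NTP flood
    ("192.0.2.10", "tcp", 443, 2_000_000, 4_000),      # legitimate HTTPS traffic
    ("192.0.2.20", "tcp", 443, 1_500_000, 3_000),      # neighbouring host, normal load
]
BASELINE_BPS = {"192.0.2.10": 5_000_000, "192.0.2.20": 2_000_000}  # learned per host

WINDOW_SECONDS = 60            # export window the byte counters cover
THRESHOLD_MULTIPLIER = 5.0     # alarm when observed bps > multiplier x baseline
DEFAULT_BASELINE_BPS = 1_000_000
SIGNATURE_MIN_SHARE = 0.10     # (proto, port) pairs carrying >= 10% of attack bytes

RTBH_NEXT_HOP = "198.51.100.1"     # assumed discard next-hop routed to Null0 on the edge
SCRUBBER_NEXT_HOP = "203.0.113.5"  # assumed next-hop of the scrubbing (mitigation) device
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE community
RATE_LIMIT_BPS = 50_000_000        # assumed pre-filter applied in front of the scrubber


def detect_victims(flows, baseline=BASELINE_BPS, window=WINDOW_SECONDS):
    """Return {dst_ip: observed_bps} for hosts whose inbound rate exceeds the threshold."""
    totals = Counter()
    for dst, _proto, _port, nbytes, _pkts in flows:
        totals[dst] += nbytes
    victims = {}
    for dst, total in totals.items():
        bps = total * 8 / window
        if bps > THRESHOLD_MULTIPLIER * baseline.get(dst, DEFAULT_BASELINE_BPS):
            victims[dst] = bps
    return victims


def attack_signature(flows, victim):
    """Dynamic signature: (protocol, dst_port) pairs that dominate traffic to the victim.

    Recomputed every window, so the Flowspec rules follow the attack if it changes shape.
    """
    by_tuple = Counter()
    for dst, proto, port, nbytes, _pkts in flows:
        if dst == victim:
            by_tuple[(proto, port)] += nbytes
    total = sum(by_tuple.values())
    return [t for t, b in by_tuple.most_common() if b / total >= SIGNATURE_MIN_SHARE]


def flowspec_rule(victim, proto, port, action):
    """One Flowspec NLRI matching the victim /32 plus a signature tuple."""
    return ("flow route { match { destination %s/32; protocol %s; destination-port =%d; } "
            "then { %s; } }" % (victim, proto, port, action))


def mitigation_commands(tier, victim, signature):
    """Commands for the three service levels described in the article."""
    if tier == "rtbh":
        # Basic level: blackhole the victim /32 on the edge; ALL traffic to it is dropped.
        return ["announce route %s/32 next-hop %s community [%s]"
                % (victim, RTBH_NEXT_HOP, BLACKHOLE_COMMUNITY)]
    if tier == "flowspec":
        # Intermediate level: discard only flows matching the dynamic signature.
        return ["announce " + flowspec_rule(victim, p, port, "discard") for p, port in signature]
    if tier == "scrubbing":
        # Top level: divert the victim /32 to the scrubbing device and rate-limit the
        # signature with Flowspec so the scrubber itself is not saturated.
        cmds = ["announce route %s/32 next-hop %s" % (victim, SCRUBBER_NEXT_HOP)]
        cmds += ["announce " + flowspec_rule(victim, p, port, "rate-limit %d" % RATE_LIMIT_BPS)
                 for p, port in signature]
        return cmds
    raise ValueError("unknown tier: %s" % tier)


def withdraw_commands(commands):
    """When the attack ends, withdraw exactly what was announced to restore normal routing."""
    return [c.replace("announce ", "withdraw ", 1) for c in commands]


def run_cycle(flows, tier):
    """One detection/mitigation pass; returns {victim: commands} (empty if nothing is found)."""
    return {v: mitigation_commands(tier, v, attack_signature(flows, v))
            for v in detect_victims(flows)}


if __name__ == "__main__":
    for victim, cmds in run_cycle(SAMPLE_FLOWS, "scrubbing").items():
        print("victim", victim, "signature", attack_signature(SAMPLE_FLOWS, victim))
        for c in cmds + withdraw_commands(cmds):
            print(" ", c)
```

Two practical points the example makes visible: with the sample flows the signature covers only UDP/53 and UDP/123, so the legitimate TCP/443 traffic to the same host is untouched by the Flowspec tier, whereas the RTBH tier drops it along with the attack. For the diversion tier, the /32 route toward the scrubber must stay inside the operator's network (tag it with a no-export community or filter it on peering sessions), and the scrubber needs a separate return path to the customer, such as a GRE tunnel or a dedicated VRF, so that cleaned traffic is not diverted a second time.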
„We are not the only operator in Slovakia who offers DDoS attack protection, however, the Network Control solution that we are using offers exceptional adaptability and the added value of good data flow visibility, allowing customers to see what is happening in their networks. It has made the job of our network monitoring experts and security team much easier,“ concludes A. Revák of SWAN.
Thanks to the advanced technology in use, SWAN registers several major attacks a day. On specific occasions, such as elections or big sports events, the number grows significantly.
„As the number of sophisticated threats is growing and legislation tightening, network protection is going to be an even more pressing matter for enterprises,“ says Roman Čupka, Country Manager for Slovakia and Principal Consultant CEE at Flowmon Networks.
Obviously, as more and more customers use the Network Control service, the operator's income increases. However, CTO Augustín Revák points out that while the growing revenue is welcome, the key objective remains the above-standard service, which is what persuades customers to make a long-term commitment.
Customers appreciate the cyber-attack protection as well as improved network visibility provided by Flowmon technology. „Thanks to better visibility, customers get a very good overview of what is happening in their networks. They can easily find causes of network overload, non-standard application responses, or excessive data downloading,“ adds R. Čupka.
Based on the network activity analysis, customers can then take steps to prevent problems and optimize the use of network resources. The Managed Security service provided by SWAN allows access to specific applications or Internet services that overload the network to be restricted, thus avoiding the cost of unnecessary link capacity upgrades.
Michal Kaprinay, Operational Infrastructure Manager at the National Agency for Network and Electronic Services, sums up the value of the DDoS attack prevention service: “In the past, we would use internal tools and capacities that weren't enough to fight off sophisticated volumetric DDoS attacks. SWAN enabled us to identify and avert attacks very effectively through its Network Control service while saving our internal resources. On top of that, we can now use a real-time network visibility environment, enhanced with analysis of security and operational issues for better troubleshooting. This made our overall system administration more effective, enabling us to provide critical services to other entities in much better quality.”
Based on subsequent customer enquiries, SWAN is now developing a Network Control service enhancement that should include an additional feature based on Flowmon ADS anomaly detection and behavioral analysis of suspicious network activity.
The service enhancement will provide customers with even more detailed visibility into their networks, allowing them to detect both specific and previously undefined threats, for example by finding packets that should not be present in the network at all, or by revealing forbidden data flows. At the same time, Flowmon ADS will automate and improve the process of identifying network issues, which should make things considerably easier for network administrators as well as for customers.