
Partner Technical Training

Arbor APS Design Basics

Partner • Sales • Engineering


APS
©2017 ARBOR® CONFIDENTIAL & PROPRIETARY Release 5.12
Objectives

At the conclusion of this unit you should understand how to:


• Describe Arbor APS Hardware (overview)
• Describe Arbor APS Licensing
• Describe alternative Deployment Models



SCENARIO:
CUSTOMER UNDER
DDOS ATTACK



Issue & Context

• A large stock trade Website is suffering intermittent DDoS attacks


• They estimate that each hour of downtime is costing them $50K+
• The site is hosted in an external Data Center
• When attack traffic goes over a certain threshold, the Data Center blocks
ALL traffic to their domain to prevent collateral damage
• Customer doesn’t fully understand what is happening
• Firewall is taken down most of the time the attack is active
• They cannot get access to the firewall console to gather information
• We have been called to help them understand what is going on
and recommend a solution to the problem



Issue: Customer Under Attack

• A large stock trade Website is suffering intermittent DDoS attacks

[Diagram: ISP 1, ISP 2 … ISP ‘n’ feed the external Data Center; traffic passes an IPS, the Firewall and a Load Balancer before reaching the target applications and services. Attack traffic and good traffic arrive mixed over the same ISP links.]



Action: Analyze Environment, Propose

• Understand the customer’s web infrastructure and services running over it


• Discuss possible solution design alternatives to mitigate the DDoS attack
using Arbor APS
• Propose a design to identify and mitigate the attack



ARBOR APS
HARDWARE OVERVIEW



Arbor APS Physical Interfaces
Arbor APS uses separate interfaces for:
• Management
  • CLI (via SSH)
  • Graphical interface (via HTTPS)
  • Other management
• Protection
  • Traffic that needs to be protected
• Console serial port
  • Command line access



Management Interfaces (APS 2800)

• 2 integrated copper GE ports
  • 1000base-T, 100base-TX, 10base-T
  • Full or half duplex
  • Configurable auto-negotiation
  • RJ45 (8P8C) connectors on motherboard
  • Jack “1” is configured as mgt0
  • Jack “2” is configured as mgt1
• Serial console port



APS Protection Interfaces: 1 GE Copper

Back of APS 28xx, mixed interfaces

• Selected quad port 10G cards are always installed in slot 6
• For the 2800, the 2nd 10G card is always installed in slot 1
• Shipped in this configuration from the factory; not optional
• Additional 1G ports are installed in slot 7
• Slot numbering (rear view): 6, 1 / 7, 5, 4, 2



Arbor APS 2800 Appliance Options

Protection Interface Options (total of 12 ports)
• One of the following is required and installed in slot 6:
  • 4 x 10G LR
  • 4 x 10G SR
• Optionally, you can add:
  • + 4 x 10G LR
  • + 4 x 10G SR
  • + 4 x 1G Fiber SX
  • + 4 x 1G Fiber LX
  • + 4 x 1G Copper

Power Supply Options: AC or DC

Arbor APS 2600 Appliance Options

Protection Interface Options (total of 12 ports)
• If one of the following is installed in slot 6:
  • 4 x 10G LR
  • 4 x 10G SR
• Optionally, you can add:
  • + 4 x 1G Fiber SX
  • + 4 x 1G Fiber LX
  • + 4 x 1G Copper
  • + 8 x 1G Fiber SX
  • + 8 x 1G Fiber LX
  • + 8 x 1G Copper
• Alternatively:
  • 4 x 1G copper or fiber SX or fiber LX
  • 8 x 1G copper or fiber SX or fiber LX
  • 12 x 1G copper or fiber SX or fiber LX

Power Supply Options: AC or DC

Protection Interfaces: Port Names

Rear view of APS (protection port pairs):

ext0 int0 | ext1 int1 | ext2 int2 | ext3 int3
ext4 int4 | ext5 int5

• 4 x 10G SR, LC connectors
• 4 x 10G LR, LC connectors
• 4 x 1G Copper
Throughput License Options

Appliance   License
vAPS        50 Mbps up to 1 Gbps
APS 2600    APS-2600-100M: 100 Mbps
            APS-2600-250M: 250 Mbps
            APS-2600-500M: 500 Mbps
            APS-2600-1G: 1 Gbps
            APS-2600-2G: 2 Gbps
            APS-2600-5G: 5 Gbps
            APS-2600-10G: 10 Gbps
            APS-2600-15G: 15 Gbps
            APS-2600-20G: 20 Gbps
APS 2800    APS-2800-10G: 10 Gbps
            APS-2800-20G: 20 Gbps
            APS-2800-30G: 30 Gbps
            APS-2800-40G: 40 Gbps
APS Appliance License: Box Sticker

• Production units have permanent license printed on the appliance.

• License keys for Demo and Spare devices should be requested from ATAC
• You will need to provide the device’s Serial Number



ARBOR APS APPLIANCE
DEPLOYMENT



Arbor APS Deployment Modes
• Arbor APS deployment modes:
• Monitor
• Inline Bridged
• Inline Routed (L3 - vAPS Only)
• In the monitor mode, APS does not forward traffic or analyze outbound
traffic. Monitor mode is deployed via a SPAN or Tap out of band from
the network
• In the Inline Bridged mode and Inline Routed mode, APS acts as a
physical connection between two end points and can be configured to
block attack traffic.
• In the inline bridged mode, APS forwards all of the traffic that passes the
mitigation rules.
• In the inline routed mode, vAPS forwards all of the traffic that passes the
mitigation rules, if a valid route is configured to the destination network.
Arbor APS Deployment Modes

• In the web UI, monitor mode appears as “Monitor”. The Active / Inactive
sub-modes are not supported in monitor mode
• In the web UI, the inline deployment modes appear as “Inline Bridged”
(Inline) and “Inline Routed” (L3)
• Both inline modes support the Active / Inactive sub-modes



Arbor APS Deployment Modes

• Typically, monitor mode is used for trial implementations. Monitor mode can also be
used if your organization forbids inline deployment. For example, you can use
APS to detect attack traffic on-premises, but no mitigation will occur
• Typically, the Inline Bridged and Inline Routed (L3) modes are used in an active
implementation. In an active implementation, APS mitigates attacks in addition to
monitoring traffic and detecting attacks.
• Arbor APS can also be used in Inline Inactive mode. In this mode APS analyzes
traffic and detects attacks without performing mitigations.
• The inactive protection mode is similar to monitor mode. Like monitor mode,
the inactive protection mode is typically used for trial implementations.



MONITOR Deployment mode

[Diagram: the ISP links pass through a link tap / port SPAN, which feeds APS a copy of the traffic out of band]

Monitor Deployment Mode - for Detection Only

• Typically used during proof of concept trials and tests
• In this mode Arbor APS can:
  • Detect attacks and bots
  • Report on traffic that would be dropped in inline active mode
  • Initiate cloud signaling
• Potentially, this mode can be used in a production environment in
conjunction with cloud signaling



INLINE Deployment Mode

[Diagram: APS sits inline between the ISP links and the protected infrastructure]

Inline Deployment Mode - Detection & Mitigation

• Fits numerous data center on-site deployment scenarios
• Inline deployment mode with hardware bypass
• Inline Inactive deployment sub-mode to do threat detection only and to gain
confidence in the configuration
• Preferred northbound, protecting other security / application devices:
  • FW
  • WAF
  • IPS/IDS
  • Load balancers
INLINE Deployment Mode (Alternative)

[Diagram: APS deployed inline between the ISP links and the customer’s upstream router]

Inline Deployment Mode - Upstream Router Protection

• Recommended for cases of:
  • Software routers (that is, a router performing packet switching via CPU)
  • Firewalls used as routers
  • Routers with integrated stateful security (built-in firewall or IPS)



Bypass
• All protection interfaces offer Hardware Bypass
  • HW Bypass mode requires no power
  • HW Bypass uses an internal switch between interface pairs
  • The switch is held in “normal” mode by a Bypass timer
  • Arbor APS code resets the interface Bypass timers every second
  • HW Bypass is triggered if a timer runs 2 seconds with no reset
  • HW Bypass can be disabled via CLI
• Protection interfaces will go into Hardware Bypass on:
  • Reboot
  • Loss of power
  • Interface control logic crash or failure
  • Loss of motherboard connectivity
  • Operating system crash
• Protection interfaces will go into Software Bypass when:
  • Arbor APS services are stopped
  • SW Bypass can be disabled via CLI

Note: Hardware Bypass not available with vAPS



Bypass Operation Notes (1 of 3)
• Make sure Ethernet port speed/duplex settings are synchronized
on all four interfaces
• For example: Router, ext_x, int_x, Firewall
• Test Hardware Bypass operation before moving to production
• Make sure routing protocols running over Arbor APS protection interfaces
do not start re-convergence based on link flap
• The Arbor service must be running to make any changes to Bypass
configuration
• Bypass settings apply only to APS appliances deployed in the Inline mode
• Bypass is enabled by default



Bypass Operation Notes (2 of 3)
• To view the configuration and status of both the Hardware and Software
Bypass:
  • services aps bypass show
• Hardware Bypass configuration
  • services aps bypass fail open/closed
    • Configures how the protection interfaces behave when the appliance fails
    • “open” = bypass on fail (traffic passes through the pair, uninspected)
    • “closed” = disconnect on fail (both links of the pair go down; traffic is dropped)
  • services aps bypass force open/closed
    • Manually and immediately forces the protection interfaces into the chosen
      state, without waiting for a failure
    • “open” = force bypass now
    • “closed” = force disconnect now
• Hardware bypass takes precedence when an appliance is already
in soft bypass mode
Bypass Operation Notes (3 of 3)
• Hardware Bypass Configuration (cont.)
• services aps bypass disable
• Manually disables all of the hardware bypass features
• Warning: Network traffic may be dropped if a system failure occurs when hardware
bypass is not configured and software bypass is disabled.
• Software Bypass Configuration
• services aps bypass software disable/enable
• Enable/disable software bypass
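The watchdog and precedence rules from the Bypass slide and the CLI notes above, as a small Python model. This is an added example, not Arbor code: it takes the 1-second timer reset, the 2-second trip, fail open/closed, force open/closed, software bypass on stopped services and the hardware-over-software precedence from the slides, and assumes that timer resets land on whole seconds and that a failed host with hardware bypass disabled drops traffic (the warning on this slide). Names such as BypassConfig, pair_state and timeline are the example's own.

```python
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

HEARTBEAT_PERIOD = 1.0   # APS resets the interface bypass timers every second
BYPASS_TIMEOUT = 2.0     # hardware bypass trips after 2 s without a reset


@dataclass
class BypassConfig:
    """One protection pair's bypass settings, named after the CLI knobs."""
    hw_fail_mode: str = "open"        # services aps bypass fail open|closed
    hw_bypass_enabled: bool = True    # False after: services aps bypass disable
    sw_bypass_enabled: bool = True    # services aps bypass software enable|disable
    forced: Optional[str] = None      # services aps bypass force open|closed
    services_running: bool = True     # False once the Arbor APS services are stopped


def pair_state(cfg: BypassConfig, now: float, last_reset: float) -> str:
    """State of an ext/int protection pair at time `now`, given the time of
    the last bypass-timer reset:
      'forwarding'   - traffic is inspected and mitigated
      'bypass'       - relay closed around the appliance; traffic flows uninspected
      'disconnected' - both links dropped; traffic is black-holed
    """
    if cfg.forced == "open":          # force open: bypass now, regardless of health
        return "bypass"
    if cfg.forced == "closed":        # force closed: drop the links now
        return "disconnected"
    # The hardware watchdog is evaluated first: hardware bypass takes
    # precedence over software bypass once the host stops resetting the timer.
    if now - last_reset >= BYPASS_TIMEOUT:
        if cfg.hw_bypass_enabled:
            return "bypass" if cfg.hw_fail_mode == "open" else "disconnected"
        # Assumption: with hardware bypass disabled a dead host cannot pass
        # traffic, which is the "traffic may be dropped" warning on the slide.
        return "disconnected"
    if not cfg.services_running:      # host alive, APS services stopped
        return "bypass" if cfg.sw_bypass_enabled else "disconnected"
    return "forwarding"


def last_heartbeat(now: float, host_dies_at: float) -> float:
    """Most recent timer reset, assuming resets at t = 0, 1, 2, ... until the
    host fails (OS crash, power loss, control-logic failure) at host_dies_at."""
    alive_until = min(now, host_dies_at)
    return math.floor(alive_until / HEARTBEAT_PERIOD) * HEARTBEAT_PERIOD


def timeline(cfg: BypassConfig, host_dies_at: float,
             probes: Iterable[float]) -> Dict[float, str]:
    """Pair state at each probe time for one scenario."""
    return {t: pair_state(cfg, t, last_heartbeat(t, host_dies_at)) for t in probes}


if __name__ == "__main__":
    crash = 3.2                       # constructed scenario: OS dies at t = 3.2 s
    probes = [3.0, 4.0, 4.9, 5.0, 6.0]
    for mode in ("open", "closed"):
        print(f"fail {mode}:", timeline(BypassConfig(hw_fail_mode=mode), crash, probes))
    # Services stopped but host healthy: software bypass, unless it was disabled.
    print("sw bypass:", timeline(BypassConfig(services_running=False), math.inf, [7.3]))
```

The point the model makes visible: the last reset before a crash at 3.2 s happened at 3.0 s, so the pair keeps forwarding (blindly, since the host is gone) until 5.0 s and only then bypasses or disconnects, and when the host dies while the services were already in software bypass, the hardware fail mode decides the outcome, not the software setting.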



Link Status Propagation
• Arbor APS mirrors link status between interfaces
of a protection port pair in inline mode
• Improved failover if only one link in a pair fails
• Enabled by default



Configuring Link State Propagation Timeouts
• Overview
• Timeouts for Link State Propagation can now be configured for:
• Interface Down – the amount of time the APS waits after one interface in a pair
goes down before it disconnects the other interface
• Interface Up – the amount of time the APS waits after the original down interface
reconnects before it restores the other interface
• Default timeout period = 5 seconds
• Valid range 1 – 5 seconds

Note: Not supported on vAPS
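The link state propagation behaviour described on the two slides above, with the Interface Down and Interface Up timeouts, as an added Python model (not Arbor code). The slide facts used are: in inline mode the state of one interface in a pair is mirrored onto its peer, Interface Down is how long APS waits after one side drops before disconnecting the other, Interface Up is how long it waits after the original side returns before restoring the peer, and the valid range is 1 to 5 seconds with a 5-second default. That a flap shorter than the timeout cancels the pending change is this example's reading of "waits ... before"; the function names and the event list are constructed for the example.

```python
from typing import List, Optional, Tuple

Event = Tuple[float, str]   # (seconds, "down" | "up") observed on one side of a pair

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 1.0, 5.0, 5.0   # per the slide


def validate_timeout(seconds: float) -> float:
    """Reject values outside the 1-5 s range the appliance accepts."""
    if not TIMEOUT_MIN <= seconds <= TIMEOUT_MAX:
        raise ValueError(
            f"link state propagation timeout must be {TIMEOUT_MIN:g}-{TIMEOUT_MAX:g} s, got {seconds}")
    return seconds


def propagate(events: List[Event],
              down_timeout: float = TIMEOUT_DEFAULT,
              up_timeout: float = TIMEOUT_DEFAULT) -> List[Event]:
    """Given link events seen on one interface of an inline pair (e.g. ext0),
    return the transitions APS applies to its peer (int0).

    * the peer goes down `down_timeout` s after the observed side drops, unless
      the observed side comes back first (short flaps are absorbed);
    * the peer is restored `up_timeout` s after the observed side returns,
      unless the observed side drops again first.
    """
    validate_timeout(down_timeout)
    validate_timeout(up_timeout)
    peer_up = True
    pending: Optional[Event] = None        # (fire_at, new peer state) awaiting a timeout
    transitions: List[Event] = []
    for t, ev in sorted(events):
        if pending is not None and pending[0] <= t:   # timer expired before this event
            transitions.append(pending)
            peer_up = pending[1] == "up"
            pending = None
        if ev == "down":
            if pending is not None and pending[1] == "up":
                pending = None              # dropped again before restore: keep peer down
            elif peer_up and pending is None:
                pending = (t + down_timeout, "down")
        elif ev == "up":
            if pending is not None and pending[1] == "down":
                pending = None              # came back within the timeout: never propagated
            elif not peer_up and pending is None:
                pending = (t + up_timeout, "up")
        else:
            raise ValueError(f"unknown link event {ev!r}")
    if pending is not None:                 # no later event cancelled it
        transitions.append(pending)
    return transitions


if __name__ == "__main__":
    # Constructed ext0 histories: a 2 s flap, then a 20 s outage with a
    # second flap while the link is being restored.
    flap = [(0.0, "down"), (2.0, "up")]
    outage = [(0.0, "down"), (20.0, "up"), (22.0, "down"), (30.0, "up")]
    print("flap, default 5 s timeouts  ->", propagate(flap))
    print("flap, 1 s timeouts          ->", propagate(flap, 1.0, 1.0))
    print("outage, default timeouts    ->", propagate(outage))
```

With the default 5-second timeouts a 2-second flap on ext0 never reaches int0, so the router and firewall on either side see nothing and no routing-protocol re-convergence is triggered (the concern raised on the first Bypass Operation Notes slide); with the timeouts at the 1-second minimum the same flap is propagated.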



On-Board Inspection

Protection against DDoS attacks encrypted with SSL 3, TLS 1.0, TLS 1.1 or TLS 1.2

• FIPS 140-certified SSL acceleration cards
  • Available with new appliances
  • Existing appliances are field upgradeable
• Performance
  • APS 2800: up to 5 Gbps of decryption
  • APS 2600: up to 750 Mbps of decryption

Note: SSL 3 and TLS 1.0 are deprecated protocols; the appliance can inspect them, but the protected servers should not be offering them.



Unit Summary

In this unit we have learned how to:


• Describe Arbor APS Hardware (overview)
• Describe Arbor APS Licensing
• Describe alternative Deployment Models



Q&A / THANK YOU
