Threat Containment across MPLS links

tyagi.v
Level 1

Hi,

As per the enclosed topology, we want to restrict ransomware or other kinds of threats from spreading across different office locations through MPLS links. What is the best solution for this kind of environment?

 

Vijay


asiergd
Level 1

Hi tyagi.v,
There are many questions about your environment, but if there is BGP in place you can deploy BGP flowspec in order to mitigate some problems.
If you know the flow details (L3/L4 information: addresses, port numbers, protocol, etc.) of the threat, you can deploy policies to discard or rate limit those flows on hundreds of devices in seconds. The action is done from a central site (the controller; don't worry, more on that later).
The solution is scalable and no other protocol needs to be deployed. You need to add another address family to BGP.
Basically, BGP flowspec is formed by one or more controllers, clients and an RR (the RR is optional).
The controller can be another device, for example an IOS-XR box, although there are other solutions like exabgp.
The clients can be PE devices running IOS, IOS-XE or IOS-XR; take into account the IOS(-XE) and XR release versions.
Cisco documentation hosts great information and configuration guides about BGP flowspec for each IOS, IOS-XE and IOS-XR version.
Good luck.
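To make the controller/client split above concrete, here is an added IOS-XR configuration sketch; it is not from the reply or from Cisco's guides, and the AS number, addresses, port and policy names are constructed assumptions for illustration only.

```text
! ---- Controller (IOS-XR) ----
! Constructed example: the prefix, port and names are assumptions.
! The class-map carries the L3/L4 details of the threat flow; here
! TCP to port 445 sourced from a branch prefix we want to contain.
class-map type traffic match-all THREAT-FLOW
 match source-address ipv4 10.20.0.0 255.255.0.0
 match protocol tcp
 match destination-port 445
 end-class-map
!
! The policy-map carries the action distributed with the rule:
! drop here; a police (rate-limit) action is the other common choice.
policy-map type pbr FLOWSPEC-CONTAIN
 class type traffic THREAT-FLOW
  drop
 !
 class type traffic class-default
 !
 end-policy-map
!
! Binding the policy under "flowspec" turns it into flowspec NLRI
! that BGP advertises, instead of a policy applied only locally.
flowspec
 address-family ipv4
  service-policy type pbr FLOWSPEC-CONTAIN
 !
!
! The extra address family asiergd mentions: ipv4 flowspec towards
! the PE clients (or an RR that reflects it to them).
router bgp 65000
 address-family ipv4 flowspec
 !
 neighbor 192.0.2.2
  remote-as 65000
  address-family ipv4 flowspec
  !
 !
!
! ---- Each PE client (IOS-XR) ----
! Same BGP flowspec address family towards the controller, plus
! local-install so received rules are programmed on all interfaces.
flowspec
 address-family ipv4
  local-install interface-all
 !
!
```

Withdrawing the controller's policy removes the rule from every client again, which is what makes the containment action reversible from the central site.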

Adam Vitkovsky
Level 3

Hi,

I suggest you talk to your MPLS providers as they might already have a solution for you.

What you’re looking for is a solution based on an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) from Palo Alto or Arbor, etc.

This system will be trained on your usual network traffic baseline and will report and potentially block any anomalies or deviations. These vendors provide tons of signatures and keep adding new ones on a daily basis, allowing the device to spot and react to countless types of malicious traffic.

Then you have three options:

  1. Either buy a small IDS/IPS unit for each one of your sites; this will most likely not cost in.
  2. Or make all traffic between sites go through one or a couple of central locations with a large IDS/IPS in each; this might need a change of your VPN setup to hub-and-spoke.
  3. Similar to 3, but you won’t buy the IDS/IPS HW yourself and would rather rent it as a service from your MPLS providers.

 

Note: for 1 and 2 you’d also need to pay a recurring fee to the vendor for support so you get the latest updates, so I think it makes sense to just rent it as a service from your MPLS providers; then you don’t need to worry about a thing and you’d have someone to shout at if things go south.

 

Actually, I forgot to mention that going with IDS/IPS is just one option, providing centralized control of what enters or leaves a site.

However, proper security is deployed in a layered approach (like an onion), so there are other (more distributed) measures like proper security software on your company PCs, the latest patches, etc. (this is harder if you have a BYOD policy, but still doable), and services protecting your email (like Mimecast, for example).

 

adam

 

netconsultings.com
