Protect Your Network Infrastructure and Subscribers from Online Threats, and Build a Network That Fights Back
The Network Protection capability of Sandvine's Network Security Product allows communications service providers (CSPs) to identify a wide range of network threats in real time for reporting and mitigation to deliver the following key benefits:
Lowered Support Costs
Reduce support calls and retain customers by blocking service-impacting malicious activity, and engage subscribers to help remove associated malware
Create Service Differentiation
Offer value-added security services to subscribers and businesses
Understand the threat landscape with detailed historic and real-time cyber security threat reporting
By addressing outbound email spam, CSPs can avoid the costs and headaches associated with inclusion on blacklists
Block Bad Traffic. Protect the Good.
The Network Protection feature of Sandvine’s Network Security product helps protect both subscribers and operators from within the CSP network, by increasing the cost for attackers while preventing threats from ever reaching the subscriber’s front door. With Network Security, CSPs can rapidly implement a wide range of valuable cyber security use cases residential, business, and Internet of Things (IoT) customers, including:
Key Features of Network Protection
Sandvine QuickSand protects networks using "decoy and deception" techniques to hinder malicious attackers by materially increasing the costs of the attacks and preventing their success. Sandvine's QuickSand achieves this by using multiple techniques, including:
- Network Scale Tarpitting: Slows down the propagation of attacks and malicious activity by acknowledging requests made by malicious actors with information that falsely suggests progress while the attack is actually being mitigated
- Dynamic Vulnerability Masking: Identifies subscribers and servers that are running vulnerable software versions, and leverages Sandvine's SandScript capabilities to dynamically lead the potential attacker to believe that the secure version of the software is running instead, thereby preventing the attack before it starts
Threats are detected using policies that can be tailored for individual subscribers and subscriber classes (e.g., individual business customers), including:
- Single-origin or distributed denial of service attacks: SYN flood, flow flood, bandwidth, reflector
- Outbound spam: email spam using the CSP’s mail servers (protocol-based port locks can also be applied to prevent connections to remote email servers)
- Malware scanning: address and port scans
Behavioral signatures: attack detection is not reliant on specific attack signatures (so the network is always protected against zero-day attacks); instead, attacks are identified through behavioral signatures based on (in part):
- Multi-factor analysis: detections include analysis of measurements of source IPs, source ports, destination IPs, destination ports, and transport protocol; different attack detections rely on different thresholds and ratios applied to different factors; outbound email detection is based on analysis of a multitude of email-specific factors
- Sampling thresholds: configurable sampling thresholds, over configurable periods of time, and intelligent normalization
Once threats are detected, a range of actions can be taken, including: block, flow rate-limit, BGP flow spec (well-suited for ‘scrubbing’ use cases), mark, divert, and tee to file. These can be applied with varying degrees of automation.
- Alarm: notify operations personnel about threatening activity
- Manually block: monitor detected threats and selectively block, in real-time and as needed
- Automatically block: automatically take action to limit or block detected threats
The Sandvine platform scales to support the world’s largest networks, so your network-based attack defense works no matter your bandwidth volume. Network Protection is specifically designed to perform in carrier-grade environments, and can handle large-volume attacks greater than 1 terabit per second.
Security events are logged and can be used for audit purposes or examined for business and operational intelligence. Historic reports are available within Sandvine’s Network Demographics reporting interface, and Sandvine’s Control Center provides real-time visibility into ongoing threats for operational analysis.