Security
You need a wholesale provider that’s focused on providing you with the tools to succeed. Our security services are designed to do just that, to provide you with a competitive edge.
A number of the features on offer are complimentary – included by default without charge, for example port scanning (called Pulse Detect) and DDoS protection. Other services, specifically our FortiGate physical and virtual firewalls, come as fully managed solutions for you to sell to your clients.
DDoS
A denial-of-service (DoS) attack floods an IP with traffic, making a website or resource unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple computers or machines to flood a targeted resource. We will default to the latter acronym going forward.
When it comes to DDoS mitigation there is essentially two main technologies, scrubbing and RTBH (remote triggered black hole):
- Scrubbing – filters bad traffic while letting legitimate traffic through. Scrubbing comes in varying levels of granularity, the most blunt being firewall rules on ISP routers (to redirect, rate limit, or drop traffic), and the most fine being DDoS scrubbing appliances which steer traffic to scrubbing devices (which will in most cases increase latency).
- RTBH – signals to all global Tier 1 and many Tier 2 providers that an IP address is the target of DDoS and that we want them to no longer forward traffic to that address. Whilst this is very effective at preventing DDoS traffic from reaching the intended DDoS target, the DDoS target will be taken offline entirely by the mitigation itself.
In practice, this protects the ISP but not the DDoS target. This method sacrifices one subscriber for the good of the rest. In this scenario, wherever possible, we will give the subscriber a new IP address as fast as possible to get them back online.
Lightwire Business uses a mixture of the above to achieve the best outcome for you and your clients.
When we select our upstream carriers for internet connectivity we evaluate what DDoS capabilities they have as part of the selection process. We believe that an effective DDoS strategy starts as close to the source as possible, partnering with companies with DDoS protection located overseas ensures that malicious traffic doesn’t reach NZ/AU shores is a key part of our design.
To date, our strategy has kept any unwanted traffic being scrubbed offshore before reaching our own network. The reports from the scrubbing appliances year to date show DDoS’s of up to 7Gbps are being scrubbed, with the longest DDoS running over 16 hours.
Our selected partners maintain off shore scrubbing appliances in multiple continents. DDoS attacks are automatically detected in real-time and affected traffic is diverted to the scrubbing appliances if the DDoS surpasses 100Mbit or 10000 packets per second.
The initial automation takes effect in about 2 minutes with automatic firewall rules directing traffic to the scrubbing appliances. If the DDoS attack surpasses the scrubbing appliances threshold, the system automatically switches to RTBH. In which event, Lightwire is notified and will in turn notify any business and offer them the ability to change IP addresses.
For traffic within NZ/AU and exchanges we pair at Lightwire has both RTBH as an option and the ability to steer traffic manually to our partner’s scrubbing appliances.
This is a default service for all Lightwire partners.
We offer an enhanced inline scrubbing service as an optional extra where all of your international traffic will pass through our scrubbing appliances all of the time. Advantages of this are:
- Fast DDoS protection reaction time – 18 seconds or less compared to approx. 30 – 120 seconds
- Layer 3 up to Layer 7 deep packet analysis for detection – protects against more attack types
- Detection of “low and slow” attacks – picks up on attacks that are low volume rather than just high volume “volumetric” attacks
Under this model, you will purchase dedicated bandwidth capacity on our scrubbing appliances and have your clients’ traffic scrubbed 24/7, adding protection for more attack types and lowering protection activation time to 18 seconds or less.
If you’re interested in this option, just get in touch and we can talk pricing and design.
The design we have implemented is solid and tested very well during our DR and failover testing. All the VPN, Firewall and WAN site cutovers have gone smoothly and largely without issue.
Your accounts and development team have also been great, they have been responsive to any queries.
For me it’s reassuring and justifies our decision to move to Lightwire Business. Please pass on my thanks to the team, keep up the great work."
Pulse Detect
We’re always looking to offer a value premium to our partners by offering services that complement your efforts, and in this case we do that through proactively scanning our network for services exposing known vulnerabilities, through non-invasive integrations with industry leading security visibility platforms – and reaching out to our partners when issues are detected.
Through doing this we can provide you with an exposure history of an IP address over time (on request), allowing you to address issues on behalf of, and in consultation with, your clients.
This project, which comes as standard for all internet services we are able to monitor, is in its early stages, but we have big plans.
At present, we capture exposed ports/services, expired bad SSL certificates and potential Common Vulnerabilities and Exposures (CVEs) against monitored customer IP addresses.
As we’re capturing scans daily, we can show a time series view per customer, so you can see the exposure history of an IP address over time.
For now, any action taken based on the data collected is manually handled by our security team – with alerts triggering proactive contact from our team to the listed technical contact for the affected service. Currently, only discovered vulnerabilities are being proactively communicated with customers.
Future iterations of this project will display service, firewall and CVE info against locations/circuits in illume (our customer portal) – as well as generate notifications to tech contacts when:
- New services are discovered
- SSL certs expire or have issues
- Any potential CVEs are initially discovered on a service.
At this point in the service rollout, you will be able to easily view the exposure history, along with service descriptions, open ports by IP address and vulnerability info from inside of Illume.
Managed Physical Firewalls
Using the FortiGate product range, typically a 40F, 60F or 100F, we deploy a physical firewall at each site and use a cloud-based collector to provide reporting and visibility of network security.
Under this model, Lightwire handles the configuration, management and reporting of a number of UTM functions.
Managed Virtual Firewalls
Providing the same feature set as a managed physical device, and also based on a FortiGate design, the virtual firewall model sees NGFW functions provided from inside the Lightwire private cloud using multi-tenancy firewalls to allocate virtual domains per clients.
