Security
We’re a wholesale provider focused on helping you grow
Our security services give you a competitive edge, with key features included at no extra cost
DDoS
A denial-of-service (DoS) attack floods an IP with traffic, making a website or resource unavailable. A distributed denial-of-service (DDoS) attack is a DoS attack that uses multiple computers or machines to flood a targeted resource. We will default to the latter acronym going forward.
When it comes to DDoS mitigation there are essentially two main technologies, scrubbing and RTBH (remote triggered black hole):
- Scrubbing – filters bad traffic while letting legitimate traffic through. Scrubbing comes in varying levels of granularity, the bluntest being firewall rules on ISP routers (to redirect, rate limit, or drop traffic), and the finest being DDoS scrubbing appliances which steer traffic to scrubbing devices (which will in most cases increase latency).
- RTBH – signals to all global Tier 1 and many Tier 2 providers that an IP address is the target of DDoS and that we want them to no longer forward traffic to that address. Whilst this is very effective at preventing DDoS traffic from reaching the intended DDoS target, the DDoS target will be taken offline entirely by the mitigation itself.
In practice, this protects the ISP but not the DDoS target. This method sacrifices one subscriber for the good of the rest. In this scenario, wherever possible, we will give the subscriber a new IP address as fast as possible to get them back online.
Lightwire Business uses a mixture of the above to achieve the best outcome for you and your clients.
When we select our upstream carriers for internet connectivity we evaluate what DDoS capabilities they have as part of the selection process. We believe that an effective DDoS strategy starts as close to the source as possible. Partnering with companies whose DDoS protection is located overseas, so that malicious traffic doesn’t reach NZ/AU shores, is a key part of our design.
To date, our strategy has seen unwanted traffic scrubbed offshore before it reaches our own network. The reports from the scrubbing appliances year to date show DDoS attacks of up to 7Gbps being scrubbed, with the longest DDoS running over 16 hours.
Our selected partners maintain offshore scrubbing appliances on multiple continents. DDoS attacks are automatically detected in real time and affected traffic is diverted to the scrubbing appliances if the DDoS surpasses 100Mbit or 10000 packets per second.
The initial automation takes effect in about 2 minutes with automatic firewall rules directing traffic to the scrubbing appliances. If the DDoS attack surpasses the scrubbing appliances’ threshold, the system automatically switches to RTBH. In that event, Lightwire is notified and will in turn notify any affected business and offer them the ability to change IP addresses.
For traffic within NZ/AU and at the exchanges we peer at, Lightwire has both RTBH as an option and the ability to steer traffic manually to our partner’s scrubbing appliances.
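The escalation described above (forward, divert to scrubbing, fall back to RTBH) can be modelled over flow records as follows. This is an added illustration, not Lightwire's or its partners' code: the 10-second window, the scrubbing capacity figure, the record layout and the sample flows are assumptions, and "100Mbit" is read as 100 Mbit/s.

```python
from collections import defaultdict

# Diversion thresholds stated on the page.
DIVERT_BPS = 100_000_000   # 100 Mbit/s
DIVERT_PPS = 10_000        # 10,000 packets per second
# Assumptions: the page gives neither the appliance limit nor a window.
SCRUB_CAPACITY_BPS = 10_000_000_000   # hypothetical appliance limit
WINDOW = 10                           # seconds per measurement window

# Constructed sample flow records: (timestamp_s, dst_ip, bytes, packets).
SAMPLE_FLOWS = [
    (1, "192.0.2.10", 2_000_000, 2_000),         # ordinary traffic
    (12, "192.0.2.10", 1_500_000, 1_400),        # ordinary, next window
    (2, "192.0.2.20", 9_000_000, 150_000),       # small-packet flood
    (3, "192.0.2.30", 70_000_000, 47_000),       # two sources that only
    (7, "192.0.2.30", 70_000_000, 47_000),       # exceed 100 Mbit/s together
    (4, "192.0.2.40", 15_000_000_000, 12_000_000),  # beyond assumed capacity
]

def rates_per_destination(flows, window=WINDOW):
    """Aggregate records into {(dst, window_start): (bits/s, packets/s)}."""
    totals = defaultdict(lambda: [0, 0])
    for ts, dst, nbytes, npkts in flows:
        bucket = totals[(dst, ts - ts % window)]
        bucket[0] += nbytes
        bucket[1] += npkts
    return {k: (b * 8 / window, p / window) for k, (b, p) in totals.items()}

def decide(bps, pps, scrub_capacity_bps=SCRUB_CAPACITY_BPS):
    """Pick the mitigation for one destination in one window."""
    if bps > scrub_capacity_bps:
        return "rtbh"      # target goes offline; subscriber needs a new IP
    if bps > DIVERT_BPS or pps > DIVERT_PPS:
        return "scrub"     # steer traffic to the scrubbing appliances
    return "forward"

def mitigation_plan(flows):
    """Most severe action seen per destination across all windows."""
    severity = {"forward": 0, "scrub": 1, "rtbh": 2}
    plan = {}
    for (dst, _), (bps, pps) in rates_per_destination(flows).items():
        action = decide(bps, pps)
        if severity[action] >= severity[plan.get(dst, "forward")]:
            plan[dst] = action
    return plan

if __name__ == "__main__":
    for dst, action in sorted(mitigation_plan(SAMPLE_FLOWS).items()):
        print(dst, action)
```

The 192.0.2.20 case is only 7.2 Mbit/s but 15,000 packets per second, which is why the packet-rate trigger exists alongside the bandwidth one.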
This is a default service for all Lightwire partners.
We offer an enhanced inline scrubbing service as an optional extra where all of your international traffic will pass through our scrubbing appliances all of the time. Advantages of this are:
- Fast DDoS protection reaction time – 18 seconds or less compared to approx. 30 – 120 seconds
- Layer 3 up to Layer 7 deep packet analysis for detection – protects against more attack types
- Detection of “low and slow” attacks – picks up on attacks that are low volume rather than just high volume “volumetric” attacks
Under this model, you will purchase dedicated bandwidth capacity on our scrubbing appliances and have your clients’ traffic scrubbed 24/7, adding protection for more attack types and lowering protection activation time to 18 seconds or less.
If you’re interested in this option, just get in touch and we can talk pricing and design.

"The design we have implemented is solid and tested very well during our DR and failover testing. All the VPN, Firewall and WAN site cutovers have gone smoothly and largely without issue.
Your accounts and development team have also been great, they have been responsive to any queries.
For me it’s reassuring and justifies our decision to move to Lightwire Business. Please pass on my thanks to the team, keep up the great work."
Pulse Detect
We’re always working to deliver value that goes beyond expectations — providing tools and services that enhance your security posture and support your efforts.
Pulse Detect, available exclusively through our Partner Portal, illume, gives you clear visibility into publicly available vulnerability data tied to your infrastructure. This includes open ports and potential Common Vulnerabilities and Exposures (CVEs) linked to your public IPs — the same information adversaries are scanning for.
Powered by trusted third-party scanning services and refreshed weekly, the Pulse Detect dashboard delivers a high-level, human-readable summary of your exposure, so you can take action with confidence and clarity.
You see what they see — before it becomes a problem.
Managed Physical Firewalls
Using the FortiGate product range, typically a 40F, 60F or 100F, we deploy a physical firewall at each site and use a cloud-based collector to provide reporting and visibility of network security.
Under this model, Lightwire handles the configuration, management and reporting of a number of UTM functions.
Managed Virtual Firewalls
Providing the same feature set as a managed physical device, and also based on a FortiGate design, the virtual firewall model sees NGFW functions provided from inside the Lightwire private cloud using multi-tenancy firewalls to allocate virtual domains per client.