Managed DDoS Service – Service Description and SLA
Created by: Ian Nice
Document Version: 2.1
Document Publication Date: 1st June 2017
Document Classification: Public
NCC Group | Page 2 Document Version 2.1 – 01/06/2017
Copyright and Confidentiality Statements
This document is Copyright NCC Group. All rights reserved.
The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior written permission of NCC Group.
The information in this document is subject to change without notice. NCC Group shall not be liable for any damages resulting from technical errors or omissions which may be present in this document, or from use of this document.
This document is an unpublished work protected by the United Kingdom copyright laws and is proprietary to NCC Group. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by anyone other than authorised employees, authorised users, or licensees of NCC Group without the prior written consent of NCC Group is prohibited.
Control Information
Customer Name:
Document Title: Managed DDoS Service – Service Description and SLA
Version: 2.1
Publication Date: 01/06/2017
Prepared By: Ian Nice
Classification: Commercial in Confidence
Version | Date | Author | QA | Change Summary
1.6 | 01/07/2015 | Ian Nice | Lee Driver | Removed Juniper references
2.0 | 18/05/2016 | Ian Nice | Lee Driver | Migration to NCC Group service description format.
2.1 | 01/06/2017 | John Saunders | Jon Shallow | Grammar corrections
1. Introduction
Purpose
The purpose of this document is to set out a clear description of the NCC Group Managed DDoS protection service, and the capabilities delivered to customers.
Service overview
Denial-of-service (DOS) or distributed denial-of-service (DDOS) attacks are an attempt to make a machine, application or network resource unavailable to its intended users by overwhelming the resource with valid and invalid requests. The nature of DDoS attacks has evolved over recent years to become highly complex; they can be used in isolation, or as one component within a series of events used by an attacker to breach a network's integrity.
The service is designed to stop DOS and DDOS attacks and respond to changing network conditions. Should the NCC Group Distributed Denial of Service Secure (DDOS Secure) technology identify an unusual trend in traffic activity, or that a protected service's performance is beginning to degrade, an alert will be generated and the solution can optionally take automatic defensive steps to resist resource exhaustion.
Analysts in the NCC Group 24/7 Security Operations Centre (SOC) will monitor alarms generated by the platform and undertake agreed remediation actions, which can include DDOS Secure local traffic cleaning and using BGP Flowspec to notify your ISP to block traffic. Our analysts will also escalate incidents to you, using a pre-agreed escalation process for all incident notifications.
Figure 1 – Managed DDOS Protection Service
The managed service is underpinned by NCC Group DDOS Secure technology, which provides DDoS protection mechanisms. If a protected server is subjected to a DOS attack then its ability to serve valid traffic will be affected; for example, the TCP backlog queue may reach its capacity and the server may start to drop network traffic. This drop in performance is identified by DDOS Secure and defensive measures can be applied.
At this point only those IP addresses with a good behavioural pattern will receive a sufficiently high rating to be allowed to communicate with the protected device. Using this approach, NCC Group DDOS Secure actively defends against network-traffic-based flood attacks.
Overview
Table 1 shows the key features of the managed DDoS protection service:
Design, installation and configuration
Service initiation meeting
Site to SOC VPN implementation
On premise DDOS protection
24/7 security monitoring
Around the clock health monitoring
Support for issue resolution
Vendor ticket management
Proactive patching and upgrade
Service reporting
Configuration backup and restore
Access to managed service portal
Monthly service reporting
Table 1 - Service features
Supported platforms
The NCC Group managed DDoS protection service supports virtual and appliance based installations of:
NCC Group DDOS Secure
Juniper DDOS Secure (now known as NCC Group DDOS Secure)
2. Service commissioning
This section describes the service commissioning phase for the managed DDoS protection service.
Design, installation and configuration
NCC Group maintains a structured approach to service design and delivery, which is determined by the network design and the applications that are being protected by the service. This might include discussion of high availability requirements, network throughput and device placement. NCC Group professional services engineers will work with the customer to design the solution and implement the DDOS Secure configuration and rule set.
Figure 2 - Commissioning
Our professional services team will also work with the customer to agree how the defensive technologies should react when an attack is identified. The DDOS Secure appliances can provide automatic delivery of defensive techniques, or can simply alarm the NCC Group SOC so that our customers can make informed decisions.
This setup process might include:
Setup of initial alerting options from the DDOS Secure Appliances
Setup of management access from the NCC Group SOC
Configuration to allow traffic from any known penetration testing networks
Configuration and CHARM boosting of any preferred administration clients or networks
Setup of access control list for traffic by protocol per host
Configuration of maximum connections per server/per IP
Configuration of maximum connections per second per server/per IP
Configuration of backlog queue per server/per IP
Configuration of port or IP bandwidth limits
Configuration of port or IP packets-per-second limits
Configuration of DDOS Secure thresholds for alerting
Configuration of network interface speeds
Establishment of threat response limits
Configuration of BGP Flowspec to enable upstream blocking to protect your network link (where supported by your ISP)
Configuration of the optional cloud based scrubbing service.
Service initiation meeting
Following completion of the initial service setup tasks, the NCC Group service management team will arrange a service initiation meeting. The aim of this meeting is to provide a smooth transition of the client's service into live operation. The meeting will be attended by the client and the NCC Group service manager, who will be responsible for the ongoing management.
Following the meeting these documents will be agreed:
Client contact and escalation matrix
Authentication passphrase
Contact and escalation matrix
Incident handling and escalation procedure
Service reporting schedule.
Process for gaining approval to work with the client's ISP to mitigate attacks.
Site to SOC VPN implementation
NCC Group will work with the customer to implement resilient site to site Internet Protocol Security (IPSEC) VPNs. NCC Group will provide customer hardware and installation support where required (as specified in the customer order form or proposal document). The VPN establishment allows the commencement of the managed service and is used for forwarding of events to the SOC.
3. Service features
On premise DDoS protection
A typical DDOS outage occurs when resources are unable to handle the volume of connection requests at a particular time. This might be through an induced malicious attack using a botnet, or it could be a legitimate 'flash crowd' effect during peak traffic periods. To the end user there is no difference: at best a degradation in response times, at worst a disruption in the resource's availability, resulting in an outage with potentially serious repercussions.
The managed DDoS protection service is underpinned by on-premise deployed NCC Group DDoS Secure technology, which provides DDoS detection and defence capabilities.
Figure 3 - DDOS Secure Detection
More details of the NCC Group DDoS Secure technology can be found in the DDoS Datasheet, available from your account manager on request.
BGP Flowspec ISP Notifications
The DDOS Secure on-premise solution is installed on the customer's network, and is designed to identify DDoS traffic patterns and provide defensive capabilities. However, the challenge with an on-premise DDoS mitigation solution is that it cannot prevent volumetric attacks from saturating the customer's Internet bandwidth capacity. Whilst targeted attacks focused on a specific server may only utilise a relatively small amount of the available network bandwidth, modern attacks often use a very large number of attacking machines, which can saturate the entire bandwidth of the organisation.
The DDOS Secure appliance supports injecting BGP Flowspec routes, which provide upstream information to your ISP so that filtering can be applied at the ISP using the BGP protocol. With Flowspec, the SOC has the ability to make granular decisions about what traffic to ask the ISP to drop. By operating with Flowspec mitigation, routers within the ISP can be instructed to add Access Control List (ACL) blocks to prevent or limit traffic from specific IP addresses from traversing your ISP link, effectively black-holing volumetric attack traffic at the ISP.
The NCC Group DDOS Secure appliance supports two BGP Flowspec ACL injection modes, which can be configured by NCC Group professional services consultants during initial setup. The appliance can automatically inject BGP Flowspec ACLs to the ISP to ask for the traffic to be dropped when an attack is detected. Alternatively, the DDOS Secure appliance can simply provide recommended Flowspec ACLs, which have to be manually approved using the DDOS Secure interface by analysts in the NCC Group SOC once an appropriate approval has been received from your security team.
Figure 4 - BGP Flowspec Volumetric Protection
Note: Not all Internet Service Providers (ISPs) support BGP Flowspec ACL requests. The NCC Group professional services team will work with your network engineers and your ISP to identify whether this service feature can be enabled.
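The two Flowspec injection modes described above, modelled as an added Python example (not NCC Group code and not the DDOS Secure product's interface): a detection event becomes a Flowspec match with a traffic-rate action and is either advertised to the ISP immediately or held until the SOC records the customer's explicit authority. The link capacity, the saturation threshold, the prefixes and the ticket reference are constructed assumptions.

```python
# Model of the two Flowspec injection modes described above (constructed
# example; prefixes, rates and the saturation threshold are assumptions).
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional

@dataclass(frozen=True)
class DetectionEvent:
    """Appliance report: protected destination prefix, offending source
    prefix, IP protocol number, destination port, observed inbound rate."""
    dst_prefix: str
    src_prefix: str
    protocol: int                # 17 = UDP, 6 = TCP
    dst_port: Optional[int]
    observed_bps: float          # bits per second reaching the appliance

@dataclass(frozen=True)
class FlowspecRule:
    """Flowspec match components (RFC 5575) plus a traffic-rate action in
    bytes per second; a rate of 0 asks the ISP to discard the traffic."""
    dst_prefix: str
    src_prefix: str
    protocol: int
    dst_port: Optional[int]
    rate_bytes_per_sec: int

def needs_upstream_block(ev: DetectionEvent, link_bps: float,
                         fraction: float = 0.8) -> bool:
    """On-premise cleaning cannot help once the link saturates, so only ask
    the ISP when the attack consumes most of it (threshold is assumed)."""
    return ev.observed_bps >= fraction * link_bps

def build_rule(ev: DetectionEvent, limit_bps: Optional[float] = None) -> FlowspecRule:
    """Discard by default, or rate-limit when a bits-per-second ceiling is
    given. Prefixes are normalised so a malformed value cannot reach the ISP."""
    dst = ip_network(ev.dst_prefix, strict=False)
    src = ip_network(ev.src_prefix, strict=False)
    rate = 0 if limit_bps is None else int(limit_bps // 8)
    return FlowspecRule(str(dst), str(src), ev.protocol, ev.dst_port, rate)

@dataclass
class FlowspecInjector:
    """'automatic' advertises every rule at once; 'manual' holds rules until
    the SOC records the customer's explicit authority to block."""
    mode: str
    advertised: List[FlowspecRule] = field(default_factory=list)
    pending: List[FlowspecRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in ("automatic", "manual"):
            raise ValueError("mode must be 'automatic' or 'manual'")

    def handle(self, rule: FlowspecRule) -> str:
        if self.mode == "automatic":
            self.advertised.append(rule)
            return "advertised"
        self.pending.append(rule)
        return "pending-approval"

    def approve(self, rule: FlowspecRule, authority_ref: str) -> None:
        """Release a held rule once authority (a ticket reference) exists; the
        SLA clock covers this step, not the ISP's BGP propagation time."""
        if not authority_ref:
            raise ValueError("explicit customer authority is required")
        self.pending.remove(rule)
        self.advertised.append(rule)

    def withdraw(self, rule: FlowspecRule) -> None:
        """Withdraw the advertisement once the attack subsides."""
        self.advertised.remove(rule)
```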
24/7 security monitoring
When unusual traffic patterns are detected by the DDOS Secure appliance, an alarm will be raised to the NCC Group 24/7 SOC for triage. Security events will be escalated to the customer in line with the escalation process defined during the service initiation meeting and governed by the security triage SLA.
Where possible, NCC Group analysts will also use correlation logic to attempt to identify attackers who have attacked any of our other Managed DDoS prevention customers. We use this information to raise the severity of attacks when they begin, and provide context to allow us to quickly focus on high severity threats.
Where specified within the device configuration, NCC Group analysts will evaluate the events reported by the DDOS Secure appliance and work with you to take appropriate action to reduce the effects of either an attack or excess traffic on the protected systems. Any actions recommended will be based on best practice and the Security Analyst's professional opinion, and will take into account:
Severity of the attack
Nature of the attack
Information from other DDOS Secure devices
Professional experience of other events.
In the event that an attack is ongoing, NCC Group engineers will apply approved configuration changes to the DDOS Secure appliance, implemented promptly in line with the security triage target remediation SLA. In the event that the Customer's ISP has the capability to support upstream blocking and the NCC Group SOC has received explicit authority to block a specific attack, we will work with the ISP to block significant attacks upstream to prevent bandwidth exhaustion. This may include use of Border Gateway Protocol (BGP) Flowspec to request that the ISP black-hole some internet addresses.
Important note: The response times set out in our SLAs apply to remediation settings being applied to the DDoS Secure appliance or requesting a change from the Customer’s ISP. Actual remediation of DDoS is reliant on the appliance, ISP and BGP peering time on the Internet and is therefore out of scope of the SLA.
During the period of the managed service contract, the NCC Group SOC will work with the customer to provide ongoing baselining of the configuration, and to tune out alerts associated with approved activities such as vulnerability scans or application testing. By working with the customer to tune the system, the SOC keeps false positive alerts to a minimum, allowing customers to focus on genuine high severity incidents when they occur.
Around the clock health monitoring
Our 24/7 SOC will monitor the appliance to validate that it is operating within normal boundaries. Our service will monitor:
Device throughput
DDOS Secure availability
Network, CPU and Memory capacity.
All incidents of this type will be classified using the ticket severity levels and SLA targets defined in the health, availability and capacity monitoring SLA section.
Support for issue resolution
In the event that a DDoS system availability or performance incident is identified by our availability monitoring solution, NCC Group administrators will work to begin remote remediation of that incident.
All incidents of this type will be classified using the ticket severity levels and SLA targets defined in the health, availability and capacity monitoring SLA section. Please note: where hardware support is required, the health, availability and capacity monitoring SLA shall not apply.
In some instances the NCC Group SOC will contact the customer to ask for the appliance power and network connections to be checked. In the event of hardware replacement, the customer shall be responsible for receiving, installing and applying a basic configuration to the device with remote support from an NCC Group engineer. We will then apply the latest configuration backup remotely and restore service.
Proactive patching and upgrade
In the event of a software upgrade becoming available, NCC Group managed service customers will receive a notification, containing details of the changes available in the software. Customers can then request the update to be applied by opening a change ticket on the NCC Group managed service portal.
NCC Group will prioritise the installation of any security or vulnerability related patch(es); these shall be applied by our engineers in agreement with the client.
NCC Group engineers will follow internal managed service change and release procedures, with full regression testing built into each change wherever practical; the customer will be responsible for completing any internal change management processes required.
Service reporting
The service will be reported on monthly, and the report is distributed via the managed service portal. The report is split into two sections, described below:
Service Health
The service health section gives customers an indication of service availability, performance and capacity, broken down by device. The following table shows the reports generated as part of the service:
Report section | Frequency of production | Monitoring period | Report description
Device Health | Monthly / Real-Time Dashboard | 30 seconds | Report shows key measurements of capacity on system resources over the previous calendar month: memory usage, data throughput, CPU utilisation
Availability | Monthly / Real-Time Dashboard | 30 seconds | Report shows key measurements of availability of managed device(s) over the previous calendar month
Recorded Tickets | Monthly / Real-Time Dashboard | n/a | Report details all tickets logged for the client over the previous calendar month.
Table 2 - Service reporting
Threat Analysis
The threat analysis section gives a summary of how the on-premise DDOS Secure equipment has been protecting the customer over the reporting period. This includes:
Threat Analysis
Attack status
Throughput vs dropped - Please note that if a device is in analyse mode, no traffic has been dropped; the figure then indicates what action would have been taken if the device had been in defensive mode
Top worst offenders
Top incidents.
All reports are distributed via the managed service portal.
Configuration backup and restore
Before any change to configuration, NCC Group engineers will make a configuration backup in line with the change management process; the device configuration settings are stored in the NCC Group managed services Configuration Management Database (CMDB) using version control. In the event of hardware failure, or if a change needs backing out, the previous version can be restored from the NCC Group CMDB.
Secure Client Portal
Customers will have access to the NCC Group managed service portal, which shows the health and security alarms sent to the SOC for analysis. Customers can review events, statistics and incidents.
In addition to ticket status, customers also get access to a near real time DDOS Secure dashboard which shows significant alarms and attack status information, as well as information on availability, throughput and performance.
Figure 6 – DDOS Dashboard
4. Service boundaries
The following section outlines features that are not in scope of the managed service.
Not Included
Hardware costs and maintenance unless otherwise specified in the customer order form or proposal
SOC interactions with systems outside of the in scope DDoS appliances and management systems
Changes to the deployment architecture, once the service has been deployed.
Consulting (other than that delivered as the professional services engagement included with the service commissioning phase as detailed in the customer order form or proposal)
Site visits, e.g. to install/cable/rack an RMA replacement
Formal training.
Obligation to provide a function or feature not already present or pre-identified.
Figure 5 - NCC Group managed service portal
5. Customer responsibilities
The Customer agrees to inform NCC Group of any network or infrastructure changes that may impact on the service. This might include but is not limited to:
Any projected increases in, or abnormal usage of, the service outside the levels established and agreed in this service description, customer order form or proposal.
Any changes that may impact on the service or NCC Group’s ability to operate the service.
Any change that may have an impact on the capacity or throughput of the service or system including changes to bandwidth and logging levels.
Any change that impacts the scope of the managed service and associated licences, including additional users, monitored devices or throughput.
The customer shall supply contact details for a primary contact, who will communicate on a regular basis with NCC Group regarding any matter arising in connection with the operation and provision of the service to be provided by NCC Group.
The customer shall be responsible for all customer specific change processes and Change Advisory Boards (CABs), relating to changes and service requests raised.
6. Service variables
The customer order form or proposal document should record the following variable components of service supply:
Service commissioning professional services time
Number of VPN endpoints required and professional service time to configure
Quantity, make and model of each device to be managed
7. Supporting documents
This document should be read in conjunction with the NCC Group Master Service Level Agreement (MSLA) version 2.0 and the customer order form or proposal document.
8. Operating service hours
The NCC Group SOC operates 24 hours a day, 365 days a year. Health, availability and security alarms will be raised as per the service level targets.
9. Service levels
The following section provides an overview of the service level objectives for the managed DDoS protection service. This section should be read in conjunction with the NCC Group Master Service Level Agreement (MSLA) version 2.0.
Service availability
Operational effectiveness of the central NCC Group service (excluding hardware and software deployed to a customer's site), exclusive of any planned maintenance and/or migration of the service.
Objective | Target
Service Availability Target | 99.9% availability per calendar month
Emergency Outages Target | Less than or equal to one Emergency Outage per month
Table 3 - Service availability SLA
Health, availability and capacity monitoring
Managed devices are monitored for availability. In the event of an outage, an incident ticket will be created by NCC Group and reported to you according to the pre-agreed incident escalation process. Support target start times apply to the start of remote remediation only; for hardware-related incidents the target fix time is governed by the appliance support agreement.
Severity | Description | Target response time (24/7) | Support target start time (24/7)
PE – Pending | Un-assessed tickets | 15 minutes | N/A
L1 – Emergency | Loss of connectivity, total service outage or severe impairment on performance that prevents service from operating within SLA boundaries | 15 minutes | 1 hour
L2 – Critical | Critical component outage which impairs service capabilities or resilience, high severity capacity issue which will lead to an imminent outage | 1 hour | 4 hours
L3 – Priority | Loss of critical event feed from the monitoring system or capacity issue which could affect service in the next 72 hours | 4 UK working hours | 8 UK working hours
L4 – Normal | Loss of non-critical event feed from monitoring system or early warning of capacity issues | 8 UK working hours | 3 UK working days
Table 4 - Health and availability SLA
Security alert triage
NCC Group SOC analysts will triage and log all relevant and agreed security alarms and shall escalate to the client primary contact in accordance with the timeframes set out below.
Important note: The remediation times set out in the table below apply to remediation settings being applied to the DDoS Secure appliance or requesting a change from the customer’s ISP. Remediation of DDoS is reliant on the appliance, ISP and BGP peering time on the Internet and is therefore out of scope of the SLA.
Severity | Description | Target response time (24/7) | Target remediation time (24/7)
PE – Pending | An incident has occurred, the consequences of which have not been identified – a technician will be allocating the correct severity shortly | 15 minutes | N/A
L1 – Emergency | A major breach of security has occurred, which requires immediate attention as unauthorised access has been obtained, or a denial-of-service attack has been successful | 15 minutes | 1 hour
L2 – Critical | A high-risk breach of security may have occurred, which requires immediate attention [OR] A protective device has denied legitimate activity and may be preventing critical business activities from occurring | 1 hour | 4 hours
L3 – Priority | An attempt has been made to breach security, which was unsuccessful either because the attack was not valid, or a protective device denied the activity [OR] A medium-risk breach of security may have occurred, which requires attention [OR] A protective device has denied legitimate activity and may be preventing normal business activities from occurring | 4 UK working hours | 8 UK working hours
L4 – Normal | A low-risk breach of security may have occurred, which requires attention | 8 UK working hours | 3 UK working days
Table 5 – Security alert triage SLA