2. Andrisoft Wanguard Overview

Andrisoft Wanguard is an award-winning enterprise-grade software solution designed to monitor and protect large WAN networks against volumetric DDoS attacks.

Unforeseen traffic patterns affect user satisfaction and clog costly transit links. Providing reliable network services is imperative for the success of today’s organizations. As the business cost of network malfunctions continues to increase, rapid identification and mitigation of network performance and reliability threats become critical to meet expected SLAs and network availability requirements. Such threats include distributed denial-of-service attacks, SYN floods, NTP amplification attacks, generic UDP or ICMP floods, and many more. Wanguard’s network-wide surveillance of complex, multilayer, switched or routed environments together with its unique combination of features is specifically designed to meet the challenge of pinpointing and resolving any such threats.

2.1. Key Features & Benefits

FULL NETWORK VISIBILITY – Supports all major IP traffic monitoring technologies: packet sniffing, NetFlow version 5, 7 and 9; sFlow version 4 and 5; IPFIX and SNMP

COMPREHENSIVE DDOS DETECTION – Leverages an innovative traffic anomaly detection engine that quickly detects volumetric attacks by profiling the online behavior of users and by comparing over 130 live traffic parameters against user-defined thresholds

ON-PREMISE DDOS MITIGATION – Protects networks by using BGP blackhole routing or Flowspec; protects services by cleaning malicious traffic using packet-scrubbing servers deployed in-line or out-of-line

FAST, SCALABLE & ROBUST – Designed to run on commodity server hardware by leveraging high-speed packet capturing technologies such as DPDK, PF_RING Vanilla, PF_RING ZC, and Netmap. Can run as a cluster with its software components distributed across multiple servers

POWERFUL REACTION TOOLS – Executes predefined actions which automate the reaction to attacks: sends notification emails, announces prefixes in BGP, generates SNMP traps, modifies ACLs, and runs scripts that have access to hundreds of internal parameters via an easy-to-use API

DETAILED FORENSICS – Captures samples of packets and saves flows for the forensic investigation of each attack. Detailed attack reports can be emailed to you, the affected customer, or the attacker’s ISP

ENTERPRISE-GRADE WEB CONSOLE – Provides consolidated management and reporting through a highly-configurable multi-tenant web portal with customizable dashboards, user roles, and remote authentication

PACKET SNIFFER – Saves packet dumps using a distributed packet sniffer that can be deployed on different network entry points. Displays packet details in a Wireshark-like web interface

FLOW COLLECTOR – Contains a fully-featured NetFlow, sFlow, and IPFIX collector that saves flow data in a compressed format for long-term storage. Flows can easily be searched, filtered, sorted, and exported

COMPLEX ANALYTICS – Generates complex reports with aggregated data for hosts, departments, interfaces, applications, ports, protocols, countries, autonomous systems, and more

REAL-TIME REPORTING – Bandwidth graphs are animated and have a short-term accuracy of just 5 seconds

HISTORICAL REPORTING – You can view reports from the last 5 seconds to the previous 15 years by selecting any custom time frame. Bandwidth histograms could contain 95th-percentile values for burstable billing

SCHEDULED REPORTING – Generates PDF and HTML reports and sends them automatically by email to the interested parties at pre-configured intervals of time

COMPLETE REST API – All configurations and collected data can be easily queried and referenced via a fully-featured RESTful API which exposes hundreds of internal parameters, anomaly data, graphs, and tops

THE LOWEST TCO – It is the most affordable on-premise DDoS detection and mitigation software solution on the market

All configurations are stored in an SQL database that is easy to query, backup and restore.

2.2. Software Components

Wanguard Sensor provides traffic anomaly detection, bandwidth monitoring, and traffic accounting. The collected information allows you to generate complex traffic reports, graphs, and tops; instantly pin down the cause of network incidents; automate the reaction to attacks; understand patterns in application performance, and make the right capacity planning decisions.

Wanguard Filter generates filtering rules that offer detailed information about attackers and isolate the malicious traffic received by the attacked destinations. It can scrub off abnormal traffic in a granular manner without impacting the user experience or resulting in downtime.

Wanguard Console is a multi-tenant web graphical user interface that functions as the administrative core of the software. It offers single-point management and reporting by consolidating the data from all Wanguard Sensors, Wansight Sensors, and Wanguard Filters deployed within the network.

For brevity, Wanguard Sensor is sometimes referred to as the Sensor, Wanguard Filter as the Filter, and Wanguard Console as the Console.

2.3. Wanguard and Wansight

A Wanguard license activates all features of the software. If you don’t need traffic anomaly detection, you can use a Wansight license which will enable only the traffic monitoring features of the software while being around 40% cheaper. The licensing is done for each software component used so that you can mix Wansight Sensor with Wanguard Sensor and Wanguard Filter.