
ERT Premium

Welcome Guide

Radware Emergency Response Team

Page | 1
Table of Contents
ABOUT THIS DOCUMENT .......................................................................................................................... 3
INTRODUCTION TO THE ERT PREMIUM SERVICE ................................................................................. 3
INITIAL DEPLOYMENT PROCESS OF DEFENSEPRO CPE .................................................................... 3
PREREQUISITES ........................................................................................................................................ 4
FILLING OUT THE ERT PREMIUM SETUP FORM........................................................................................... 4
Customer Contact Procedure Section ............................................................................................. 4
VPN and Firewall Piercing ............................................................................................................... 5
ERT PREMIUM ROUTINE ............................................................................................................................ 6
ERT PREMIUM CUSTOMERS CONTACT POINTS .......................................................................................... 7
ERT HOTLINE ........................................................................................................................................... 7
MONTHLY REPORT .................................................................................................................................... 8

About This Document
This document is intended for Radware's Emergency Response Team (ERT) Premium
customers.

Introduction to the ERT Premium Service


The ERT Premium service package is comprised of the following services:
 24/7 monitoring of the customer’s service
 Real-time response to any threat detected
 Direct “hot-line” access
 Diverting the traffic when encountering a volumetric attack
 Sending the customer a summary of each real-time attack case
 Sending the customer a monthly report containing all threats
 Periodically reviewing the network-security configuration

Initial Deployment Process of DefensePro CPE


The goal of the DefensePro customer-premises equipment (CPE) deployment process is to
implement and fine-tune the initial security configuration.
The steps are generally as follows:
1. Prerequisites. All relevant DefensePro units must be fully connected (see the full
requirements under Prerequisites below). This is done by the customer, the integrator and
Radware field engineers.
2. The customer sends ERT the completed ERT Premium Setup Form.
3. ERT studies the completed ERT Premium Setup Form.
4. ERT sets up a conference call with the customer to discuss considerations.
5. An initial DefensePro CPE deployment is implemented with the Report-Only action.
6. ERT studies the security events and performs fine tuning.
7. ERT recommends protections that should be set to the Block-and-Report action. ERT will
describe the advantages and disadvantages of each modification. For example, if Web
Challenges are moved to Block-and-Report, then the advantage is that HTTP floods will be
blocked. The disadvantage of moving Web Challenges to Block-and-Report is that certain
legitimate scripts may be blocked temporarily when under attack.
8. The customer approves/rejects/comments on ERT recommendations. The customer may
simply request that ERT continue to monitor before making a decision.
9. ERT implements the agreed-upon modifications. Modifications that are considered riskier
(for example, moving a protection to Block-and-Report) are implemented during maintenance
windows.
10. ERT carefully monitors for false positives and overall effectiveness.
11. The customer carefully monitors the network and reports to ERT regarding any suspicious
event.

Prerequisites
Before the process can begin, the equipment must be fully connected, which means:
• DefensePro is wired and receiving traffic.
• The customer's APSolute Vision is connected to all relevant DefensePros.
• Network policies are configured.

Filling Out the ERT Premium Setup Form


This section augments instructions in some sections of the ERT Premium Setup Form.
The ERT Premium Setup Form provides ERT with the required information regarding the
customer network environment, and enables ERT to properly configure and fine-tune all its
systems so as to provide you with the best protection and service.
Each new ERT Premium customer must fill out the form; it is a necessary step in the
Radware ERT Premium onboarding process.

Customer Contact Procedure Section

In the ERT Premium Setup Form, in the section “Customer Contact Procedure,” you specify the
step-by-step instructions that the ERT 24/7 team will follow when ERT detects an on-going
attack.
Notes:
• ERT personnel will follow your instructions, but may make recommendations based on their
best practices.
• It is very important to be precise in your instructions. ERT members are instructed to follow
these instructions to the letter.
ERT divides the security events into three risk severities: HIGH, MED, and LOW. The following
table describes, according to risk severity, the method that ERT uses to contact you.

Risk   Contact Method
HIGH   Typically, ERT contacts the customer by phone.
MED    Typically, ERT contacts the customer by e-mail.
LOW    No immediate contact. ERT first investigates and contacts the customer only if the
       risk escalates.

Here is an example of instructions provided by an example customer, called DummyPay at
www.dummypay.com.

HIGH
1. Send email notification to noc@dummypay.com.
2. Phone the DummyPay NOC team at +1-555-555555.
3. If there is no answer, call the DummyPay Manager's mobile at +1-555-6666666.
4. If there is no answer, leave a voice message.

MED
1. Send email notification to noc@dummypay.com.
2. Investigate the case.
3. If the case is found to be at HIGH risk, follow the HIGH risk procedure.

VPN and Firewall Piercing

ERT Premium customers are monitored constantly by security and network systems, and during
both routine operation and attacks ERT makes modifications to the customer's on-premises
equipment. This remote action requires ERT Premium customers to allow remote connectivity.
The customer can choose between two plans to support it:
• VPN
• SNMPv3

VPN
For VPN setup, contact us at ert-soc@radware.com to coordinate. We will involve our ERT-NOC
team in the process.

SNMPv3
To allow Radware to remotely access your equipment, open your firewall and any other relevant
network entity. In the firewall you will need to configure:
• Customer IPs - include all DefensePro and APSolute Vision IPs.
• Radware IPs - include the IPs specified in the 'Radware IPs Table' below, according to
your location.
• Protocol, ports and direction - according to the 'Protocol, Ports and Direction Table'
below.

Radware IPs Table

Region   Scrubbing Center IPs
US       38.104.206.101
         38.104.206.102
EMEA     149.6.43.75
         149.6.43.78

Protocol, Ports and Direction Table

Direction              Protocol/Port   Service
Customer -> Radware    UDP 69          TFTP
                       UDP 162         SNMPTRAP
                       UDP 514         SYSLOG
                       UDP 2088        IRP
                       UDP 2093        SRP
                       ICMP
Radware -> Customer    TCP 80          HTTP
                       TCP 443         HTTPS
                       UDP 161         SNMP
                       TCP 22          SSH
                       ICMP
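To make the two tables above concrete, here is an added example (not code from Radware or from this guide) that builds the minimal firewall rule set for the SNMPv3 plan, renders it as nftables statements, and audits a rule set to flag inbound management ports (SSH, HTTP, HTTPS, SNMP) reachable from any source other than the listed Radware IPs for the customer's region. The IPs and ports are the guide's; the customer addresses (192.0.2.x, the documentation range), the `inet filter` table and `forward` chain names, the rule-dict layout, and the function names are assumptions.

```python
"""Added example: build and audit firewall rules for the ERT Premium SNMPv3
remote-access plan. IPs and ports come from the guide's two tables; the
customer addresses (192.0.2.0/24 documentation range), the 'inet filter'
table and 'forward' chain names, and the rule dict layout are assumptions."""
import ipaddress

# Scrubbing-center IPs per region (guide's Radware IPs Table)
RADWARE_IPS = {
    "US": ["38.104.206.101", "38.104.206.102"],
    "EMEA": ["149.6.43.75", "149.6.43.78"],
}

# (protocol, port, service) from the guide's Protocol, Ports and Direction Table
CUSTOMER_TO_RADWARE = [
    ("udp", 69, "tftp"), ("udp", 162, "snmptrap"), ("udp", 514, "syslog"),
    ("udp", 2088, "irp"), ("udp", 2093, "srp"), ("icmp", None, "icmp"),
]
RADWARE_TO_CUSTOMER = [
    ("tcp", 80, "http"), ("tcp", 443, "https"), ("udp", 161, "snmp"),
    ("tcp", 22, "ssh"), ("icmp", None, "icmp"),
]
# Inbound services that give management access to the DefensePro/Vision units
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 161)}


def build_rules(region, customer_ips):
    """Return one rule dict per service, pinned to exact hosts on both ends.

    dir 'out' is customer -> Radware, dir 'in' is Radware -> customer.
    """
    radware = RADWARE_IPS[region]
    rules = []
    for proto, port, svc in CUSTOMER_TO_RADWARE:
        rules.append({"dir": "out", "proto": proto, "port": port, "svc": svc,
                      "src": list(customer_ips), "dst": list(radware)})
    for proto, port, svc in RADWARE_TO_CUSTOMER:
        rules.append({"dir": "in", "proto": proto, "port": port, "svc": svc,
                      "src": list(radware), "dst": list(customer_ips)})
    return rules


def to_nftables(rules):
    """Render the rules as nft statements for an edge firewall's forward chain."""
    lines = []
    for r in rules:
        match = "ip saddr { %s } ip daddr { %s }" % (", ".join(r["src"]), ", ".join(r["dst"]))
        l4 = "ip protocol icmp" if r["proto"] == "icmp" else "%s dport %d" % (r["proto"], r["port"])
        lines.append("add rule inet filter forward %s %s accept  # %s" % (match, l4, r["svc"]))
    return "\n".join(lines)


def audit(rules, region):
    """Flag inbound management-port rules whose source is wider than the
    region's Radware IPs. Returns [(service, offending_source), ...]."""
    allowed = [ipaddress.ip_network(ip) for ip in RADWARE_IPS[region]]
    findings = []
    for r in rules:
        if r["dir"] != "in" or (r["proto"], r["port"]) not in MANAGEMENT_PORTS:
            continue
        for src in r["src"]:
            net = ipaddress.ip_network(src, strict=False)
            if not any(net.subnet_of(a) for a in allowed):
                findings.append((r["svc"], src))
    return findings


def overly_broad_example():
    """Constructed bad policy: SSH and SNMP opened to the whole Internet."""
    rules = build_rules("US", ["192.0.2.10"])
    for r in rules:
        if r["svc"] in ("ssh", "snmp"):
            r["src"] = ["0.0.0.0/0"]
    return audit(rules, "US")


if __name__ == "__main__":
    print(to_nftables(build_rules("US", ["192.0.2.10", "192.0.2.11"])))
    print("findings:", overly_broad_example())  # [('snmp', '0.0.0.0/0'), ('ssh', '0.0.0.0/0')]
```

The audit only checks who can reach the management ports. Opening UDP 161 to the Radware IPs does not by itself secure the SNMP channel: the SNMPv3 user on the DefensePro should be configured for authentication and privacy (authPriv), and SNMPv1/v2c communities should not be enabled on the management interface.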

ERT Premium General Routine


The ERT Premium routine comprises the following:
• ERT Premium Customers Contact Points
• ERT Hotline
• Monthly Report

ERT Premium Customers Contact Points
Note: Radware Technical Support updates ERT on any incoming requests.
The following table describes the procedure for ERT Premium customers to contact Radware:

Issue Type           Examples                                      Contact Point               Contact Methods
Technical support    APSolute Vision is not responding.            Radware Technical Support   Technical support
                     Cannot access DefensePro.
                     Query how to grant privileges to users.
Security             Ongoing attack.                               ERT                         ERT-SOC@radware.com
                     Forensic request.                                                         ERT Hotline (emergencies)
                     Are we protected against the latest threat?
DefensePipe service  GRE tunnel is down.
                     Request to modify the router.
Miscellaneous

ERT Hotline
ERT Premium customers are entitled to continuous phone access directly to ERT, referred to
as the ERT Hotline. The ERT Hotline ensures the fastest response and guarantees that we meet
the SLA.
If there is any problem with the hotline, contact Radware Technical Support by phone.
Important: In case of emergency, use the hotline to get immediate access to ERT; do not only
send an email to ERT or Radware Technical Support. Only the hotline guarantees an immediate
response.
Issues that are not urgent can and should be addressed by email.
ERT Premium customers receive a hotline access code and phone numbers in the following
format.

Code <Given for each individual customer>

Primary number 1-201-785-3295

Secondary number 1-201-785-3296

Monthly Report
As part of the routine procedure, ERT sends a monthly report to the customer. ERT sends each
report by the 10th of each month. The report covers the previous calendar month. The report
lists the attacks that occurred and includes ERT's analysis and security insights.
Along with the monthly report, ERT holds a review conversation with the customer.

Maintenance Activities
ERT Premium customer configuration is not static, and changes occur often. The changes
include:
• Network and policy configuration
• Security configuration
• Software version and signature file
Various events trigger these configuration changes, including:
• Additional or modified customer assets and services
• New security threats
• Feedback learned from a previous attack experienced by this customer or by another
customer
• New protections released in a new software version, or bug fixes

ERT Premium Mitigation Routine


Monitor Activity
ERT constantly monitors all ERT Premium assets for attacks using the following inputs:
• Security alerts generated by the DefensePros on customer premises
• Device information such as bandwidth, packets per second, connections per second and
concurrent connections, generated by the DefensePros on customer premises
• Pipe utilization measurements
• Health checks

Attack Detection & Analysis


The events are processed and filtered by SIEM and SIEM-like applications, which flag new
events of interest to ERT. Those events are forwarded in real time to the ERT-SOC, which is
a 24x7x365 team. An ERT analyst then analyzes the event to determine whether it is an attack
or benign activity.

The ERT analyst contacts the customer according to the 'Customer Contact Procedure' section
of the ERT Premium Setup Form.

Attack Mitigation
If an attack is ongoing, ERT verifies that the mitigation is effective. If it is not, ERT
reinforces the mitigation.
During prolonged attack campaigns, ERT reports to the customer periodically and at least once
a day. The report includes the attack vectors and the mitigation efforts. In very intensive
attack campaigns ERT reports more often and may keep an open bridge with the customer
throughout.
Note that some customers are permanently under a certain attack vector; in that case there is
no special reporting by ERT unless the attack breaks its pattern.

Summary Report
Once the attack is over, ERT sends a summary. For most attacks a summary email is sent,
including:
• Attack Analysis
• Mitigation Actions
• Future Recommendations
For severe attack campaigns a detailed PDF report is sent.
