After contributing to the early success of my first startup, Prolexic Technologies, I embarked on a new venture: architecting and building Zenedge's first physical infrastructure network from the ground up. Our goal was ambitious—to create a robust defense against Distributed Denial of Service (DDoS) attacks within a short period of time. We started with a rudimentary plan: the make and model of routers, switches, and mitigation devices were clear, but the rest was up to us. Imagine designing an entire router configuration in a text editor, referencing old configs from the earliest DDoS defenses, and stripping inefficiencies to create a lean, automated network design.
The stakes couldn't have been higher. A potential customer was under active DDoS attack, and as a startup, we were all in. My co-founder, Fausto Lendeborg, and I seized the opportunity to bring our design to life. Equipment was already staged at CoreSite's iconic One Wilshire building in Los Angeles, so we packed our tools and dove headfirst into the challenge. For three intense days, we worked non-stop, racking, stacking, cabling, and configuring hardware, taking short naps on the data center floor. Meanwhile, my phone buzzed incessantly with updates from the customer, anxiously awaiting our solution.
By the third day, we had external connectivity and an out-of-band management setup. Another week of negotiations with a transit provider finally brought internet connectivity online. Then came the moment of truth. I generated test attack traffic from my laptop, and we watched in awe as our mitigation gear sprang to life, showcasing those beautiful red and green graphs—red for blocked attack traffic and green for legitimate flows. We were elated! With a GRE tunnel established to the customer's network, we successfully mitigated our first attack.
That initial success left me feeling unstoppable. Fausto and I pressed forward, refining our design for complete customer automation and scaling Zenedge's infrastructure to support a comprehensive security portfolio. I brought in Jaimin Patel, a trusted colleague, and together we built ten scrubbing centers across the globe within two years. At the time, I thought, David, you can do it all.
But life has a way of humbling us. Six years ago, Zenedge was acquired by Oracle, marking my first foray into the world of large enterprises and the cloud business.
A humbling introduction to the cloud
Just a week post-acquisition, I found myself in Oracle's Seattle office, sitting across from Oracle Cloud Infrastructure (OCI) architects—people who had built the infrastructures for Google, AWS, and Microsoft. As I listened to them speak, I was overwhelmed. It felt like I'd been dropped into a room where everyone spoke fluent Mandarin while I was armed only with rudimentary phrases. I was slated to present Zenedge's architecture, automation, and design, yet all I wanted to do was run.
In that moment, I turned to a strategy that has always worked for me: I took a mental step back. I imagined myself soaring above the room, beyond the earth, out into the vastness of the galaxy, gaining an "eagle eye view" of my surroundings. This shift in perspective reminded me of an analogy I hold dear: a mouse sees only the weeds and grass around it, but an eagle can look down from above, spotting the mouse and devising a clear path forward.
When I returned to the room, I approached the situation differently. Picking out keywords and concepts from the conversation, I pieced together a narrative. Despite my nerves, I stood up and delivered an overview of Zenedge's network. To my surprise, the architects were intrigued, asking questions about our customer automation techniques—flawed as they might have been, they still offered innovative approaches worth exploring.
This moment, along with many other similar experiences, sparked a transformative realization: large organizations often suffer from silos, where teams focus so narrowly on their tasks that they lose sight of the bigger picture. My "eagle eye view" helped me break through that limitation.
The Power of Perspective
There's a popular video that resonates deeply with me. It begins with a woman lying on the grass, zooming into her retina to reveal an intricate universe within—molecules, atoms, and nuclei—before panning out to showcase the Earth, the galaxy, and the universe at large. It's a stunning reminder of interconnectedness, both vast and intimate.
This concept of "worlds within worlds" mirrors the relationships within organizations. Just as every molecule and galaxy is part of a greater whole, so too are individuals, teams, and systems within a company. Visibility and connection are crucial, not just for efficiency but for innovation and resilience.
Bridging Silos with Unified Security
In the next section, I'll explore how this principle applies to network security. From edge visibility to IAM (Identity and Access Management), centralizing logs and behavioral data for analysis, and leveraging AI and machine learning, the key lies in creating automated solutions that seamlessly integrate every layer of an organization's security landscape. Together, we'll examine how unifying these layers not only mitigates risks dynamically but fosters the cohesiveness organizations need to thrive in an increasingly complex world.
DDoS mitigation at the edge
Network security, particularly DDoS mitigation at the edge, has historically been treated as a standalone function, often disconnected from broader security efforts. This approach stems from the nature of DDoS traffic:
Inbound Traffic
Generated by botnets or infected hosts outside the network, targeting internal resources. The goal is to mitigate this traffic at the network edge to prevent collateral damage to core infrastructure. Techniques include:
- Rate limiting
- Access control lists (ACLs)
- Flowspec
- Advanced mitigation techniques:
  - SYN authentication challenges
  - Behavioral analysis
  - Anomaly detection
  - Geo-IP blacklisting
  - Threat intelligence feed blacklisting
The edge mitigation devices that apply these techniques inspect traffic at layers 3 and 4 of the OSI model (the IP and transport-protocol headers), dropping malicious traffic while forwarding legitimate traffic to the intended destination.
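To make the layer-3/4 part of that list concrete, here is an added example (my own illustration, not code from the original post or from Zenedge's mitigation gear) of the two simplest inbound countermeasures: a static ACL on source prefixes and a per-source token-bucket rate limit. The flow records, prefixes, packet rates and thresholds are all constructed for the demonstration; a real device would apply the same logic per interface at line rate.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    """One packet summary as a layer-3/4 device sees it (constructed fields)."""
    src: str
    dport: int
    flags: str   # TCP flags; "S" marks a SYN
    ts: float    # arrival time in seconds


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate: float, burst: float, now: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EdgeFilter:
    """Static ACL first, then a per-source rate limit; everything else is forwarded."""

    def __init__(self, deny_prefixes, pps: float, burst: float):
        self.deny = [ip_network(p) for p in deny_prefixes]
        self.pps, self.burst = pps, burst
        self.buckets = {}  # one bucket per source address

    def verdict(self, f: Flow) -> str:
        addr = ip_address(f.src)
        if any(addr in net for net in self.deny):
            return "drop:acl"
        bucket = self.buckets.get(f.src)
        if bucket is None:
            bucket = self.buckets[f.src] = TokenBucket(self.pps, self.burst, f.ts)
        if not bucket.allow(f.ts):
            return "drop:ratelimit"
        return "forward"


def sample_flows():
    """Constructed traffic mix: one SYN flood source, one normal client, one denied prefix."""
    flows = [Flow("203.0.113.9", 80, "S", i * 0.001) for i in range(50)]   # 50 SYNs in 50 ms
    flows += [Flow("198.51.100.5", 443, "S", float(i)) for i in range(3)]  # one packet per second
    flows += [Flow("192.0.2.7", 53, "", 0.5), Flow("192.0.2.7", 53, "", 0.6)]  # inside denied prefix
    return sorted(flows, key=lambda f: f.ts)


def summarize(flows, edge: EdgeFilter):
    """Run every flow through the filter; return {src: {verdict: count}}."""
    out = defaultdict(Counter)
    for f in flows:
        out[f.src][edge.verdict(f)] += 1
    return {src: dict(c) for src, c in out.items()}


if __name__ == "__main__":
    edge = EdgeFilter(deny_prefixes=["192.0.2.0/24"], pps=10, burst=5)
    for src, counts in summarize(sample_flows(), edge).items():
        print(src, counts)
```

With a 10 packets-per-second limit and a burst of 5, the flood source gets its first five SYNs through and the remaining 45 are dropped, the slow client is never touched, and the denied prefix never reaches the rate limiter at all. Note that nothing here looks past the IP and TCP headers, which is exactly the limitation the asymmetry section below describes.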
Outbound Traffic
Originates from infected internal hosts, often part of a botnet or engaged in malicious activity such as data exfiltration or spam generation. Mitigation focuses on identifying and dropping this traffic as close to the source as possible—typically at the host NIC, vNIC, Smart NIC, or at the distribution or access layer—to minimize downstream impact.
These differences in traffic direction dictate the application of countermeasures and often require separate teams to manage them. This segregation marks the start of siloed ownership in network security.
Asymmetry in traffic handling
Effective DDoS mitigation relies on asymmetric traffic handling, which means traffic does not necessarily follow the same path inbound and outbound. This flexibility enables the network to "peel away" bad traffic while preserving legitimate flows. However, this approach also introduces challenges:
Asymmetry and the OSI Model
Because asymmetric handling is distributed, mitigation is limited to IP (layer 3) and protocol-level (layer 4) filtering. Advanced mitigations that require application-layer inspection (layer 7) usually depend on symmetry, because a stateful inspection device needs to see both directions of a session.
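The following added example (my illustration, not code from the original post) shows why that is. A stateful inspector only looks at payload once it has watched the full TCP handshake, so on an asymmetric path where the scrubbing center sees only the inbound direction it never reaches the application layer; a stateless per-source SYN count, by contrast, gives the same answer whether or not the return traffic is visible. The packets, addresses and state names are constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet view: addresses, ports, TCP flags and any payload (constructed)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str          # "S", "SA", "A", "PA"
    payload: bytes = b""


CLIENT, SERVER = "198.51.100.10", "203.0.113.80"

# Symmetric path: handshake, HTTP request and HTTP response all pass the inspector.
SYMMETRIC = [
    Pkt(CLIENT, SERVER, 40000, 80, "S"),
    Pkt(SERVER, CLIENT, 80, 40000, "SA"),
    Pkt(CLIENT, SERVER, 40000, 80, "A"),
    Pkt(CLIENT, SERVER, 40000, 80, "PA", b"GET /login HTTP/1.1\r\nHost: x\r\n\r\n"),
    Pkt(SERVER, CLIENT, 80, 40000, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
]
# Asymmetric path: the scrubbing center sees only the inbound (client -> server) direction.
ASYMMETRIC = [p for p in SYMMETRIC if p.dst == SERVER]


class StatefulInspector:
    """Tracks the TCP handshake; inspects payload only for ESTABLISHED sessions."""

    def __init__(self):
        self.state = {}   # (client ip, client port) -> handshake state

    def feed(self, p: Pkt) -> str:
        key = (p.src, p.sport) if p.dst == SERVER else (p.dst, p.dport)
        st = self.state.get(key, "NONE")
        if p.flags == "S" and st == "NONE":
            self.state[key] = "SYN_SEEN"
        elif p.flags == "SA" and st == "SYN_SEEN":
            self.state[key] = "SYNACK_SEEN"
        elif p.flags == "A" and st == "SYNACK_SEEN":
            self.state[key] = "ESTABLISHED"
        elif p.payload:
            # Layer-7 inspection would happen here, but only with full session state.
            return "inspected" if st == "ESTABLISHED" else "no_state"
        return "tracked"


def run_stateful(pkts):
    """Verdicts for payload-bearing packets only."""
    insp = StatefulInspector()
    return [v for v in (insp.feed(p) for p in pkts) if v != "tracked"]


def syn_count(pkts):
    """Stateless layer-3/4 check: SYNs per source. Needs only one direction."""
    return dict(Counter(p.src for p in pkts if p.flags == "S"))


if __name__ == "__main__":
    print("symmetric :", run_stateful(SYMMETRIC), syn_count(SYMMETRIC))
    print("asymmetric:", run_stateful(ASYMMETRIC), syn_count(ASYMMETRIC))
```

On the symmetric path both payload packets are inspected; on the asymmetric path the inspector never sees the SYN-ACK, the session never becomes ESTABLISHED, and the HTTP request is reported as `no_state`, while the SYN count is identical in both cases.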
Web Application Firewalls (WAFs)
WAFs add another layer of security, designed for symmetrical traffic inspection and equipped to handle encrypted workloads through integrated certificate management. These devices inspect traffic at the application layer (layer 7), targeting vulnerabilities identified in the OWASP Top Ten, such as SQL injection and cross-site scripting (XSS).
WAF Constraints
- Port Limitations: They typically operate on public-facing ports (e.g., port 80 for HTTP and port 443 for HTTPS)
- Hardware Requirements: They rely on high-performance hardware or virtual appliances to process encrypted traffic efficiently
- Siloed Management: Mitigation dashboards and logging are often siloed, separate from other security systems
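As an added example of the layer-7 inspection a WAF performs, and of the port limitation just listed, here is a small request inspector of my own (not code from the original post or any vendor's ruleset). It parses an HTTP request, decodes the path, query and form fields, and matches them against a handful of constructed signatures for the two OWASP Top Ten issues named above; requests to ports other than 80 and 443 are passed through untouched because the WAF never sees them. The rule ids, sample requests and port set are assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

WEB_PORTS = {80, 443}   # the only ports this (assumed) WAF is deployed in front of

# Constructed detection signatures with assumed rule ids.
RULES = [
    ("sqli-tautology", re.compile(r"(?i)\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+")),
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(load|error|click|mouseover)\s*=")),
]


def parse_http(raw: str):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def fields_to_inspect(method, target, headers, body):
    """Decode every user-controlled field so signatures see plain text, not %XX."""
    parts = urlsplit(target)
    fields = [("path", unquote_plus(parts.path))]
    fields += [("query:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return fields


def inspect_request(raw: str, dport: int) -> dict:
    """Return allow/block/bypass; block carries the matching rule and field."""
    if dport not in WEB_PORTS:
        return {"action": "bypass", "reason": f"port {dport} is not inspected"}
    method, target, headers, body = parse_http(raw)
    for name, value in fields_to_inspect(method, target, headers, body):
        for rule_id, pattern in RULES:
            if pattern.search(value):
                return {"action": "block", "rule": rule_id, "field": name}
    return {"action": "allow"}


# Constructed sample requests.
BENIGN = "GET /search?q=eagle+eye+view HTTP/1.1\r\nHost: shop.example\r\n\r\n"
SQLI = "GET /items?id=1%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
XSS = ("POST /comment HTTP/1.1\r\nHost: shop.example\r\n"
       "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
       "text=%3Cscript%3E1%3C%2Fscript%3E")

if __name__ == "__main__":
    for label, req, port in (("benign", BENIGN, 443), ("sqli", SQLI, 80),
                             ("xss", XSS, 443), ("sqli on 3306", SQLI, 3306)):
        print(label, inspect_request(req, port))
```

The last case is the point of the "Port Limitations" bullet: the same request that is blocked on port 80 is reported as `bypass` on port 3306, which is why a WAF alone cannot be the organization's only inspection point.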
Expanding the Security Scope
Beyond DDoS and WAF applications, modern network security encompasses a broad range of functions, including:
Authentication and Access Control
Internal and external authentication for remote clients using overlay services such as VPNs or SD-WAN. Identity and Access Management (IAM) systems ensure secure user and device authentication.
Compliance and Governance
Adherence to standards like PCI-DSS, HIPAA, GDPR, and SOC 2.
Endpoint Security
Monitoring and managing the devices that connect to the network to ensure they comply with security policies.
Data Security
Encryption, data loss prevention (DLP), and secure data transfers.
Centralized Logging and Incident Response
A separate silo often handles centralized logging and event management. Security Information and Event Management (SIEM) platforms like Splunk or QRadar aggregate logs from across the network, providing a unified view of activity.
Detection and Response Teams (DART)
Responsible for analyzing threats and responding proactively.
Incident Response Playbooks
Predefined actions to manage and mitigate security incidents effectively.
The Problem with Silos
The siloed nature of systems—such as DDoS protection, WAFs, IAM, SIEM, and endpoint security—creates gaps in visibility and coordination. Each team focuses on its own domain, but the lack of integration hampers the organization's ability to respond dynamically to evolving threats.
Toward Unified Cohesiveness
To overcome these challenges, organizations need to embrace a holistic approach to network security. This includes:
Visibility Across Layers
From edge traffic inspection to internal authentication logs, a comprehensive view is essential.
Centralized Data Repositories
Logs, behavioral data, and metrics should feed into a single source of truth.
AI and Machine Learning
Leveraging advanced analytics, like User and Entity Behavior Analytics (UEBA) and Threat Intelligence Integration, enables predictive and dynamic responses.
Automation
Implementing Security Orchestration, Automation, and Response (SOAR) tools ensures real-time responses with minimal manual intervention, increasing efficiency and accuracy.
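To show what "a single source of truth" plus automation looks like in practice, here is an added example of my own (not code from the original post, and not any SIEM or SOAR product's API) that serves both the centralized logging section and the four points above. Records from four silos in four different (assumed) log formats are normalized into one schema, linked by shared IP, user or host into incidents, scored, and handed to a simple playbook that emits response actions only when evidence spans more than one silo. All records, severities, thresholds and action names are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """Common schema that every silo's record is normalized into."""
    silo: str
    ts: int
    severity: int
    ip: Optional[str] = None
    user: Optional[str] = None
    host: Optional[str] = None

    def entities(self):
        pairs = (("ip", self.ip), ("user", self.user), ("host", self.host))
        return [f"{k}:{v}" for k, v in pairs if v]


# Constructed sample records, each in an assumed per-silo format.
WAF_LOGS = [{"client": "203.0.113.9", "rule": "sqli-tautology", "ts": 100}]
IAM_LOGS = [
    {"ip": "203.0.113.9", "user": "jdoe", "result": "FAIL", "ts": 110},
    {"ip": "203.0.113.9", "user": "jdoe", "result": "FAIL", "ts": 112},
    {"ip": "203.0.113.9", "user": "jdoe", "result": "SUCCESS", "ts": 130},
    {"ip": "198.51.100.20", "user": "asmith", "result": "SUCCESS", "ts": 115},
]
EDR_LOGS = [{"host": "ws-042", "user": "jdoe", "alert": "suspicious-process", "ts": 140}]
EDGE_LOGS = [{"src": "198.51.100.77", "action": "ratelimit", "ts": 50}]


def normalize():
    """Map each silo's fields onto the common schema (severities are assumed)."""
    events = [Event("waf", r["ts"], 3, ip=r["client"]) for r in WAF_LOGS]
    events += [Event("iam", r["ts"], 2 if r["result"] == "FAIL" else 0,
                     ip=r["ip"], user=r["user"]) for r in IAM_LOGS]
    events += [Event("edr", r["ts"], 4, host=r["host"], user=r["user"]) for r in EDR_LOGS]
    events += [Event("edge", r["ts"], 1, ip=r["src"]) for r in EDGE_LOGS]
    return events


class UnionFind:
    """Links entities that appear together in an event into one connected component."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def playbook(inc, threshold):
    """Act only when the score is high enough and evidence spans more than one silo."""
    if inc["score"] < threshold or len(inc["silos"]) < 2:
        return []
    actions = [f"edge.denylist {ip}" for ip in inc["ips"]]
    actions += [f"iam.force_reauth {u}" for u in inc["users"]]
    actions += [f"edr.isolate {h}" for h in inc["hosts"]]
    return actions


def build_incidents(events, threshold=5):
    """Group events by linked entity, score them, and attach playbook actions."""
    uf = UnionFind()
    for e in events:
        ents = e.entities()
        for other in ents[1:]:
            uf.union(ents[0], other)
    groups = {}
    for e in events:
        groups.setdefault(uf.find(e.entities()[0]), []).append(e)
    incidents = []
    for evs in groups.values():
        inc = {
            "score": sum(e.severity for e in evs),
            "silos": {e.silo for e in evs},
            "ips": sorted({e.ip for e in evs if e.ip}),
            "users": sorted({e.user for e in evs if e.user}),
            "hosts": sorted({e.host for e in evs if e.host}),
            "first_ts": min(e.ts for e in evs),
        }
        inc["actions"] = playbook(inc, threshold)
        incidents.append(inc)
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in build_incidents(normalize()):
        print(inc)
```

Seen separately, the WAF alert, the two failed logins, and the endpoint alert are each below any reasonable action threshold; only once the successful login ties the attacking address to the user and the user to the workstation does the combined incident cross it, and the playbook can then push responses back to the edge, the IAM system, and the endpoint at the same time. The unrelated rate-limit event and the normal login stay as low-score incidents with no actions.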
The Bigger Picture
Security is not just about tools and technologies; it's about breaking down silos and fostering cohesiveness across teams.
Thank you for reading! Connect with me on LinkedIn to discuss network security challenges or schedule a call to explore how we can help strengthen your organization's security posture.