The Strategic Vision: Beyond Traditional Security
As a primary Internet Service Provider (ISP), VNET operates at the heart of the digital landscape, managing massive volumes of traffic and safeguarding critical data for thousands of customers. Traditional security solutions often struggle with the sheer scale of 100G networks, leading to bottlenecks or “blind spots” where threats can hide.
The VTPP was designed to eliminate these compromises. Its primary purpose is to provide unparalleled visibility and control. By leveraging advanced data collection and real-time analytics, the platform allows VNET to identify and mitigate threats—from simple DDoS attacks to sophisticated zero-day exploits—before they can disrupt services. This project is not just about defense; it’s about creating a flexible and scalable foundation that evolves alongside the ever-changing threat landscape. The goal is to deliver enhanced visibility and control over security environments, providing real-time threat detection and analytics that enable timely responses to potential security incidents.
High-Level Architecture: The CyberSec Base
The VTPP architecture is built on a modular philosophy centered around independent CyberSec Bases. This design ensures that security is never a single point of failure and can scale geographically as the network expands. Each CyberSec Base is composed of two main components: sensor nodes and search nodes.
Key Architectural Components:
- Sensor Nodes: These are the “eyes” of the system, strategically deployed across network segments to capture traffic patterns, logs, and security events at line-rate speeds. These nodes are designed to handle the enormous data throughput of a 100G network, ensuring comprehensive data collection and minimal packet loss.
- Search Nodes: These represent the “brains” of the operation, where data is normalized, enriched, and stored using high-performance indexing for instant retrieval. They utilize advanced algorithms to conduct real-time threat analysis and correlation.
- Manager Nodes: These are the central “orchestrators” that manage IDS rules, aggregate alerts from search nodes, and provide a unified management interface for security teams.
Figure 1 illustrates the robust interconnection between VNET’s Edge Connection Points, Primary and Backup Data Centers, and the distributed CyberSec Bases (A, B, C, and D).
By separating these functions, the VTPP can handle enormous data throughput while maintaining minimal packet loss. Furthermore, the system integrates with VNET’s existing Fibre Channel (FC) storage network, allowing for massive, reliable data retention of up to 80 TB across the platform.
The Open-Source Core: Transparency as a Feature
At the heart of VTPP is Security Onion, a premier open-source platform for threat detection and network monitoring. In a world where proprietary vendors often hide their logic, VNET embraces open source to ensure transparency, community-driven innovation, and cost-effectiveness.
The Tech Stack Breakdown:
- Zeek (formerly Bro): Performs deep packet inspection, providing a semantic understanding of application protocols like HTTP, DNS, and TLS.
- Suricata: A world-class intrusion detection system (IDS) that uses constantly updated signatures to spot known threats.
- The ELK Stack (Elasticsearch, Logstash): The backbone for data processing and lightning-fast searching across millions of events.
- OpenVAS: An enterprise-grade tool integrated for perpetual penetration testing, ensuring that new vulnerabilities are detected and mitigated automatically.
This diagram depicts the flow of data from Forward Nodes through Redis load balancing to the Search Nodes for indexing and querying.
By combining these tools, VTPP offers a “best-of-breed” security stack that is not beholden to any single vendor’s roadmap. This choice allows for greater flexibility and customization in building the platform while remaining cost-effective.
AI-Driven Intelligence: The MINERWA Integration
A standout feature of the VTPP is the integration of an AI/ML data-in-transport analysis module. This module was born from the EU-funded MINERWA project and represents a massive leap forward in anomaly detection. While traditional systems often rely on “sampled metadata” (like NetFlow), which can miss subtle patterns due to sampling rates and flow export timeouts, the VTPP integration allows the AI core to process full raw packet data via Zeek. This enables a Transformer-based architecture to perform high-precision analysis on:
- Credential Theft: Detecting account compromise through behavioral shifts.
- IoT Botnets: Identifying Command-and-Control (C2) traffic from compromised “smart” devices.
- Covert Exfiltration: Spotting data being leaked through unusual application-layer channels like DNS or HTTP.
- Lateral Movement: Tracking attackers as they attempt to move between systems using SMB or RPC traffic.
This integrated Zeek-AI/ML module operates in real-time on gigabit-scale links, turning raw data into enriched traffic context and actionable intelligence.
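As an added example (not code from VTPP or the MINERWA module), the covert-exfiltration case above expressed as a plain statistical rule over Zeek dns.log records: it assumes JSON-formatted dns.log lines as Security Onion writes them and uses constructed sample records. Unlike the MINERWA Transformer, it is only a heuristic (unique-subdomain count and label entropy per client and zone), shown to make concrete what full-packet Zeek logs expose that sampled NetFlow would hide.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed Zeek dns.log records in the JSON form Security Onion writes;
# hosts, names and timestamps are invented for this example.
SAMPLE_DNS_LOG = """\
{"ts":1.0,"id.orig_h":"10.0.0.5","query":"www.example.org","qtype_name":"A"}
{"ts":2.0,"id.orig_h":"10.0.0.5","query":"mail.example.org","qtype_name":"A"}
{"ts":3.0,"id.orig_h":"10.0.0.9","query":"4f3a9c1e7b2d8e0a.tunnel.test","qtype_name":"TXT"}
{"ts":4.0,"id.orig_h":"10.0.0.9","query":"9b7e2d1c6a5f0e3d.tunnel.test","qtype_name":"TXT"}
{"ts":5.0,"id.orig_h":"10.0.0.9","query":"c2d4e6f8a0b1c3d5.tunnel.test","qtype_name":"TXT"}
{"ts":6.0,"id.orig_h":"10.0.0.9","query":"e1f2a3b4c5d6e7f8.tunnel.test","qtype_name":"TXT"}
"""

def shannon_entropy(s: str) -> float:
    # Bits per character; encoded payloads carried in labels score near the maximum.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_query(name: str):
    # Returns (subdomain, zone). Assumes the registrable zone is the last two
    # labels; production code would consult the public-suffix list instead.
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze_dns_log(log_text: str, min_unique=4, min_entropy=3.0):
    # Group queries by (client, zone) and flag zones that receive many unique,
    # high-entropy subdomains: the tunnelling pattern sampled flow data misses.
    groups = defaultdict(lambda: {"subs": set(), "ent": [], "txt": 0, "total": 0})
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        sub, zone = split_query(rec["query"])
        g = groups[(rec["id.orig_h"], zone)]
        g["total"] += 1
        g["txt"] += rec.get("qtype_name") in ("TXT", "NULL")  # record types tunnels favour
        if sub:
            g["subs"].add(sub)
            g["ent"].append(shannon_entropy(sub.replace(".", "")))
    findings = []
    for (host, zone), g in groups.items():
        if len(g["subs"]) < min_unique or not g["ent"]:
            continue
        mean_ent = sum(g["ent"]) / len(g["ent"])
        if mean_ent >= min_entropy:
            findings.append({"host": host, "zone": zone, "unique_subdomains": len(g["subs"]),
                             "mean_entropy": round(mean_ent, 2), "txt_ratio": g["txt"] / g["total"]})
    return findings
```

Thresholds are deliberately conservative; in practice they are tuned per zone against a baseline, and CDN or anti-spam lookups that legitimately use random labels are allow-listed.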
The Hardware Underlay: Engineered for 100G
To support these advanced software capabilities, the VTPP requires an “underlay” of industrial-grade hardware. We have specified components that ensure maximum reliability and performance for a high-speed ISP environment.
Mandatory Hardware Specifications:
- Processing Power: Sensor and Search nodes utilize high-frequency AMD CPUs (3 GHz+) to handle intensive packet analysis and real-time indexing.
- Memory: A massive 768 GB of RAM per node to support large-scale data indexing and AI model inference.
- Storage: High-speed NVMe SSDs provide the IOPS necessary for real-time forensics and long-term investigation. Sensors require local storage to ensure low latency for capturing network packets.
- Connectivity: Support for 100G, 25G, and 10G interfaces via specialized Network Packet Brokers (NPBs). These NPBs must support ISP features such as BGP, MPLS, VXLAN, and EVPN.
- Hardware Security Modules (HSM): Dedicated hardware to protect cryptographic keys, ensuring compliance with FIPS 140-2, NATO SECRET standards, and the EU NIS2 Directive.
This hardware foundation ensures that the platform is not just powerful today, but future-proofed for the next decade of network growth.
Implementation Roadmap: Building the Shield
The deployment of VTPP is structured into distinct Work Packages (WPs) to ensure a smooth transition from legacy systems.
- WP2: Traffic Visibility & Anti-DDoS: Establishing the basis for visibility with 8 monitoring network packet brokers and 4 data sensors. This includes building a fast, automated Anti-DDoS engine.
- WP3: Perpetual Penetration Testing: Deploying OpenVAS to automate the detection of CVEs, unsecured protocols, and vulnerable login portals across applications and IoT devices.
- WP4: AI/ML Enhancement: Integrating the MINERWA core into Zeek for high-performance packet metadata analysis and anomaly detection.
- WP5: Unified Investigation Platform: Consolidating all data feeds into a high-performance SIEM/SOAR environment. This includes utilizing Security Onion for manageable and cost-effective threat detection.
- WP6: Ransomware Prevention: Utilizing HSMs and Key Management Systems (KMS) to separate encrypted data from encryption keys, effectively neutralizing ransomware threats and conforming to industry standards.
- WP7: Global Routing Security: Implementing an RPKI framework to prevent BGP hijacking and malicious traffic redirection, ensuring the integrity of global Internet routing paths.
The PERT diagram provides a detailed timeline of the project, from initial preparatory phases in 2023 to final project closing in late 2026.
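To make the WP7 goal concrete, here is an added example (not VNET's own code) of RFC 6811 route origin validation in Python: given a set of ROAs, it classifies each BGP announcement as Valid, Invalid or NotFound and applies the usual edge policy of dropping only Invalid routes. The ROAs and announcements are constructed from documentation prefixes and private ASNs, and the example covers both IPv4 and IPv6, which goes beyond what the text describes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Roa:
    prefix: str      # IP prefix covered by the ROA, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the holder authorises announcing
    asn: int         # authorised origin AS (0 means "never announce")

# Constructed ROA set using documentation prefixes and private ASNs;
# a real deployment pulls validated ROAs from an RPKI relying-party cache.
SAMPLE_ROAS = [
    Roa("192.0.2.0/24", 24, 64500),
    Roa("2001:db8::/32", 48, 64500),
    Roa("198.51.100.0/24", 24, 0),
]

# Constructed announcements: a legitimate route, an over-specific leak, an origin
# hijack, an unregistered prefix, an IPv6 route and an AS0-protected prefix.
SAMPLE_ANNOUNCEMENTS = [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                        ("192.0.2.0/24", 64501), ("203.0.113.0/24", 64500),
                        ("2001:db8:1::/48", 64500), ("198.51.100.0/24", 64500)]

def covering_roas(net, roas):
    # ROAs whose prefix contains the announced prefix (same address family only).
    return [r for r in roas
            if ipaddress.ip_network(r.prefix).version == net.version
            and net.subnet_of(ipaddress.ip_network(r.prefix))]

def validate_origin(prefix: str, origin_asn: int, roas) -> str:
    # RFC 6811: Valid when a covering ROA lists the origin AS and permits the
    # prefix length; Invalid when ROAs cover it but none match; else NotFound.
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(net, roas)
    if not covering:
        return "NotFound"
    if any(r.asn == origin_asn and net.prefixlen <= r.max_length for r in covering):
        return "Valid"
    return "Invalid"

def filter_announcements(announcements, roas):
    # Typical edge policy: drop Invalid, keep Valid, and keep NotFound as well
    # because ROA coverage is still incomplete. Returns (accepted, rejected).
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (rejected if state == "Invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected
```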
Market Comparison: Why VTPP Wins
When compared to proprietary giants like Palo Alto, Splunk, or IBM QRadar, the VNET VTPP solution offers several decisive advantages.
| Feature/Aspect | VNET VTPP (Security Onion + MINERWA) | Proprietary Commercial Solutions |
|---|---|---|
| Annual Cost | Minimal Licensing (Mostly HW/Customization) | $200,000 - $500,000+ per year |
| Flexibility | Highly Flexible; supports any custom tools | Proprietary; requires vendor-specific tools |
| Transparency | Open Source; no “black box” logic | Closed-source; proprietary |
| Scalability | Modular; easily handles 100G+ | High scalability, but with massive cost increases |
| AI Focus | Full Packet Analysis (MINERWA) | Often limited to sampled metadata or “lite” ML |
By choosing VTPP, organizations achieve a Lower Total Cost of Ownership (TCO) while gaining the ability to customize their security posture to their exact needs. The open-source nature of the solution enables rapid adaptation to new technologies and threat landscapes, ensuring long-term relevance.
Conclusion: A Secure Future for Europe
The VNET Threat Perception Platform is more than just a security upgrade; it is a statement of European digital sovereignty. By merging Slovakian technical expertise with the collaborative power of the open-source community and EU support, we have created a platform that is transparent, incredibly powerful, and ready for the 100G era. Whether it is preventing global routing attacks via RPKI or neutralizing ransomware with hardware-backed encryption, VTPP is the foundation for a safer European internet.