l DATA SHEET l

NETSCOUT’s Arbor Edge Defense (AED)

and Arbor Enterprise Manager (AEM)
AI and ML powered DDoS Protection Solution that
Can Stop All DDoS Attacks To Provide Effective First and
Last Line of Automated Perimeter Defense

DDoS attacks are evolving, the new preferred flavor of DDoS attack, is a direct path attack
that adjusts vectors and methodologies to continually evade existing DDoS defenses. Add to
KEY FEATURES & BENEFITS this the ransomware, phishing attempts, and compromised IoT devices and you can see how
organizations are under constant risk from all types of advanced cyber threats. To address
Adaptive DDoS Protection these evolving threats, security teams need solutions that can dynamically adapt to the changing
attacks - both entering or leaving their networks. Just as importantly, these solutions must also
Effectively detect and mitigate ever-changing
DDoS attacks without impacting legitimate
be able to integrate into an organization’s existing security stack and/or consolidate functionality
services by automatically detecting new to reduce cost, complexity, and risk.
attack techniques and providing targeted,
surgical mitigation. Enabled by AI and ML
powered traffic analysis technology, global INTERNAL NETWORK / DATA CENTER
attack visibility, and decades of DDoS
INTERNET
domain expertise.

Inbound Threats Outbound

Enterprise Scale and Multi-Layer Threat
NETSCOUT AED Communication
Defense in-Depth + ATLAS

Centralized and scalable visibility for

management of all deployed AEDs from
a single pane of glass through Arbor Figure 1: The comprehensive hybrid DDoS protection solution.
Enterprise Manager. Intelligently integrates
with Arbor Cloud® for comprehensive,
NETSCOUT® Arbor Edge Defense (AED) is uniquely positioned on the network edge (i.e., between
hybrid DDoS attack protection.
the internet router and the firewall) to provide an inline, always-on, first and last line of defense.
Using stateless AI and ML powered packet processing, continuous global threat intelligence
and decades of DDoS mitigation expertise, AED can automatically stop inbound, dynamic DDoS
Protect Assets in Public Cloud attacks and outbound communication from internal compromised devices communicating with
Deploy virtual AED in AWS and Azure to threat actor command and control (C2) infrastructure. Arbor Enterprise Manager provides a
detect and mitigate attacks targeting assets centralized and scalable single-pane-of-glass console for managing all AEDs.
both from outside of AWS and Azure cloud
and inside the cloud between VPCs. Detect
Attack traffic that is not
being blocked

First & Last Line of Defense

Automatically and surgically block
unwanted inbound and outbound malicious
traffic including malware, scanning and Analyze Alert
Forward packets that Notify operator with
phishing attempts at the network edge have passed DNS attack details and
countermeasures recommend specific
with unparalleled threat intelligence and protection actions
embedded security analysis expertise. to take

Integration with Existing Security

Update Blocking
Stack and Process Based on recommendations,
update countermeasure
NETSCOUT AED’s REST API, support for configuration to block attacks
Syslog (CEF, LEEF) and STIX/TAXII, enable
NETSCOUT AED to be a fully integrated
Figure 2: Arbor Adaptive DDoS Protection is driven by this simple efficient workflow.
component of an organization’s existing
security stack and process. Note: Adaptive DDoS Protection is supported on AED 8100, AED 8200, and virtual AED. AEM is also required.

SECURITY
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

NETSCOUT AED Appliances

Features 8100 8200 HD1000

Physical Chassis: 2RU rack height; Chassis: 2RU; Chassis: 2U rack height
Dimensions Height: 3.45 inches (8.67 cm); Height: 3.4 in (8.68 cm) Weight: 45.2 lbs (20.5 kg) with 1 PPM,
Width: 17.14 inches (43.53 cm); Width: 17.1 in (43.4 cm); add 1.6 lb (.73 kg) per PPM (up to eight)
Depth: 20 inches (50.8 cm); Depth: 30.39 in (77 cm); Height: 3.5 in (8.89 cm)
Weight: 36.95 lbs. (17.76 kg) Weight: 65 lbs (29.5 kg) Width: 17.6 in (44.70 cm)
Depth: 21 in (53.34 cm)

Power Options DC: 2 x DC redundant, hot swap capable Dual hot-swap, redundant (1+1) AC AC: Two 1500-watt redundant power
power supplies; power supplies or DC power supplies: supplies; 100-240V AC, 15-10 A, 50‑60 Hz
DC Power Ratings: -40 to -72 Vdc, 28/14 AC: 1100 W Platinum (derates to 1050 W (x2);
A max (per DC input); @ 110 VAC) DC: Two 1500-watt redundant power
AC: 2 x AC redundant, hot swap capable DC: 1100 W -48 VDC supplies; -48 to -60 Vdc, 44 A (x2)
power supplies;
AC Power Ratings: 100 to 240 VAC,
50 to 60 Hz, 12/6 A max;
Both AC and DC power options are
850‑watt.

Hard Drives 2 x 240GB SSD in RAID 1 Configuration 480GB SSD SATA 6Gbps 2.5in Hot-plug 2 x 480GB SSD drives, RAID 1

Environmental Operating: Temperature: Temperature, operating: 50°F to 95°F Operating temperature:

41ºF to 104ºF (5º to 40ºC) Humidity: (10°C to 35°C) at altitudes less than 2953 39.2º to 104ºF (-4º to 40ºC)
5–85%; ft (950 m) with no direct sunlight on the Relative humidity (operating):
Non-Operating: Temperature -40º to equipment; 5 to 93%, non-condensing
158ºF (-40º to 70ºC); Humidity 95% Humidity, operating: 10% to 80% relative
humidity with 69.8°F (21°C) maximum
dewpoint (non-condensing);
Airflow direction: Front to back. For
proper airflow, ensure that the air intake
is positioned in a cold aisle and the air
exhaust is positioned in a hot aisle.

Operating Our proprietary ArbOS® operating system

System

Management 2 x 1G or 2 x 10G Copper, 2 x 1GE + 2 x 10GE copper management 4 x 1G Copper,

Interfaces RJ-45 serial console support ports RJ-45 serial console port

Protection • 4 x 1 GigE bypass ports (LX, SX or • 16 x 1 GigE bypass ports (LX, SX, or 4 x 100 GigE + 8 x 10 GigE = One to four
Interfaces copper) Copper) 100 GbE QSFP28 (LR) optical transceivers
• 8 x 1 GigE bypass ports (LX, SX, copper • 16 x 10 GigE bypass ports (LR or SR) + One or two 4 x 10 GbE QSFP+ (SR or LR
or mixed) • 4 x 40 GigE bypass ports (LR or SR) Lite) optical transceivers with one 4 x 10
• 12 x 1 GigE bypass ports (LX, SX, • 4 x 100 GigE bypass ports (LR4 or SR4)
GbE breakout cable on each transceiver
copper or mixed)
• 4 x 10 GigE bypass ports (LR or SR)
• 8 x 10 GigE bypass ports (LR, SR, or
mixed)
• 4 x 10 GigE bypass ports (LR or SR)
plus 4 x 1GigE bypass ports (LX, SX or
copper)
• 4 x 10 GigE bypass ports (LR or SR)
plus 8 x 1GigE bypass ports (LX, SX or
copper)
• 8 x 10 GigE bypass ports (LR or SR)
plus 4 x 1GigE bypass ports (LX, SX or
copper)
• 2 x 40 GigE bypass ports (LR or SR)
• 4 x 40 GigE bypass ports (LR or SR)
• 2 x 40 GigE bypass ports (LR or SR) plus
4 x 10 GigE bypass ports (LR or SR)
• 2 x 40 GigE bypass ports (LR or SR) plus
8 x 10 GigE bypass ports (LR or SR)
• 4 x 100 GigE bypass ports (LR4 or SR4)

SECURITY 2
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

Features 8100 8200 HD1000

Protection • 1GigE Copper -> RJ45
Interfaces • 1GigE SX -> LC
(Cont.) • 1GigE LX -> LC
• 10GigE SR -> LC
• 10GigE LR -> LC
• 40GigE LR -> LC
• 100GigE LR4 -> LC
• 40GigE SR -> MTP
• 100GigE SR4 -> MTP

Traffic Bypass Integrated hardware bypass; Internal Integrated hardware bypass; Internal External hardware bypass via 3296 Inline
Options “software” bypass to pass traffic “software” bypass to Bypass Switch
without inspection pass traffic without inspection

Latency Less than 80 microseconds

Availability Inline bypass, dual power supplies, solid- Inline bypass, dual power supplies, solid- External bypass, dual power supplies
state hard drive RAID cluster state hard drive
RAID cluster

Regulatory UL/cUL/EN/IEC 62368-1; EN 55032; EN Regulatory M/N: E82S, UL/cUL/EN/IEC RoHS 6/6, IEC/EN/UL/ CSA 60950-1, FCC
Compliance 55035; CISPR 32, 35; ETSI EN 300 386; 62368-1; CSA C22.2 No. 62368-1:19, 3rd Part 15 Subpart BClass A, ETSI EN 300
cULus Mark; IC ICES-003 Class A; EN 61000- Ed; EN 55032; EN 55035; CISPR 32, 35; 386, CE Mark, RCM Mark, KCC Mark, EAC
3-2; EN 61000-3-3; EMC Directive 2014/30/ IC ICES-003 Class A; FCC 47 CFR Parts Mark, BIS, CCC Mark, CB Certificate and
EU; Low Voltage Directive 2014/35/EU; UL 15, Class A; CE, CB Certificate & Report Report to IEC62368-1 andIEC60950-1,
60950-1 2nd edition/CSA C22.2 No.60950- including all international deviations; 2nd edition and all international
1-07 2nd Edition; FCC 47 CFR Parts 15, RoHS, 2011/65/EU; Israel, Moroccan deviations, EMC Directive 2014/30/EU,
Class A; CB Certificate & Report including all Conformity Mark; VCCI (Japan); RCM Low Voltage Directive 2014/35/EU
international deviations; RoHS 2011/65/EU; (Australia/New Zealand); KCC (South
Moroccan Conformity Mark; VCCI (Japan); Korea); EAC-R Approval (Russia); South
BIS (India); CCC (China); RCM (Australia/ Africa LoA; Mexico.
New Zealand); KCC (South Korea); EAC-R
Approval (Russia); South Africa LoA; Mexico
(UL-CoC for Mexico); NEBS-ready

DDoS & Advanced Cyber Threat Protection

Features 8100 8200 HD1000

Clean Traffic Up to 40 Gbps; Up to 100 Gbps; Up to 200 Gbps;
(Inbound & Up to 22 Mpps (without decryption) Up to 81 Mpps (without decryption) or 42 Up to 8.7 Mpps per PPM
Outbound) Mpps (with decryption)
Throughput

Maximum Up to 77 Gbps; Up to 189 Gbps; Up to 200Gbps;

DDoS Flood Up to 38.92 Mpps (without decryption) Up to 196 Mpps (without decryption) or Up to 289.17 Mpps
Prevention Rate 78 Mpps (with decryption)

Licensed AED is licensed based on clean AED is licensed based on clean AED is licensed based on clean
Capacities traffic throughput (both inbound and traffic throughput (both inbound and traffic throughput (both inbound and
outbound). outbound). outbound).
AED 8100 supports the following licenses: AED 8200 supports the following licenses: AED-HD1000 supports the following
100 Mbps, 250 Mbps, 500 Mbps,1 Gbps, 2 100 Mbps, 250 Mbps, 500 Mbps,1 Gbps, licenses: 25 Gbps, 50 Gbps, 75 Gbps, 100
Gbps, 5 Gbps, 10 Gbps, 20 Gbps, 30 2 Gbps, 5 Gbps, 10 Gbps, 20 Gbps, 40 Gbps, 125 Gbps, 150 Gbps, 175 Gbps and
Gbps, and 40 Gbps. Gbps, 60 Gbps, 80 Gbps and 100 Gbps. 200 Gbps;
Licenses are software upgradeable. Licenses are software upgradeable. Hardware Mitigation Capacity: determined
by the number of PPMs with 25G per
PPM.
Up to 8.7 Mpps per PPM.
Note: Licensed Inspected Throughput
should not go above the Hardware
Mitigation Capacity.

SECURITY 3
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

Features 8100 8200 HD1000

DNS Query DNS Water Torture Prevention: up to 12M QPS during attack and peace time.
Flood DNS Amplification Prevention: up to 19M QPS during attack, and up to 13M QPS during
Prevention peace time
Queries Per
Second Rate

Protected Unlimited
Endpoints

Authentication On device, RADIUS; TACACS

SSL/TLS Traffic TLS, and CAM support can be found in the Decryption Capabilities table on page 8 Not Supported
Support
Capabilities

Management SNMP gets v1, v2c; SNMP traps v1, v2c, v3; CLI; Web UI; HTTPS; SSH customizable, role-based management; Up to 50 AED
(appliances and/or virtual AED running KVM hypervisor) can be managed by the AED Console; managed AED must at least be
running v.6.0 (v AED), v6.4 (HD1000), or v.6.6 (8100).

Protection 100 200 200

Groups

Reporting and Real-time and historical IPV4 and IPV6 traffic reporting, extensive drill-down by protection group and blocked host including total
Forensics traffic, passed/blocked,top destination URLs/services/domains, attack types, blocked sources, top sources by IP location. Packet
visibility in real-time.

DDoS TCP/UDP/HTTP(S) flood attacks, botnet protection, hacktivist protection, host behavioral protection, anti-spoofing, payload
Protection expression-based filtering, permanent and dynamic blacklists/whitelists, traffic shaping, multiple protections for HTTP, DNS and
SIP, TCP connection limiting, fragmentation attacks, connection attacks.

Modes Inline active; inline inactive (reporting, no blocking); SPAN port monitor

Notifications SNMP trap, Syslog (CEF,LEEF); email

Cloud Signaling Yes (collaborative DDoS attack mitigation with service provider or Arbor Cloud)

Web-Based GUI Supports multi-language translated user interfaces

Supported Google Chrome 83, Mozilla Firefox 77, Internet Explorer 11

Browsers

Maximum IoCs 3+ Million

Ioc Types & IP address, fully qualified domain names, URLs. Formats: Proprietary ATLAS Intelligence Feed format, STIX, and TAXII
Formats

SECURITY 4
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

Virtual AED
Features VMware KVM
Virtual Network Cloud-Init v0.7.6, Openstack Kilo and Mitaka series, OpenStack Heat, OpenStack Tacker, Ansible, Nokia Cloudband, Cisco
Function (VNF) NSO/ESC, Cisco NFVIS, Amdocs, Netcracker and other ONAP or ETSI NFV management and orchestration technologies
Orchestration

Minimum Virtual 4 vCPUs; 100 GB Storage; 12 GB RAM; 4 Interfaces (4 x virtio on KVM, 4 x E1000 on VMWare)
Machine Requirements

Supported VMware vSphere 5.5 or newer KVM kernel 3.19 or newer, QEMU 2.0
Hypervisors

Maximum Inspected 1 Gbps 10 Gbps (with SR-IOV)

Throughput / Instance

Maximum DDoS Flood 910 Kpps 12 Mpps

Rate / Instance

Number of Protection 50
Groups

Note: To use Adaptive DDoS Protection with a vAED, the minimum requirements are: 6 vCPUs; 100 GB Storage; 48 GB RAM.

Virtual AED for AWS

The EC2 Instance Types listed below are for guidance only. Different EC2 Instance Types can be used, as long as the vCPU and Memory are of the
equivalent capacity to the one being referenced.

Capacity Per vAED Instance EC2 Instance Type Reference CPU Cores
1 Gbps c5n.2xlarge 8
5 Gbps c5n.9xlarge 36
10 Gbps c5n.18xlarge 72

Virtual AED for Azure

• Virtual AED can be deployed in Azure as network virtual appliance.
• Each vAED instance supports up to 10 Gbps of clean traffic (inbound and outbound).

Virtual Arbor Enterprise Manager (vAEM) for Azure

Azure VM
Managing up to 5 AEDs D4s_v5 with 512 GB​
Managing up to 20 AEDs D8s_v5 with 1TB disk​
Managing over 20 AEDs D16s_v5 with 2TB disk​

Arbor Enterprise Manager

Supported Platforms Arbor Appliance; Virtual Machine

Max Number AED / 50

APS Managed

Supported Browsers Google Chrome 80, Mozilla Firefox 74, Internet Explorer 11

SECURITY 5
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

Virtual Arbor Enterprise Manager (vAEM) Configurations

Configuration Base vAEM with 2 Devices Each Additional Device

Disk Space 250GB 70GB
Cores 4 0.25
Memory 16GB 1GB
Management
1 management interface required; a second management interface is optional
Interface
Hypervisor
Requirements VMware vSphere Hypervisor™ version 6.7 or later; VMware vSphere Client software, version 6.7 or later
Contents

Arbor Enterprise Manager 8000 Appliance

Features 8000
Power Requirements Dual redundant, load-sharing, auto-sensing 850 Watt power supplies
AC: 100-240 VAC, 50/60 Hz, 10/5 A
DC: -40 Vdc to -72 Vdc, 25/12.5 A

Physical Dimensions Chassis: 2U rack height;

Height: 3.45 inches (8.67 cm);
Width: 17.14 inches (43.53 cm);
Depth: 20 inches (50.8 cm);
Weight: 36.95 lbs. (17.76 kg); Standard 19 and 23 inches rack mountable

Processors 2 × Intel Xeon Gold 5218T 2.1GHz 16 cores

Hard Drives Minimum: Six 480GB solid state drives configured for RAID 5

Network Interfaces 2 x 10G RJ45 onboard, 4 x 10G pluggable ports via installed PCI card

Environmental Operating: 41º – 104ºF (5º – 40ºC), 5-85% humidty

Non-Operating: -40ºF – 158ºF (-40ºC – 70ºC), 95% non-condensing humidity

Operating System Our proprietary, embedded ArbOS operating system, based on Linux

Regulatory UL 60950-1 2nd edition/CSA C22.2 No.60950-1-07 2nd Edition, EMC Directive 2014/30/EU, Low Voltage Directive 2014/35/
Compliance EU, CB Certificate and Report to IEC62368-1 and IEC60950-1, 2nd edition and all international deviations, CE, FCC 47CFR
Parts 15, Verified Class A limit, ICES-003 Class A Limit, VCCI Class A ITE, RoHS (recast) Directive 2011/65/ EU, Moroccan
Conformity Mark, KC (Korea) Approval, RCM (Australia/New Zealand) Approval, EAC (Russia)

SECURITY 6
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

Decryption Capabilities

• Supports Perfect Forward Secrecy (PFS) through TLS Proxy.

• Performance data are measured with 2048-bit key.

Performance TLS Proxy Cryptographic Acceleration

Module (CAM)
Connections/Sec. • Each AED 8100 supports • Each AED 8100 supports up
up to 19,000 connections/ to 97K connection/sec.
sec total, and up to 3400
connections/sec for
encrypted application layer
attack decryption.
• Each AED 8200 supports up
to 100,000 Total, and up to
22,000 connections/sec for
encrypted application layer
attack decryption.
Inbound Inspected Throughput • Each AED 8100 supports up • Each AED provides up to
to 1.8 Gbps. 18 Gbps.
• Each AED 8200 supports up
to 10 Gbps.

 Supported  Supported for TLS 1.3

 Unsupported  Supported for TLS 1.2
 Unsupported in FIPS mode

Supported Cipher Suites

IANA Name TLS Proxy CAM

TLS_AES_256_GCM_SHA384  x

TLS_AES_128_GCM_SHA256  x

TLS_CHACHA20_POLY1305_SHA256  x

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  x

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  x

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  x

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  x

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  x

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256  x

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA  x

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  x

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  x

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  x

TLS_RSA_WITH_AES_128_GCM_SHA256  x

TLS_RSA_WITH_AES_256_GCM_SHA384  x

TLS_RSA_WITH_AES_128_CBC_SHA  
TLS_RSA_WITH_AES_256_CBC_SHA  
TLS_RSA_WITH_3DES_EDE_CBC_SHA  
SSL_RSA_WITH_3DES_EDE_CBC_SHA x 
TLS_RSA_WITH_AES_128_CBC_SHA256 x 

SECURITY 7
 l DATA SHEET l NETSCOUT’s Arbor Edge Defense (AED) and Arbor Enterprise Manager (AEM)

IANA Name TLS Proxy CAM

TLS_RSA_WITH_AES_256_CBC_SHA256 x 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 x 
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 x 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 x 
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 x 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 x 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 x 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 x 
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 x 
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA x 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA x 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA x 
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA x 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA x 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA x 
TLS_RSA_WITH_RC4_128_SHA x x
TLS_RSA_WITH_RC4_128_MD5 x x
TLS_RSA_WITH_DES_CBC_SHA x x
SSL_RSA_WITH_DES_CBC_SHA x x

Note: Unlike the passive decryption capabilities provided by CAM, the TLS proxy plays an active role in cipher suite negotiation. This active role allows the
TLS proxy to select the most modern, secure cipher suites, which eliminates the need to support a larger set of older, less secure cipher suites.

If the client and server support a cipher suite that the TLS proxy supports, then the client can connect and the TLS proxy can decrypt traffic. In this case, the
cipher suite that AED uses with the TLS proxy might be different than the cipher suite that AED uses when the TLS proxy is not present.

For more information about the cipher suites and their security efficacy, refer to the SSL Labs web site at https://www.ssllabs.com/

Corporate Headquarters Sales Information Product Support

NETSCOUT Systems, Inc. Toll Free US: 800-309-4804 Toll Free US: 888-357-7667
Westford, MA 01886-4105 (International numbers below) (International numbers below)
Phone: +1 978-614-4000
www.netscout.com

NETSCOUT offers sales, support, and services in over 32 countries. Global addresses, and international numbers are
listed on the NETSCOUT website at: www.netscout.com/company/contact-us

© 2024 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Omnis, Guardians of the Connected World, Adaptive Service Intelligence, Arbor, ATLAS, InfiniStream,
nGenius, and nGeniusONE are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or its subsidiaries and/or affiliates in the USA and/or other countries.
Third-party trademarks mentioned are the property of their respective owners.
SECPDS_013_EN-2406 12/2024