8 Ocak 2015 SOME Etkinligi - A10 Networks - Accelerating and Securing Applications & Networks
©A10 Networks, Inc.
SSL Insight & TPS
Accelerating and Securing Applications & Networks
09242014
Arzu Akkaya
Sinan İlkiz
3400+ Customers in 65 Countries
Web Giants, Enterprises, Service Providers
3 of Top 4 U.S. Wireless Carriers
7 of Top 10 U.S. Cable Providers
Top 3 Wireless Carriers in Japan
SSL Insight
Uncover Hidden Threats in Encrypted Traffic
Uncover Hidden Threats in Encrypted Traffic
– 25% – 35% of Internet traffic is encrypted with SSL
– More than 50% of all attacks will use encrypted traffic to bypass controls by 2017
– Less than 20% of organizations with a firewall, IPS or UTM appliance decrypt inbound or outbound SSL traffic
– 81% average performance loss of leading firewalls when decrypting traffic
– 48% more of the most popular websites use SSL in 2014 than 2013
Sources: NSS Labs, “SSL Performance Problems”; StackExchange analysis on key lengths; NetCraft SSL Survey
Challenge
Malicious users leverage SSL encryption to conceal their exploits.
Organizations need a powerful, high-performance platform to decrypt
SSL traffic.
Solution
A10 Networks enables organizations to analyze all data, including encrypted data, by intercepting SSL communications and sending them to 3rd party security devices such as firewalls, threat prevention platforms and forensic tools for inspection.
Uncover Hidden Threats in Encrypted Traffic
SSL Insight Traffic Flow
1. Encrypted traffic from the client is decrypted by the internal, client-side Thunder ADC
2. Thunder ADC sends the unencrypted data to a security appliance which inspects the data in clear text
3. The external Thunder ADC re-encrypts the data and sends it to the server
4. The server sends an encrypted response to the external Thunder ADC
5. Thunder ADC decrypts the response and forwards it to the security device for inspection
6. The internal ADC receives traffic from the security device, re-encrypts it and sends it to the client
SSL Insight
With SSL Insight, organizations can:
– Achieve high performance with SSL acceleration hardware
– Scale security with load balancing
– Reduce load on security infrastructure by controlling which types of traffic to decrypt
– Granularly control traffic with aFleX policies
– Selectively bypass sensitive web applications*
* With ACOS 4.0.1
A Single Point for Decryption and Analysis
Thunder ADC can work with:
– Firewalls
– Intrusion Prevention Systems (IPS)
– Unified Threat Management (UTM) platforms
– Data Loss Prevention (DLP) products
– Threat prevention platforms
– Network forensics and web monitoring tools
Diagram: Inline and Non-Inline deployment of the security devices
SSL Insight Performance & Summary
– Scalability, with up to 23.8 Gbps of SSL inspection performance in a standard configuration
– Load balancing of security devices to maximize uptime and scale security
– Advanced SSL Insight features like URL classification subscriptions, untrusted certificate handling, and more
– Hardware Security Module (HSM) integration for FIPS 140-2 Level 3 compliant SSL key management
– Traffic steering to intelligently route traffic, optimize performance and reduce security appliance costs
– Validated interoperability with FireEye, RSA, IBM and other leading inspection products ensures that our solutions work together
Threat Protection System
High-performance, Network-wide DDoS Protection
DDoS Problems
– Q3 2010, PayPal: Discloses cost of attack £3.5M (~$5.8 million)
– Q4 2012, Bank of the West: $900k stolen, DDoS as a distraction
– Q1 2013, Credit Union Regulators: Recommend DDoS protection to all members
– Q1 2013, al Qassam Cyber Fighters: 10-40 Gbps attacks target 9 major banks
– Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
– Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
– Q4 2013: PPS reaches 35 million
– Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)
– Q1 2014, CloudFlare: 400 Gbps NTP amplification attack
“High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises”
Source: Gartner
Thunder Threat Protection System (TPS)
Next Generation DDoS Protection
– Multi-vector Application & Network Protection: Detect & mitigate application & network attacks; flexible scripting & DPI for rapid response
– High Performance Mitigation: Mitigate 10 – 155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit
– Broad Deployment Options & 3rd Party Integration: Symmetric, asymmetric, out-of-band; open SDK/RESTful API for 3rd party integration
Mitigating DDoS Attacks
Five principal methods for effective mitigation:
– Packet anomaly check: Network level packet sanity check (conformance)
– Authentication challenge: Network and application level validation of client origination integrity
– Black and white lists: Network level high speed inspection and control
– Traffic rate control: Network and application monitoring to rate limit traffic
– Protocol and application check: Network and application
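As an added illustration of the authentication challenge method (the stateless SYN cookie check that the performance table later counts as SYN Cookies/sec), written for this page and not A10's own code: the secret key, MSS table, 64-second time slot and all addresses below are constructed demo values.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"    # constructed; a real device rotates this key
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit field can encode (RFC 4987 style)
TIME_SLOT = 64                        # seconds per counter tick; a cookie is valid for two ticks


def _mac(saddr, daddr, sport, dport, count):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit hash.
    Nothing is stored per SYN, so a spoofed flood costs one hash per packet and no memory."""
    count = (now // TIME_SLOT) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low = (_mac(saddr, daddr, sport, dport, count) + client_isn) & 0xFFFFFF
    return (count << 27) | (mss_idx << 24) | low


def check_cookie(saddr, daddr, sport, dport, client_isn, ack, now):
    """Validate the client's final ACK. Returns the negotiated MSS, or None when the
    ACK is forged, was issued for another 4-tuple or ISN, or the cookie has expired."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    # Accept only the current or the previous time tick, and only a known MSS index.
    if mss_idx >= len(MSS_TABLE) or ((now // TIME_SLOT) - count) & 0x1F > 1:
        return None
    if (cookie - client_isn) & 0xFFFFFF != _mac(saddr, daddr, sport, dport, count):
        return None
    return MSS_TABLE[mss_idx]


def handshake(saddr, daddr, sport, dport, client_isn, mss, t_syn, t_ack, real_client=True):
    """Model one three-way handshake through the challenge. A spoofed source never
    receives the SYN-ACK, so it cannot echo the cookie; only genuine clients get state."""
    syn_ack_isn = make_cookie(saddr, daddr, sport, dport, client_isn, mss, t_syn)
    ack = syn_ack_isn + 1 if real_client else 0x12345678   # constructed bogus ACK
    return check_cookie(saddr, daddr, sport, dport, client_isn, ack, t_ack)
```

Connection state is allocated only after check_cookie succeeds, which is why the table reports this method in packets per second rather than in concurrent half-open connections.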
Symmetric Deployment
– Inline DDoS detection and mitigation in one box
– Inspect both inbound and outbound traffic
– Suitable for Enterprises
  – Protecting own services
  – Permanent protection
  – Sub-second detection-to-mitigation
Profile
– Detect and inspect L3 – L7 traffic for both inbound and outbound traffic
– Deep statistics sFlow export
– DDoS detection and mitigation at sub-second scale
Diagram: Real-time Detection (Flood Thresholds, Protocol Anomalies, Behavioral Anomalies, Resource Starvation, L7 Scripts, Black Lists) across HTTP, DNS, TCP and UDP; components shown: Telemetry, DDoS Detection System, Collection Device, Services
Asymmetric Reactive Deployment
– Classic deployment model
– Scalable solution for DDoS mitigation
  – Oversubscribed bandwidth deployment
  – No additional latency in peace time
  – Longer time to mitigate
– Suitable for Service Providers
  – Protecting select services
  – Large scale core network
Profile
– Traffic redirected to TPS for scrubbing as needed
  – Support BGP for route injection
– Valid traffic forwarded into network for services
  – Support GRE & IP-in-IP tunneling
Diagram: Core Network, End Customer or Data Center, Services, DDoS Detection System, aXAPI / Manual Action, Traffic Redirection, Telemetry
Asymmetric Reactive Model with CPE
– Recommended for Managed Security Service Providers (MSSP)
– Enable a centralized scrubbing service with high performance TPS
– CPE device at end customer site
  – Symmetric or Out-of-band deployment
Profile
– CPE provides full local mitigation
– Detection system analyses CPE data and mitigates when needed
  – BGP used to direct traffic to cloud based high performance Thunder TPS for scrubbing
Diagram: MSSP Network, ISP Network, End Customer, Services, DDoS Detection System, aXAPI, Traffic Redirection, Telemetry, Thunder TPS CPE
Asymmetric Proactive Deployment
– For high performance DDoS detection and mitigation
– DDoS detection and mitigation in one box
– Suitable for Large Enterprises and ISPs
  – Protecting own services
  – Protecting end customers
  – Large-mid scale core network
Profile
– Inbound traffic always routed toward TPS Insight in peace-time and war-time
– DDoS detection at sub-second scale
Diagram: Core Network, Services, End Customer or Data Center
Out-of-Band (TAP) Deployment
– High Speed DDoS Detection Capability
– Receive and analyze mirrored traffic data from routers
– Build dynamic Black/White lists
  – Function as black/white list master
  – Synchronize lists with cluster members
– Hybrid mode supported
– DDoS statistics and counters for DDoS detection
Diagram: Core Network, Data Center, Services, Mirrored Traffic via TAPs; detection inputs: Protocol Anomalies, Behavioral Analysis, Threat Intel Lists, Geolocation, Global Thresholds, User Thresholds
Thunder TPS Performance
Model:                                 Thunder 3030S TPS (CPE) | Thunder 4435 TPS          | Thunder 5435 TPS          | Thunder 6435 TPS
Mitigation Throughput:                 10 Gbps                 | 38 Gbps                   | 77 Gbps                   | 155 Gbps
TCP SYN Auth/sec PPS*:                 6.5 million             | 35 million                | 40 million                | 70 million
SYN Cookies/sec PPS**:                 6.5 million             | 55 million                | 112 million               | 223 million
DDoS Attack Detection and Mitigation:  Software                | Software + hardware assist | Software + hardware assist | Software + hardware assist
* Packets per second - CPU-based performance
** Packets per second - Hardware (FTA)-based performance
Thank you