A10 Capabilities Overview(2015-05-29)
©A10 Networks, Inc.
A10 Networks Overview, May 2015
Accelerating and Securing Data Center Applications & Networks
David Ayoub, RSM - Intel / NAVY / CYBER / [email protected]
A10 Corporate Introduction
Headquarters in San Jose; 700+ employees; offices in 27 countries; customers in 65 countries.
Company growth (annual revenue): 2010 $55M; 2011 $92M; 2012 $120M; 2013 $142M; 2014 $180M
Customer growth: Q4'11 1,000+; Q4'12 2,000+; Q4'13 2,900; now 3,900+
3,900+ Customers in 65 Countries
Web giants, enterprises and service providers, including 3 of the top 4 U.S. wireless carriers, 7 of the top 10 U.S. cable providers, and the top 3 wireless carriers in Japan.
Federal Presence: Certifications, Tech Partnerships, Customers
– Certs: 1659, 1963
– DISA ATO
– EAL2+ Certified
– Listed as IA Tool
Why A10?
– Best-in-class application networking performance and scalability
– Software-based platform with platform APIs for cloud integration
– Flexible form factors and packaging
– Predictable CapEx / OpEx with all-inclusive licensing and support pricing
– Highly efficient design for data center OpEx
– Gold standard for quality and reliability
A10 ACOS Platform
ACOS Platform: High Performance Application Networking
Shared memory architecture across cores 1, 2, 3 ... N, built on:
– Flexible Traffic Accelerator (FTA)
– Switching and routing
– Efficient and accurate memory architecture
– 64-bit multi-core optimized
– Optimized flow distribution
Delivering application acceleration, application security and application availability.
Competitors' Approach: Parallel Processing with Dedicated Memory
– Can modestly scale up parallel processing efficiency
– Can eliminate the requirement for some memory sharing
– Flaw: memory elements must still be replicated, impacting performance
  – Configurations: system, interface, VIP, rates, rules, et al.
  – Caching: inherently a cross-flow, cross-core function
  – Learning: security policies are inherently shared (black lists, cookies, ...)
Diagram: L4-7 CPU 1 through CPU 5, each with its own dedicated memory, connected over a communication bus.
A10 ACOS Approach: Parallel Processing with Shared Memory
– Scales up parallel processing linearly
– Zero memory duplication, zero IPC, zero locking, zero scheduling, zero interrupts
Diagram: L4-7 CPU 1 through CPU 5 attached to high-speed shared memory.
Benefits of ACOS Shared Memory
Diagram: ACOS shared memory (L4-7 CPU 1-5 on high-speed shared memory) versus a conventional IPC architecture (L4-7 CPU 1-5 on a communication bus).
Linear Scaling – Shared Memory Architecture
Chart: resource efficiency versus number of CPU cores, comparing the conventional IPC memory architecture (parallel processing with dedicated memory) against the A10 ACOS shared memory architecture.
Benefits: cost, power, heat, size
ACOS: Platform for Application Service Gateway Portfolio
Software product lines: ADC, CGN, TPS
Policy management: aGalaxy
Platform OS and services: ACOS – Advanced Core Operating System
– Security: DDoS | SSL | WAF | AAM | DAF
– Optimization & Acceleration: IPv6 | SLB | SSL | GSLB | TCP Opt | NAT
– aXAPI, aFleX, aCloud™ Services Architecture (SDN & Cloud Integration)
Form factors: Thunder™ and AX Series appliances, Virtual Chassis (aVCS), Thunder HVA appliances, Application Delivery Partitions (ADPs), vThunder perpetual license, vThunder pay-as-you-go license
IT delivery models: dedicated data centers, multi-tenant data centers, dedicated network, managed hosting, cloud IaaS
Thunder ASG Products & Example Deployment Use Cases
– ADC: SLB, cache, SSL offload, WAF (data center demilitarized zone, DMZ)
– ADC: FWLB and SSL Intercept
– CGN: CGNAT, NAT44, NAT64, DS-Lite (carrier network)
– TPS: DDoS detection and mitigation
– aCloud: pay-as-you-go licensing model (managed hosting provider and IaaS)
Objective Data Comparison – FIPS 140-2
Source: company public data sheets. * Additional SSL performance available.
Note: based upon F5's lowest-priced "Good" license package with LTM only (no Better/Best).

| Platform | Thunder 1030S-FIPS | BIG-IP 5250V-FIPS | BIG-IP 7200V-FIPS | Thunder 3030S-FIPS | Thunder 4430(S)-FIPS* | BIG-IP 10200V-SSL | Thunder 5430-FIPS* | Thunder 6430S-FIPS |

Performance
| L4 connections per second | 450,000 | 700,000 | 775,000 | 750,000 | 2,700,000 | 1,000,000 | 3,700,000 | 5,300,000 |
| HTTP requests per second | 2,000,000 | 7,000,000 | 7,000,000 | 3,000,000 | 11,000,000 | 14,000,000 | 20,000,000 | 31,000,000 |
| L7 throughput (Gbps) | 10 | 15 | 20 | 30 | 38 | 40 | 78 | 145 |
| L7 requests per second (Inf-Inf) | 480,000 | 1,500,000 | 1,600,000 | 800,000 | 1,590,000 | 2,000,000 | 2,100,000 | 3,300,000 |
| Max. SSL TPS, 2K keys* | 7,000 | 5,000 | 9,000 | 14,000 | 68,000 | 9,000 | 68,000 | 130,000 |

Price performance
| SLB/LTM price | $23,095 | $76,995 | $94,995 | $32,995 | $113,295 | $119,995 | $145,195 | $296,995 |
| $ / L4 CPS | $0.05 | $0.09 | $0.09 | $0.04 | $0.03 | $0.09 | $0.03 | $0.05 |
| $ / SSL TPS, 2K keys | $3.00 | $3.05 | $2.80 | $2.14 | $1.29 | $2.26 | $1.72 | $2.08 |

Resources
| CPU type | Intel Xeon quad core | Intel Xeon quad core | Intel Xeon quad core | Intel Xeon quad core | Intel Xeon hexa core | Intel Xeon hexa core | Intel Xeon deca core | Intel Xeon 2x octo core |
| Memory | 8 GB | 32 GB | 32 GB | 16 GB | 32 GB | 48 GB | 64 GB | 128 GB |
ACOS: SW Agility Supports Rapid Product Line Extensions
– ADC: SLB, NAT, SSL offload, DDoS, DNS FW, WAF, SSL Intercept, AAM
– CGN: NAT, DDoS, CGNAT, IPv6, IP proxy gateway
– TPS: volumetric attack mitigation, resource attack mitigation, protocol attack mitigation
– Future products in development, all built on ACOS
Gold Standard for Reliability & Quality
ACOS designed for reliability:
– No HDD – SSD only
– No CPU fans – hot-swap fans only
– No moving parts on motherboard
Reliability data:
– A10 DOA & RMA rate: < 2.0% (2013 rate)
– Industry standard DOA & RMA rate: ~4.0% (IT infrastructure)
Customer Case Studies
CASE STUDY: BOX – ADC Solution
Leading, fast-growing "prosumer" cloud service
NEED: Scalable ADC infrastructure to provide high performance to a growing user base; solve low reliability and outages from the incumbent
SOLUTION: Greater than 4x connections per second and 3x the throughput; greater than 2x price-performance with increased reliability; reduced network downtime
Chart: A10 Thunder 3030S ADC versus F5 BIG-IP 4000S ADC
– Price: $30K base vs. $64K* (about ½)
– Connections (L4 CPS): 750,000 vs. 150,000 (5x)
– Throughput (Gbps): 30 vs. 10 (3x)
* F5 "Better" license
CASE STUDY – CGN Solution
National provider of wireless voice, messaging and data services
NEED: Deliver reliable service to millions of subscribers; avoid a costly and disruptive IPv6 replacement
SOLUTION: Scalable translation solution that extends the life of IPv4; roughly 3x overall performance at roughly ¼ the price vs. the incumbent edge-router vendor
Chart: A10 CGN (1 RU of space) versus Juniper MX480 3D with MS-DPC (4) (8 RU of space)
– Throughput (Gbps): 115 vs. 76 (1.5x)
– Simultaneous sessions (# flows): 256M vs. 68M (~4x)
– Capacity (# subscribers): 512,000 vs. 136,000 (~4x)
Thunder Series ADC Product Line Overview
Thunder ADC Solutions to Enhance Your Business
Availability: scale web and key infrastructure; reduce downtime; ensure business continuity
Acceleration: provide fast and responsive services; competitive advantage; drive down CAPEX and OPEX
Security: protect against advanced and emerging attacks; protect brand and guard against revenue loss; meet required compliance standards
Enterprise Data Center
– Application availability – to maintain uptime: SLB, GSLB, high availability (HA), health checks, more
– Application acceleration – for equipment consolidation and a faster user experience: caching, compression, network optimization, more
– Application security services – for brand and asset protection while enhancing your existing security: FWLB, WAF, SSL services, more
Diagram: A10 ADC in front of web, app, DNS and other application servers, with a backup data center.
– Acceleration: SSL offload, TCP reuse, RAM caching, compression
– Security: DDoS mitigation, WAF, DAF, AAM
– Availability: GSLB, high availability, health checks
DMZ Security Solutions
– Scaling security devices and encrypted communications – SSL Intercept: eliminate the encryption blind spot and scale security appliances; FWLB and SSL offload, more
– Defend against emerging DDoS attacks – network and application protection
– Selectively apply dynamic security chains – traffic steering and advanced ADC services
Features: firewall load balancing, DDoS mitigation, WAF, DAF, AAM, traffic steering, aFleX scripting, SSL offload
Diagram: A10 ADC (firewall load balancing, SSL Intercept) in front of data center firewalls, IDS/IPS, DLP and other devices, with a second A10 ADC facing internal users.
Application Access Management
Application Access Management (AAM)
Values:
– Requires valid user authentication for resource access
– Enhanced protection and server efficiency
– Authentication offload
Advantages:
– Supports popular authentication services/stores
– No adjustment to web servers or infrastructure
– Seamless integration
– No license required
Flow (AAM in the middle): access request → authentication challenge → authentication request → authentication success → access granted.
AAM Features
Authentication methods:
– Basic HTTP
– Form-based: web page generated from the Thunder ADC (not the web servers)
– Certificate authentication with OCSP responder support
Authentication server support:
– LDAP, including password change
– RADIUS
– OCSP
Authentication relay:
– Basic HTTP
– Kerberos authentication: single sign-on, Kerberos Constrained Delegation (KCD), Kerberos Protocol Transition (KPT)
Health monitoring: LDAP, RADIUS, Kerberos
Load balancing: LDAP, RADIUS, OCSP
AAM Transaction Overview
Example AAM configuration:
– Logon: HTTP Basic login
– Authentication: LDAP authentication
– Authentication relay: HTTP Basic
Diagram: clients → Thunder ADC (AAM) → SharePoint servers, authenticating against Active Directory.
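As an added illustration of the transaction the diagram describes (not part of the A10 slides and not ACOS code), the Python below models the ADC's role in the example configuration: an HTTP Basic logon, authentication against a directory, and an HTTP Basic relay to the backend. The credential store, the realm name and the X-Authenticated-User header are constructed stand-ins for the LDAP/Active Directory side and for whatever the real relay emits.

```python
import base64
import hashlib
import hmac

# Constructed credential store standing in for the LDAP directory (hypothetical;
# not ACOS). Passwords are kept as salted PBKDF2 hashes, never in clear text.
_SALT = b"constructed-demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 50_000)


USER_STORE = {"alice": _digest("correct horse battery staple")}
REALM = "aam-demo"   # constructed realm name


def make_basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None
    when the header is absent, not Basic, not valid base64, or has no ':'."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(user: str, password: str) -> bool:
    """Check a credential against the store. The hash is always computed and the
    comparison is constant-time, so unknown users cost the same as known ones."""
    candidate = _digest(password)
    stored = USER_STORE.get(user)
    return stored is not None and hmac.compare_digest(stored, candidate)


def challenge():
    """The ADC answers an unauthenticated request itself (authentication offload)."""
    return {"status": 401, "headers": {"WWW-Authenticate": f'Basic realm="{REALM}"'}}


def aam_handle(request):
    """One pass through the AAM transaction for a client request.

    request: {"path": str, "headers": {...}}. Returns either the response sent
    back to the client (a 401 challenge) or, on success, a 200 marker plus the
    request as relayed to the backend with HTTP Basic credentials re-attached,
    so the web server itself needs no change.
    """
    creds = parse_basic(request["headers"].get("Authorization"))
    if creds is None:
        return challenge()                 # access request -> authentication challenge
    user, password = creds
    if not authenticate(user, password):
        return challenge()                 # failed authentication request -> challenge again
    relayed = {
        "path": request["path"],
        "headers": {
            # HTTP Basic relay: the validated credential is forwarded to the backend.
            "Authorization": make_basic_header(user, password),
            # Constructed header telling the backend which identity the ADC verified.
            "X-Authenticated-User": user,
        },
    }
    return {"status": 200, "relay": relayed}   # authentication success -> access granted


if __name__ == "__main__":
    print(aam_handle({"path": "/sites/team", "headers": {}}))
    ok = {"Authorization": make_basic_header("alice", "correct horse battery staple")}
    print(aam_handle({"path": "/sites/team", "headers": ok})["status"])
```

The point a practitioner should take from the model is where the checks sit: the challenge and the credential validation are both done by the proxy, the backend only ever sees already-validated requests, and malformed or non-Basic headers are treated exactly like a missing one rather than passed through.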
SSL Intercept
SSL Intercept Overview
The SSL Intercept feature transparently intercepts traffic, decrypts it, forwards it through a firewall for deep packet inspection, and then securely forwards it on to its destination.
2048-bit keys are now the standard:
– CPU utilization rises exponentially with increases in encryption strength
Thunder ADCs are the right choice:
– Dedicated security processors for hardware SSL
– Firewalls can't always do SSL Intercept at scale
– Freedom to choose best-of-breed traffic inspection/mitigation
Diagram: client → A10 ADC (encrypted) → inspection/protection devices (IDS, DLP, UTM, other) on decrypted traffic → A10 ADC → server (encrypted).
SSL Intercept Function
Transparently intercept SSL traffic, decrypt it, and send it through the firewall.
There are three distinct stages of traffic handling, as depicted in the diagram:
1. Traffic is encrypted in passing from the client to the inside Thunder ADC (SSL encrypted connection)
2. Traffic passes from the inside Thunder ADC to the outside Thunder ADC, and then through the firewall. Traffic is in plain text during this segment (unencrypted traffic flow)
3. Traffic from the outside Thunder ADC is sent to the remote server, where it is encrypted once again (SSL encrypted connection)
Thunder ADC SSL Intercept Solution
– User connects to a site (www.example.com) using SSL
– ACOS terminates the client/server SSL connection on internal/external forward-proxy ACOS ADCs
– ACOS creates an unencrypted zone
– Unencrypted traffic passes to security devices (malware detection, security forensics), which can now inspect the traffic and mitigate per corporate policy
Diagram: SSL connection to www.example.com – encrypted → un-encrypted zone (decrypted) → encrypted.
High Performance Security with SSL Intercept
Problem: provide high-performance security for
– Stateful firewall
– URL filtering
– IDS/IPS
– SSL decryption and inspection
Enabling all these features degrades security performance significantly.
– Solution: ACOS Series SSL Intercept with security processors
– Net effect: security platforms have more processing resource available for policy inspection due to ACOS SSL Intercept
Diagram: SSL connection to www.example.com – encrypted → ACOS decryption, inspection by the firewall and IPS/IDS on decrypted traffic, re-encryption → encrypted.
Application Delivery Partition (ADP)
ADP Overview and Benefits
Application Delivery Partitions (ADP) provide isolation of configuration components and administration:
– Role-based administration partitions (up to 255 RBA partitions): isolate Layers 4-7; share resources (app, network and system) with the rest of the system equally
– Layer 3 virtualization partitions (up to 1023 L3V partitions): isolate Layers 3-7; allow customized resource allocation through system-resource-usage templates

    A1-Active-vMaster[1/1](config)#system resource-usage template L3V_1
    A1-Active-vMaster[1/1](config-resource template)#?
      app-resources      Enter the application resource limits
      network-resources  Enter the network resource limits
      system-resources   Enter the system resource limits

Note: an additional RBA and L3V partition exists if you count the shared partition allocation.
Sharing Resources in RBA Partitions
In Layers 1-3, objects are public and must be unique. They can be shared unless they are part of a private object defined in an RBA partition. Server _s1's IP address in this example cannot be used by any other partition.
Diagram: RBA_Part1, RBA_Part2, RBA_Part3
– Private space (Layers 4-7): virtual server; Server _s1 (port 80, 10.0.0.10)
– Shared space (Layers 1-3): VE interfaces, IP addresses, VLANs; Ethernet interfaces
Sharing Resources in L3V Partitions
Note: in L3V partitions IP addresses are private.
Diagram: L3V_Part1, L3V_Part2, L3V_Part3, each with its own configured interfaces, its own virtual server, and its own Server _s1 (port 80, 10.0.0.10) using the same address
– Private space (Layers 3-7)
– Shared space (Layers 1-2): VLANs, Ethernet (physical) interfaces
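The following Python model, added here and not part of ACOS, captures the rule the two diagrams illustrate: an RBA partition's server IP lives in the shared Layer 1-3 space and must be unique across RBA partitions, while an L3V partition owns its Layer 3 space and may reuse the same address. The partition-count limits are the ones stated above; the shape of the resource-usage template (an app-resources server limit) and the class and method names are constructed for the example.

```python
import ipaddress

# Limits stated on the ADP overview slide.
MAX_RBA = 255
MAX_L3V = 1023


class PartitionError(ValueError):
    pass


class PartitionedDevice:
    """Hypothetical model of ADP address sharing (not ACOS code)."""

    def __init__(self):
        self.kinds = {}       # partition name -> "rba" | "l3v"
        self.templates = {}   # L3V partition -> {"app": {"servers": n}} (constructed shape)
        self.servers = {}     # (partition, server name) -> (ip, port)

    def create_partition(self, name, kind, template=None):
        if name in self.kinds:
            raise PartitionError(f"partition {name} already exists")
        if kind not in ("rba", "l3v"):
            raise PartitionError("kind must be 'rba' or 'l3v'")
        limit = MAX_RBA if kind == "rba" else MAX_L3V
        if sum(1 for k in self.kinds.values() if k == kind) >= limit:
            raise PartitionError(f"{kind} partition limit of {limit} reached")
        if template is not None and kind != "l3v":
            # RBA partitions share resources equally; templates are an L3V feature.
            raise PartitionError("resource-usage templates apply to L3V partitions only")
        self.kinds[name] = kind
        if template is not None:
            self.templates[name] = template

    def add_server(self, partition, name, ip, port):
        kind = self.kinds[partition]
        addr = ipaddress.ip_address(ip)
        if kind == "rba":
            # Layers 1-3 are shared space: an IP used by a server in one RBA
            # partition is public and may not be reused by another partition.
            for (other_part, other_name), (other_ip, _) in self.servers.items():
                if (self.kinds[other_part] == "rba" and other_ip == addr
                        and other_part != partition):
                    raise PartitionError(
                        f"{ip} already used by server {other_name} in {other_part}")
        else:
            # Layer 3 is private to an L3V partition, so the same IP may appear in
            # several L3V partitions; only the partition's template limit applies.
            limit = self.templates.get(partition, {}).get("app", {}).get("servers")
            in_use = sum(1 for (p, _) in self.servers if p == partition)
            if limit is not None and in_use >= limit:
                raise PartitionError(f"{partition}: app-resources server limit {limit} reached")
        self.servers[(partition, name)] = (addr, port)
        return (str(addr), port)


def rejects(fn, *args, **kwargs):
    """True when fn(*args) raises PartitionError; used to show a rejected operation."""
    try:
        fn(*args, **kwargs)
    except PartitionError:
        return True
    return False


def demo():
    """Reproduce the two diagrams: RBA partitions collide on 10.0.0.10, L3V ones do not."""
    dev = PartitionedDevice()
    for p in ("RBA_Part1", "RBA_Part2", "RBA_Part3"):
        dev.create_partition(p, "rba")
    for p in ("L3V_Part1", "L3V_Part2", "L3V_Part3"):
        dev.create_partition(p, "l3v", template={"app": {"servers": 2}})
    dev.add_server("RBA_Part1", "_s1", "10.0.0.10", 80)
    rba_collision = rejects(dev.add_server, "RBA_Part2", "_s1", "10.0.0.10", 80)
    for p in ("L3V_Part1", "L3V_Part2", "L3V_Part3"):
        dev.add_server(p, "_s1", "10.0.0.10", 80)
    l3v_count = sum(1 for (p, _) in dev.servers if p.startswith("L3V"))
    return rba_collision, l3v_count


if __name__ == "__main__":
    print(demo())   # (True, 3)
```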
aFleX TCL Scripting
aFleX Overview
aFleX is a powerful and flexible Thunder feature that you can use to manage your traffic and provide enhanced benefits/services.
– aFleX uses industry-standard TCL (Tool Command Language) based syntax: standard TCL commands plus a special set of extensions provided by the Thunder
– aFleX allows content inspection (headers / data) and actions on traffic:
  – Block traffic
  – Redirect traffic to a specific service group (pool) or server (node)
  – Modify traffic content
aFleX Configuration
Place the aFleX script on the Thunder:
– Using the CLI: use a computer with any text editor to write an aFleX script and save it as a file; use the "import aflex" command to import the aFleX file from a server to the Thunder; aFleX CLI syntax check: "aflex check <name>"
– Using the web GUI: with the ACOS web interface, users can directly type in aFleX scripts and save them on the Thunder under "Config > Service > aFleX"
– Using the aFleX editor: the aFleX editor can download/upload aFleX scripts from/to the Thunder. Moreover, it can do syntax checking. It also has syntax highlighting, keyword auto-completion, etc.
aFleX Five Basic Elements
1. Events: triggered based on client/server packet and/or connection flow
2. Operators: a descriptive string representing a relational or logical operation to be executed
3. Commands: used on elements within the packet flow headers in order to gather data or provide various aFleX functionality
4. Variables: used to store information in memory to be recalled when needed
5. Conditionals: control structures that allow you to create a logical flow within your code
Creating an aFleX
Sample use cases for aFleX scripting:
– Redirect end users to the backup data center when the primary data center is not reachable
– Transparent conversion of HTTP requests to HTTPS
– Add a hostname to an existing web site
Both CLI and GUI options for aFleX scripting:
– CLI: aflex create <name>
– GUI: see screenshot
Sample aFleX Scripts
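The transcript does not carry the sample scripts themselves. As an added example (written in Python rather than aFleX TCL, and not A10 code), the function below implements the three use cases from the "Creating an aFleX" slide as one request-time policy, with the five basic elements (event, variables, operators, commands, conditionals) marked in comments. The pool name, the backup site, the hostnames and the pool-status lookup are all constructed assumptions.

```python
# Hypothetical model of an HTTP-request policy; not aFleX and not ACOS. Names below are constructed.
PRIMARY_POOL = "dc1-web"                     # service group (pool) in the primary data center
BACKUP_SITE = "https://backup.example.com"   # entry point of the backup data center
CANONICAL_HOST = "www.example.com"           # the existing web site
HOST_ALIASES = {"example.com", "www.example.net"}   # hostnames added to the existing site
KNOWN_HOSTS = HOST_ALIASES | {CANONICAL_HOST}


def pool_has_live_member(pool_state, pool):
    """Command stand-in: a health-check driven pool status lookup (assumed interface)."""
    return any(is_up for is_up in pool_state.get(pool, {}).values())


def on_http_request(req, pool_state):
    """Event: one decision per client HTTP request.

    req        = {"scheme": "http" | "https", "host": str, "uri": str}
    pool_state = {pool name: {member: is_up}}
    Returns an action dict describing what the ADC does with the request.
    """
    # Variables: the Host header without any port, and a sanitized request path.
    host = req["host"].split(":")[0].lower()
    uri = req["uri"] if req["uri"].startswith("/") else "/"

    # Conditional 0 (operator: set membership). Never build a redirect from a Host
    # value we do not serve; an unchecked Host would make the HTTPS redirect an
    # open redirect to whatever name the client supplied.
    if host not in KNOWN_HOSTS:
        return {"action": "reject", "status": 400}

    # Conditional 1: transparent conversion of HTTP requests to HTTPS.
    if req["scheme"] == "http":
        return {"action": "redirect", "status": 301, "location": f"https://{host}{uri}"}

    # Conditional 2: primary data center not reachable -> send the user to the backup.
    if not pool_has_live_member(pool_state, PRIMARY_POOL):
        return {"action": "redirect", "status": 302, "location": f"{BACKUP_SITE}{uri}"}

    # Conditional 3: an added hostname is served by rewriting Host to the existing site
    # (modify traffic content) before the request is sent to the primary pool.
    headers = {}
    if host in HOST_ALIASES:
        headers["Host"] = CANONICAL_HOST
    return {"action": "forward", "pool": PRIMARY_POOL, "headers": headers}


if __name__ == "__main__":
    state = {PRIMARY_POOL: {"10.0.0.10:80": True, "10.0.0.11:80": False}}
    print(on_http_request({"scheme": "http", "host": "www.example.com", "uri": "/login"}, state))
    print(on_http_request({"scheme": "https", "host": "example.com", "uri": "/"}, state))
```

The ordering matters: the host check runs before any redirect is constructed, and the HTTP-to-HTTPS conversion runs before the failover decision so that a user is never bounced to the backup site over clear-text HTTP.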
A10 Thunder Platforms
Thunder ADC Hardware Appliances (ordered by price and performance)
– Thunder 930 ADC: 5 Gbps (L4 & L7), 200k L4 CPS, 1M RPS (HTTP)
– Thunder 1030S ADC: 10 Gbps (L4 & L7), 450k L4 CPS, 2M RPS (HTTP), SSL processor
– Thunder 3030S ADC: 30 Gbps (L4 & L7), 750k L4 CPS, 3M RPS (HTTP), SSL processor
– Thunder 4430(S) ADC: 38 Gbps (L4 & L7), 2.7M L4 CPS, 11M RPS (HTTP)
– Thunder 5430S ADC: 77/75 Gbps (L4/L7), 2.8M L4 CPS, 17M RPS (HTTP), SSL processor, hardware FTA
– Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7), 3.7M L4 CPS, 20M RPS (HTTP), SSL processor, hardware FTA
– Thunder 5630 ADC: 79/78 Gbps (L4/L7), 6M L4 CPS, 32.5M RPS (HTTP), SSL processor, hardware FTA
– Thunder 6430(S) ADC: 150/145 Gbps (L4/L7), 5.3M L4 CPS, 31M RPS (HTTP), SSL processor, hardware FTA
– Thunder 6630 ADC: 150/145 Gbps (L4/L7), 7.1M L4 CPS, 38M RPS (HTTP), SSL processor, hardware FTA
vThunder Software Appliances (ordered by price and performance)
– Lab Edition
– Entry Level/Lab: 200 Mbps
– Entry Level/Lab: 1 Gbps
– High-performance: 4 Gbps
– High-performance: 8 Gbps
vThunder (perpetual licensing): 200 Mbps to 8 Gbps; VMware, KVM, Hyper-V and Xen hypervisors; dynamic provisioning, faster roll-out; scale up or down on demand
Thunder Hybrid Virtual Appliance (HVA)
Why HVA?
– Hardware acceleration
– Deploy instances on demand
– Consolidation
– Strong hypervisor-based isolation
Advantages:
– Hardware performance, virtual flexibility
– OpenStack management
– SR-IOV support for network and SSL acceleration
– No performance or feature licenses
Models (ordered by price and performance):
– Thunder 3030S HVA: 8 instances, 35 Gbps
– Thunder 3530S HVA: 40 instances, 100 Gbps
3rd-Party Integrations: SDN/Cloud Orchestration Integration
Achieve automation, operational agility and reduced TCO.
SDN integration:
– Overlay and fabric integration
– VXLAN and NVGRE
– IBM SDN-VE, Cisco APIC, VMware NSX
Cloud orchestration integration:
– Policy integration with cloud orchestration platforms
– aGalaxy, Microsoft SCVMM, VMware vCloud Director, OpenStack
Note: for more details on SDN and cloud orchestration, refer to the aCloud presentation slide deck.
Thunder Series CGN Product Line Overview
Service Provider & Enterprise Challenges
Preserve investments in existing infrastructure:
– Compatibility with current network architecture
– Extend existing IPv4 network infrastructure
Transparent end-user experience:
– Ensure applications and services are maintained
– Business continuity in case of failure
Smooth transition to IPv6:
– Need to support any/all migration technologies
A10 CGN Value Proposition
Most complete feature set: IPv4 extension, IPv6 migrations, application layer gateways; run any/all features on one unit
Highest performance: 256 million sessions, 150 Gbps throughput, cluster to 1 Tbps+; purpose-built appliances; high availability and security
Form factor flexibility: physical, virtual, hybrid; SDN/NFV ready; small form factor 1-3U appliances; all-inclusive license
Beats chassis/module alternatives hands down: superior comprehensive feature set, highest performance, smallest form factor, lowest power and cooling, best ROI
Common IPv6 Migration Techniques
– Dual-stack: native IPv4, IPv6
– Encapsulation: 6rd, DS-Lite
– Translation: NAT64, NAT46
Why so many options? Every network is different and no one implementation fits all.
A10's IPv6 Migration Options
Access network → destination, by migration technique:
– IPv6 access to the IPv4 Internet: stateful NAT64/DNS64
– IPv4 access to the IPv6 Internet: stateless NAT46
– IPv4 over an IPv6 access network: DS-Lite; Lw-4o6 (a unique service provider feature)
– IPv6 over an IPv4 access network: 6rd
A10 offers a one-box solution covering all of these.
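Two of the techniques above come down to address arithmetic that is easy to get wrong when planning a deployment. The Python below is an added example (not A10 code) that works through the mapping behind stateful NAT64 with DNS64 (IPv4 address embedded in a /96 prefix per RFC 6052, AAAA synthesis per RFC 6147) and the 6rd delegated-prefix derivation (RFC 5969); it goes beyond the slide by showing the general calculation rather than one case. The prefixes and addresses used as input are documentation ranges chosen for the example.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; operators may use their own /96 instead.
WELL_KNOWN_NAT64 = ipaddress.IPv6Network("64:ff9b::/96")


def nat64_synthesize(ipv4, prefix=WELL_KNOWN_NAT64):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052).
    This is the address an IPv6-only client uses to reach an IPv4-only server."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 embedding form is implemented here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | v4)


def nat64_extract(ipv6, prefix=WELL_KNOWN_NAT64):
    """Inverse mapping: what the stateful NAT64 recovers as the IPv4 destination."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_NAT64):
    """DNS64 rule: return native AAAA records when the name has any; otherwise
    synthesize one AAAA per A record so the IPv6-only client is steered to NAT64."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [nat64_synthesize(a, prefix) for a in a_records]


def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, ce_ipv4):
    """RFC 5969: DelegatedPrefix = 6rdPrefix || (CE IPv4 address minus its first
    IPv4MaskLen bits). Its length is 6rdPrefixLen + 32 - IPv4MaskLen."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4MaskLen must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    if plen > 64:
        # Practical sanity check: a delegated prefix longer than /64 leaves no room
        # for SLAAC on the customer LAN; shorten the 6rd prefix or raise IPv4MaskLen.
        raise ValueError(f"delegated prefix /{plen} is longer than /64")
    return ipaddress.IPv6Network((int(net.network_address) | (suffix << (128 - plen)), plen))


if __name__ == "__main__":
    print(nat64_synthesize("192.0.2.33"))                              # 64:ff9b::c000:221
    print(dns64_answer(["192.0.2.33"], []))
    print(sixrd_delegated_prefix("2001:db8::/32", 0, "192.0.2.33"))   # 2001:db8:c000:221::/64
    print(sixrd_delegated_prefix("2001:db8::/32", 8, "192.0.2.33"))   # 2001:db8:2:2100::/56
```

The IPv4MaskLen parameter is the one to check first when a 6rd plan does not add up: every bit of the provider's IPv4 space that is common to all customers can be dropped, and each dropped bit shortens the delegated prefix by one.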
Thunder CGN Hardware Appliances (price and performance range; all-inclusive licensing)
– Thunder 3030S CGN
– Thunder 3030S HVA
– Thunder 3530S HVA
– Thunder 4430(S) CGN
– Thunder 5430S CGN
– Thunder 5430(S)-11 CGN
– Thunder 5630(S) CGN
– Thunder 6430 CGN
– Thunder 6630(S) CGN
Thank you
vThunder Free Trial – Try Today
Visit www.a10networks.com
– 30 days, 5 Mbps limit
– Full features
– For VMware, Hyper-V, KVM and Xen