©A10 Networks, Inc.
Security Overview and Cisco ACE Replacement
March, 2014
Tobias Kull
Security Days Geneva 2015
A10 Corporate Introduction
COMPANY GROWTH: 2010: 54.7M | 2011: $91.5M | 2012: $120M | 2013: $142M
CUSTOMER GROWTH: Q4'11: 1,000+ | Q4'12: 2,000+ | Today: 4000+
Headquarters in San Jose
800+ Employees
Offices in 32 countries
Customers in 65 countries
Network Performance and Security Challenges
Scaling Infrastructure Performance
Mobile Device Explosion
Big Data Analytics
IPv4 Address Exhaustion
100G Backbones
Targeted Resource Denial (DDoS)
Rapid Volume Growth (Botnets)
Cloud Automation (IaaS)
Software-Defined Networking (SDN)
Network Function Virtualization (NFV)
Application Performance
Scalability & Availability
New Data Center Designs
Increasingly Sophisticated Security Threats
A10 Product Portfolio Overview
IT Delivery Models: Dedicated Network | Managed Hosting | Cloud IaaS
Application Networking Platform
Performance
Scalability
Extensibility
Flexibility
CGN TPS
ADC
ACOS Platform
Product Lines
ADC – Application Acceleration & Security
CGN – IPv4 Extension / IPv6 Migration
TPS – Network Perimeter DDoS Security
Carrier Grade Networking
Application Delivery Controller
Threat Protection System
3400+ Customers in 65 Countries
Web Giants Enterprises Service Providers
3 of Top 4 U.S. WIRELESS CARRIERS
7 of Top 10 U.S. CABLE PROVIDERS
Top 3 WIRELESS CARRIERS IN JAPAN
A10 ACOS Platform Software & Hardware
ACOS Platform: Scaling Application Networking with Moore’s Law
Extremely Efficient Network Pre-Processing*:
Hardware-Assisted L2-4 Pre-Processing
Optimized Hardware-Assisted Flow Distribution
Hardware-Assisted Security Functions
* Hardware Assist Features Available on Most Thunder Appliances
Highly Scalable Application-Layer Processing:
Scalable Symmetric Multi-Processing
Unique Shared Memory Architecture
Linear Growth in Scale via Parallel Processing
Low-Value Services:
Forwarding, Segmentation
High-Value Services:
Optimization, Availability, Security
Application
OSI Reference Model
Presentation
Session
Transport
Network
Data Link
Physical
MAC: f4:f9:51:f0:d5:9d
IP: 192.168.1.1
Shared Memory Architecture
1 2 3 N
Flexible Traffic Accelerator
Switching and Routing
ADC
aGalaxy
ACOS: Platform for Application Service Gateway Portfolio
Policy Mgmt
Software
Product
Lines
Platform OS
& Services
Form Factors
CGN TPS
aXAPI
ACOS – Advanced Core Operating System
Security: DDoS | SSL | WAF | AAM | DAF
Optimization & Acceleration: IPv6 | SLB | SSL | GSLB | TCP Opt | NAT
Thunder™ & AX Series Appliances
Virtual Chassis (aVCS)
vThunder Perpetual License
Dedicated Data Centers
Thunder HVA Appliances
Application Delivery Partitions (ADPs)
Multi-Tenant Data Centers
Dedicated Network
aFleX aCloud Services Architecture (SDN & Cloud Integration)
aCloud™
IT Delivery Models
Managed Hosting
Cloud IaaS
vThunder Pay-as-you-Go License
Thunder ASG Products & Example Deployment Use Cases
SLB, Cache, SSL Offload, WAF
Data Center Demilitarized Zone (DMZ)
ADC
FWLB & SSL Intercept
CGNAT, NAT44, NAT64, DS-Lite
Pay-as-you-Go Licensing Model
Carrier Network
Managed Hosting Provider & IaaS
DDoS Detection & Mitigation
CGN
TPS aCloud
ADC
A10 ACOS Platform Security Solutions
Application availability
– To maintain uptime
– SLB, GSLB, high-availability (HA), Health-checks, more…
Application acceleration
– For equipment consolidation and faster user experience
– Caching, compression, network optimization, more…
Application security services
– For brand and asset protection while enhancing your existing security
– FWLB, WAF, SSL services, more…
Enterprise Data Center
Acceleration: SSL Offload
TCP Reuse
RAM Caching
Compression
A10 ADC
Web App DNS Other App
Security: DDoS Mitigation
WAF
DAF
AAM
Availability: GSLB
High-availability
Health-checks
Backup Data Center
Scaling security devices and encrypted communications
– SSL Intercept: Eliminate encryption blind spot and scale security appliances
– FWLB and SSL offload, more…
Defend against emerging DDoS attacks
– Network and application protection
Selectively apply dynamic security chains
– Traffic steering and advanced ADC services
DMZ Security Solutions
Firewall Load Balancing
DDoS Mitigation
WAF
DAF
AAM
Traffic Steering
aFleX Scripting
SSL Offload
A10 ADC
Data Center
Firewalls
IDS/IPS
DLP
Other
Firewall Load Balancing
SSL Intercept A10 ADC
Internal Users
A10 Security Alliance Partner Categories
SSL Inspection and Load Balancing
Certificate Management
Authentication
Intelligence
Advanced Detection and Analysis
Programmatic Security Control
SSL problematic
Trends are changing
Why those changes?
How attackers exploit encrypted traffic
Where do we need SSL inspection?
Deployment
Benefits to securing inbound & outbound SSL traffic
1. Security
– Threats discovery
2. Availability
– Faster backend server response time
– Automatic server redundancy
3. Performance
– Relieves security appliances
4. Scalability
– Certificate management
– Scale servers & security appliances
Why A10 Wins - Cisco ACE Replacement and in general
Easy transition features – CLI/GUI
Graphical User Interface (GUI)
Fewer screens and steps for tasks
Intuitive and easy to use
REST-based API
JSON format
Many integrations and SDKs available
Command Line Interface (CLI)
Industry standard (Cisco-like CLI)
Easy to use, comprehensive help
ACOS Version 2.7.x
Easy transition features – CLI/SDP
Cisco ACE config

interface vlan 120
  description Upstream VLAN_120 - Clients and VIPs
  ip address 192.168.120.1 255.255.255.0
  fragment chain 20
  fragment min-mtu 68
rserver host SERVER1
  ip address 192.168.252.245
  inservice
rserver host SERVER2
  ip address 192.168.252.246
  inservice
rserver host SERVER3
  ip address 192.168.252.247
  inservice
serverfarm host SFARM1
  probe UDP
  rserver SERVER1
    inservice
  rserver SERVER2
    inservice
  rserver SERVER3
    inservice
class-map match-all L4UDP-VIP_114:UDP_CLASS
  2 match virtual-address 192.168.120.114 udp eq 53
policy-map type loadbalance first-match L7PLBSF_UDP_POLICY
  class class-default
    serverfarm SFARM1

A10 AX config

vlan 120
  tagged interface e 1
  router-interface ve 120
!
interface ve 120
  ip address 192.168.120.1 255.255.255.0
!
slb server SERVER1 192.168.252.245
  port 0 udp
!
slb server SERVER2 192.168.252.246
  port 0 udp
!
slb server SERVER3 192.168.252.247
  port 0 udp
!
slb service-group SFARM1 udp
  health-check UDP
  member SERVER1:None
  member SERVER2:None
  member SERVER3:None
!
slb virtual-server vs_192_168_120_114 192.168.120.114
  port udp
    name L4UDP-VIP_114:UDP_CLASS
    service-group SFARM1
Best-in-class application networking performance scalability
Software-based platform with platform APIs for Cloud integration
Flexible form factors & packaging
Predictable Capex / Opex with all-inclusive licensing and support pricing
Highly efficient design for data center OPEX
Gold standard for quality & reliability
Why A10 ACOS Wins
Scalable Symmetric Multi-Core Processing (SMMP)
– Designed to Optimize Resource Utilization & Efficiency
Shared-Memory Architecture (SMA)
– Architected for 64-bit multi-core, multi-threaded operations
– Fundamental benefits: memory, processor & I/O efficiency
– Linear performance scalability with x86 trajectory
Flexible Traffic Accelerator (FTA)
– Multi-processor flow distribution
– Symmetric distribution of load across cores
ACOS: Best-in-Class Performance Scalability
Thank you