© A10 Networks, Inc. A10 SSLi Solutions March, 2015 Accelerating and Securing Data Center Applications & Networks 09242014 David Ayoub RSM-Intel/ NAVY/ CYBER/ FSI [email protected] 703.623.0892

SSL Insight: Find out how A10 helps solve today's encryption challenges

Page 2: SSL Insight: Find out how A10 helps solve today's encryption challenges

A10 Corporate Introduction

COMPANY GROWTH: 2010: 54.7M; 2011: $91.5M; 2012: $120M; 2013: $142M

CUSTOMER GROWTH: Q4' 11: 1,000+; Q4' 12: 2,000+; Today: 3,400+

Headquarters in San Jose

700+ Employees

Offices in 27 countries

Customers in 65 countries

Page 3: SSL Insight: Find out how A10 helps solve today's encryption challenges

3400+ Customers in 65 Countries

Web Giants Enterprises Service Providers

3 of Top 4 U.S. WIRELESS CARRIERS

7 of Top 10 U.S. CABLE PROVIDERS

Top 3 WIRELESS CARRIERS IN JAPAN

Page 4: SSL Insight: Find out how A10 helps solve today's encryption challenges

Certifications Tech Partnerships Customers Federal Presence

Certs: 1659, 1963

DISA ATO

EAL2+ Certified

Listed as IA Tool

Page 5: SSL Insight: Find out how A10 helps solve today's encryption challenges

ACOS Platform: High Performance Application Networking

Shared Memory Architecture

1 2 3 N

Flexible Traffic Accelerator

Switching and Routing

Efficient & Accurate Memory Architecture

64-Bit Multi-Core Optimized

Optimized Flow Distribution

Application Acceleration

Application Security

Application Availability

Page 6: SSL Insight: Find out how A10 helps solve today's encryption challenges

Linear Scaling – Shared Memory Architecture

[Chart: resource efficiency vs. # of CPU cores, comparing conventional IPC memory architecture, parallel processing with dedicated memory, and A10 ACOS shared memory architecture]

Benefits:
§  Cost
§  Power
§  Heat
§  Size

Page 7: SSL Insight: Find out how A10 helps solve today's encryption challenges

SSL Intercept

Page 8: SSL Insight: Find out how A10 helps solve today's encryption challenges

§  The SSL Intercept feature transparently intercepts traffic, decrypts it, forwards it through a firewall for deep packet inspection, and then securely forwards it on to its destination

§  2048-bit keys are now the standard
   –  CPU utilization rises exponentially with encryption strength increase

§  Thunder ADCs are the right choice
   –  Dedicated security processors for hardware SSL
   –  Firewalls can't always do SSL Intercept with scale
   –  Freedom to choose best-of-breed traffic inspection/mitigation

SSL Intercept Overview

[Diagram: Client, A10 ADC, Inspection/Protection devices (IDS, DLP, UTM, Other), A10 ADC, Server; segments labelled encrypted, decrypted, encrypted; flow steps numbered 1 to 6]

Page 9: SSL Insight: Find out how A10 helps solve today's encryption challenges

§  Transparently intercept SSL traffic, decrypt it, and send it through the firewall

§  There are three distinct stages of traffic handling, as depicted in the diagram
   1.  Traffic is encrypted in passing from the client to the inside Thunder ADC
   2.  Traffic passes from the inside Thunder ADC to the outside Thunder ADC, and then through the firewall. Traffic is in plain text during this segment
   3.  Traffic from the outside Thunder ADC is sent to the remote server, where it is encrypted once again

SSL Intercept Function

SSL Encrypted Connection

Unencrypted Traffic Flow

SSL Encrypted Connection

Page 10: SSL Insight: Find out how A10 helps solve today's encryption challenges

Malware Detection Security Forensics

§  User connects to site using SSL

§  ACOS terminates client/server SSL connection on internal/external forward proxy ACOS ADCs

§  ACOS creates an unencrypted zone

§  Unencrypted traffic passes to security devices, which can now inspect the traffic and mitigate per corporate policy

Thunder ADC SSL Intercept Solution

[Diagram: SSL connection to www.example.com; segments labelled encrypted, decrypted (un-encrypted zone), encrypted]

Page 11: SSL Insight: Find out how A10 helps solve today's encryption challenges

§  Problem: Provide high performance security for
   –  Stateful Firewall
   –  URL Filtering
   –  IDS/IPS
   –  SSL decryption and inspection

§  Enabling all these features degrades security performance significantly
   –  Solution: ACOS Series SSL Intercept with Security Processors
   –  Net Effect: Security platforms have more processing resource available for policy inspection due to ACOS SSL Intercept

High Performance Security with SSL Intercept

[Diagram: SSL connection to www.example.com passing through Firewall and IPS/IDS; labels: encrypted, decrypted, "Decryption, inspection & encrypted"]

Page 13: SSL Insight: Find out how A10 helps solve today's encryption challenges

SSL/TLS Certificates

Page 14: SSL Insight: Find out how A10 helps solve today's encryption challenges

SSL Acceleration

Page 15: SSL Insight: Find out how A10 helps solve today's encryption challenges

§  SSL Offload relieves the server of SSL tasks

§  Provides faster server response time and higher server scalability

§  Thunder receives HTTPS client traffic and sends multiplexed HTTP(S) traffic to the servers

SSL Acceleration

[Diagram: HTTPS from client to Thunder; HTTPS or HTTP from Thunder to servers]

Page 16: SSL Insight: Find out how A10 helps solve today's encryption challenges

aFleX TCL Scripting

Page 17: SSL Insight: Find out how A10 helps solve today's encryption challenges

§  aFleX is a powerful and flexible Thunder feature that you can use to manage your traffic and provide enhanced benefits/services
   –  aFleX uses industry-standard TCL (Tool Command Language) based syntax
      §  Standard TCL commands
      §  Special set of extensions provided by the Thunder
   –  aFleX allows:
      §  Content inspection (headers / data)
      §  Actions on traffic
         –  Block traffic
         –  Redirect traffic to a specific Service Group (pool) or Server (node)
         –  Modify traffic content

aFleX Overview

Page 18: SSL Insight: Find out how A10 helps solve today's encryption challenges

Sample aFleX Script: URI Redirect

Page 19: SSL Insight: Find out how A10 helps solve today's encryption challenges

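Provides a simple way to provide CAC Authentication

# Client certificate received: pull the 10-digit EDIPI out of the subject
when CLIENTSSL_CLIENTCERT {
    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
    regexp {\d{10}} $subject edipi
}

# Pass the EDIPI to the back-end server in an HTTP request header
when HTTP_REQUEST {
    # edipi is only set if the regexp above matched
    if {[info exists edipi]} {
        HTTP::header insert edipi "$edipi"
    }
}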

Request CAC Auth

Sample aFleX Script: Pass CAC Information
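
The script above takes the first run of ten digits anywhere in the certificate subject and forwards it in an `edipi` header. As an added example (a Python model, not A10 code and not part of the original slides), the block below compares that match with one anchored to the end of the CN and drops any `edipi` header the client sent before inserting the certificate-derived one. The subject strings are constructed, and the comma-separated subject format and the CN layout LAST.FIRST.MI.<EDIPI> are assumptions.

```python
import re

# Constructed sample subjects (not from the slides). Assumes a comma-separated
# subject string and a CAC-style CN of the form LAST.FIRST.MI.<10-digit EDIPI>.
SUBJECT_OK = "CN=DOE.JOHN.A.1234567890, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US"
SUBJECT_OU_DIGITS = "OU=Unit 00000000001234, CN=DOE.JANE.B.9876543210"
SUBJECT_NO_EDIPI = "CN=svc-account-123456789012, OU=Servers"

CN_RE = re.compile(r"(?:^|,)\s*CN=([^,]+)", re.IGNORECASE)
EDIPI_AT_END_RE = re.compile(r"\.(\d{10})$")


def edipi_unanchored(subject):
    # Same pattern as the slide's regexp: first run of 10 digits anywhere.
    m = re.search(r"\d{10}", subject)
    return m.group(0) if m else None


def edipi_from_cn(subject):
    # Accept only 10 digits that follow a dot and terminate the CN value.
    cn = CN_RE.search(subject)
    if cn is None:
        return None
    m = EDIPI_AT_END_RE.search(cn.group(1).strip())
    return m.group(1) if m else None


def forward_headers(client_headers, subject):
    # Model of the proxy step: discard any edipi header the client sent,
    # then add the value taken from the certificate subject, or refuse.
    edipi = edipi_from_cn(subject)
    if edipi is None:
        raise PermissionError("no EDIPI in client certificate subject")
    kept = [(k, v) for k, v in client_headers if k.lower() != "edipi"]
    return kept + [("edipi", edipi)]


if __name__ == "__main__":
    for s in (SUBJECT_OK, SUBJECT_OU_DIGITS, SUBJECT_NO_EDIPI):
        print(repr(edipi_unanchored(s)), repr(edipi_from_cn(s)), "<-", s)
    spoofed = [("Host", "app.example"), ("EDIPI", "1111111111")]
    print(forward_headers(spoofed, SUBJECT_OK))
```

The back-end should accept the `edipi` header only on connections that arrive from the ADC, since the header carries the whole authentication decision.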

Page 20: SSL Insight: Find out how A10 helps solve today's encryption challenges

Thunder Series ADC Product Line Overview

Page 21: SSL Insight: Find out how A10 helps solve today's encryption challenges

Thunder ADC Hardware Appliances

[Chart axes: Price vs. Performance]

Thunder 930 ADC: 5 Gbps (L4&L7); 200k L4 CPS; 1M RPS (HTTP)

Thunder 1030S ADC: 10 Gbps (L4&L7); 450k L4 CPS; 2M RPS (HTTP); SSL Processor

Thunder 3030S ADC: 30 Gbps (L4&L7); 750k L4 CPS; 3M RPS (HTTP); SSL Processor

Thunder 4430(S) ADC: 38 Gbps (L4&L7); 2.7M L4 CPS; 11M RPS (HTTP)

Thunder 5430S ADC: 77/75 Gbps (L4/L7); 2.8M L4 CPS; 17M RPS (HTTP); SSL Processor; Hardware FTA

Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7); 3.7M L4 CPS; 20M RPS (HTTP); SSL Processor; Hardware FTA

Thunder 5630 ADC: 79/78 Gbps (L4/L7); 6M L4 CPS; 32.5M RPS (HTTP); SSL Processor; Hardware FTA

Thunder 6430(S) ADC: 150/145 Gbps (L4/L7); 5.3M L4 CPS; 31M RPS (HTTP); SSL Processor; Hardware FTA

Thunder 6630 ADC: 150/145 Gbps (L4/L7); 7.1M L4 CPS; 38M RPS (HTTP); SSL Processor; Hardware FTA

Model            SSL Insight CPS (2048-bit)    SSL Insight Throughput (2048-bit)
Thunder 1030S    3,000                         1.5 Gbps
Thunder 3030S    6,000                         3 Gbps
Thunder 4430S    24,000                        10.6 Gbps
Thunder 5430S    27,000                        11.2 Gbps
Thunder 6430S    40,000                        23.8 Gbps

Page 22: SSL Insight: Find out how A10 helps solve today's encryption challenges

§  ACOS designed for reliability
   –  No HDD – SSD only
   –  No CPU fans – hot-swap fans only
   –  No moving parts on motherboard

§  Reliability Data
   –  A10 DOA & RMA rate: < 2.0% (2013 rate)
   –  Industry standard DOA & RMA rate: ~4.0% (IT infrastructure)

Gold Standard for Reliability & Quality

Page 23: SSL Insight: Find out how A10 helps solve today's encryption challenges

vThunder Software Appliances

[Chart axes: Price vs. Performance; tiers: Lab Edition; Entry Level/Lab 200 Mbps; Entry Level/Lab 1 Gbps; High-performance 4 Gbps; High-performance 8 Gbps]

vThunder (Perpetual Licensing)
§  200 Mbps to 8 Gbps
§  VMware, KVM, Hyper-V & Xen hypervisors
§  Dynamic provisioning, faster roll out
§  Scale up or down on-demand

Page 24: SSL Insight: Find out how A10 helps solve today's encryption challenges

Thank you