©A10 Networks, Inc.
A10 SSLi Solutions, March 2015
Accelerating and Securing Data Center Applications & Networks
09242014
David Ayoub, RSM-Intel/NAVY/CYBER/FSI, [email protected], 703.623.0892
A10 Corporate Introduction
Company growth: $54.7M (2010), $91.5M (2011), $120M (2012), $142M (2013)
Customer growth: 1,000+ (Q4 '11), 2,000+ (Q4 '12), 3,400+ (today)
Headquarters in San Jose; 700+ employees; offices in 27 countries; customers in 65 countries
3,400+ Customers in 65 Countries
Web giants, enterprises and service providers, including:
§ 3 of the top 4 U.S. wireless carriers
§ 7 of the top 10 U.S. cable providers
§ The top 3 wireless carriers in Japan
Certifications, Tech Partnerships, Customers, Federal Presence
§ Certs: 1659, 1963
§ DISA ATO
§ EAL2+ Certified
§ Listed as IA Tool
ACOS Platform: High Performance Application Networking
(Platform diagram: Shared Memory Architecture across cores 1, 2, 3 ... N; Flexible Traffic Accelerator; Switching and Routing; Efficient & Accurate Memory Architecture; 64-Bit Multi-Core Optimized; Optimized Flow Distribution; delivering Application Acceleration, Application Security and Application Availability)
Linear Scaling – Shared Memory Architecture
(Chart: resource efficiency vs. number of CPU cores. A conventional IPC memory architecture, parallel processing with dedicated memory per core, is compared with the A10 ACOS shared memory architecture, which scales linearly with core count.)
Benefits: § Cost § Power § Heat § Size
SSL Intercept
§ The SSL Intercept feature transparently intercepts traffic, decrypts it, forwards it through a firewall for deep packet inspection, and then securely forwards it on to its destination
§ 2048-bit keys are now the standard – CPU utilization rises exponentially with encryption strength increase
§ Thunder ADCs are the right choice – dedicated security processors for hardware SSL
  – Firewalls can't always do SSL Intercept at scale
  – Freedom to choose best-of-breed traffic inspection/mitigation
SSL Intercept Overview
(Diagram: Client -> A10 ADC, encrypted (step 1) -> decrypted traffic through the Inspection/Protection devices: IDS, DLP, UTM, other (steps 2 to 5) -> A10 ADC -> Server, encrypted again (step 6))
SSL Intercept Function
§ Transparently intercept SSL traffic, decrypt it, and send it through the firewall
§ There are three distinct stages of traffic handling, as depicted in the diagram:
  1. Traffic is encrypted in passing from the client to the inside Thunder ADC
  2. Traffic passes from the inside Thunder ADC to the outside Thunder ADC, and then through the firewall. Traffic is in plain text during this segment
  3. Traffic from the outside Thunder ADC is sent to the remote server, where it is encrypted once again
(Diagram: SSL Encrypted Connection -> Unencrypted Traffic Flow -> SSL Encrypted Connection)
Thunder ADC SSL Intercept Solution
§ User connects to a site using SSL
§ ACOS terminates the client/server SSL connection on the internal/external forward-proxy ACOS ADCs
§ ACOS creates an unencrypted zone
§ Unencrypted traffic passes to security devices, which can now inspect the traffic and mitigate per corporate policy
(Diagram: SSL connection to www.example.com; encrypted -> un-encrypted zone, decrypted traffic inspected by Malware Detection, Security and Forensics devices -> encrypted on to www.example.com)
High Performance Security with SSL Intercept
§ Problem: Provide high performance security for
  – Stateful Firewall
  – URL Filtering
  – IDS/IPS
  – SSL decryption and inspection
§ Enabling all these features degrades security performance significantly
  – Solution: ACOS Series SSL Intercept with Security Processors
  – Net Effect: Security platforms have more processing resource available for policy inspection due to ACOS SSL Intercept
(Diagram: SSL connection to www.example.com; encrypted -> decryption and inspection, with the Firewall and IPS/IDS working on decrypted traffic -> encrypted)
SSL/TLS Certificates
SSL Acceleration
§ SSL Offload relieves the server of SSL tasks
§ Provides faster server response time and higher server scalability
§ Thunder receives HTTPS client traffic and sends multiplexed HTTP(S) traffic to the servers
(Diagram: Client -> HTTPS -> Thunder -> HTTP or HTTPS -> servers)
aFleX TCL Scripting
aFleX Overview
§ aFleX is a powerful and flexible Thunder feature that you can use to manage your traffic and provide enhanced benefits/services
  – aFleX uses industry-standard TCL (Tool Command Language) based syntax
    § Standard TCL commands
    § Special set of extensions provided by the Thunder
  – aFleX allows:
    § Content inspection (headers / data)
    § Actions on traffic
      – Block traffic
      – Redirect traffic to a specific Service Group (pool) or Server (node)
      – Modify traffic content
Sample aFleX Script: URI Redirect
Sample aFleX Script: Pass CAC Information
Provides a simple way to provide CAC Authentication (diagram label: Request CAC Auth)

    when CLIENTSSL_CLIENTCERT {
        set cert [SSL::cert 0]                 ;# client certificate presented in the TLS handshake
        set subject [X509::subject $cert]
        set edipi ""                           ;# default so HTTP_REQUEST never reads an unset variable
        regexp {\d{10}} $subject edipi         ;# a CAC subject CN ends with the 10-digit EDIPI
    }
    when HTTP_REQUEST {
        HTTP::header insert edipi "$edipi"     ;# pass the EDIPI to the back-end server
    }
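The script above reads the EDIPI with an unanchored \d{10} search and inserts it as a request header. The Python model below is an added example, not A10's code: it shows the two checks a back end that relies on that header needs, an extraction tied to the end of the CN rather than to any ten digits in the subject, and removal of any client-supplied edipi header before the ADC inserts its own. The subject strings and request headers are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample subject, in the form X509::subject returns for a CAC
# (the name and the 10-digit EDIPI are made up for this example).
SAMPLE_SUBJECT = "CN=DOE.JOHN.A.1234567890,OU=USN,OU=PKI,OU=DoD,O=U.S. Government,C=US"

# What the aFleX script matches: the first 10 consecutive digits anywhere in the subject.
EDIPI_LOOSE = re.compile(r"\d{10}")
# Tighter form: the 10 digits that close the CN, after a dot and before the next RDN.
EDIPI_IN_CN = re.compile(r"CN=[^,]*?\.(\d{10})(?:,|$)")


def loose_edipi(subject: str) -> Optional[str]:
    """Mirror the script's unanchored search; None when nothing matches."""
    m = EDIPI_LOOSE.search(subject)
    return m.group(0) if m else None


def extract_edipi(subject: str) -> Optional[str]:
    """Return the EDIPI only when it sits at the end of the CN, else None."""
    m = EDIPI_IN_CN.search(subject)
    return m.group(1) if m else None


Header = Tuple[str, str]


def forward_headers(client_headers: List[Header], edipi: Optional[str]) -> List[Header]:
    """Headers the ADC should send upstream: any client-supplied 'edipi' header is
    dropped first, so the back end only sees the value taken from the certificate.
    An insert on its own adds a header rather than replacing a forged one."""
    kept = [(name, value) for name, value in client_headers if name.lower() != "edipi"]
    if edipi is not None:
        kept.append(("edipi", edipi))
    return kept


if __name__ == "__main__":
    # Constructed client request that tries to smuggle its own EDIPI header.
    request = [("Host", "www.example.com"), ("edipi", "9999999999"), ("Accept", "*/*")]
    print(extract_edipi(SAMPLE_SUBJECT))
    print(forward_headers(request, extract_edipi(SAMPLE_SUBJECT)))
```

A certificate without an EDIPI yields None from both extractors, which is the case the original script must also tolerate instead of failing in HTTP_REQUEST.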
Thunder Series ADC Product Line Overview
Thunder ADC Hardware Appliances
(Chart: price vs. performance; models listed from lowest to highest)

Model                    Throughput              L4 CPS   HTTP RPS   Hardware options
Thunder 930 ADC          5 Gbps (L4 & L7)        200k     1M         -
Thunder 1030S ADC        10 Gbps (L4 & L7)       450k     2M         SSL Processor
Thunder 3030S ADC        30 Gbps (L4 & L7)       750k     3M         SSL Processor
Thunder 4430(S) ADC      38 Gbps (L4 & L7)       2.7M     11M        -
Thunder 5430S ADC        77/75 Gbps (L4/L7)      2.8M     17M        SSL Processor, Hardware FTA
Thunder 5430(S)-11 ADC   79/78 Gbps (L4/L7)      3.7M     20M        SSL Processor, Hardware FTA
Thunder 5630 ADC         79/78 Gbps (L4/L7)      6M       32.5M      SSL Processor, Hardware FTA
Thunder 6430(S) ADC      150/145 Gbps (L4/L7)    5.3M     31M        SSL Processor, Hardware FTA
Thunder 6630 ADC         150/145 Gbps (L4/L7)    7.1M     38M        SSL Processor, Hardware FTA

SSL Insight performance (2048-bit keys)

Model           SSL Insight CPS   SSL Insight Throughput
Thunder 1030S   3,000             1.5 Gbps
Thunder 3030S   6,000             3 Gbps
Thunder 4430S   24,000            10.6 Gbps
Thunder 5430S   27,000            11.2 Gbps
Thunder 6430S   40,000            23.8 Gbps
Gold Standard for Reliability & Quality
§ ACOS designed for reliability
  – No HDD – SSD only
  – No CPU fans – hot-swap fans only
  – No moving parts on motherboard
§ Reliability data
  – A10 DOA & RMA rate: < 2.0% (2013 rate)
  – Industry standard DOA & RMA rate: ~4.0% (IT infrastructure)
vThunder Software Appliances
(Chart: price vs. performance)
  Lab Edition
  Entry Level/Lab: 200 Mbps
  Entry Level/Lab: 1 Gbps
  High-performance: 4 Gbps
  High-performance: 8 Gbps
vThunder (Perpetual Licensing)
§ 200 Mbps to 8 Gbps
§ VMware, KVM, Hyper-V & Xen hypervisors
§ Dynamic provisioning, faster roll out
§ Scale up or down on-demand
Thank you