1 Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation Bruce...

Post on 22-Dec-2015




1

Cost-Effective Strategies for Countering Security Threats:

 IPSEC, SSLi and DDoS Mitigation

Bruce Hembree,Senior Systems Engineer

A10 Networks

2

Agenda

• A10 Overview
• IPSEC – Surviving BYOD
• SSLi – Cracking the code
• DDOS – Expecting the Inquisition

3

4000+ Customers in 65 Countries

Web Giants, Enterprises, Service Providers

• 3 of the top 4 U.S. wireless carriers
• 7 of the top 10 U.S. cable providers
• Top 3 wireless carriers in Japan

4

A10 Product Portfolio Overview

Product lines (all on the ACOS platform):
• ADC – Application Delivery Controller: application acceleration & security
• CGN – Carrier Grade Networking: IPv4 extension / IPv6 migration
• TPS – Threat Protection System: network perimeter DDoS security

Application Networking Platform: performance, scalability, extensibility, flexibility

IT delivery models: dedicated network, managed hosting, cloud IaaS

5

IPSEC in your LAN

Because this rabbit is totally legit and is clearly not a threat

6

Smart Tactics: IPSEC domain boundaries with 2FA

• IPSEC domain boundaries with 2 Factor Authentication
• Require IPSEC communication inside your network as the default
• Used at large organizations as a first line of defense against worms
• Most malware lives ~200 days before detection
• Stops APT lateral spread during off-hours

7

Smart Tactics: IPSEC domain boundaries with 2FA (continued)

• Adversaries frequently attempt lateral replication during off-hours. Without a valid IPSEC connection, malware traffic is denied by default, with no need for cumbersome endpoint firewall rules.

• Non-repudiation – users are identified by their certificates and the presence of their card/PIN combination

8

SSLi

You’ve got to get into that data stream.

9

Network Threats Hidden in SSL Traffic

– ~40% of Internet traffic is encrypted
– 50% of attacks will use encryption to bypass controls by 2017
– 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
– 70%+ SSL traffic in some organizations

Sources: “SSL Performance Problems,” NSS Labs, 2013; “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013

10

How Malware Developers Exploit Encrypted Traffic

[Figure: botnet herder ↔ command and control servers ↔ clients, all over HTTPS; data exfiltration over SSL channels; malicious file in instant messaging; drive-by download from an HTTPS site; malicious attachment sent over SMTPS]

• Encryption obscures:
– Bot installation
– C&C communication
– Data exfiltration

11

SSL Insight: Eliminate the Outbound SSL Blind Spot

• Benefit:
– Eliminate the encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)

• Advantage:
– Optimized decryption with dedicated security processors for CPU-intensive 2048-bit keys
– Offloads firewalls that can’t scale SSL decryption
– Freedom to work with any traffic inspection/mitigation device

[Figure: Client → (encrypted) → A10 ADC decrypts → (decrypted) → Inspection/Protection devices (FW/UTM, IDS, other) → A10 ADC re-encrypts → (encrypted) → Server]

Next Generation Firewalls/DLP/IPS/IDS: 81% average performance loss across 7 NG firewalls with SSL decryption enabled. Source: “SSL Performance Problems,” NSS Labs, 2013
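Before an interception point like the A10 ADC in the figure decrypts a flow, it has to decide whether policy allows decrypting it at all, and the only cleartext hostname available at that moment is the server_name (SNI) in the TLS ClientHello. The following is an added example, not A10 code or any part of ACOS: it parses the SNI out of a ClientHello record and applies a bypass list to choose between the decrypt path and pass-through. The bypass suffixes (bank.example, health.example), the ClientHello builder and the bytes it produces are constructed for the example.

```python
"""Decrypt-or-bypass decision for an SSL interception point, keyed on the
TLS ClientHello server_name (SNI).  Added example, not A10 code: the bypass
suffixes and the ClientHello bytes are constructed for illustration."""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00

# Hostname suffixes that policy excludes from decryption (constructed; a real
# deployment would feed this from category lists such as banking or health).
BYPASS_SUFFIXES = ("bank.example", "health.example")


def _sni_from_client_hello(record: bytes) -> Optional[str]:
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                    # client_version + random
    pos += 1 + hello[pos]                           # session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                               # cipher_suites
    pos += 1 + hello[pos]                           # compression_methods
    if pos >= len(hello):
        return None                                 # no extensions block at all
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        # ServerNameList: u16 list length, then entries of (u8 type, u16 len, name)
        q = 2
        while q + 3 <= len(data):
            name_type = data[q]
            (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
            q += 3
            if name_type == NAME_TYPE_HOST:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def parse_sni(record: bytes) -> Optional[str]:
    """server_name from a ClientHello record, None if the extension is absent;
    ValueError if the bytes are not a well-formed ClientHello."""
    try:
        return _sni_from_client_hello(record)
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


def decrypt_decision(record: bytes) -> str:
    """'bypass' only for hosts on the exclusion list.  Flows with no SNI, or
    that do not parse, go to the decrypt path so unclassifiable traffic does
    not widen the blind spot."""
    try:
        sni = parse_sni(record)
    except ValueError:
        return "decrypt"
    if sni is None:
        return "decrypt"
    host = sni.lower().rstrip(".")
    for suffix in BYPASS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "bypass"
    return "decrypt"


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, an empty
    extended_master_secret extension, optional SNI) to exercise the parser."""
    exts = struct.pack("!HH", 0x0017, 0)            # extended_master_secret, empty
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    hello = struct.pack("!H", 0x0303) + bytes(32)   # client_version, random
    hello += b"\x00"                                # empty session_id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    hello += b"\x01\x00"                            # null compression only
    hello += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for name in ("www.bank.example", "cdn.evil.example", None):
        rec = build_client_hello(name)
        print(name, "->", parse_sni(rec), decrypt_decision(rec))
```

Flows that carry no SNI or that do not parse as a ClientHello are sent to the decrypt path rather than bypassed; otherwise a client could opt out of inspection simply by omitting the extension. The SNI is client-supplied and unauthenticated, so a production bypass should additionally confirm that the certificate the server presents matches the bypassed name before letting the flow through uninspected.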

12

Thunder ADC Hardware Appliances (models arranged by price vs. performance)

Model | Throughput (L4/L7) | L4 CPS | HTTP RPS | Options
Thunder 930 ADC | 5 Gbps | 200k | 1M |
Thunder 1030S ADC | 10 Gbps | 450k | 2M | SSL processor
Thunder 3030S ADC | 30 Gbps | 750k | 3M | SSL processor
Thunder 4430(S) ADC | 38 Gbps | 2.7M | 11M |
Thunder 5430S ADC | 77/75 Gbps | 2.8M | 17M | SSL processor, hardware FTA
Thunder 5430(S)-11 ADC | 79/78 Gbps | 3.7M | 20M | SSL processor, hardware FTA
Thunder 5630 ADC | 79/78 Gbps | 6M | 32.5M | SSL processor, hardware FTA
Thunder 6430(S) ADC | 150/145 Gbps | 5.3M | 31M | SSL processor, hardware FTA
Thunder 6630 ADC | 150/145 Gbps | 7.1M | 38M | SSL processor, hardware FTA

13

DDOS Protection

Expecting The Inquisition

14

DDoS Protection: Multi-vector Edge Protection

• Benefits:
– Large-scale DDoS protection
– Advanced protection features
– Predictable operations

• Advantage:
– Full DDoS defense covers network and application attacks
– Hardware DDoS protection for common attacks
– SYN flood protection to 200 M per second

Mitigations: SYN flood, rate limiting, connection limiting, slow L7 attacks, geographic control, infrastructure protection, L7 aFleX control, and more

15

Thunder TPS Hardware Appliances (models arranged by price vs. performance)

Model | Throughput | Ports | Options
Thunder 3030S TPS | 10 Gbps | 6x1G copper, 2x1G SFP, 4x10/1G SFP+ | SSL processor
Thunder 4435(S) TPS | 38 Gbps | 16x10/1G SFP+ | SSL processor*, hardware FTA mitigation
Thunder 5435(S) TPS | 77 Gbps | 16x10/1G SFP+, 4x40G QSFP+ | SSL processor*, hardware FTA mitigation
Thunder 6435(S) TPS | 155 Gbps | 16x10/1G SFP+, 4x40G QSFP+ | SSL processor*, hardware FTA mitigation

Low end: CPE-class platform, MSSP integrated solution. High end: high-performance extended platforms for web giants, service providers and large enterprises, e.g. MSSPs, gaming, etc.

* SSL processor requires the “S” model

16

Trophies

Thank You