Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation. Bruce Hembree, Senior Systems Engineer, A10 Networks



Agenda

• A10 Overview

• IPSEC – Surviving BYOD

• SSLi – Cracking the code

• DDOS – Expecting the Inquisition


4000+ Customers in 65 Countries

Web Giants, Enterprises, Service Providers

• 3 of Top 4 U.S. WIRELESS CARRIERS

• 7 of Top 10 U.S. CABLE PROVIDERS

• Top 3 WIRELESS CARRIERS IN JAPAN


A10 Product Portfolio Overview

IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS

Application Networking Platform: Performance, Scalability, Extensibility, Flexibility

ACOS Platform: ADC, CGN, TPS

Product Lines

• ADC (Application Delivery Controller) – Application Acceleration & Security

• CGN (Carrier Grade Networking) – IPv4 Extension / IPv6 Migration

• TPS (Threat Protection System) – Network Perimeter DDoS Security


IPSEC in your LAN

Because this rabbit is totally legit and is clearly not a threat


Smart Tactics: IPSEC domain boundaries with 2FA

• IPSEC domain boundaries with 2 Factor Authentication

• Require IPSEC communication inside your network as the default

• Used at large organizations as a first line against worms

• Most malware lives ~200 days before detection

• Stops spread during off-hours from APTs


Smart Tactics: IPSEC domain boundaries with 2FA

• IPSEC domain boundaries with 2 Factor Authentication

• Adversaries frequently attempt lateral replication during off-hours. Without a valid IPSEC connection, malware is denied by default, with no need for cumbersome endpoint firewall rules.

• Non-repudiation – Users identified by their certs and presence of their card/PIN combo


You’ve got to get into that data stream.

SSLi


Network Threats Hidden in SSL Traffic

– ~40% of Internet traffic is encrypted

– 50% of attacks will use encryption to bypass controls by 2017

– 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic

– 70%+ SSL traffic in some organizations

Sources:

• “SSL Performance Problems,” NSS Labs, 2013

• “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013


How Malware Developers Exploit Encrypted Traffic

[Diagram labels: Botnet Herder, Command and Control Servers, Clients, HTTPS]

• Data exfiltration over SSL channels

• Malicious file in instant messaging

• Drive-by download from an HTTPS site

• Malicious attachment sent over SMTPS

• Encryption obscures:

– Bot installation

– C&C communication

– Data exfiltration


SSL Insight: Eliminate the Outbound SSL Blind Spot

• Benefit:

– Eliminate encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)

• Advantage:

– Optimized decryption with dedicated security processors for CPU intensive 2048-bit keys

– Offloads firewalls that can’t scale SSL decryption

– Freedom to work with any traffic inspection/mitigation device

[Diagram labels: Client, A10 ADC, Inspection/Protection (FW, UTM, IDS, Other), A10 ADC, Server; traffic segments marked encrypted, decrypted, encrypted]

Next Generation Firewalls/DLP/IPS/IDS

81%: The average performance loss across 7 NG Firewalls

Source: “SSL Performance Problems,” NSS Labs, 2013


Thunder ADC Hardware Appliances

[Chart axes: Price vs. Performance]

• Thunder 930 ADC: 5 Gbps (L4&L7), 200k L4 CPS, 1M RPS (HTTP)

• Thunder 1030S ADC: 10 Gbps (L4&L7), 450k L4 CPS, 2M RPS (HTTP), SSL Processor

• Thunder 3030S ADC: 30 Gbps (L4&L7), 750k L4 CPS, 3M RPS (HTTP), SSL Processor

• Thunder 4430(S) ADC: 38 Gbps (L4&L7), 2.7M L4 CPS, 11M RPS (HTTP)

• Thunder 5430S ADC: 77/75 Gbps (L4/L7), 2.8M L4 CPS, 17M RPS (HTTP), SSL Processor, Hardware FTA

• Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7), 3.7M L4 CPS, 20M RPS (HTTP), SSL Processor, Hardware FTA

• Thunder 5630 ADC: 79/78 Gbps (L4/L7), 6M L4 CPS, 32.5M RPS (HTTP), SSL Processor, Hardware FTA

• Thunder 6430(S) ADC: 150/145 Gbps (L4/L7), 5.3M L4 CPS, 31M RPS (HTTP), SSL Processor, Hardware FTA

• Thunder 6630 ADC: 150/145 Gbps (L4/L7), 7.1M L4 CPS, 38M RPS (HTTP), SSL Processor, Hardware FTA


Expecting The Inquisition

DDOS Protection


DDoS Protection: Multi-vector Edge Protection

• Benefits:

– Large-scale DDoS protection

– Advanced protection features

– Predictable operations

• Advantage:

– Full DDoS defense covers network and application attacks

– Hardware DDoS protection for common attacks

– SYN flood protection to 200 M per second

[Diagram labels: SYN Flood, Rate Limiting, Connection Limiting, Slow L7 Attacks, Geographic Control, Infrastructure Protection, L7 aFleX Control, More…]


Thunder TPS Hardware Appliances

[Chart axes: Price vs. Performance]

CPE class platform

MSSP integrated solution

• Thunder 5435(S) TPS: 77 Gbps, 16x10/1G (SFP+), 4x40G (QSFP+), SSL Processor*, Hardware FTA Mitigation

• Thunder 6435(S) TPS: 155 Gbps, 16x10/1G (SFP+), 4x40G (QSFP+), SSL Processor*, Hardware FTA Mitigation

• Thunder 3030S TPS: 10 Gbps, 6x1G Copper, 2x1G (SFP), 4x10/1G (SFP+), SSL Processor

• Thunder 4435(S) TPS: 38 Gbps, 16x10/1G (SFP+), SSL Processor*, Hardware FTA Mitigation

High performance extended platforms for Web Giants, Service Providers, Large Enterprise. E.g. MSSPs, Gaming, etc.

* “S” model must be purchased


Trophies


Thank You