
•Customer Driven Innovation

•Do not distribute/edit/copy without the written consent of A10 Networks

Protect from DDoS and Application attacks without sacrificing performance

Boris Siu A10 Networks

•2

Agenda

Who is A10?

Our Big Headache

DDoS Attack, DNS Attack, Application Attack

How to maintain SLA

How to prevent Information Leaking

Relieve Our Headache

A10 DDoS Protection Solution

A10 Disaster Recovery Solution

A10 DNS Firewall and DNS Caching Solution

A10 SSL Intercept Solutions

A10 Honeypot Solution and Throttling Solution

A10 Load Balancing Solutions

A10 IPv6 Solutions

•3

Who is A10?

Microsoft TechEd Networking Product Award

•AX 3530 won two Grand Prize awards for: Performance Optimization with aVCS and ShowNet Demonstration for IPv6 Migration solutions.

•Ranked as #1 Computer Hardware company for 2012

• #1 award for 2nd consecutive year

• Three-year sales growth of 2,334%

• Top 5 San Jose company

• Listed 3 consecutive years

• #4 for Communications/Networking companies

• #37 Overall

•4

A10 Sample Customers

•5

Mitigate DDoS and Application Attack - Layered Approach to DDoS Defense

A10 : DDoS Protection

FW / IPS / IDS A10 : Throttling A10 Device Filter

A10 : DPI

•6

DDoS and Application attacks

A10 Networks : DDoS Protection

Q3,2012 vs Q2,2011

• Attack duration drop from 33 to 19 hrs

• Attack bandwidth increased 230%

• Total # of attacks increased 88%

•7

DDoS Attack Models

[Diagram labels: IP Spoofing, Real IP]

Estimated attack volume in 2013??

•8

•World's Fastest Application Delivery Controller; Unparalleled SSL Speed

AX 5630 Record Breaking Performance

Industry Record : 100+ million SYN Flood Protection

•9

Virtual Chassis : 800% Performance Gain

A10 Networks : Scalability by aVCS

•Phase 1 •Phase 2

•Phase 3

•10

DDoS Attack Models

•11

Reduce load by up to 70%

A10 : DNS Application Firewall

A10 Networks : DNS FW & Caching, DNSSec

•12

A10 Disaster Recovery (DR) Solution - No Extra License Required

Primary Datacenter

Servers

•No licensing = efficient operation & reduced impact on personnel

Backup Datacenter

•13

Where is my customer??

AX2200-KLN#show gslb geo-location db top 100 percent
Last = Last Matched Client, Per = Percentage of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)/B(built-in)

Global
Name      From  To  Last              Per   Sub     T
--------------------------------------------------------------------------------
HK                  218.102.21.129    78%   1135    G
SG                  175.176.170.130   10%   895     G
US                  69.162.74.234     4%    20488   G
CN                  222.128.34.43     3%    682     G
CN.CNC              202.106.0.103     1%    339     G
apnic               210.0.128.10      0%    12      G
GB                  92.42.123.88      0%    13471   G
CN.CTC              116.236.168.2     0%    438     G
TW                  61.220.9.125      0%    481     G
RO                  89.36.21.42       0%    1060    G
NL                  194.109.76.99     0%    6408    G

•14

DDoS Attack Models

8 Million PBSLB entries connection limit (Conc Conn. or Rate Limit)

•15

What is SSL Intercept? How Does Security Improve?

•16

How to Prevent Data Leaking??

SSL traffic cannot be inspected by FW??

More and more devices require SSL security

BYOD results in proliferation of outbound connections, which requires enterprises to increase their security for “always on” mobile devices

Applications such as: MS Exchange, Lync, e-business, Gmail/Hotmail/Yahoo mail, Facebook, LinkedIn, Twitter, etc.

•17

Problem: SSL Can be Exploited by Hackers

User starts an SSL connection to malicious site

Hacker takes advantage of SSL by inserting malware into SSL connection

Security appliances relied upon to identify risks have no visibility into SSL traffic. Threats are not identified or mitigated

Other machines within the enterprise can now be compromised

www.example.com

SSL Connection to www.example.com

Malware Detection Security Forensics

Firewall IDS/IPS

•18

What is a SSL Intercept Proxy?

Handshake messages, exchanged in each of the two sessions:

Client: Client Hello, Client Key Exchange, Change Cipher Spec, Finished

Server: Server Hello, Certificate, Server Hello Done, Change Cipher Spec, Finished

End-to-end connection is split into two sessions

AX as server to client

AX as client to server

SSL Intercept increases enterprise security

SSL Intercept increases performance

AX Series SSL Intercept Proxy

Client

Server

•19

Malware Detection Security Forensics

Solution: AX SSL Intercept

User connects to site using SSL

AX terminates client/server SSL connection on internal/external forward proxy AX ADCs

AX creates an unencrypted zone

Unencrypted traffic passes to security devices, which can now inspect the traffic and mitigate per corporate policy

www.example.com

SSL Connection to www.example.com

Un-encrypted ZONE

•20

Firewall IDS/IPS

High Performance UTM with SSL Intercept

Problem: Need to provide high performance Unified Threat Management (UTM) capabilities such as:

• Stateful Firewall

• URL Filtering

• IDS/IPS

• SSL decryption and inspection

Enabling all these features degrades UTM performance significantly

Solution: AX Series SSL Intercept with Nitrox III

Net Effect: UTMs have more processing resource available for policy inspection due to AX SSL Intercept

www.example.com

SSL Connection to www.example.com

•21

How to tackle Resource Depletion

•22

DDoS Attack Models

•23

Resource Depletion

TCP Time Wait : 65535 / 240 sec = 273 CPS

TCP Push + ACK : Unload all data in buffer

•24

Connection Re-use

Problem: Excessive TCP connection management overhead can overwhelm the server farm and reduce overall performance

Solution: Connection Reuse (TCP Multiplexing) to offload TCP connection setup and tear down from the server farm

Net Effect: Reduction in connections, improved response times and fewer required servers

•25

Problem: Need to Increase Security without Impacting SSL Performance

Larger SSL key sizes provide more security but require greater computing power to maintain performance levels

1024 2048 4096

Extensive SSL Processing Power

•26

SSL Offload

Problem: Compute intensive encrypted SSL traffic overloads server CPU

Solution: SSL offloaded by AX Series hardware

Net Effect:

Servers support many more transactions per second

Improved response times and fewer required servers

Reduced operational expense

Simpler certificate management

Encrypted connections

Un-encrypted connections

•27

AX Series ADC with NITROX III SSL Acceleration

The AX with ACOS and NITROX III delivers the highest SSL performance for application delivery

This level of performance is up to 10 times greater than alternatives

Dual CPU Intel platforms: near parity for 1024-bit and 2048-bit key performance

•28

Superior Performance and Scalability

aVCS (Virtual Chassis System) up to 8 AX units

Up to 1.3+ million CPS, 288 Gbps of SSL throughput with 2048-bit key encryption

aVCS

•29

Application Level Filtering - Send suspicious request to Honeypot

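Send unknown query to Honeypot for detailed inspection

    when HTTP_REQUEST {
        # Only steer requests for this virtual host
        if { [HTTP::host] equals "demo.v4v6.info" } {
            # Lower-case the header so the glob patterns match
            switch -glob [string tolower [HTTP::header User-Agent]] {
                "*iphone*"  { pool sg-iphone }
                "*ipad*"    { pool sg-ipad }
                "*android*" { pool sg-android }
                default     { pool sg-others }
            }
        }
    }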

Honeypot

Desktop Smartphone

A10 Solutions : aFlex Scripting

•30

Throttling Solution for on-line transaction - Function of (Password / Src-IP / Time / Ticket #)

Internet

www.xxx.hk - .168.72

aaa.yyy.com.hk - .163.10

aFlex Key Generator - 118.142.44.167

Key

bbb.yyy.com.hk - .163.10 - Server Busy (2)

abc.yyy.com.hk - .168.72 - Server Busy (1)

Redirect

Refresh

Check Key

Key

A10 Solutions : Throttling Solution
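
The throttling slide describes an admission key computed as a function of password, source IP, time and ticket number, and checked before a transaction reaches the server. The sketch below is an added example, not A10's aFleX code: the HMAC-SHA256 construction, the 60-second window, the secret and all function names are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # the "Password" input (constructed value)
WINDOW = 60                          # assumed time-slot size in seconds

def _mac(src_ip, ticket, slot, secret):
    msg = f"{src_ip}|{ticket}|{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_key(src_ip, ticket, now, secret=SECRET):
    """Key generator: bind the ticket number to source IP and time slot."""
    slot = int(now // WINDOW)
    return f"{ticket}.{slot}.{_mac(src_ip, ticket, slot, secret)}"

def verify(key, src_ip, now, secret=SECRET):
    """Return the ticket number if the key is authentic and fresh, else None."""
    try:
        ticket_s, slot_s, mac = key.split(".")
        ticket, slot = int(ticket_s), int(slot_s)
    except ValueError:
        return None                  # malformed key
    expected = _mac(src_ip, ticket, slot, secret)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                  # forged, or presented from another IP
    if not 0 <= int(now // WINDOW) - slot <= 1:
        return None                  # older than one slot, or from the future
    return ticket

def check_key(key, src_ip, now, serving_up_to, secret=SECRET):
    """Gate decision: ('admit' | 'busy' | 'reject', key to hand back or None)."""
    ticket = verify(key, src_ip, now, secret)
    if ticket is None:
        return "reject", None
    if ticket > serving_up_to:
        # Not this client's turn yet: answer "Server Busy" and re-issue the
        # key for the current slot so the next refresh still verifies.
        return "busy", make_key(src_ip, ticket, now, secret)
    return "admit", None
```
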

•31

Well Known Applications or Puzzle Pieces?

A10 Networks

BUY Certified

A10 Solutions

A10 Solutions : Reliable, Flexible, Scalable

Build A10 + Self Build +

Consultants or

High Availability (M+N) MTBF > 10 years

Security Protection

Hidden Cost Scripting (aFlex)

XML Integration (aXAPI) External Scripting

M+N Redundancy Virtual Chassis (aVCS)

•32

A10 Solution Summary

A10 Networks : No Hidden Cost

Category             Feature            A10        Remarks
Security Protection  DDoS               Included   Prevent TCP Flood Attack
                     DNS FW / Caching   Included   Prevent UDP Flood Attack
                     IPv6 Tunneling     Included   Last Resort of BW Depletion
Core Functions       GSLB               Included   Multi-Site Operation
                     SLB                Included   Server Load Balancing
App. Optimization    SSL Offload        Included   Prevent Resource Depletion
                     TCP Optimization   Included   Prevent Resource Depletion
                     SSL Interception   Included   Prevent Data Leaking
App. Integration     aFlex Scripting    Included   Honeypot for traffic analysis
                     Throttling         Included   Prevent system overloaded
…etc

•33

Thank You

•www.a10networks.com

•Any App •Any Cloud •Any Size

•34

A10 Networks Company Overview

Leader in Application Networking

Optimize the networks of web giants, enterprises and service providers

Profitable with consistent revenue growth

Headquarters in San Jose, California; offices in 22 countries; customers in over 45 countries

500 employees worldwide

Founded in 2004

CEO & Founder: Lee Chen – co-founder of Foundry Networks and Centillion

Flagship Product Family

AX Series Platform

•35

Sample Customers

•36

AX Series Models – 64-bit FTA Line-up

Large Enterprise or Service Provider

AX 3200-12: 1.1M L4 CPS, 18 Gbps, 313 W Max, 4 x 10 Gb

AX 3400: 2M L4 CPS, 38 Gbps, 338 W Max, 4 x 10 Gb

AX 5200-11: 4.5M L4 CPS, 40 Gbps, 660 W Max, 16 x 10 Gb

AX 5630: 6M L4 CPS, 77 Gbps, 890 W Max, 4 x 40 Gb, 24 x 10 Gb

•37

AX Series Models – 64-bit Non-FTA Line-up

AX 3000-11: 850K L4 CPS, 30 Gbps, 315 W Max, 4 x 10 Gb

AX 1030: 430K L4 CPS, 7.5 Gbps, 155 W Max

AX 3030: 580K L4 CPS, 27 Gbps, 188 W Max, 2 x 10 Gb

AX 2500: 300K L4 CPS, 11 Gbps, 250 W Max

AX 3530: 1.3 million L4 CPS, 115 Gbps, 467 W Max, 12 x 10 Gb

•38

Sample Application, Management and Other Integrations

Certifications

Microsoft Exchange

Microsoft Lync

Microsoft OCS

VMware VMready

HP Opsware/Cisco NCM Driver

Certified HP Network Automation Driver

CA eHealth Certification (Network Performance Monitor)

SevOne Certification (Network Performance Monitor)

VeriSign DNSSEC Tested

Infoblox DNS64

FIPS140-2

NEBS-3

EAL 2+ (Common Criteria)

IPv6 Ready (UNH)

Templates and Guides

Microsoft Exchange

Microsoft SharePoint

Microsoft Lync

Microsoft OCS

Microsoft Terminal Server

Microsoft IIS

Apache

VMware

VMware View

Oracle Weblogic

Oracle Application Server

Blackboard Learn

Infoblox NAT64/DNS64

IBM WebSphere

Juniper SSL VPN

•39

All Inclusive Features for Predictable OPEX

Layer 4 and Layer 7 Application Acceleration

SSL Offload

RAM Caching – static or dynamic

HTTP Compression

aFleX L7 TCL scripting for deep packet inspection

Multiple High Availability configurations

Global Server Load Balancing (GSLB)

DNS Application Layer Firewall

aXAPI REST-based XML API for custom management

Virtualized management Role-based and Partition-based Management

Seamless management for multiple devices

IPv4 and IPv6 load balancing and management

Full web interface and industry-standard command line interface