Customer Driven Innovation
Do not distribute/edit/copy without the written consent of A10 Networks
Protect from DDoS and Application attacks without sacrificing performance
Boris Siu A10 Networks
Agenda
Who is A10?
Our Big Headache
DDoS Attack, DNS Attack, Application Attack
How to maintain SLA
How to prevent Information Leaking
Relieve Our Headache
A10 DDoS Protection Solution
A10 Disaster Recovery Solution
A10 DNS Firewall and DNS Caching Solution
A10 SSL Intercept Solutions
A10 Honeypot Solution and Throttling Solution
A10 Load Balancing Solutions
A10 IPv6 Solutions
Who is A10?
Microsoft TechEd Networking Product Award
•AX 3530 won two Grand Prize awards for: Performance Optimization with aVCS and ShowNet Demonstration for IPv6 Migration solutions.
•Ranked as #1 Computer Hardware company for 2012
•#1 award for 2nd consecutive year
•Three-year sales growth of 2,334%
•Top 5 San Jose company
•Listed 3 consecutive years
•#4 for Communications/Networking companies
•#37 Overall
A10 Sample Customers
Mitigate DDoS and Application Attack - Layered Approach to DDoS Defense
(figure, defense layers from the edge inward: A10 DDoS Protection; FW / IPS / IDS; A10 Throttling; A10 Device Filter; A10 DPI)
DDoS and Application attacks
A10 Networks : DDos Protection
Q3 2012 vs Q2 2011:
•Attack duration dropped from 33 to 19 hrs
•Attack bandwidth increased 230%
•Total # of attacks increased 88%
DDoS Attack Models
(figure: attack sources using IP spoofing alongside real-IP sources. Estimated attack volume in 2013??)
World's Fastest Application Delivery Controller; Unparalleled SSL Speed
AX 5630 Record Breaking Performance
Industry Record : 100+ million SYN Flood Protection
Virtual Chassis : 800% Performance Gain
A10 Networks : Scalability by aVCS
(figure: Phase 1, Phase 2, Phase 3 of aVCS scaling)
DDoS Attack Models
Reduce load by up to 70%
A10 : DNS Application Firewall
A10 Networks : DNS FW & Caching, DNSSec
A10 Disaster Recovery (DR) Solution - No Extra License Required
Primary Datacenter
Servers
No licensing = efficient operation & reduced impact on personnel
Backup Datacenter
Where is my customer??
AX2200-KLN#show gslb geo-location db top 100 percent
Last = Last Matched Client, Per = Percentage of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)/B(built-in)
Global
Name      From  To  Last              Per   Sub     T
--------------------------------------------------------------------------------
HK                  218.102.21.129    78%   1135    G
SG                  175.176.170.130   10%   895     G
US                  69.162.74.234     4%    20488   G
CN                  222.128.34.43     3%    682     G
CN.CNC              202.106.0.103     1%    339     G
apnic               210.0.128.10      0%    12      G
GB                  92.42.123.88      0%    13471   G
CN.CTC              116.236.168.2     0%    438     G
TW                  61.220.9.125      0%    481     G
RO                  89.36.21.42       0%    1060    G
NL                  194.109.76.99     0%    6408    G
DDoS Attack Models
8 Million PBSLB entries connection limit (Conc Conn. or Rate Limit)
What is SSL Intercept? How Does Security Improve?
How to Prevent Data Leaking??
SSL traffic cannot be inspected by FW??
More and more devices require SSL security
BYOD results in proliferation of outbound connections, which requires enterprises to increase their security for “always on” mobile devices
Applications such as: MS Exchange, Lync, e-business, Gmail/Hotmail/Yahoo mail, Facebook, LinkedIn, Twitter, etc.
Problem: SSL Can be Exploited by Hackers
•User starts an SSL connection to malicious site
•Hacker takes advantage of SSL by inserting malware into SSL connection
•Security appliances relied upon to identify risks have no visibility into SSL traffic. Threats are not identified or mitigated
•Other machines within the enterprise can now be compromised
(figure: SSL connection to www.example.com passes the Firewall, IDS/IPS, Malware Detection and Security Forensics appliances without being inspected)
What is a SSL Intercept Proxy?
End-to-end connection is split into two sessions:
•AX as server to client: Client Hello -> Server Hello, Certificate, Server Hello Done -> Client Key Exchange, Change Cipher Spec, Finished -> Change Cipher Spec, Finished
•AX as client to server: the same handshake is run a second time between the AX Series SSL Intercept Proxy and the server
SSL Intercept increases enterprise security
SSL Intercept increases performance
(figure: Client <-> AX Series SSL Intercept Proxy <-> Server)
Solution: AX SSL Intercept
•User connects to site using SSL
•AX terminates client/server SSL connection on internal/external forward proxy AX ADCs
•AX creates an unencrypted zone
•Unencrypted traffic passes to security devices, which can now inspect the traffic and mitigate per corporate policy
(figure: SSL connection to www.example.com; Firewall, IDS/IPS, Malware Detection and Security Forensics sit in the un-encrypted zone between the two AX ADCs)
High Performance UTM with SSL Intercept
Problem: Need to provide high performance Unified Threat Management (UTM) capabilities such as:
•Stateful Firewall
•URL Filtering
•IDS/IPS
•SSL decryption and inspection
Enabling all these features degrades UTM performance significantly
Solution: AX Series SSL Intercept with Nitrox III
Net Effect: UTMs have more processing resource available for policy inspection due to AX SSL Intercept
(figure: SSL connection to www.example.com)
How to tackle Resource Depletion
DDoS Attack Models
Resource Depletion
TCP TIME_WAIT : 65535 ports / 240 sec TIME_WAIT = 273 CPS (new connections per second before the port pool is exhausted)
TCP PSH + ACK : unload all data in buffer
Connection Re-use
Problem: Excessive TCP connection management overhead can overwhelm the server farm and reduce overall performance
Solution: Connection Reuse (TCP Multiplexing) to offload TCP connection setup and tear down from the server farm
Net Effect: Reduction in connections, improved response times and less required servers
Problem: Need to Increase Security without Impacting SSL Performance
Larger SSL key sizes provide more security but require greater computing power to maintain performance levels
(figure: extensive SSL processing power required at 1024-, 2048- and 4096-bit key sizes)
SSL Offload
Problem: Compute intensive encrypted SSL traffic overloads server CPU
Solution: SSL offloaded by AX Series hardware
Net Effect:
Servers support many more transactions per second
Improved response times and less required servers
Reduced operational expense
Simpler certificate management
(figure: encrypted connections on the client side of the AX, un-encrypted connections to the servers)
AX Series ADC with NITROX III SSL Acceleration
(figure: NITROX III SSL acceleration chips)
The AX with ACOS and NITROX III delivers the highest SSL performance for application delivery
This level of performance is up to 10 times greater than alternatives
Dual CPU Intel platforms: near parity for 1024-bit and 2048-bit key performance
Superior Performance and Scalability
aVCS (Virtual Chassis System): up to 8 AX units
Up to 1.3+ million CPS, 288 Gbps of SSL throughput with 2048-bit key encryption
Application Level Filtering - Send suspicious request to Honeypot
A10 Solutions : aFlex Scripting
Send unknown query to Honeypot for detailed inspection:

when HTTP_REQUEST {
  # Left operand was lost in extraction; assumed to be the request Host header
  if { [HTTP::host] equals "demo.v4v6.info" } {
    # Route by device type from the User-Agent header; unmatched clients go to the default pool
    switch -glob [string tolower [HTTP::header "User-Agent"]] {
      "*iphone*"  { pool sg-iphone }
      "*ipad*"    { pool sg-ipad }
      "*android*" { pool sg-android }
      default     { pool sg-others }
    }
  }
}

(figure: Desktop and Smartphone clients; unmatched requests are sent to the Honeypot pool)
Throttling Solution for on-line transaction - Function of (Password / Src-IP / Time / Ticket #)
A10 Solutions : Throttling Solution
(figure: Internet clients reach www.xxx.hk (.168.72) and aaa.yyy.com.hk (.163.10); the aFlex Key Generator (118.142.44.167) issues a Key, the client is redirected and refreshes, and the Key is checked before the request is admitted; bbb.yyy.com.hk (.163.10) shows Server Busy (2), abc.yyy.com.hk (.168.72) shows Server Busy (1))
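A worked example of the key-issue and key-check halves of this throttling scheme, written here in Python as an added illustration (not A10's aFlex code): the key is an HMAC over source IP, ticket number and issue time, so it only validates from the address it was issued to and only within its lifetime. The secret, lifetime, reason strings and sample addresses are constructed; the slide's Password input is left out.

```python
import base64
import hashlib
import hmac

# Constructed demo values: the real key generator's secret and key lifetime are not on the slide.
SECRET = b"demo-secret-change-me"
KEY_TTL = 300  # seconds a key stays valid (assumed)


def generate_key(src_ip, ticket, issued_at, secret=SECRET):
    """Issue a key bound to the client's source IP, its ticket number and the issue time.

    Format: ticket.issued_at.mac, where mac = HMAC-SHA256(secret, src_ip|ticket|issued_at)
    truncated to 16 bytes and URL-safe base64 encoded so it survives the redirect URL.
    """
    msg = f"{src_ip}|{ticket}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()[:16]
    return f"{ticket}.{issued_at}." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def check_key(key, src_ip, now, secret=SECRET, ttl=KEY_TTL):
    """Validate a presented key for the request's source IP at time `now`.

    Returns (admit, reason). Because src_ip is part of the MAC input, a key copied
    from one client cannot be replayed from another address.
    """
    try:
        ticket, issued_str, _mac = key.split(".", 2)
        issued_at = int(issued_str)
    except ValueError:
        return False, "malformed"
    expected = generate_key(src_ip, ticket, issued_at, secret)
    if not hmac.compare_digest(expected, key):
        return False, "bad signature or wrong source IP"
    if now < issued_at:
        return False, "issued in the future"
    if now - issued_at > ttl:
        return False, "expired"
    return True, "ok"


def admit(src_ip, key, now):
    """Front-end decision: serve the request, or redirect the client to the key generator."""
    if key is None:
        return "redirect to key generator"
    ok, reason = check_key(key, src_ip, now)
    return "serve" if ok else f"redirect to key generator ({reason})"
```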
Well Known Applications or Puzzle Pieces?
A10 Networks
BUY Certified A10 Solutions
A10 Solutions : Reliable, Flexible, Scalable
(figure: "Build A10" compared with "Self Build + Consultants" on High Availability (M+N, MTBF > 10 years), Security Protection, Hidden Cost, Scripting (aFlex), XML Integration (aXAPI) / External Scripting, and M+N Redundancy / Virtual Chassis (aVCS))
A10 Solution Summary
A10 Networks : No Hidden Cost
Category             Feature            A10        Remarks
Security Protection  DDoS               Included   Prevent TCP Flood Attack
                     DNS FW / Caching   Included   Prevent UDP Flood Attack
                     IPv6 Tunneling     Included   Last Resort of BW Depletion
Core Functions       GSLB               Included   Multi-Site Operation
                     SLB                Included   Server Load Balancing
App. Optimization    SSL Offload        Included   Prevent Resource Depletion
                     TCP Optimization   Included   Prevent Resource Depletion
                     SSL Interception   Included   Prevent Data Leaking
App. Integration     aFlex Scripting    Included   Honeypot for traffic analysis
                     Throttling         Included   Prevent system overload
…etc
Thank You
www.a10networks.com
Any App, Any Cloud, Any Size
A10 Networks Company Overview
Leader in Application Networking
Optimize the networks of web giants, enterprises and service providers
Profitable with consistent revenue growth
Headquarters in San Jose, California; offices in 22 countries; customers in over 45 countries
500 employees worldwide
Founded in 2004
CEO & Founder: Lee Chen, co-founder of Foundry Networks and Centillion
Flagship Product Family
AX Series Platform
Sample Customers
AX Series Models – 64-bit FTA Line-up (Large Enterprise or Service Provider)
AX 3200-12: 1.1M L4 CPS, 18 Gbps, 313 W Max, 4 x 10 Gb
AX 3400: 2M L4 CPS, 38 Gbps, 338 W Max, 4 x 10 Gb
AX 5200-11: 4.5M L4 CPS, 40 Gbps, 660 W Max, 16 x 10 Gb
AX 5630: 6M L4 CPS, 77 Gbps, 890 W Max, 4 x 40 Gb + 24 x 10 Gb
AX Series Models – 64-bit Non-FTA Line-up
AX 3000-11: 850K L4 CPS, 30 Gbps, 315 W Max, 4 x 10 Gb
AX 1030: 430K L4 CPS, 7.5 Gbps, 155 W Max
AX 3030: 580K L4 CPS, 27 Gbps, 188 W Max, 2 x 10 Gb
AX 2500: 300K L4 CPS, 11 Gbps, 250 W Max
AX 3530: 1.3 million L4 CPS, 115 Gbps, 467 W Max, 12 x 10 Gb
Sample Application, Management and Other Integrations
Certifications:
Microsoft Exchange
Microsoft Lync
Microsoft OCS
VMware VMready
HP Opsware/Cisco NCM Driver
Certified HP Network Automation Driver
CA eHealth Certification (Network Performance Monitor)
SevOne Certification (Network Performance Monitor)
VeriSign DNSSEC Tested
Infoblox DNS64
FIPS140-2
NEBS-3
EAL 2+ (Common Criteria)
IPv6 Ready (UNH)
Templates and Guides:
Microsoft Exchange
Microsoft SharePoint
Microsoft Lync
Microsoft OCS
Microsoft Terminal Server
Microsoft IIS
Apache
VMware
VMware View
Oracle Weblogic
Oracle Application Server
Blackboard Learn
Infoblox NAT64/DNS64
IBM WebSphere
Juniper SSL VPN
All Inclusive Features for Predictable OPEX
Layer 4 and Layer 7 Application Acceleration
SSL Offload
RAM Caching – static or dynamic
HTTP Compression
aFleX L7 TCL scripting for deep packet inspection
Multiple High Availability configurations
Global Server Load Balancing (GSLB)
DNS Application Layer Firewall
aXAPI REST-based XML API for custom management
Virtualized management: Role-based and Partition-based Management
Seamless management for multiple devices
IPv4 and IPv6 load balancing and management
Full web interface and industry-standard command line interface