Project Galactic
Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation
Bruce Hembree, Senior Systems Engineer, A10 Networks

4000+ Customers in 65 Countries
Service Providers, Enterprises, Web Giants
• 3 of the top 4 U.S. wireless carriers
• 7 of the top 10 U.S. cable providers
• Top 3 wireless carriers in Japan

A10 Product Portfolio Overview
Product Lines:
• ADC – Application Delivery Controller: Application Acceleration & Security
• CGN – Carrier Grade Networking: IPv4 Extension / IPv6 Migration
• TPS – Threat Protection System: Network Perimeter DDoS Security
Application Networking Platform: ACOS Platform (Performance, Scalability, Extensibility, Flexibility)
IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS

IPSEC in your LAN
Because this rabbit is totally legit and is clearly not a threat

Smart Tactics: IPSEC domain boundaries with 2FA
• IPSEC domain boundaries with 2 Factor Authentication
• Require IPSEC communication inside your network as the default
• Used at large organizations as a first line of defense against worms
• Most malware lives ~200 days before detection
• Stops APTs from spreading during off-hours

Smart Tactics: IPSEC domain boundaries with 2FA
• IPSEC domain boundaries with 2 Factor Authentication
• Adversaries frequently attempt to replicate laterally during off-hours. Without a valid IPSEC connection, malware is denied by default, without cumbersome endpoint firewall rules.
• Non-repudiation – users are identified by their certs and the presence of their card/PIN combo

SSLi
You’ve got to get into that data stream.

Network Threats Hidden in SSL Traffic
– ~40% of Internet traffic is encrypted; 70%+ SSL traffic in some organizations
– 50% of attacks will use encryption to bypass controls by 2017
– 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
Sources: “SSL Performance Problems,” NSS Labs, 2013; “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013

How Malware Developers Exploit Encrypted Traffic
Diagram: a malicious attachment sent over SMTPS, a malicious file in instant messaging, and a drive-by download from an HTTPS site reach the clients; the botnet herder’s command and control servers then receive data exfiltration over SSL channels (HTTPS).
• Encryption obscures:
– Bot installation
– C&C communication
– Data exfiltration

SSL Insight: Eliminate the Outbound SSL Blind Spot
• Benefit:
– Eliminate the encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)
• Advantage:
– Optimized decryption with dedicated security processors for CPU-intensive 2048-bit keys
– Offloads firewalls that can’t scale SSL decryption
– Freedom to work with any traffic inspection/mitigation device
Diagram: Client → (encrypted) → A10 ADC → (decrypted) → Inspection/Protection (FW, UTM, IDS, Other: Next Generation Firewalls/DLP/IPS/IDS) → A10 ADC → (encrypted) → Server
81%: The average performance loss across 7 NG Firewalls
Source: “SSL Performance Problems,” NSS Labs, 2013

Thunder ADC Hardware Appliances
(positioned on a price vs. performance chart; listed here lowest to highest)
• Thunder 930 ADC: 5 Gbps (L4&L7), 200k L4 CPS, 1M RPS (HTTP)
• Thunder 1030S ADC: 10 Gbps (L4&L7), 450k L4 CPS, 2M RPS (HTTP), SSL Processor
• Thunder 3030S ADC: 30 Gbps (L4&L7), 750k L4 CPS, 3M RPS (HTTP), SSL Processor
• Thunder 4430(S) ADC: 38 Gbps (L4&L7), 2.7M L4 CPS, 11M RPS (HTTP)
• Thunder 5430S ADC: 77/75 Gbps (L4/L7), 2.8M L4 CPS, 17M RPS (HTTP), SSL Processor, Hardware FTA
• Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7), 3.7M L4 CPS, 20M RPS (HTTP), SSL Processor, Hardware FTA
• Thunder 5630 ADC: 79/78 Gbps (L4/L7), 6M L4 CPS, 32.5M RPS (HTTP), SSL Processor, Hardware FTA
• Thunder 6430(S) ADC: 150/145 Gbps (L4/L7), 5.3M L4 CPS, 31M RPS (HTTP), SSL Processor, Hardware FTA
• Thunder 6630 ADC: 150/145 Gbps (L4/L7), 7.1M L4 CPS, 38M RPS (HTTP), SSL Processor, Hardware FTA

DDOS Protection
Expecting The Inquisition

DDoS Protection: Multi-vector Edge Protection
• Benefits:
– Large-scale DDoS protection
– Advanced protection features
– Predictable operations
• Advantage:
– Full DDoS defense covers network and application attacks
– Hardware DDoS protection for common attacks
– SYN flood protection to 200 M per second
Protection categories shown: Infrastructure DDoS, Connection Limiting, Geographic Control, L7 Protection, Slow L7 Attacks, Rate Limiting, SYN Flood, aFleX Control, More…

Thunder TPS Hardware Appliances
(positioned on a price vs. performance chart; listed here lowest to highest)
• Thunder 3030S TPS: 10 Gbps, 6x1G Copper, 2x1G (SFP), 4x10/1G (SFP+), SSL Processor – CPE class platform, MSSP integrated solution
• Thunder 4435(S) TPS: 38 Gbps, 16x10/1G (SFP+), SSL Processor*, Hardware FTA Mitigation
• Thunder 5435(S) TPS: 77 Gbps, 16x10/1G (SFP+), 4x40G (QSFP+), SSL Processor*, Hardware FTA Mitigation
• Thunder 6435(S) TPS: 155 Gbps, 16x10/1G (SFP+), 4x40G (QSFP+), SSL Processor*, Hardware FTA Mitigation
High performance extended platforms for Web Giants, Service Providers, Large Enterprise, e.g. MSSPs, Gaming, etc.
* “S” model must be purchased

Trophies
Thank You