8 January 2015 SOME Event - A10 Networks - Accelerating and Securing Applications & Networks


Upload: bga-bilgi-guevenligi-akademisi

Post on 14-Jul-2015


Page 1

©A10 Networks, Inc.

SSL Insight & TPS
Accelerating and Securing Applications & Networks
09242014

Arzu Akkaya, [email protected]
Sinan İlkiz, [email protected]

Page 2

3400+ Customers in 65 Countries

Web Giants, Enterprises, Service Providers
– 3 of Top 4 U.S. WIRELESS CARRIERS
– 7 of Top 10 U.S. CABLE PROVIDERS
– Top 3 WIRELESS CARRIERS IN JAPAN

Page 3

SSL Insight
Uncover Hidden Threats in Encrypted Traffic

Page 4

Uncover Hidden Threats in Encrypted Traffic

– 25%–35% of Internet traffic is encrypted with SSL
– More than 50% of all attacks will use encrypted traffic to bypass controls by 2017
– Less than 20% of organizations with a firewall, IPS or UTM appliance decrypt inbound or outbound SSL traffic
– 81% average performance loss of leading firewalls when decrypting traffic
– 48% more of the most popular websites use SSL in 2014 than 2013

Sources: NSS Labs, "SSL Performance Problems"; StackExchange analysis on key lengths; NetCraft SSL Survey

Page 5

Uncover Hidden Threats in Encrypted Traffic

Challenge
Malicious users leverage SSL encryption to conceal their exploits. Organizations need a powerful, high-performance platform to decrypt SSL traffic.

Solution
A10 Networks enables organizations to analyze all data, including encrypted data, by intercepting SSL communications and sending them to 3rd party security devices such as firewalls, threat prevention platforms and forensic tools for inspection.

Page 6

SSL Insight Traffic Flow

1. Encrypted traffic from the client is decrypted by the internal, client-side Thunder ADC
2. Thunder ADC sends the unencrypted data to a security appliance which inspects the data in clear text
3. The external Thunder ADC re-encrypts the data and sends it to the server
4. The server sends an encrypted response to the external Thunder ADC
5. Thunder ADC decrypts the response and forwards it to the security device for inspection
6. The internal ADC receives traffic from the security device, re-encrypts it and sends it to the client

Page 7

SSL Insight

With SSL Insight, organizations can:
– Achieve high performance with SSL acceleration hardware
– Scale security with load balancing
– Reduce load on security infrastructure by controlling which types of traffic to decrypt
– Granularly control traffic with aFleX policies
– Selectively bypass sensitive web applications*

* With ACOS 4.0.1
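"Controlling which types of traffic to decrypt" and "selectively bypass sensitive web applications" both come down to a per-connection decision that must be made before any decryption happens, using what is visible in the clear: the TLS ClientHello and its SNI (server_name) extension. The Python below is an added example, not A10 code and not an ACOS or aFleX feature. It builds a minimal ClientHello as constructed test input, parses the SNI out of it, and applies a constructed category map (the domain names and categories are assumptions) to return a decrypt or bypass verdict; connections without SNI and malformed records are handled explicitly.

```python
import struct

SNI_EXT_TYPE = 0x0000          # server_name extension (RFC 6066)


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying an SNI
    extension. Constructed test input only: a real ClientHello has many more
    extensions, but the framing parsed below is the same."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + b"\x00" * 32              # random (zeros; constructed)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(record):
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXT_TYPE:
            p = 2                                         # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                            # host_name entry
                    return edata[p:p + nlen].decode("ascii")
                p += nlen
    return None


def extract_sni(record):
    """Return the SNI hostname, None if the ClientHello carries none, and raise
    ValueError for anything that is not a well-formed ClientHello."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


# Constructed category map (domain suffix -> category). A real deployment would feed
# this from a URL classification subscription; these names are assumptions.
CATEGORY_BY_SUFFIX = {
    "bank.example": "finance",
    "clinic.example": "healthcare",
    "cdn.example": "content",
}
BYPASS_CATEGORIES = {"finance", "healthcare"}   # privacy-sensitive: pass through undecrypted


def classify(hostname):
    if hostname is None:
        return "unknown"
    labels = hostname.lower().split(".")
    for i in range(len(labels)):                 # longest-suffix match
        category = CATEGORY_BY_SUFFIX.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def decrypt_decision(record):
    """Return (action, hostname, category) for one ClientHello. 'bypass' is given
    only to explicitly listed sensitive categories; everything else, including
    connections without SNI, is decrypted and inspected."""
    hostname = extract_sni(record)
    category = classify(hostname)
    action = "bypass" if category in BYPASS_CATEGORIES else "decrypt"
    return action, hostname, category


if __name__ == "__main__":
    for host in ("online.bank.example", "www.cdn.example", "other.example", None):
        print(host, "->", decrypt_decision(build_client_hello(host)))
```

The default-to-decrypt choice matters: a bypass list keyed on SNI is a self-declared client value, so a missing or unlisted name must fall into the inspected path, and the category feed (not the client) decides what is sensitive enough to bypass.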

Page 8

A Single Point for Decryption and Analysis

Thunder ADC can work with:
– Firewalls
– Intrusion Prevention Systems (IPS)
– Unified Threat Management (UTM) platforms
– Data Loss Prevention (DLP) products
– Threat prevention platforms
– Network forensics and web monitoring tools

[Diagram: inline and non-inline security device placement]

Page 9

SSL Insight Performance & Summary

– Scalability, with up to 23.8 Gbps of SSL inspection performance in a standard configuration
– Load balancing of security devices to maximize uptime and scale security
– Advanced SSL Insight features like URL classification subscriptions, untrusted certificate handling, and more
– Hardware Security Module (HSM) integration for FIPS 140-2 Level 3 compliant SSL key management
– Traffic steering to intelligently route traffic, optimize performance and reduce security appliance costs
– Validated interoperability with FireEye, RSA, IBM and other leading inspection products ensures that our solutions work together

Page 10

Threat Protection System
High-performance, Network-wide DDoS Protection

Page 11

DDoS Problems

– Q3 2010, PayPal: discloses cost of attack £3.5M (~$5.8 million)
– Q1 2013, Credit Union Regulators: recommend DDoS protection to all members
– Q4 2012, Bank of the West: $900k stolen, DDoS as a distraction
– Q1 2013, al Qassam Cyber Fighters: 10–40 Gbps attacks target 9 major banks
– Q1 2014, CloudFlare: 400 Gbps NTP amplification attack
– Q4 2013: 60 Gbps attacks regularly seen, 100 Gbps not uncommon
– Q4 2013: 26% YoY attack increase (17% L7, 28% L3-4)
– Q4 2013: PPS reaches 35 million
– Q4 2013: 6.8 million mobile devices are potential attackers (LOIC and AnDOSid)

"High-bandwidth DDoS attacks are becoming the new norm and will continue wreaking havoc on unprepared enterprises"
Source: Gartner

Page 12

Thunder Threat Protection System (TPS)
Next Generation DDoS Protection

Multi-vector Protection (Application & Network Protection)
– Detect & mitigate application & network attacks
– Flexible scripting & DPI for rapid response

High Performance Mitigation
– Mitigate 10–155 Gbps of attack throughput, 200 M packets per second (PPS) in 1 rack unit

Broad Deployment Options & 3rd Party Integration
– Symmetric, asymmetric, out-of-band
– Open SDK/RESTful API for 3rd party integration

Page 13

Mitigating DDoS Attacks
Five principal methods for effective mitigation

– Packet anomaly check: Network level packet sanity check (conformance)
– Authentication challenge: Network and application level validation of client origination integrity
– Black and white lists: Network level high speed inspection and control
– Traffic rate control: Network and application monitoring to rate limit traffic
– Protocol and application check: Network and application

Page 14

Real-time Detection: Flood Thresholds, Protocol Anomalies, Behavioral Anomalies, Resource Starvation, L7 Scripts, Black Lists (HTTP, DNS, TCP, UDP)

Symmetric Deployment
– Inline DDoS detection and mitigation in one box
– Inspect both inbound and outbound traffic
– Suitable for Enterprises: protecting own services, permanent protection, sub-second detection-to-mitigation

Profile
– Detect and inspect L3–L7 traffic for both inbound and outbound traffic
– Deep statistics sFlow export
– DDoS detection and mitigation at sub-second scale

[Diagram: Symmetric Deployment; labels: Telemetry, DDoS Detection System, Collection Device, Services]

Page 15

Asymmetric Reactive Deployment
– Classic deployment model
– Scalable solution for DDoS mitigation: oversubscribed bandwidth deployment, no additional latency in peace time, longer time to mitigate
– Suitable for Service Providers: protecting select services, large scale core network

Profile
– Traffic redirected to TPS for scrubbing as needed; supports BGP for route injection
– Valid traffic forwarded into network for services; supports GRE & IP-in-IP tunneling

[Diagram: Asymmetric Reactive Deployment; labels: Core Network, End Customer or Data Center, Services, DDoS Detection System, aXAPI / Manual Action, Traffic Redirection, Telemetry]

Page 16

Asymmetric Reactive Model with CPE
– Recommended for Managed Security Service Providers (MSSP)
– Enable a centralized scrubbing service with high performance TPS
– CPE device at end customer site: symmetric or out-of-band deployment

Profile
– CPE provides full local mitigation
– Detection system analyses CPE data and mitigates when needed; BGP used to direct traffic to cloud-based high performance Thunder TPS for scrubbing

[Diagram: Asymmetric Reactive Deployment with CPE; labels: MSSP Network, ISP Network, End Customer, Services, DDoS Detection System, aXAPI, Traffic Redirection, Telemetry, Thunder TPS CPE]

Page 17

Asymmetric Proactive Deployment
– For high performance DDoS detection and mitigation
– DDoS detection and mitigation in one box
– Suitable for Large Enterprises and ISPs: protecting own services, protecting end customers, large-to-mid scale core network

Profile
– Inbound traffic always routed toward TPS Insight in peace-time and war-time
– DDoS detection at sub-second scale

[Diagram: Asymmetric Proactive Deployment; labels: Core Network, Services, End Customer or Data Center]

Page 18

Out-of-Band (TAP) Deployment
– High speed DDoS detection capability
– Receive and analyze mirrored traffic data from routers
– Build dynamic Black/White lists: function as black/white list master, synchronize lists with cluster members
– Hybrid mode supported
– DDoS statistics and counters for DDoS detection

[Diagram: Out-of-Band (TAP) Deployment; labels: Core Network, Data Center, Services, Mirrored Traffic, TAP; detection inputs: Protocol Anomalies, Behavioral Analysis, Threat Intel Lists, Geolocation, Global Thresholds, User Thresholds]

Page 19

Thunder TPS Performance

Models: Thunder 3030S TPS (CPE), Thunder 4435 TPS, Thunder 5435 TPS, Thunder 6435 TPS

                                      3030S TPS (CPE)   4435 TPS                     5435 TPS                     6435 TPS
Mitigation Throughput                 10 Gbps           38 Gbps                      77 Gbps                      155 Gbps
TCP SYN Auth/sec (PPS*)               6.5 million       35 million                   40 million                   70 million
SYN Cookies/sec (PPS**)               6.5 million       55 million                   112 million                  223 million
DDoS Attack Detection and Mitigation  Software          Software + hardware assist   Software + hardware assist   Software + hardware assist

* Packets per second, CPU-based performance
** Packets per second, hardware (FTA)-based performance
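The two SYN rows in this table are the "authentication challenge" method from the mitigation slide applied to TCP: the device answers every SYN without keeping state, and only a client that completes the handshake with a valid ACK gets a connection. SYN cookies do this by encoding the state into the SYN-ACK sequence number. The Python below is an added example of the classic cookie layout (5-bit time tick, 3-bit MSS index, 24-bit keyed digest over the 4-tuple and tick), not A10 code and not how Thunder TPS implements it; the secret, addresses and timing are constructed. It shows a valid ACK being accepted, an ACK from a different source being rejected, and an ACK that arrives too late being rejected.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

MSS_TABLE = (536, 1220, 1460, 8960)     # MSS values the 3-bit field can encode (4 used)
COUNTER_PERIOD = 64                      # seconds per time tick
SECRET = b"constructed-demo-secret"      # constructed; a real implementation rotates this


def _mac24(saddr, daddr, sport, dport, count):
    """24-bit keyed digest binding the cookie to the 4-tuple and the time tick."""
    msg = (ip_address(saddr).packed + ip_address(daddr).packed
           + struct.pack("!HHI", sport, dport, count))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Sequence number to put in the SYN-ACK; no per-connection state is stored."""
    count = int(now // COUNTER_PERIOD)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest encodable MSS not above the client's
        if mss <= client_mss:
            mss_idx = i
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, count)


def check_syn_cookie(saddr, daddr, sport, dport, ack_seq, now, max_age_ticks=1):
    """Validate the final ACK of the handshake. Returns the negotiated MSS, or
    None if the cookie is stale or was not issued to this 4-tuple."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF           # ACK number is our ISN + 1 (mod 2^32)
    count_now = int(now // COUNTER_PERIOD)
    age = (count_now - (cookie >> 27)) & 0x1F     # 5-bit tick, wraps every 32 ticks
    if age > max_age_ticks:
        return None
    count = count_now - age
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, count):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handshake_demo():
    """Server side of the exchange with constructed endpoints (documentation ranges)."""
    saddr, daddr, sport, dport = "198.51.100.5", "192.0.2.10", 40000, 443
    t_syn = 1000.0
    # SYN arrives: reply with a SYN-ACK whose sequence number is the cookie; store nothing
    isn = make_syn_cookie(saddr, daddr, sport, dport, 1460, t_syn)
    ack = (isn + 1) & 0xFFFFFFFF
    return {
        # ACK from the real client a few seconds later: accepted, MSS recovered
        "valid_mss": check_syn_cookie(saddr, daddr, sport, dport, ack, t_syn + 3),
        # same ACK number presented from another source address: digest mismatch
        "spoofed": check_syn_cookie("198.51.100.6", daddr, sport, dport, ack, t_syn + 3),
        # ACK replayed three ticks later: too old
        "stale": check_syn_cookie(saddr, daddr, sport, dport, ack, t_syn + 3 * COUNTER_PERIOD),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The cost of this scheme is why it is a fallback rather than the normal path: only the MSS survives in the cookie, so window scaling and SACK negotiated in the original SYN are lost, and a spoofed SYN flood still costs one SYN-ACK of egress bandwidth per packet, which is what the "SYN Auth" and "SYN Cookies" per-second figures above measure.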

Page 20

Page 21

Thank you