NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Security


@NTXISSA #NTXISSACSC4

Array Networks
"A Layered Approach to Web & Application Security"

Edward Keiper, Senior Systems Engineer
Array Networks, October 7, 2016

@NTXISSA #NTXISSACSC4 NTXISSA Cyber Security Conference, October 7-8, 2016

Array Networks at-a-glance

Founded: 2000
Headquarters: Milpitas, CA, USA
Employees: 250+
Market: Application Delivery Networking
Products: Application Delivery Controllers (ADC); Secure Access Gateways (SSL VPN)
Segments: Enterprise, Service Provider, Public Sector
Technology: 30+ Patents
Customers: 5000+ Worldwide

Meeting Enterprise-Class Requirements For Over 10 Years


Why a multi-layer approach?

§ Encryption creates the need for at least two levels of security

- SSL (HTTPS) traffic passes directly through traditional firewalls, bypassing rules, policies and inspection

- SSL traffic is on the rise, used for both remote and mobile access and for an ever increasing number of Web sites and applications


Multi-layer security protects against…

DoS (Denial of Service)
Back Doors
Flash Events
Web Exploitation & Defacing
Land Attack
Ping Attack
Syn Flood Attack
Unreachable Host Attack
Tear Drop Attack
Buffer Overflow Attack
Parser Evasion Attacks
Directory Traversal Attack
High Bit Shellcode Protection
Security Exploitation (Port scan)
Cross Site Scripting
Impersonation & Breach of Privacy
Code Red
SQL Injection
Heartbleed


Multi-layer security architecture (cont.)

§ Firewall perimeter security

- The first line of defense: rules-based, network-level packet filtering; no visibility into SSL

§ SSL termination and traffic inspection

- Traffic from secure applications is terminated on ADCs; the decrypted and inspected traffic may be sent to servers or to advanced security appliances for further inspection

- Traffic from remote access users is terminated on SSL VPNs; the decrypted and inspected traffic may be sent to servers or to advanced security appliances

§ Advanced security appliances

- Further inspection of a smaller volume of pre-screened traffic


Multi-layer security architecture

Diagram: External & Remote Users -> Firewall Perimeter Security -> ADC (HTTP/S Web App Traffic) and SSL VPN (HTTPS Remote Access Traffic) -> IPS/IDS, ATP, Malware -> Networks, Apps, Data


Multi-layer security architecture (cont.)

§ Layer-3 stateful packet filtering

- Per-customer interface (VLAN/MNET), ingress packet filtering (source/destination IP, port, protocol), 1000 ACLs, packet deny/drop log, dynamic access list, permit-only network access

§ Layer-4 TCP stateful inspection

- TCP stateful inspection, L4 packet sanitization, reverse proxy (client packet does not touch server), syn-cookie protection against TCP syn floods and DoS attacks

§ Layer-7 content filtering, WAF & DDoS

- URL filtering, configurable access control (limit connections per port to prevent DDoS attack), application session control, HTTP protocol validation and policy filtering, attack signature filtering, input validation, XSS prevention, virtual patching
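As an added illustration of the Layer-4 syn-cookie protection named above (this is not code from the slides or from Array Networks), the following shows how a reverse proxy can answer every SYN with a stateless cookie and allocate a connection only when the handshake's final ACK echoes a valid one. The secret key, MSS table, time-slot width and addresses are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

SECRET = b"constructed-demo-secret"   # a real appliance uses a per-boot random key
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS index is folded into the cookie's low 24 bits
SLOT = 64                             # seconds per time slot; current and previous slot accepted

def _mac(src, dst, sport, dport, client_isn, count):
    """Keyed hash binding the cookie to the 4-tuple, the client ISN and a time slot."""
    msg = struct.pack("!4s4sHHII", src, dst, sport, dport, client_isn, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(src, dst, sport, dport, client_isn, mss, now=None):
    """Server ISN for the SYN/ACK; nothing about this half-open SYN is stored."""
    count = int((time.time() if now is None else now) // SLOT)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    low24 = (_mac(src, dst, sport, dport, client_isn, count) + mss_idx) & 0xFFFFFF
    return ((count & 0xFF) << 24) | low24

def check_cookie(src, dst, sport, dport, client_isn, cookie, now=None):
    """Validate a cookie echoed in the final ACK; returns the MSS, or None if bogus or stale."""
    now_count = int((time.time() if now is None else now) // SLOT)
    for count in (now_count, now_count - 1):
        if (count & 0xFF) != (cookie >> 24):
            continue
        mss_idx = (cookie - _mac(src, dst, sport, dport, client_isn, count)) & 0xFFFFFF
        if mss_idx < len(MSS_TABLE):
            return MSS_TABLE[mss_idx]
    return None

class SynCookieProxy:
    """Reverse-proxy front end: state exists only after a valid cookie comes back."""
    def __init__(self, addr=b"\x0a\x00\x00\x01", port=443):  # constructed 10.0.0.1:443
        self.addr, self.port, self.established = addr, port, {}
    def on_syn(self, src, sport, client_isn, mss, now=None):
        # A flood of SYNs costs one hash each and adds no table entries.
        return make_cookie(src, self.addr, sport, self.port, client_isn, mss, now)
    def on_ack(self, src, sport, seq, ack, now=None):
        # Per the handshake, seq is client ISN + 1 and ack is our cookie + 1 (mod 2^32).
        mss = check_cookie(src, self.addr, sport, self.port,
                           (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)
        if mss is None:
            return False            # forged, replayed from an expired slot, or never SYN'd
        self.established[(src, sport)] = mss
        return True
```

A stale cookie is rejected once two slots have passed, so a replayed ACK cannot create state later, and nothing is kept per client until the cookie checks out.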


SSL VPN multi-layer security

§ End-point security

- Scan for personal firewalls, anti-virus software, browsers, operating systems, service packs, patches; apply adaptable remediation options for non-compliant clients

§ Advanced authentication, authorization and auditing

- LDAP, Microsoft Active Directory, RADIUS, RSA SecurID, Local DB, SSL client certificates, multi-factor authentication including RSA, Duo, Swivel, Syferlock and others

§ Deep packet inspection and WRM

- Buffer overflow protection, syn-flood protection, URL filtering, configurable access control (limit connections per port to prevent DDoS attack), Web resource mapping with payload inspection and HTTP NATing


SSL VPN security architecture (diagram)

End Point Security: host checking, adaptive policies, secure desktop, cache cleaning
• Eliminates all elements of browser cache
• Local sandbox prevents data leakage

SSL
• All standard cipher-suites
• Hardware-accelerated
• 2048-bit key lengths
• Client-side certificates

AAA
• Supports all industry standards (AD, RADIUS, LDAP, SecurID)
• RSA certified
• Unique SSL integration
• Fine grain ACLs
• L3, L4 and L7
• External mapping
• Blacklist and whitelist
• Full audit trail
• Who, what and when
• Syslog support
• Configurable email alerts

FW
• Denial of Service (DoS) attack protection
• ACLs (Layer 4)
• URL filtering (Layer 7)
• Network probe logging

Proxy
• Complete separation between non-secured and secured networks

File Shares
• Clientless access to shared directories
• CIFS/NFS

Web Apps
• Clientless Web application support

Networks
• Full L3 VPN
• Any IP protocol
• L4 redirection

Desktops
• Desktops
• Terminal Server Applications


SSL VPN secure remote and mobile access

§ Any resource, any access method, any device, anywhere

Diagram labels:
- Users: Remote Workers & Road Warriors on Laptops; Home & Small Office Workers on PCs; Mobile Workers on Smart Phones & Tablets
- Resources: Physical & Virtual Desktops; Client Server & Mobile Apps; File Sharing; Web Applications; Remote Networks & Infrastructure
- Limits network exposure and guards against data leakage; improves productivity


Multi-layer security architecture (cont.)

§ Security
- SSL encryption, WAF, Web proxy
- Application-level data protection

§ Acceleration
- SSL offloading, compression, caching, traffic shaping, etc.
- 10x better server efficiency and application performance

§ High availability
- Server load balancing, GSLB, link load balancing
- 24/7 application uptime

Diagram labels: External Users, Internal Users, Application Servers, Storage


Hardware and software portfolio

APV Series Application Delivery Controllers
- Availability, scalability, performance, control and security for applications, Web sites, online transactions and cloud services
- Load balancing, SSL offloading, caching, compression, application security, L7 scripting and other network functions
- Achieves ROI by improving application performance and server efficiency

AG Series Secure Access Gateways
- Secure access to business applications from any remote or mobile device for any user anywhere
- SSL VPN virtual portals, L3 - L7 access, AAA, end-point security, single sign-on, Web firewall and dual-factor authentication
- Achieves ROI by increasing productivity and mitigating business disruptions


Security-hardened OS and platform

§ Only exposes service ports; no back doors

§ Secured network management: SSL and HTTPS

- Explicitly disallows Telnet due to the security risk of account/password sniffing

§ Tested and hardened against a range of network attacks

- Hacking tools from eEye (ncx.exe, iishack.exe)
- Nessus scan
- NMAP
- Filters malformed packets such as Smurf attack and local broadcast attacks

§ High-availability and cluster capability


Proprietary secured SSL stack

§ Used for all production traffic, proven immune to Heartbleed, Bash, Shellshock and other recent vulnerabilities

- Customers did not need to patch or remediate any Array products

- Bought time for remediation and patching of backend servers as necessary

§ Delivers both better security and higher levels of performance

- Pared-back, buttoned-down design runs faster and presents fewer attack vectors

- Cannot guarantee 100% immunity from all potential vulnerabilities, but has proven to provide a higher level of security and immunity vs. OpenSSL


Flexible appliance options

• Dedicated, multi-tenant and virtual ADC appliances
• Enables IaaS providers to offer customers a full range of load balancing service options optimized either for flexibility or performance
• VMware, XenServer, OpenXen and KVM
• Scalable from 10 Mbps to 4 Gbps
• Up to 32 vAPV ADC instances
• Dedicated SSL, I/O, compute resources
• Scalable from 2 Gbps to 120 Mbps
• Proven cloud track record

Product tiers (flexibility to performance): vAPV Virtual ADC; AVX10650 Multi-Tenant ADC; APV Series Dedicated ADCs


APV Series platforms

PHYSICAL & VIRTUAL APPLIANCES SCALING UP & OUT FOR

APV1600/T: 3.5/2.5 Gbps, 2/2K SSL TPS
APV2600: 18 Gbps, 5.5K SSL TPS
APV3600: 37 Gbps, 35K SSL TPS
APV3650: 30 Gbps, 25K SSL TPS
APV6600: 35 Gbps, 25K SSL TPS
APV6600 FIPS: 35 Gbps, 9K SSL TPS
APV7600: 80 Gbps, 70K SSL TPS
APV10650: 120 Gbps, 70K SSL TPS
APV11600: 140 Gbps, 70K SSL TPS

Virtual appliance: supports 1 to 16 vCPUs; VMware, XenServer, OpenXen, KVM, Hyper-V

AVX Series: virtualized multi-tenant appliances, up to 16 or 32 vAPV instances, 65 or 115 Gbps and 35K or 70K SSL TPS per system


AG Series product line

AG1000: 300 Concurrent Users
AG1000T: 600 Concurrent Users
AG1100: 3000 Concurrent Users
AG1150: 10,000 Concurrent Users
AG1200: 25,000 Concurrent Users
AG1500/AG1500 FIPS: 72,000 Concurrent Users
AG1600: 128,000 Concurrent Users

Virtual appliance (VMware, XenServer, OpenXen, KVM): 10,000 Concurrent Users


The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)

Thank you