Cost-Effective Strategies for Countering Security Threats:
IPSEC, SSLi and DDoS Mitigation
Bruce Hembree, Senior Systems Engineer
A10 Networks
Agenda
• A10 Overview
• IPSEC – Surviving BYOD
• SSLi – Cracking the code
• DDOS – Expecting the Inquisition
4000+ Customers in 65 Countries
Web Giants, Enterprises, Service Providers
• 3 of Top 4 U.S. WIRELESS CARRIERS
• 7 of Top 10 U.S. CABLE PROVIDERS
• Top 3 WIRELESS CARRIERS IN JAPAN
A10 Product Portfolio Overview
IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS
Application Networking Platform: Performance, Scalability, Extensibility, Flexibility
ACOS Platform: ADC, CGN, TPS
Product Lines
• ADC (Application Delivery Controller) – Application Acceleration & Security
• CGN (Carrier Grade Networking) – IPv4 Extension / IPv6 Migration
• TPS (Threat Protection System) – Network Perimeter DDoS Security
IPSEC in your LAN
Because this rabbit is totally legit and is clearly not a threat
Smart Tactics: IPSEC domain boundaries with 2FA
• IPSEC domain boundaries with 2 Factor Authentication
• Require IPSEC communication inside your network as the default
• Used at large organizations as a first line against worms
• Most malware lives ~200 days before detection
• Stops spread during off-hours from APTs
Smart Tactics: IPSEC domain boundaries with 2FA
• IPSEC domain boundaries with 2 Factor Authentication
• Adversaries frequently attempt lateral replication during off-hours. Without a valid IPSEC connection, malware is denied by default, with no need for cumbersome endpoint firewall rules.
• Non-repudiation – Users identified by their certs and presence of their card/PIN combo
You’ve got to get into that data stream.
SSLi
Network Threats Hidden in SSL Traffic
– ~40% of Internet traffic is encrypted
– 50% of attacks will use encryption to bypass controls by 2017
– 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
– 70%+ SSL traffic in some organizations
Sources: “SSL Performance Problems,” NSS Labs, 2013; “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013
How Malware Developers Exploit Encrypted Traffic
[Diagram labels: Botnet Herder, Command and Control Servers, Clients, HTTPS]
• Data exfiltration over SSL channels
• Malicious file in instant messaging
• Drive-by download from an HTTPS site
• Malicious attachment sent over SMTPS
• Encryption obscures:
– Bot installation
– C&C communication
– Data exfiltration
SSL Insight: Eliminate the Outbound SSL Blind Spot
• Benefit:
– Eliminate encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)
• Advantage:
– Optimized decryption with dedicated security processors for CPU intensive 2048-bit keys
– Offloads firewalls that can’t scale SSL decryption
– Freedom to work with any traffic inspection/mitigation device
[Diagram, steps numbered 1–6: Client – encrypted – A10 ADC – decrypted – Inspection/Protection (FW, UTM, IDS, Other) – A10 ADC – encrypted – Server]
Next Generation Firewalls/DLP/IPS/IDS
81%: The average performance loss across 7 NG Firewalls
Source: “SSL Performance Problems,” NSS Labs, 2013
Thunder ADC Hardware Appliances
[Chart axes: Price vs. Performance]
• Thunder 930 ADC: 5 Gbps (L4&L7); 200k L4 CPS; 1M RPS (HTTP)
• Thunder 1030S ADC: 10 Gbps (L4&L7); 450k L4 CPS; 2M RPS (HTTP); SSL Processor
• Thunder 3030S ADC: 30 Gbps (L4&L7); 750k L4 CPS; 3M RPS (HTTP); SSL Processor
• Thunder 4430(S) ADC: 38 Gbps (L4&L7); 2.7M L4 CPS; 11M RPS (HTTP)
• Thunder 5430S ADC: 77/75 Gbps (L4/L7); 2.8M L4 CPS; 17M RPS (HTTP); SSL Processor; Hardware FTA
• Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7); 3.7M L4 CPS; 20M RPS (HTTP); SSL Processor; Hardware FTA
• Thunder 5630 ADC: 79/78 Gbps (L4/L7); 6M L4 CPS; 32.5M RPS (HTTP); SSL Processor; Hardware FTA
• Thunder 6430(S) ADC: 150/145 Gbps (L4/L7); 5.3M L4 CPS; 31M RPS (HTTP); SSL Processor; Hardware FTA
• Thunder 6630 ADC: 150/145 Gbps (L4/L7); 7.1M L4 CPS; 38M RPS (HTTP); SSL Processor; Hardware FTA
Expecting The Inquisition
DDOS Protection
DDoS Protection: Multi-vector Edge Protection
• Benefits:
– Large-scale DDoS protection
– Advanced protection features
– Predictable operations
• Advantage:
– Full DDoS defense covers network and application attacks
– Hardware DDoS protection for common attacks
– SYN flood protection to 200 M per second
[Diagram labels: SYN Flood, Rate Limiting, Connection Limiting, Slow L7 Attacks, Geographic Control, Infrastructure Protection, DDoS, More…, L7 aFleX Control]
Thunder TPS Hardware Appliances
[Chart axes: Price vs. Performance]
CPE class platform
MSSP integrated solution
• Thunder 5435(S) TPS: 77 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL Processor*; Hardware FTA Mitigation
• Thunder 6435(S) TPS: 155 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL Processor*; Hardware FTA Mitigation
• Thunder 3030S TPS: 10 Gbps; 6x1G Copper, 2x1G (SFP), 4x10/1G (SFP+); SSL Processor
• Thunder 4435(S) TPS: 38 Gbps; 16x10/1G (SFP+); SSL Processor*; Hardware FTA Mitigation
High performance extended platforms for Web Giants, Service Providers, Large Enterprise. E.g. MSSPs, Gaming, etc.
* “S” model must be purchased
Trophies
Thank You