A10 Networks: Delivering Data Center to Data Center Communications Securely
SOLUTION BRIEF
Data Privacy Challenges
Organizations of all sizes rely on IPsec VPNs to prevent snooping and data theft and to address compliance. IPsec provides a cost-effective and secure way to transfer data over IP networks.
While IPsec is a mature and well understood technology, new networking paradigms like
cloud computing, as well as escalating bandwidth requirements, are compelling large
enterprises and service providers to rethink their VPN strategies. As a result, organizations
need to develop VPN architectures that can:
• Support unprecedented IPsec throughput levels
• Leverage BGP routing for high availability and rapid scaling
• Spin up new IPsec tunnels and gateways on-demand in cloud environments
• Minimize power consumption and rack space requirements for data center efficiency
Organizations need a solution they can trust to deliver reliable IPsec connectivity, and one
that can interoperate with their existing routers and IPsec VPN gateways.
High-Speed IPsec Encryption with A10
The A10 Networks® Thunder® ADC line of Application Delivery Controllers includes IPsec encryption capabilities that enable enterprises and service providers to build out large-scale VPN deployments. Because Thunder ADC supports up to 20,000 VPN tunnels per platform and a broad array of encryption algorithms and data integrity methods, organizations can deploy Thunder ADC alongside their existing VPN equipment or build out new VPN networks with Thunder ADC appliances.
Thunder ADC supports a comprehensive set of features in addition to IPsec VPN, including advanced server load balancing, Network Address Translation (NAT), IPv4 and IPv6 routing, and access control lists. Because Thunder ADC delivers this wide range of networking features, organizations can support complex network designs and granularly control access to remote resources without needing to deploy and manage numerous appliances. All of these features, in addition to IPsec, are provided standard with Thunder ADC as part of A10’s all-inclusive licensing.
High Availability and Rapid Scaling
For many organizations, VPNs serve business critical functions such as data migration, disaster recovery, remote user access, and connecting data centers to cloud networks. Regardless of the use case, organizations depend on VPNs to run their business and these VPNs must always be available.
Thunder ADC IPsec VPN: Encrypt Traffic on a Massive Scale and in the Cloud
Challenge: To protect communications, organizations need to encrypt data at high speed and scale out VPN tunnel capacity on-demand.
Solution: A10 Networks empowers organizations to reduce their data center footprint and ensure data privacy with integrated, high-performance IPsec VPN and load balancing.
Benefits:
• Consolidate IPsec VPN, server load balancing and stateful firewall functionality
• Encrypt data at unparalleled speeds
• Reduce rack space and power requirements
• Scale capacity by launching new VPN gateways on-demand
Thunder ADC supports an array of clustering, high availability and dynamic routing features that maximize uptime, not just for IPsec VPN routes but also to ensure connectivity to servers and applications. High availability and scaling features include:
• Route monitoring and failover – Using A10’s enhanced Virtual Router Redundancy Protocol implementation, VRRP-a, Thunder ADC can monitor route and VPN gateway failures and rapidly fail over traffic to a passive Thunder ADC appliance. Supporting up to eight appliances in a cluster, VRRP-a can detect unresponsive services, servers and applications and identify infrastructure failures. With A10 Virtual Chassis System (aVCS®), multiple A10 devices can function as a single virtual chassis, with a single point of control and centralized statistics.
• Intelligent routing to increase VPN capacity – Thunder ADC supports Border Gateway Protocol (BGP) routing, which not only allows BGP routers to communicate across IPsec VPN tunnels but also enables organizations to boost IPsec capacity simply by deploying more Thunder ADC appliances. Using BGP, Thunder ADC deployments can scale to support terabit bandwidth requirements without complicated network designs or forklift hardware upgrades. VRRP-a integrates with BGP to inject routes and ensure smooth route failovers. Thunder ADC also supports Bidirectional Forwarding Detection (BFD) for fast path failure detection and route convergence.
• Bandwidth aggregation by load balancing traffic over multiple paths – Thunder ADC leverages Equal-Cost Multipath (ECMP) routing to increase total IPsec VPN bandwidth. ECMP, combined with BGP, allows routers to support multiple network routes simultaneously, so Thunder ADC can load balance traffic across multiple paths to boost overall VPN capacity.
Cloud and On-demand Provisioning
Organizations are moving their infrastructure to the cloud to optimize computing efficiency and lower capital and operating expenses. As they migrate to the cloud, they need their VPN infrastructure to migrate with them. However, cloud architectures introduce new requirements that do not exist in physical data center networks.
To realize the benefits of cloud computing, cloud architectures
must support automation, agility and on-demand scaling. And,
organizations must ensure that their VPN services support this new
cloud networking paradigm. VPN services should integrate seamlessly
with application networking services, SDN technologies and other
data center infrastructure. Organizations should be able to provision
VPN instances with the same cloud orchestration systems they use to
manage their cloud applications.
Thunder ADC empowers organizations to implement high-capacity
VPN services in the cloud. Supporting an array of form factors,
including high-performance virtual appliances, physical appliances
and hybrid virtual appliances, A10 provides organizations the flexibility
to build a VPN architecture that meets the unique requirements of
cloud networks.
Thunder ADC integrates with software defined network (SDN) fabrics using Virtual Extensible LAN (VXLAN) and Network Virtualization using Generic Routing Encapsulation (NVGRE) to support automated network configuration and service chaining. Integration with cloud orchestration platforms such as Microsoft System Center Virtual Machine Manager (SCVMM) and OpenStack enables centralized provisioning of VPN services. Pay-as-you-go licensing with utility and rental billing models allows organizations to align VPN licensing with the licensing models of other cloud-based services. The aCloud Services Architecture enables cloud data center operators to deliver advanced application delivery and IPsec VPN services while improving agility.
The high availability, scalability and security features supported in
physical networks, such as dynamic routing and redundancy, are also
supported in cloud environments. This means that organizations can
leverage BGP routing and VRRP-a to scale out their VPN networks and
to maximize uptime.
Figure 1: Thunder ADC can connect to multiple VPN sites over a BGP cloud. (Diagram: Thunder ADC 1 through Thunder ADC n in the data center connect over the Internet/BGP cloud through encrypted VPN tunnels to Thunder ADC appliances at VPN Site 1, VPN Site 2 and VPN Site 3 in a multi-site VPN; each appliance runs IPsec VPN, access control lists, BGP and BFD.)
High-Performance Architecture
Thunder ADC leverages unique software and hardware design advantages to deliver exceptional IPsec performance. The A10 Networks Advanced Core Operating System (ACOS®) powers Thunder ADC appliances. Built from the ground up to maximize the performance of multicore CPU architectures, ACOS can linearly scale compute processing as more CPU cores are added, providing unparalleled performance in a compact form factor.
ACOS uses scalable symmetric multiprocessing (SSMP) to leverage
supercomputing techniques for parallel processing and to maximize
the performance of multicore architectures. Due to its highly scalable
64-bit operating system optimized for multicore architectures, Thunder
ADC hardware and A10 Networks vThunder® ADC line of virtual
appliances deliver unmatched IPsec VPN performance.
Select Thunder ADC hardware models include dedicated security
processors that accelerate IPsec encryption speed. Supporting up to four
quad-chip security processors on a rack-mountable appliance, Thunder
ADC provides fast IPsec encryption without forcing organizations to
deploy cumbersome and inefficient chassis-based systems.
Figure 2: Users can forward traffic destined for the remote VPN site through the Thunder ADC appliance and send all other traffic directly to the Internet. (Diagram: at each site, users sit behind a router and firewall; Thunder ADC appliances running IPsec VPN, BGP and ECMP connect the sites across the Internet.)
IPsec VPN Specifications
Keying Methods: IKEv1, IKEv2
Authentication Methods: RSA Signature, Pre-shared Key, PKI
Key Exchange Diffie-Hellman Groups: 1, 2, 5, 14, 15, 16, 18
Encryption Algorithms: DES, 3DES, AES-128, AES-192, AES-256
Data Integrity: DES, 3DES, AES-128, AES-192, AES-256
Maximum Number of IPsec Tunnels Supported: 20,000 (i)
RFCs Supported: RFC 6071, 2407, 2408, 2409, 3526, 3706, 3947, 7296, 4307, IANA-IKEv2, 4301, 4303, 4308, 3602, 3986, 4304, 4868 (partial), 2560, 5280, draft-nourse-scep
IPsec VPN Features:
• NAT traversal
• Dead peer detection
• Perfect Forward Secrecy (PFS) support (ii)
• Life bytes and time rekey
• Extended Sequence Number (ESN)
• L3V partition aware
• Route-based VPN
• OSPF, BGP and Bidirectional Forwarding Detection (BFD) over IPsec tunnel
• ECMP support
• Integration with server load balancing and Network Address Translation (NAT)
• UDP encapsulation
• TCP maximum segment size (MSS) clamping
• Public key infrastructure (PKI) support with Simple Certificate Enrollment Protocol (SCEP), Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) distribution points
• Prioritized Internet Key Exchange (IKE) packets for hardware-accelerated Flexible Traffic Accelerator (FTA) appliance models
• Software and hardware-based encryption, with dedicated security processors in select hardware models
Cloud Integration:
• Integration with cloud orchestration systems such as Microsoft SCVMM, OpenStack and VMware vCloud Director
• vThunder virtual appliance support
• On-demand provisioning of data-driven and command-driven tunnels
High Availability:
• Virtual Router Redundancy Protocol (VRRP-a)
• Security Association (SA) sync and session sync
• Active-Active topology support
• Sub-second failover with BFD and route health check
(i) Actual maximum number of supported VPN tunnels may vary by appliance model.
(ii) Available in ACOS 4.0.1
Because of Thunder ADC’s high-performance, data center optimized design, organizations can reduce the number of appliances they need to provision, lowering capital and operating expenses as well as data center rack space and power costs.
Summary
Organizations need a solution they can trust to deliver reliable IPsec connectivity, and they also need one that can interoperate with their existing routers and IPsec VPN gateways. Thunder ADC’s IPsec VPN capability enables organizations to encrypt traffic at high speed and support BGP routing and on-demand VPN provisioning. Using Thunder ADC’s IPsec VPN technology, organizations can:
• Meet growing IPsec throughput requirements by leveraging A10’s 64-bit ACOS platform and specialized security processors
• Consolidate IPsec VPN, server load balancing and stateful firewall functionality on a single device
• Lower hardware, operating and maintenance costs with Thunder ADC’s data center efficient design
• Support public, private and hybrid cloud provisioning and BGP networking requirements
About A10 Networks
A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com
To learn more about the A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.
Corporate Headquarters
A10 Networks, Inc
3 West Plumeria Ave.
San Jose, CA 95134 USA
Tel: +1 408 325-8668
Fax: +1 408 325-8666
www.a10networks.com
Part Number: A10-SB-19132-EN-01 Jan 2015
©2015 A10 Networks, Inc. All rights reserved. The A10 logo, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS Policy Engine, ACOS Synergy, Affinity, aFleX, aFlow, aGalaxy, aVCS, AX, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, SSL Insight, Thunder, Thunder TPS, UASG, VirtualN, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.