ssl insight: find out how a10 helps solve today's encryption challenges
TRANSCRIPT
©A10 Networks, Inc.
A10 SSLi Solutions, June 2015
Accelerating and Securing Data Center Applications & Networks
David Ayoub, RSM Intel/NAVY/CYBER, [email protected]
A10 Corporate Introduction
Company growth (revenue by year): 54.7M (2010), $91.5M (2011), $120M (2012), $142M (2013)
Customer growth: 1,000+ (Q4 '11), 2,000+ (Q4 '12), 3,400+ (today)
Headquarters in San Jose; 700+ employees; offices in 27 countries; customers in 65 countries
3400+ Customers in 65 Countries: web giants, enterprises, service providers
– 3 of top 4 U.S. wireless carriers
– 7 of top 10 U.S. cable providers
– Top 3 wireless carriers in Japan
Certifications, Tech Partnerships, Customers, Federal Presence
– Certs: 1659, 1963
– DISA ATO
– EAL2+ Certified
– Listed as IA Tool
ACOS Platform: High Performance Application Networking
[Diagram: Shared Memory Architecture across cores 1, 2, 3 … N; Flexible Traffic Accelerator; Switching and Routing; Efficient & Accurate Memory Architecture; 64-Bit Multi-Core Optimized; Optimized Flow Distribution; Application Acceleration; Application Security; Application Availability]
Linear Scaling – Shared Memory Architecture
[Chart: resource efficiency vs. # of CPU cores, comparing a conventional IPC memory architecture (parallel processing with dedicated memory) against the A10 ACOS shared memory architecture. Benefits: cost, power, heat, size]
SSL Intercept Overview
The SSL Intercept feature transparently intercepts traffic, decrypts it, forwards it through a firewall for deep packet inspection, and then securely forwards it on to its destination.
2048-bit keys are now the standard
– CPU utilization rises exponentially as encryption strength increases
Thunder ADCs are the right choice
– Dedicated security processors for hardware SSL
– Firewalls can't always do SSL Intercept at scale
– Freedom to choose best-of-breed traffic inspection/mitigation
[Diagram: Client – (encrypted) – A10 ADC – (decrypted) – Inspection/Protection (IDS, DLP, UTM, other) – A10 ADC – (encrypted) – Server]
SSL Intercept Function
Transparently intercept SSL traffic, decrypt it, and send it through the firewall. There are three distinct stages of traffic handling, as depicted in the diagram:
1. Traffic is encrypted in passing from the client to the inside Thunder ADC (SSL encrypted connection).
2. Traffic passes from the inside Thunder ADC to the outside Thunder ADC, and then through the firewall. Traffic is in plain text during this segment (unencrypted traffic flow).
3. Traffic from the outside Thunder ADC is sent to the remote server, where it is encrypted once again (SSL encrypted connection).
Thunder ADC SSL Intercept Solution
1. User connects to site using SSL (SSL connection to www.example.com).
2. ACOS terminates the client/server SSL connection on internal/external forward proxy ACOS ADCs.
3. ACOS creates an unencrypted zone.
4. Unencrypted traffic passes to security devices (malware detection, security forensics), which can now inspect the traffic and mitigate per corporate policy.
[Diagram: encrypted → decrypted (un-encrypted zone) → encrypted]
High Performance Security with SSL Intercept
Problem: Provide high performance security for
– Stateful firewall
– URL filtering
– IDS/IPS
– SSL decryption and inspection
Enabling all these features degrades security performance significantly.
– Solution: ACOS Series SSL Intercept with security processors
– Net effect: Security platforms have more processing resource available for policy inspection due to ACOS SSL Intercept
[Diagram: SSL connection to www.example.com; encrypted → decrypted through firewall and IPS/IDS (decryption and inspection) → encrypted]
aFleX Overview
aFleX is a powerful and flexible Thunder feature that you can use to manage your traffic and provide enhanced benefits/services.
– aFleX uses industry-standard Tcl (Tool Command Language) based syntax: standard Tcl commands plus a special set of extensions provided by the Thunder
– aFleX allows content inspection (headers/data) and actions on traffic:
  – Block traffic
  – Redirect traffic to a specific service group (pool) or server (node)
  – Modify traffic content
Sample aFleX Script: Pass CAC Information
A simple way to provide CAC authentication: the ADC requests the client certificate, extracts the EDIPI from its subject and passes it to the server in an HTTP header.

when CLIENTSSL_CLIENTCERT {
    # Read the client's CAC certificate and its subject DN
    set cert [SSL::cert 0]
    set subject [X509::subject $cert]
    # Extract the first 10-digit run from the subject (the CAC CN ends with the EDIPI);
    # if there is no match, edipi stays unset
    regexp {\d{10}} $subject edipi
}
when HTTP_REQUEST {
    # Drop any client-supplied edipi header so the server only sees the value set here
    HTTP::header remove edipi
    if { [info exists edipi] } {
        HTTP::header insert edipi "$edipi"
    }
}
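As an added illustration (not from the slides or A10's aFleX code), the Python below mirrors the script's EDIPI extraction, shows why anchoring the match to the last part of the CN is safer than an unanchored 10-digit regexp, and shows how the server behind the ADC should treat the inserted header. The subject DNs, addresses and proxy set are constructed; the CAC CN layout LAST.FIRST.MIDDLE.EDIPI is assumed.

```python
import re

# Constructed sample subject DNs (not real certificates). A CAC CN is assumed to
# take the form LAST.FIRST.MIDDLE.<10-digit EDIPI>.
CAC_SUBJECT = "C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=USN, CN=DOE.JOHN.Q.1234567890"
NO_EDIPI_SUBJECT = "C=US, O=Example Corp, CN=www.example.com"
TRICKY_SUBJECT = "C=US, O=Account 9876543210 Inc, CN=SMITH.JANE.M.1122334455"

TEN_DIGITS = re.compile(r"\d{10}")


def edipi_anywhere(subject: str):
    """Mirror the slide's regexp {\\d{10}}: first 10-digit run anywhere in the DN."""
    m = TEN_DIGITS.search(subject)
    return m.group(0) if m else None


def edipi_from_cn(subject: str):
    """Anchor the match to the last dot-separated component of the CN only."""
    for rdn in subject.split(", "):
        if rdn.startswith("CN="):
            last = rdn[3:].rsplit(".", 1)[-1]
            return last if TEN_DIGITS.fullmatch(last) else None
    return None


def backend_edipi(headers: dict, remote_addr: str, trusted_proxies: set):
    """How the server behind the ADC should consume the inserted header.

    The header is only trustworthy when the request arrived through an ADC that
    stripped any client-supplied copy and inserted its own; from any other
    source it is unauthenticated input and is ignored.
    """
    if remote_addr not in trusted_proxies:
        return None
    value = headers.get("edipi")
    return value if value and TEN_DIGITS.fullmatch(value) else None
```

The TRICKY_SUBJECT case shows the unanchored pattern picking up a 10-digit run from the O attribute instead of the EDIPI.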
Thunder ADC Hardware Appliances (chart: price vs. performance)
– Thunder 930 ADC: 5 Gbps (L4 & L7), 200k L4 CPS, 1M RPS (HTTP)
– Thunder 1030S ADC: 10 Gbps (L4 & L7), 450k L4 CPS, 2M RPS (HTTP); SSL processor
– Thunder 3030S ADC: 30 Gbps (L4 & L7), 750k L4 CPS, 3M RPS (HTTP); SSL processor
– Thunder 4430(S) ADC: 38 Gbps (L4 & L7), 2.7M L4 CPS, 11M RPS (HTTP)
– Thunder 5430S ADC: 77/75 Gbps (L4/L7), 2.8M L4 CPS, 17M RPS (HTTP); SSL processor, hardware FTA
– Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7), 3.7M L4 CPS, 20M RPS (HTTP); SSL processor, hardware FTA
– Thunder 5630 ADC: 79/78 Gbps (L4/L7), 6M L4 CPS, 32.5M RPS (HTTP); SSL processor, hardware FTA
– Thunder 6430(S) ADC: 150/145 Gbps (L4/L7), 5.3M L4 CPS, 31M RPS (HTTP); SSL processor, hardware FTA
– Thunder 6630 ADC: 150/145 Gbps (L4/L7), 7.1M L4 CPS, 38M RPS (HTTP); SSL processor, hardware FTA

SSL Insight performance (2048-bit keys):
– Thunder 1030S: 3,000 CPS, 1.5 Gbps
– Thunder 3030S: 6,000 CPS, 3 Gbps
– Thunder 4430S: 24,000 CPS, 10.6 Gbps
– Thunder 5430S: 27,000 CPS, 11.2 Gbps
– Thunder 6430S: 40,000 CPS, 23.8 Gbps
Gold Standard for Reliability & Quality
ACOS designed for reliability
– No HDD: SSD only
– No CPU fans: hot-swap fans only
– No moving parts on motherboard
Reliability data
– A10 DOA & RMA rate: < 2.0% (2013 rate)
– Industry standard DOA & RMA rate: ~4.0% (IT infrastructure)