SSL Insight & TPS

Accelerating and Securing Applications & Networks

Arzu Akkaya Sinan İlkiz

aakkaya@a10networks.com silkiz@a10networks.com

©A10 Networks, Inc. 09242014

 3400+ Customers in 65 Countries
Service Providers Enterprises Web Giants

3 of Top 4
U.S. WIRELESS CARRIERS

7 of Top 10
U.S. CABLE PROVIDERS

Top 3
WIRELESS CARRIERS IN JAPAN

©A10 Networks, Inc. 2

SSL Insight
Uncover Hidden Threats in Encrypted Traffic
Uncover Hidden Threats in Encrypted Traffic

25% of Internet traffic is average performance loss

35% encrypted with SSL 81% of leading firewalls when
decrypting traffic

Less of organizations with a firewall,

than IPS or UTM appliance decrypt
more of the most
20% inbound or outbound SSL traffic
48% popular websites use
SSL in 2014 than 2013

More of all attacks will use encrypted

than traffic to bypass controls by
50% 2017  NSS Labs, “SSL Performance Problems"
 StackExchange analysis on key lengths
 NetCraft SSL Survey
©A10 Networks, Inc. 4
Uncover Hidden Threats in Encrypted Traffic

Challenge

Malicious users leverage SSL encryption to conceal their exploits.

Organizations need a powerful, high-performance platform to decrypt
SSL traffic.

Solution

A10 Networks enables organizations to analyze all data, including

encrypted data, by intercepting SSL communications and sending it to
3rd party security devices such as firewalls, threat prevention platforms
and forensic tools for inspection.

©A10 Networks, Inc. 5

SSL Insight Traffic Flow

1. Encrypted traffic from the client is decrypted by the

internal, client-side Thunder ADC

2. Thunder ADC sends the unencrypted data to a security

appliance which inspects the data in clear text

3. The external Thunder ADC re-encrypts the data and sends

it to the server

4. The server sends an encrypted response to the external

Thunder ADC

5. Thunder ADC decrypts the response and forwards it to the

security device for inspection

6. The internal ADC receives traffic from the security device,

re-encrypts it and sends it to the client

©A10 Networks, Inc. 6

 SSL Insight

With SSL Insight, organizations can,

 Achieve high performance with SSL acceleration

hardware

 Scale security with load balancing

 Reduce load on security infrastructure by

controlling which types of traffic to decrypt

 Granularly control traffic with aFleX policies

 Selectively bypass sensitive web applications*

* With ACOS 4.0.1

©A10 Networks, Inc. 7
A Single Point for Decryption and Analysis

Thunder ADC can work with

– Firewalls

– Intrusion Prevention Systems

(IPS)

– Unified Threat Management

(UTM) platforms

– Data Loss Prevention (DLP)

products

– Threat prevention platforms

– Network forensics and web

monitoring tools

Inline Non-Inline

©A10 Networks, Inc. 8

SSL Insight Performance & Summary

 Scalability, with up to 23.8 Gbps of SSL inspection performance in a standard configuration

 Load Balancing of security devices to maximize uptime and scale security
 Advanced SSL Insight features like URL classification subscriptions, untrusted certificate handling,1 and more

 Hardware Security Module (HSM) integration for FIPS 140-2 Level 3 compliant SSL key management
 Traffic steering to intelligently route traffic, optimize performance and reduce security appliance costs
 Validated interoperability with FireEye, RSA, IBM and other leading inspection products ensure that our solutions work together

©A10 Networks, Inc. 9

Threat Protection System
High-performance, Network-wide DDoS Protection
DDoS Problems

Q3 2010 Q4 2012 Q1 2013 Q1 2013 Q1 2014

PayPal Bank of the West al Qassam Cyber Fighters Credit Union Regulators CloudFlare
Discloses cost $900k stolen, DDoS 10-40 Gbps attacks target Recommend 400 Gbps NTP
of attack £3.5M as a distraction 9 major banks DDoS protection to amplification
(~$5.8 million) all members attack

Q4 2013 Q4 2013 Q4 2013 Q4 2013

60 Gbps attacks regularly 26% YoY attack PPS reaches 35 million 6.8 million mobile devices
seen,100 Gbps not increase (17% L7, 28% L3-4) are potential attackers
uncommon (LOIC and AnDOSid)

“High-bandwidth DDoS attacks are becoming the new norm and will
continue wreaking havoc on unprepared enterprises”
Source: Gartner

©A10 Networks, Inc. 11

Thunder Threat Protection System (TPS)
Multi-vector Protection
 Detect & mitigate application &
network attacks
 Flexible scripting & DPI for rapid
High Performance response
Mitigation

High Performance
 Mitigate 10 – 155 Gbps of attack
Multi-vector Broad Deployment
throughput, 200 M packets per
Application & Network Options & 3rd Party
Protection Integration second (PPS) in 1 rack unit

Broad Deployment & 3rd Party

 Symmetric, asymmetric, out-of-band
 Open SDK/RESTful API for 3rd party
integration
Next Generation DDoS Protection

©A10 Networks, Inc. 12

Mitigating DDoS Attacks

Five principal methods for effective mitigation

Packet anomaly check: Protocol and

Network level packet application check:
sanity check Network and
(conformance) application

Black and white lists: Authentication Traffic rate control:

Network level high speed challenge: Network and
inspection and control Network and application application monitoring
level validation of client to rate limit traffic
origination integrity

©A10 Networks, Inc. 13

 Symmetric Deployment

 Symmetric Deployment
– Inline DDoS detection and mitigation in
one box

Real-time
– Inspect both inbound and outbound traffic
Detection
Flood Thresholds – Suitable for Enterprises
Protocol Anomalies UDP TCP HTTP DNS Telemetry  Protecting own services
Behavioral Anomalies  Permanent protection
L7 Scripts
Collection  Sub-second detection-to-mitigation
Device
Resource Starvation
 Profile
Black Lists

– Detect and inspect L3 – L7 traffic for both

DDoS
Detection
inbound and outbound traffic
System
– Deep statistics sFlow export
Services
– DDoS detection and mitigation at sub-second
scale

©A10 Networks, Inc. 14

Asymmetric Reactive Deployment

 Asymmetric Reactive deployment

– Classic deployment model
– Scalable solution for DDoS mitigation
Traffic Redirection
 Oversubscribed bandwidth deployment
 No additional latency in peace time
 Longer time to mitigate
Core
Network – Suitable for Service Providers
aXAPI /  Protecting select services
Telemetry
Manual  Large scale core network
Action
 Profile
End Customer
or Data Center DDoS – Traffic redirected to TPS for scrubbing as needed
Detection  Support BGP for route injection
System
– Valid traffic forwarded into network for services
Services
 Support GRE & IP-in-IP tunneling

©A10 Networks, Inc. 15

Asymmetric Reactive Deployment with CPE

 Asymmetric Reactive Model with CPE

– Recommended for Managed Security
Service Providers (MSSP)
Traffic – Enable a centralized scrubbing service with
Redirection
high performance TPS
– CPE device at end customer site
ISP aXAPI  Symmetric or Out-of-band deployment
Network
MSSP
Network  Profile
– CPE provides full local mitigation

Telemetry
– Detection system analyses CPE data and
Thunder TPS CPE
DDoS Detection
System
mitigate when needed
 BGP used to direct traffic to cloud based high
End performance Thunder TPS for scrubbing
Customer

Services

©A10 Networks, Inc. 16

Asymmetric Proactive Deployment

 Asymmetric Proactive Deployment

– For high performance DDoS detection and
mitigation
– DDoS detection and mitigation in one box
– Suitable for Large Enterprises and ISPs
 Protecting own services
Core Network  Protecting end customers
 Large-mid scale core network

 Profile
– Inbound traffic always routed toward TPS
End Customer  Insight in peace-time and war-time
or Data Center
– DDoS detection at sub-second scale

Services

©A10 Networks, Inc. 17

Out-of-Band (TAP) Deployment
 Out-of-Band (TAP) Deployment
– High Speed DDoS Detection Capability
– Receive and analyze mirrored traffic data from routers
– Build dynamic Black/White lists
Core Network
 Function as black/white list master
 Synchronize lists with cluster members

Mirrored Traffic – Hybrid mode supported

TAP TAP – DDoS statistics and counters for DDoS detection

Data Center
Protocol Anomalies
Services
Behavioral Analysis

Threat Intel Lists

Geolocation

Global Thresholds

User Thresholds

©A10 Networks, Inc. 18

Thunder TPS Performance

Thunder Thunder Thunder Thunder

3030S TPS (CPE) 4435 TPS 5435 TPS 6435 TPS

Mitigation Throughput 10 Gbps 38 Gbps 77 Gbps 155 Gbps

TCP SYN Auth/sec PPS* 6.5 million 35 million 40 million 70 million

SYN Cookies/sec PPS** 6.5 million 55 million 112 million 223 million

DDoS Attack Detection Software Software Software

Software
and Mitigation + hardware assist + hardware assist + hardware assist

* Packets per second - CPU-based performance

** Packets per second - Hardware(FTA)-based performance

©A10 Networks, Inc. 19

©A10 Networks, Inc. 20
Thank you