8 Ocak 2015 tarihinde gerçekleştirilen Kurumsal SOME Yönetimi Ve Proaktif Güvenlik Çözümleri Etkinliği'ne ait sunumlardır.

1. ©A10 Networks, Inc.
SSL Insight & TPS
Accelerating and Securing Applications & Networks
09242014
Arzu Akkaya
aakkaya@a10networks.com
Sinan İlkiz
silkiz@a10networks.com

2. 2©A10 Networks, Inc.
3400+ Customers in 65 Countries
Web GiantsEnterprisesService Providers
3 of Top 4
U.S. WIRELESS CARRIERS
7 of Top 10
U.S. CABLE PROVIDERS
Top 3
WIRELESS CARRIERS IN JAPAN

3. SSL Insight
Uncover Hidden Threats in Encrypted Traffic

4. 4©A10 Networks, Inc.
Uncover Hidden Threats in Encrypted Traffic
of Internet traffic is
encrypted with SSL
25%
35%
of all attacks will use encrypted
traffic to bypass controls by
2017
More
than
50%
of organizations with a firewall,
IPS or UTM appliance decrypt
inbound or outbound SSL traffic
Less
than
20%
average performance loss
of leading firewalls when
decrypting traffic
81%
more of the most
popular websites use
SSL in 2014 than 2013
48%
 NSS Labs, “SSL Performance Problems"
 StackExchange analysis on key lengths
 NetCraft SSL Survey

5. 5©A10 Networks, Inc.
Challenge
Malicious users leverage SSL encryption to conceal their exploits.
Organizations need a powerful, high-performance platform to decrypt
SSL traffic.
Solution
A10 Networks enables organizations to analyze all data, including
encrypted data, by intercepting SSL communications and sending it to
3rd party security devices such as firewalls, threat prevention platforms
and forensic tools for inspection.
Uncover Hidden Threats in Encrypted Traffic

6. 6©A10 Networks, Inc.
SSL Insight Traffic Flow
1. Encrypted traffic from the client is decrypted by the
internal, client-side Thunder ADC
2. Thunder ADC sends the unencrypted data to a security
appliance which inspects the data in clear text
3. The external Thunder ADC re-encrypts the data and sends
it to the server
4. The server sends an encrypted response to the external
Thunder ADC
5. Thunder ADC decrypts the response and forwards it to the
security device for inspection
6. The internal ADC receives traffic from the security device,
re-encrypts it and sends it to the client

7. 7©A10 Networks, Inc.
SSL Insight
With SSL Insight, organizations can,
 Achieve high performance with SSL acceleration
hardware
 Scale security with load balancing
 Reduce load on security infrastructure by
controlling which types of traffic to decrypt
 Granularly control traffic with aFleX policies
 Selectively bypass sensitive web applications*
* With ACOS 4.0.1

8. 8©A10 Networks, Inc.
A Single Point for Decryption and Analysis
Thunder ADC can work with
– Firewalls
– Intrusion Prevention Systems
(IPS)
– Unified Threat Management
(UTM) platforms
– Data Loss Prevention (DLP)
products
– Threat prevention platforms
– Network forensics and web
monitoring tools
Inline Non-Inline

9. 9©A10 Networks, Inc.
SSL Insight Performance & Summary
 Scalability, with up to 23.8 Gbps of SSL inspection performance in a standard configuration
 Load Balancing of security devices to maximize uptime and scale security
 Advanced SSL Insight features like URL classification subscriptions, untrusted certificate handling,1 and more
 Hardware Security Module (HSM) integration for FIPS 140-2 Level 3 compliant SSL key management
 Traffic steering to intelligently route traffic, optimize performance and reduce security appliance costs
 Validated interoperability with FireEye, RSA, IBM and other leading inspection products ensure that our solutions work together

10. Threat Protection System
High-performance, Network-wide DDoS Protection

11. 11©A10 Networks, Inc.
DDoS Problems
Q3 2010
PayPal
Discloses cost
of attack £3.5M
(~$5.8 million)
Q1 2013
Credit Union Regulators
Recommend
DDoS protection to
all members
Q4 2012
Bank of the West
$900k stolen, DDoS
as a distraction
Q1 2013
al Qassam Cyber Fighters
10-40 Gbps attacks target
9 major banks
Q1 2014
CloudFlare
400 Gbps NTP
amplification
attack
Q4 2013
60 Gbps attacks regularly
seen,100 Gbps not
uncommon
Q4 2013
26% YoY attack
increase (17% L7, 28% L3-4)
Q4 2013
PPS reaches 35 million
Q4 2013
6.8 million mobile devices
are potential attackers
(LOIC and AnDOSid)
“High-bandwidth DDoS attacks are becoming the new norm and will
continue wreaking havoc on unprepared enterprises”
Source: Gartner

12. 12©A10 Networks, Inc.
Thunder Threat Protection System (TPS)
Next Generation DDoS Protection
Multi-vector
Application & Network
Protection
High Performance
Mitigation
Broad Deployment
Options & 3rd Party
Integration
Multi-vector Protection
 Detect & mitigate application &
network attacks
 Flexible scripting & DPI for rapid
response
High Performance
 Mitigate 10 – 155 Gbps of attack
throughput, 200 M packets per
second (PPS) in 1 rack unit
Broad Deployment & 3rd Party
 Symmetric, asymmetric, out-of-band
 Open SDK/RESTful API for 3rd party
integration

13. 13©A10 Networks, Inc.
Five principal methods for effective mitigation
Mitigating DDoS Attacks
Packet anomaly check:
Network level packet
sanity check
(conformance)
Authentication
challenge:
Network and application
level validation of client
origination integrity
Black and white lists:
Network level high speed
inspection and control
Traffic rate control:
Network and
application monitoring
to rate limit traffic
Protocol and
application check:
Network and
application

14. 14©A10 Networks, Inc.
Real-time
DetectionFlood Thresholds
Protocol Anomalies
Behavioral Anomalies
Resource Starvation
L7 Scripts
Black Lists
HTTP DNSTCPUDP
 Symmetric Deployment
– Inline DDoS detection and mitigation in
one box
– Inspect both inbound and outbound traffic
– Suitable for Enterprises
 Protecting own services
 Permanent protection
 Sub-second detection-to-mitigation
 Profile
– Detect and inspect L3 – L7 traffic for both
inbound and outbound traffic
– Deep statistics sFlow export
– DDoS detection and mitigation at sub-second
scale
Symmetric Deployment
Telemetry
DDoS
Detection
System
Collection
Device
Services

15. 15©A10 Networks, Inc.
 Asymmetric Reactive deployment
– Classic deployment model
– Scalable solution for DDoS mitigation
 Oversubscribed bandwidth deployment
 No additional latency in peace time
 Longer time to mitigate
– Suitable for Service Providers
 Protecting select services
 Large scale core network
 Profile
– Traffic redirected to TPS for scrubbing as needed
 Support BGP for route injection
– Valid traffic forwarded into network for services
 Support GRE & IP-in-IP tunneling
Asymmetric Reactive Deployment
Core
Network
End Customer
or Data Center
Services
DDoS
Detection
System
aXAPI /
Manual
Action
Traffic Redirection
Telemetry

16. 16©A10 Networks, Inc.
MSSP
Network
 Asymmetric Reactive Model with CPE
– Recommended for Managed Security
Service Providers (MSSP)
– Enable a centralized scrubbing service with
high performance TPS
– CPE device at end customer site
 Symmetric or Out-of-band deployment
 Profile
– CPE provides full local mitigation
– Detection system analyses CPE data and
mitigate when needed
 BGP used to direct traffic to cloud based high
performance Thunder TPS for scrubbing
Asymmetric Reactive Deployment with CPE
ISP
Network
End
Customer
Services
DDoS Detection
System
aXAPI
Traffic
Redirection
TelemetryThunder TPS CPE

17. 17©A10 Networks, Inc.
 Asymmetric Proactive Deployment
– For high performance DDoS detection and
mitigation
– DDoS detection and mitigation in one box
– Suitable for Large Enterprises and ISPs
 Protecting own services
 Protecting end customers
 Large-mid scale core network
 Profile
– Inbound traffic always routed toward TPS
 Insight in peace-time and war-time
– DDoS detection at sub-second scale
Asymmetric Proactive Deployment
Core Network
Services
End Customer
or Data Center

18. 18©A10 Networks, Inc.
 Out-of-Band (TAP) Deployment
– High Speed DDoS Detection Capability
– Receive and analyze mirrored traffic data from routers
– Build dynamic Black/White lists
 Function as black/white list master
 Synchronize lists with cluster members
– Hybrid mode supported
– DDoS statistics and counters for DDoS detection
Out-of-Band (TAP) Deployment
Core Network
Data Center
Services
Mirrored Traffic
TAPTAP
Protocol Anomalies
Behavioral Analysis
Threat Intel Lists
Geolocation
Global Thresholds
User Thresholds

19. 19©A10 Networks, Inc.
Thunder TPS Performance
Thunder
3030S TPS (CPE)
Thunder
4435 TPS
Thunder
5435 TPS
Thunder
6435 TPS
Mitigation Throughput 10 Gbps 38 Gbps 77 Gbps 155 Gbps
TCP SYN Auth/sec PPS* 6.5 million 35 million 40 million 70 million
SYN Cookies/sec PPS** 6.5 million 55 million 112 million 223 million
DDoS Attack Detection
and Mitigation
Software
Software
+ hardware assist
Software
+ hardware assist
Software
+ hardware assist
* Packets per second - CPU-based performance
** Packets per second - Hardware(FTA)-based performance

20. 20©A10 Networks, Inc.

21. Thank you