Cost-Effective Strategies for Countering Security Threats:  IPSEC, SSLi and DDoS Mitigation Bruce Hembree, Senior Systems Engineer A10 Networks.

Presentation transcript:

1 Cost-Effective Strategies for Countering Security Threats:  IPSEC, SSLi and DDoS Mitigation
Bruce Hembree, Senior Systems Engineer A10 Networks

2 Agenda
A10 Overview
IPSEC – Surviving BYOD
SSLi – Cracking the code
DDOS – Expecting the Inquisition

Notes (as captured with the slide): Advanced Platform; Advanced Threat Intelligence; IPS doing Prevention (Beta in Q1 and Launch in Q1/Q2); Leveraging Forensics and Advanced Signatures from Mandiant for IPS; Millions of VMs from FE now combined with Millions of Endpoint Sensors creates a Powerful Grid -> Real time Endpoint to Network Platform; Global Presence; Global Infrastructure in 7 major regions; Sales and Marketing presence in 41 countries; R&D in US and India

3 4000+ Customers in 65 Countries
Service Providers, Enterprises, Web Giants
3 of the top 4 U.S. wireless carriers
7 of the top 10 U.S. cable providers
Top 3 wireless carriers in Japan

4 A10 Product Portfolio Overview
ACOS Platform (Application Networking Platform): Performance, Scalability, Extensibility, Flexibility
Product lines:
ADC – Application Delivery Controller: Application Acceleration & Security
CGN – Carrier Grade Networking: IPv4 Extension / IPv6 Migration
TPS – Threat Protection System: Network Perimeter DDoS Security
IT delivery models: Managed Hosting, Dedicated Network, Cloud IaaS

5 IPSEC in your LAN Because this rabbit is totally legit and is clearly not a threat

6 Smart Tactics: IPSEC domain boundaries with 2FA
IPSEC domain boundaries with two-factor authentication:
Require IPSEC for all communication inside your network as the default policy
Used at large organizations as a first line of defense against worms
Most malware lives ~200 days before detection
Stops lateral spread by APTs during off-hours

7 Smart Tactics: IPSEC domain boundaries with 2FA
Adversaries frequently attempt to replicate laterally during off-hours.
Without a valid IPSEC security association, malware traffic is denied by default, with no need for cumbersome per-host endpoint firewall rules.
Non-repudiation: users are identified by their certificates and by the presence of their smart card/PIN combination.
A practical check before enforcing the policy: enumerate the hosts that must be reachable before a security association can exist (DHCP, DNS, domain controllers, the certificate authority, patch servers) and exempt them explicitly, because a blanket require-IPSEC rule otherwise breaks the services clients need in order to authenticate; those exemptions are then the paths an attacker will look for and deserve the closest monitoring.

8 SSLi You’ve got to get into that data stream.

9 Network Threats Hidden in SSL Traffic
~40% of Internet traffic is encrypted
50% of attacks will use encryption to bypass controls by 2017
80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
70%+ SSL traffic in some organizations
Sources: "SSL Performance Problems," NSS Labs, 2013; "Security Leaders Must Address Threats From Rising SSL Traffic," 2013

10 How Malware Developers Exploit Encrypted Traffic
Delivery over encrypted channels: malicious file in instant messaging; malicious attachment sent over SMTPS; drive-by download from an HTTPS site
Encryption obscures: bot installation, C&C communication, data exfiltration
(Diagram: botnet herder -> command and control servers -> clients, all over HTTPS)
Data exfiltration over SSL channels
C&C commands can be sent via cloud storage or even as comments on legitimate websites

11 SSL Insight: Eliminate the Outbound SSL Blind Spot
Benefit: Eliminate the encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)
Advantage: Optimized decryption with dedicated security processors for CPU-intensive 2048-bit keys; offloads firewalls that can't scale SSL decryption; freedom to work with any traffic inspection/mitigation device (other firewalls, UTM, IDS, next-generation firewalls, DLP, IPS)

Traffic flow (diagram: Client – A10 ADC – inspection/protection device – A10 ADC – Server):
1. Encrypted traffic from the client is decrypted by the Thunder (SSL termination for the client)
2. The traffic is forwarded in the clear through the security device (e.g. UTM/IDS/DLP)
3. The Thunder encrypts the traffic again and sends it to its destination server (SSL termination for the server)
4. On the return path, encrypted server traffic is decrypted by the Thunder
5. The traffic is forwarded through the security device
6. The Thunder encrypts the traffic again and sends it to the client

From either the server's or the client's perspective this looks like end-to-end encryption. Many existing solutions do this, but not inside an ADC.
Caveat for deployment: on the client side the Thunder presents a certificate it signs itself, so every client must trust the inspection CA, and validation of the real server certificate is done by the Thunder rather than by the browser; decryption is also normally bypassed for categories such as banking or health sites for privacy or regulatory reasons.
81%: the average performance loss across 7 next-generation firewalls when they decrypt SSL. Source: "SSL Performance Problems," NSS Labs, 2013
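Slides 9 to 11 argue that a firewall or IDS without SSL decryption is blind to the payload. What such a device can still see is the unencrypted handshake, essentially the Server Name Indication and the offered cipher suites, which is also the information an SSLi deployment uses to decide whether a flow is decrypted or bypassed. The following is an added example in Python, not A10 code and not from the original slides: it builds a constructed ClientHello so the parser has offline input, extracts the SNI with bounds checking, and applies an assumed bypass list (the `bank.example` and `health.example` suffixes are hypothetical).

```python
import struct


class _Cursor:
    """Bounds-checked reader; a malformed hello raises ValueError instead of IndexError."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated at offset %d" % self.pos)
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack("!H", self.take(2))[0]

    def u24(self):
        return int.from_bytes(self.take(3), "big")

    def remaining(self):
        return len(self.buf) - self.pos


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record, optionally with SNI.
    Built here only so the parser can run offline; it is not a packet capture."""
    exts = struct.pack("!HH", 0x0017, 0)  # extended_master_secret (empty body), so the parser must skip one
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name(0)
        lst = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(lst)) + lst       # server_name extension
    body = (b"\x03\x03"                                    # client_version TLS 1.2
            + bytes(32)                                    # random (zeros, constructed)
            + b"\x00"                                      # session_id length 0
            + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"   # two cipher suites
            + b"\x01\x00"                                  # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type handshake(22)


def parse_client_hello(record):
    """Return what an inline device sees without decrypting: version, cipher suites and SNI."""
    c = _Cursor(record)
    if c.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    c.take(2)                                   # record-layer version; legacy, ignored
    hs = _Cursor(c.take(c.u16()))
    if hs.u8() != 0x01:
        raise ValueError("not a ClientHello")
    body = _Cursor(hs.take(hs.u24()))
    major, minor = body.u8(), body.u8()
    body.take(32)                               # random
    body.take(body.u8())                        # session id
    cs = body.take(body.u16())
    suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, len(cs) - 1, 2)]
    body.take(body.u8())                        # compression methods
    sni = None
    if body.remaining():                        # extensions are optional
        exts = _Cursor(body.take(body.u16()))
        while exts.remaining() >= 4:
            etype, elen = exts.u16(), exts.u16()
            data = _Cursor(exts.take(elen))
            if etype == 0x0000 and sni is None:
                names = _Cursor(data.take(data.u16()))
                while names.remaining() >= 3:
                    ntype = names.u8()
                    name = names.take(names.u16())
                    if ntype == 0:
                        sni = name.decode("ascii")
                        break
    return {"version": (major, minor), "cipher_suites": suites, "sni": sni}


def needs_inspection(sni, bypass_suffixes=("bank.example", "health.example")):
    """Assumed SSLi policy hook: hosts on the bypass list are not decrypted; no SNI means inspect."""
    if sni is None:
        return True
    host = sni.lower().rstrip(".")
    return not any(host == s or host.endswith("." + s) for s in bypass_suffixes)


if __name__ == "__main__":
    rec = build_client_hello("updates.example.com")
    info = parse_client_hello(rec)
    print(info, "decrypt:", needs_inspection(info["sni"]))
```

The parser never reads past a length field it has not checked, which matters on an inline device because a crafted hello is exactly what an attacker sends to a decryption proxy. Everything the example extracts is metadata; the HTTP request, the downloaded file and any C&C payload from slide 10 remain invisible until the flow is actually decrypted.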

12 Thunder ADC Hardware Appliances
(The slide plots the models along Price and Performance axes; figures are as printed on the slide.)
Model: throughput (L4/L7); L4 connections per second; HTTP requests per second; hardware features
Thunder 6430(S) ADC: 150/145 Gbps; 5.3M L4 CPS; 31M RPS; SSL Processor; Hardware FTA
Thunder 5630 ADC: 79/78 Gbps; 6M L4 CPS; 32.5M RPS; SSL Processor; Hardware FTA
Thunder 5430(S)-11 ADC: 79/78 Gbps; 3.7M L4 CPS; 20M RPS; SSL Processor; Hardware FTA
Thunder 5430S ADC: 77/75 Gbps; 2.8M L4 CPS; 17M RPS; SSL Processor; Hardware FTA
Thunder 4430(S) ADC: 38 Gbps (L4 & L7); 2.7M L4 CPS; 11M RPS
Thunder 3030S ADC: 30 Gbps (L4 & L7); 750k L4 CPS; 3M RPS; SSL Processor
Thunder 1030S ADC: 10 Gbps (L4 & L7); 450k L4 CPS; 2M RPS; SSL Processor
Thunder 930 ADC: 5 Gbps (L4 & L7); 200k L4 CPS; 1M RPS
One further entry at the top of the slide (150/145 Gbps; 7.1M L4 CPS; 38M RPS; SSL Processor; Hardware FTA) has no model name in the transcript.

13 DDOS Protection Expecting The Inquisition

14 DDoS Protection: Multi-vector Edge Protection
Benefits: Large-scale DDoS protection; advanced protection features; predictable operations
Advantage: Full DDoS defense covering network and application attacks; hardware DDoS protection for common attacks; SYN flood protection up to 200 M SYN per second
Protection features: Infrastructure protection, connection limiting, slow L7 attacks, L7 aFleX control, geographic control, rate limiting, SYN flood, more...
What a DDoS costs: brand reputation, customers cannot use resources, revenue impact, recovery costs
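The slide quotes SYN flood protection at 200 M SYN per second. The reason a box can answer SYNs at that rate is that it keeps no per-connection state for them: the server's initial sequence number is a SYN cookie, a keyed value that the returning ACK proves the client really saw. The following is an added example in Python, not A10 code and not the TPS implementation: it encodes a time tick, an MSS index and a 24-bit HMAC into the ISN, validates the final ACK statelessly, and wraps both in a guard that uses a normal backlog until it fills and then switches to cookies. The bit layout, the MSS table, the 64-second tick and the sample addresses are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Constructed parameters for this demo; a real implementation tunes them.
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the 3-bit field can encode (assumed subset)
TICK_SECONDS = 64                      # counter granularity; a cookie is honoured for the current and previous tick


def _tag(secret, saddr, daddr, sport, dport, count, client_isn):
    """24-bit keyed MAC binding the cookie to the 4-tuple, the time tick and the client's ISN."""
    msg = (ipaddress.IPv4Address(saddr).packed + ipaddress.IPv4Address(daddr).packed
           + struct.pack("!HHII", sport, dport, count & 0xFFFFFFFF, client_isn & 0xFFFFFFFF))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, saddr, daddr, sport, dport, client_isn, client_mss, now):
    """Server ISN for the SYN-ACK: [5 bits tick][3 bits MSS index][24 bits MAC]. Nothing is stored."""
    count = int(now) // TICK_SECONDS
    eligible = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = eligible[-1] if eligible else 0          # largest table MSS not exceeding the client's
    tag = _tag(secret, saddr, daddr, sport, dport, count, client_isn)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | tag


def check_syn_cookie(secret, saddr, daddr, sport, dport, client_seq, ack, now):
    """Validate the handshake's final ACK; returns the MSS to use, or None if the cookie is bad or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF            # the peer ACKs our ISN + 1
    client_isn = (client_seq - 1) & 0xFFFFFFFF   # its SEQ in the ACK is its own ISN + 1
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    now_count = int(now) // TICK_SECONDS
    for count in (now_count, now_count - 1):    # accept the current tick and the previous one
        if (count & 0x1F) != cookie >> 27:
            continue
        expected = _tag(secret, saddr, daddr, sport, dport, count, client_isn)
        if hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class SynGuard:
    """Tracks half-open connections normally; once the backlog is full, answers SYNs with cookies instead."""

    def __init__(self, secret, backlog_limit):
        self.secret, self.backlog_limit = secret, backlog_limit
        self.half_open = {}       # (saddr, sport, daddr, dport) -> (server_isn, mss)

    def on_syn(self, saddr, daddr, sport, dport, client_isn, client_mss, now):
        key = (saddr, sport, daddr, dport)
        if len(self.half_open) < self.backlog_limit:
            isn = secrets.randbits(32)            # ordinary unpredictable ISN, state kept per SYN
            self.half_open[key] = (isn, client_mss)
            return isn, "backlog"
        # Backlog exhausted (flood or not): fall back to stateless cookies.
        return make_syn_cookie(self.secret, saddr, daddr, sport, dport, client_isn, client_mss, now), "cookie"

    def on_ack(self, saddr, daddr, sport, dport, client_seq, ack, now):
        key = (saddr, sport, daddr, dport)
        entry = self.half_open.get(key)
        if entry is not None:
            isn, mss = entry
            if ack == (isn + 1) & 0xFFFFFFFF:
                del self.half_open[key]
                return mss
            return None
        return check_syn_cookie(self.secret, saddr, daddr, sport, dport, client_seq, ack, now)


if __name__ == "__main__":
    guard = SynGuard(b"constructed-demo-secret", backlog_limit=1)
    guard.on_syn("203.0.113.5", "192.0.2.10", 40000, 443, 1000, 1460, now=1000)   # fills the backlog
    isn, mode = guard.on_syn("198.51.100.9", "192.0.2.10", 5555, 443, 777, 1300, now=1000)
    print(mode, guard.on_ack("198.51.100.9", "192.0.2.10", 5555, 443, 778, (isn + 1) & 0xFFFFFFFF, now=1010))
```

Two properties carry the argument of the slide: a spoofed-source flood never completes a handshake, so in cookie mode it costs one HMAC per SYN and no memory, and a stale or replayed ACK fails because the tick is checked before the MAC. The trade-off a practitioner should know is that a cookie has no room for the SYN's TCP options, so window scaling and SACK are lost for connections admitted this way unless they are recovered through TCP timestamps, which is why the guard keeps a real backlog for normal load and only falls back to cookies under pressure.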

15 Thunder TPS Hardware Appliances
Thunder 6435(S) TPS: 155 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL Processor*; Hardware FTA Mitigation
Thunder 5435(S) TPS: 77 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL Processor*; Hardware FTA Mitigation
Thunder 4435(S) TPS: 38 Gbps; 16x10/1G (SFP+); SSL Processor*; Hardware FTA Mitigation
Thunder 3030S TPS: 10 Gbps; 6x1G copper, 2x1G (SFP), 4x10/1G (SFP+); SSL Processor
* SSL Processor requires the "S" model
The 6435/5435/4435 are high-performance extended platforms for web giants, service providers and large enterprises (e.g. MSSPs, gaming); extended platforms carry additional hardware for advanced DDoS mitigation. The 3030S is a CPE-class platform for MSSP integrated solutions. (The slide plots the models along Price and Performance axes.)

16 Trophies

17 Thank You

