Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation
Bruce Hembree, Senior Systems Engineer, A10 Networks

Presentation transcript:


Agenda
A10 Overview
IPSEC – Surviving BYOD
SSLi – Cracking the code
DDOS – Expecting the Inquisition
Notes:
Advanced Platform
Advanced Threat Intelligence
IPS doing Prevention (Beta in Q1 and Launch in Q1/Q2)
Leveraging Forensics and Advanced Signatures from Mandiant for IPS
Millions of VMs from FE now combined with Millions of Endpoint Sensors creates a Powerful Grid -> Real time Endpoint to Network Platform
Global Presence:
Global Infrastructure in 7 major regions
Sales and Marketing presence in 41 countries
R&D in US and India

4000+ Customers in 65 Countries
Service Providers, Enterprises, Web Giants
3 of Top 4 U.S. WIRELESS CARRIERS
7 of Top 10 U.S. CABLE PROVIDERS
Top 3 WIRELESS CARRIERS IN JAPAN

A10 Product Portfolio Overview
Product Lines (ACOS Platform):
ADC (Application Delivery Controller) – Application Acceleration & Security
CGN (Carrier Grade Networking) – IPv4 Extension / IPv6 Migration
TPS (Threat Protection System) – Network Perimeter DDoS Security
Application Networking Platform: Performance, Scalability, Extensibility, Flexibility
IT Delivery Models: Managed Hosting, Dedicated Network, Cloud IaaS

IPSEC in your LAN
Because this rabbit is totally legit and is clearly not a threat

Smart Tactics: IPSEC domain boundaries with 2FA
IPSEC domain boundaries with 2 Factor Authentication
Require IPSEC communication inside your network as the default
Used at large organizations as a first line against worms
Most malware lives ~200 days before detection
Stops spread during off-hours from APTs

Smart Tactics: IPSEC domain boundaries with 2FA
IPSEC domain boundaries with 2 Factor Authentication
Adversaries frequently attempt replication laterally during off-hours.
Without a valid IPSEC connection, malware is default denied without using cumbersome endpoint firewall rules.
Non-repudiation – Users identified by their certs and presence of their card/PIN combo
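
An added example, not part of the original presentation: with IPSEC required by default, refused non-IPSEC connections between internal hosts during off-hours become a detection signal for the lateral spread described above. The log format, field names, internal range, business hours and fan-out threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
2015-03-14T02:17:09 src=10.1.4.23 dst=10.1.9.80 dport=445 ipsec=none action=deny
2015-03-14T02:17:10 src=10.1.4.23 dst=10.1.9.81 dport=445 ipsec=none action=deny
2015-03-14T02:17:11 src=10.1.4.23 dst=10.1.9.82 dport=445 ipsec=none action=deny
2015-03-14T02:20:45 src=10.1.7.5 dst=10.1.9.80 dport=443 ipsec=cert-auth action=allow
2015-03-14T10:05:00 src=10.1.6.14 dst=10.1.9.80 dport=445 ipsec=none action=deny
2015-03-14T23:41:30 src=10.1.8.2 dst=10.1.9.90 dport=3389 ipsec=none action=deny
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"ipsec=(?P<ipsec>\S+) action=(?P<action>\S+)$"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
BUSINESS_HOURS = range(7, 19)                   # assumed 07:00-18:59 local time

def off_hours_lateral_denies(log_text, min_targets=3):
    """Return {src: sorted distinct dsts} for internal hosts whose non-IPsec
    east-west attempts were denied off-hours against >= min_targets peers."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        try:
            ts = datetime.fromisoformat(m["ts"])
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # skip unparseable timestamps or addresses
        east_west = src in INTERNAL and dst in INTERNAL
        if (east_west and m["ipsec"] == "none" and m["action"] == "deny"
                and ts.hour not in BUSINESS_HOURS):
            targets[str(src)].add(str(dst))
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, dsts in off_hours_lateral_denies(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} peers refused without IPsec off-hours -> {dsts}")
```

Counting distinct destinations rather than raw denies keeps one misconfigured client retrying a single server from looking like worm-style fan-out.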

SSLi
You’ve got to get into that data stream.

Network Threats Hidden in SSL Traffic
~40% of Internet traffic is encrypted
50% of attacks will use encryption to bypass controls by 2017
80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
70%+ SSL Traffic in some organizations
Sources: “SSL Performance Problems,” NSS Labs, 2013; “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013

How Malware Developers Exploit Encrypted Traffic
Malicious file in instant messaging
Malicious attachment sent over SMTPS
Drive-by download from an HTTPS site
Encryption obscures: Bot installation, C&C communication, Data exfiltration
Data exfiltration over SSL channels
C&C commands can be sent via cloud storage or even as comments on legitimate websites
Diagram labels: Botnet Herder, Clients, HTTPS, Command and Control Servers

SSL Insight: Eliminate the Outbound SSL Blind Spot
Benefit:
Eliminate encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)
Advantage:
Optimized decryption with dedicated security processors for CPU intensive 2048-bit keys
Offloads firewalls that can’t scale SSL decryption
Freedom to work with any traffic inspection/mitigation device
Diagram labels: Client, A10 ADC, Inspection/Protection (Other, FW, UTM, IDS, Next Generation Firewalls/DLP/IPS/IDS), A10 ADC, Server; hops numbered 1 to 6, marked encrypted or decrypted
SSL Termination for client/SSL Termination for server
From either server or client perspective, this is end-to-end encryption
Many existing solutions, but not in ADCs
Traffic flow:
1. Encrypted traffic from client is decrypted by the Thunder
2. Traffic is forwarded through the security device (e.g. UTM/IDS/DLP)
3. The Thunder encrypts the traffic again and it is sent to its destination/target server
4. On return, encrypted server traffic is decrypted by the Thunder
5. Traffic is forwarded through the security device
6. The Thunder then encrypts the traffic again and sends it to the client
81%: The average performance loss across 7 NG Firewalls
Source: “SSL Performance Problems,” NSS Labs, 2013

Thunder ADC Hardware Appliances
150/145 Gbps (L4/L7), 7.1M L4 CPS, 38M RPS (HTTP), SSL Processor, Hardware FTA
Thunder 6430(S) ADC: 150/145 Gbps (L4/L7), 5.3M L4 CPS, 31M RPS (HTTP), SSL Processor, Hardware FTA
Thunder 5630 ADC: 79/78 Gbps (L4/L7), 6M L4 CPS, 32.5M RPS (HTTP), SSL Processor, Hardware FTA
Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7), 3.7M L4 CPS, 20M RPS (HTTP), SSL Processor, Hardware FTA
Thunder 5430S ADC: 77/75 Gbps (L4/L7), 2.8M L4 CPS, 17M RPS (HTTP), SSL Processor, Hardware FTA
Thunder 4430(S) ADC: 38 Gbps (L4&L7), 2.7M L4 CPS, 11M RPS (HTTP)
Thunder 3030S ADC: 30 Gbps (L4&L7), 750k L4 CPS, 3M RPS (HTTP), SSL Processor
Thunder 1030S ADC: 10 Gbps (L4&L7), 450k L4 CPS, 2M RPS (HTTP), SSL Processor
Thunder 930 ADC: 5 Gbps (L4&L7), 200k L4 CPS, 1M RPS (HTTP)
Chart axes: Price, Performance

DDOS Protection
Expecting The Inquisition

DDoS Protection: Multi-vector Edge Protection
Benefits:
Large-scale DDoS protection
Advanced protection features
Predictable operations
Advantage:
Full DDoS defense covers network and application attacks
Hardware DDoS protection for common attacks
SYN flood protection to 200 M per second
Features: Infrastructure Protection, Connection Limiting, Slow L7 Attacks, L7 aFleX Control, Geographic Control, Rate Limiting, SYN Flood, More…
Diagram labels: DDoS, Brand reputation, Customers cannot use resources, Revenue impact, Recovery costs

Thunder TPS Hardware Appliances
Thunder 6435(S) TPS: 155 Gbps, 16x10/1G (SFP+), 4x40G (QSFP+), SSL Processor*, Hardware FTA Mitigation
Thunder 5435(S) TPS: 77 Gbps, 16x10/1G (SFP+), 4x40G (QSFP+), SSL Processor*, Hardware FTA Mitigation
Thunder 4435(S) TPS: 38 Gbps, 16x10/1G (SFP+), SSL Processor*, Hardware FTA Mitigation
Thunder 3030S TPS: 10 Gbps, 6x1G Copper, 2x1G (SFP), 4x10/1G (SFP+), SSL Processor
High performance extended platforms for Web Giants, Service Providers, Large Enterprise. E.g. MSSPs, Gaming, etc.
CPE class platform
MSSP integrated solution
Extended platforms feature additional hardware for advanced DDoS mitigation.
Chart axes: Price, Performance
* “S” model must be purchased

Trophies

Thank You