1 Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation Bruce Hembree, Senior Systems Engineer A10 Networks.

2

Customers in 65 Countries
Web Giants, Enterprises, Service Providers
– 3 of Top 4 U.S. wireless carriers
– 7 of Top 10 U.S. cable providers
– Top 3 wireless carriers in Japan

4 A10 Product Portfolio Overview
IT Delivery Models: Dedicated Network, Managed Hosting, Cloud IaaS
Application Networking Platform: Performance, Scalability, Extensibility, Flexibility
ACOS Platform Product Lines:
– ADC (Application Delivery Controller) – Application Acceleration & Security
– CGN (Carrier Grade Networking) – IPv4 Extension / IPv6 Migration
– TPS (Threat Protection System) – Network Perimeter DDoS Security

5 IPSEC in your LAN Because this rabbit is totally legit and is clearly not a threat

6 Smart Tactics: IPSEC domain boundaries with 2FA
IPSEC domain boundaries with 2 Factor Authentication
– Require IPSEC communication inside your network as the default
– Used at large organizations as a first line against worms
– Most malware lives ~200 days before detection
– Stops spread during off-hours from APTs

7 Smart Tactics: IPSEC domain boundaries with 2FA
IPSEC domain boundaries with 2 Factor Authentication
– Adversaries frequently attempt replication laterally during off-hours.
– Without a valid IPSEC connection malware is default denied without using cumbersome endpoint firewall rules.
– Non-repudiation – Users identified by their certs and presence of their card/PIN combo

8 You’ve got to get into that data stream. SSLi

9 Network Threats Hidden in SSL Traffic
– ~40% of Internet traffic is encrypted
– 50% of attacks will use encryption to bypass controls by 2017
– 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
– 70%+ SSL traffic in some organizations
Sources: “SSL Performance Problems,” NSS Labs, 2013; “Security Leaders Must Address Threats From Rising SSL Traffic,” 2013

10 How Malware Developers Exploit Encrypted Traffic
Diagram labels: Botnet Herder; Clients; Command and Control Servers; HTTPS
– Data exfiltration over SSL channels
– Malicious file in instant messaging
– Drive-by download from an HTTPS site
– Malicious attachment sent over SMTPS
Encryption obscures:
– Bot installation
– C&C communication
– Data exfiltration

11 SSL Insight: Eliminate the Outbound SSL Blind Spot
Benefit:
– Eliminate encryption blind spot to inspect encrypted traffic, including malware and advanced persistent threats (APTs)
Advantage:
– Optimized decryption with dedicated security processors for CPU-intensive 2048-bit keys
– Offloads firewalls that can’t scale SSL decryption
– Freedom to work with any traffic inspection/mitigation device
Diagram labels: Client (encrypted); A10 ADC (decrypted); Inspection/Protection: Next Generation Firewalls/DLP/IPS/IDS, Other FW, UTM, IDS; A10 ADC (encrypted); Server
81%: The average performance loss across 7 NG Firewalls
Source: “SSL Performance Problems,” NSS Labs, 2013

12 Thunder ADC Hardware Appliances
Chart axes: Price, Performance
– Thunder 930 ADC: 5 Gbps (L4&L7), 200k L4 CPS, 1M RPS (HTTP)
– Thunder 1030S ADC: 10 Gbps (L4&L7), 450k L4 CPS, 2M RPS (HTTP), SSL Processor
– Thunder 3030S ADC: 30 Gbps (L4&L7), 750k L4 CPS, 3M RPS (HTTP), SSL Processor
– Thunder 4430(S) ADC: 38 Gbps (L4&L7), 2.7M L4 CPS, 11M RPS (HTTP)
– Thunder 5430S ADC: 77/75 Gbps (L4/L7), 2.8M L4 CPS, 17M RPS (HTTP), SSL Processor, Hardware FTA
– Thunder 5430(S)-11 ADC: 79/78 Gbps (L4/L7), 3.7M L4 CPS, 20M RPS (HTTP), SSL Processor, Hardware FTA
– Thunder 5630 ADC: 79/78 Gbps (L4/L7), 6M L4 CPS, 32.5M RPS (HTTP), SSL Processor, Hardware FTA
– Thunder 6430(S) ADC: 150/145 Gbps (L4/L7), 5.3M L4 CPS, 31M RPS (HTTP), SSL Processor, Hardware FTA
– Thunder 6630 ADC: 150/145 Gbps (L4/L7), 7.1M L4 CPS, 38M RPS (HTTP), SSL Processor, Hardware FTA

13 Expecting The Inquisition DDOS Protection

14 DDoS Protection: Multi-vector Edge Protection
Benefits:
– Large-scale DDoS protection
– Advanced protection features
– Predictable operations
Advantage:
– Full DDoS defense covers network and application attacks
– Hardware DDoS protection for common attacks
– SYN flood protection to 200 M per second
Diagram labels: DDoS; SYN Flood; Rate Limiting; Connection Limiting; Slow L7 Attacks; Geographic Control; Infrastructure Protection; L7 aFleX Control; More…

15 Thunder TPS Hardware Appliances
Chart axes: Price, Performance
Chart labels: CPE class platform; MSSP integrated solution
– Thunder 3030S TPS: 10 Gbps; 6x1G Copper, 2x1G (SFP), 4x10/1G (SFP+); SSL Processor
– Thunder 4435(S) TPS: 38 Gbps; 16x10/1G (SFP+); SSL Processor*; Hardware FTA Mitigation
– Thunder 5435(S) TPS: 77 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL Processor*; Hardware FTA Mitigation
– Thunder 6435(S) TPS: 155 Gbps; 16x10/1G (SFP+), 4x40G (QSFP+); SSL Processor*; Hardware FTA Mitigation
High performance extended platforms for Web Giants, Service Providers, Large Enterprise. E.g. MSSPs, Gaming, etc.
* “S” model must be purchased

16 Trophies

Thank You