Published by Barnard Elliott. Modified over 9 years ago.
Slide 1: Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation
Bruce Hembree, Senior Systems Engineer, A10 Networks
Slide 3: 4000+ Customers in 65 Countries
- Web Giants, Enterprises, Service Providers
- 3 of the top 4 U.S. wireless carriers
- 7 of the top 10 U.S. cable providers
- Top 3 wireless carriers in Japan
Slide 4: A10 Product Portfolio Overview
- IT delivery models: Dedicated Network, Managed Hosting, Cloud IaaS
- ACOS platform (Application Networking Platform): Performance, Scalability, Extensibility, Flexibility
- Product lines:
  - ADC (Application Delivery Controller): application acceleration and security
  - CGN (Carrier Grade Networking): IPv4 extension / IPv6 migration
  - TPS (Threat Protection System): network perimeter DDoS security
Slide 5: IPSEC in your LAN
(Image caption: "Because this rabbit is totally legit and is clearly not a threat")
Slide 6: Smart Tactics: IPSEC domain boundaries with 2FA (two-factor authentication)
- Require IPSEC communication inside your network as the default
- Used at large organizations as a first line of defense against worms
- Most malware lives ~200 days before detection
- Stops spread by APTs during off-hours
Slide 7: Smart Tactics: IPSEC domain boundaries with 2FA (two-factor authentication)
- Adversaries frequently attempt to replicate laterally during off-hours.
- Without a valid IPSEC connection, malware is denied by default, without cumbersome endpoint firewall rules.
- Non-repudiation: users are identified by their certificates and the presence of their card/PIN combination.
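One way to implement the default-require IPSEC boundary described on slides 6 and 7, as an added example that is not part of the deck and not A10's own configuration: Windows connection security rules that require machine-certificate authentication plus a smart-card user certificate (the card/PIN second factor). It assumes domain-joined Windows hosts with an internal PKI; the CA subject is a placeholder.

```powershell
# Added example (not from the slide deck): Windows Defender Firewall with Advanced Security
# connection security rules that make IPsec the default for all traffic on domain-joined hosts.
# Assumptions: Windows hosts, an internal PKI whose root CA subject is given below (placeholder),
# machine certificates auto-enrolled, and user certificates held on smart cards (card + PIN).
# Run in an elevated PowerShell session; deploy via Group Policy for the whole estate.

$RootCa = 'CN=Example Internal Root CA, O=Example Corp'   # placeholder, replace with your CA subject

# Phase 1 (main mode): authenticate the machine with a certificate chained to the internal root.
$MachineAuth = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCa -AuthorityType Root
$Phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Corp machine cert' -Proposal $MachineAuth

# Phase 2 (extended mode): additionally authenticate the user with a smart-card certificate.
# The card/PIN combination is the second factor; the user certificate identifies the person,
# which gives the non-repudiation property the slide mentions.
$UserAuth = New-NetIPsecAuthProposal -User -Cert -Authority $RootCa -AuthorityType Root
$Phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'Corp smart-card user cert' -Proposal $UserAuth

# Require IPsec in both directions for all traffic on the domain profile.
# 'Require' (rather than 'Request') is what turns the boundary into a default deny:
# a peer that cannot complete both authentications never gets a clear-text fallback.
# Infrastructure that cannot do IPsec (DHCP, DNS, the CA itself) needs exemption rules
# created before this one is enabled; those are omitted here.
New-NetIPsecRule -DisplayName 'Require IPsec inside the LAN' `
    -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $Phase1.Name -Phase2AuthSet $Phase2.Name

# Verification: confirm the rule is enabled and both directions are set to Require.
Get-NetIPsecRule -DisplayName 'Require IPsec inside the LAN' |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity

# Operational check for the off-hours scenario on the slide: list the current main-mode
# security associations. A host talking to this machine without an SA is not a valid peer.
Get-NetIPsecMainModeSA
```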
Slide 8: You've got to get into that data stream. SSLi
Slide 9: Network Threats Hidden in SSL Traffic
- ~40% of Internet traffic is encrypted
- 50% of attacks will use encryption to bypass controls by 2017
- 80%+ of organizations with firewalls, IPS, or UTM do not decrypt SSL traffic
- Callout: 70%+ SSL traffic in some organizations
Sources: "SSL Performance Problems," NSS Labs, 2013; "Security Leaders Must Address Threats From Rising SSL Traffic," 2013
Slide 10: How Malware Developers Exploit Encrypted Traffic
(Diagram: botnet herder, clients, and command and control servers communicating over HTTPS)
- Data exfiltration over SSL channels
- Malicious file in instant messaging
- Drive-by download from an HTTPS site
- Malicious attachment sent over SMTPS
Encryption obscures:
- Bot installation
- C&C communication
- Data exfiltration
Slide 11: SSL Insight: Eliminate the Outbound SSL Blind Spot
Benefit:
- Eliminate the encryption blind spot by inspecting encrypted traffic, including malware and advanced persistent threats (APTs)
Advantage:
- Optimized decryption with dedicated security processors for CPU-intensive 2048-bit keys
- Offloads firewalls that can't scale SSL decryption
- Freedom to work with any traffic inspection/mitigation device
(Diagram, steps 1-6: Client -> A10 ADC -> Inspection/Protection (Next Generation Firewall, DLP, IPS/IDS, UTM, other) -> A10 ADC -> Server. Traffic is encrypted between client and ADC, decrypted across the inspection devices, and re-encrypted toward the server; the return path follows the same steps in reverse.)
81%: the average performance loss across 7 NG Firewalls when decrypting SSL. Source: "SSL Performance Problems," NSS Labs, 2013
Slide 12: Thunder ADC Hardware Appliances (ordered by price/performance)

Model                    Throughput                L4 CPS   RPS (HTTP)   Features
Thunder 930 ADC          5 Gbps (L4 & L7)          200k     1M           -
Thunder 1030S ADC        10 Gbps (L4 & L7)         450k     2M           SSL Processor
Thunder 3030S ADC        30 Gbps (L4 & L7)         750k     3M           SSL Processor
Thunder 4430(S) ADC      38 Gbps (L4 & L7)         2.7M     11M          -
Thunder 5430S ADC        77/75 Gbps (L4/L7)        2.8M     17M          SSL Processor, Hardware FTA
Thunder 5430(S)-11 ADC   79/78 Gbps (L4/L7)        3.7M     20M          SSL Processor, Hardware FTA
Thunder 5630 ADC         79/78 Gbps (L4/L7)        6M       32.5M        SSL Processor, Hardware FTA
Thunder 6430(S) ADC      150/145 Gbps (L4/L7)      5.3M     31M          SSL Processor, Hardware FTA
Thunder 6630 ADC         150/145 Gbps (L4/L7)      7.1M     38M          SSL Processor, Hardware FTA
Slide 13: Expecting The Inquisition. DDoS Protection
Slide 14: DDoS Protection: Multi-vector Edge Protection
Benefits:
- Large-scale DDoS protection
- Advanced protection features
- Predictable operations
Advantage:
- Full DDoS defense covers network and application attacks
- Hardware DDoS protection for common attacks
- SYN flood protection up to 200M per second
(Diagram of protection features: SYN Flood, Rate Limiting, Connection Limiting, Slow L7 Attacks, Geographic Control, Infrastructure Protection, L7 aFleX Control, more...)
Slide 15: Thunder TPS Hardware Appliances (ordered by price/performance)

Model                 Throughput   Ports                                              Features
Thunder 3030S TPS     10 Gbps      6x1G Copper, 2x1G (SFP), 4x10/1G (SFP+)            SSL Processor
Thunder 4435(S) TPS   38 Gbps      16x10/1G (SFP+)                                    SSL Processor*, Hardware FTA Mitigation
Thunder 5435(S) TPS   77 Gbps      16x10/1G (SFP+), 4x40G (QSFP+)                     SSL Processor*, Hardware FTA Mitigation
Thunder 6435(S) TPS   155 Gbps     16x10/1G (SFP+), 4x40G (QSFP+)                     SSL Processor*, Hardware FTA Mitigation

- Thunder 3030S TPS: CPE-class platform
- Thunder 4435(S) TPS: MSSP integrated solution
- Thunder 5435(S)/6435(S) TPS: high-performance extended platforms for Web Giants, Service Providers and Large Enterprise (e.g. MSSPs, gaming)
* "S" model must be purchased for the SSL Processor
Slide 16: Trophies
Slide 17: Thank You