Optimize Enterprise Application Availability, Security and Responsiveness

Transcription

1 WHITE PAPER Optimize Enterprise Application Availability, Security and Responsiveness Replace Forefront Threat Management Gateways with A10 Networks Application Delivery Controllers

2 Table of Contents Executive Summary... 3 Replacing TMG... 3 A10 ADC Appliances: Secure and Optimize Microsoft Applications... 4 Forward and Reverse Proxy with Authentication... 4 Multifactor Authentication... 4 Application Security... 5 A10 Optimizes Microsoft Application Servers... 6 A10 Networks vs. TMG Key Feature Comparison... 7 Conclusion... 8 About A10 Networks... 9 Disclaimer This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions. 2

3 Executive Summary Microsoft s now discontinued Forefront Threat Management Gateway 2010 (TMG) is a security and performance enhancement solution for SMB and enterprise users. A standard security product to protect and provide secure access to web content and applications, this gateway is widely used to safeguard applications via reverse proxy, SSL termination, Network Address Translation (NAT), application-layer protection and content filtering. It optimizes applications through web application acceleration, web caching, TCP connection reuse and server load balancing. Microsoft no longer offers TMG or its previous incarnation, Internet Security and Acceleration (ISA) Server, having announced its end-of sale 1. At the same time, the advancement of application delivery controllers (ADCs) has subsumed and expanded upon many of the capabilities and use cases for TMG. A10 Networks recommends A10 Networks Thunder ADC line of Application Delivery Controllers as a superior substitute for TMG deployments. Thunder ADC offers a cost-effective and all-in-one solution that goes far beyond TMG in maximizing server availability, accelerating response times and reducing required network pipe utilization. Thunder virtual and purpose-built hardware appliances offer an extensive array of security and optimization features that surpass TMG and are available in a variety of performance levels and form factors for any environment. With TMG at end-of-sale, administrators managing networks, applications and security will need to turn to newer, more modern solutions. Replacing TMG As a secure web gateway, TMG has principally been used to provide multiple levels of security to various Microsoft applications including Exchange, SharePoint and Lync as well as offerings from other software vendors. TMG protects these Internet-facing application servers from web-based threats and helps create a needed demarcation point between the Internet and internal data center operations. TMG is composed of four fully integrated elements for simplified management: Forefront TMG Server, TMG web protection service, Management Server and Management Console. Together, these offer multiple layers of security to protect internal servers and other corporate assets from malicious attack. TMG can be flexibly deployed as a virtual machine on industry standard servers or by various third parties as a hardened appliance. The choice depends on cost and performance requirements. The benefits derived from installing TMG include: Application-layer protection to application servers Data leakage prevention via content filtering Application response times improvement Peripheral security for controlled data center access Principal Microsoft TMG capabilities include: Authentication By providing authentication within the servers themselves, applications can be protected from unwanted access. Authentication is a process to identify a client that attempts to access a secure domain. TMG provides authentication support for the backend servers. Proxy Forward and reverse proxy features secure published applications in Internet-facing deployments, in part by providing network separation between remote clients and internal network servers. TMG s forward proxy capabilities include content filtering to provide more control over access to public content and to manage SSLbased traffic. TMG as a reverse proxy is deployed in front of the web and application servers to process client requests for content and support application firewall and other security techniques. URL Filtering URL filtering secures application servers by controlling client access. Sites that are known to be malicious or contain inappropriate content are blocked to protect the organization. TMG groups URLs into dozens of categories, including those based on security, productivity and liability. HTTPS Inspection To decode and inspect SSL encrypted sessions, TMG provides a software-based encrypt/ decrypt feature with HTTPS scanning. This feature allows the needed visibility into traffic flows to ensure that applications are protected during secure communications. Logging and reporting tools aide in determining if web access is compliant with the organization s policies. Routing and Remote Access TMG Secure Web Gateways provide Internet gateway, NAT server and routing functionality. They can be deployed as a basic router, as they offer static L2/L3 networking protocols to determine routes. TMG can also be deployed as an explicit HTTP proxy to control access to hosts based on lists of allowed traffic clients and hosts. In addition, the TMG can function as an NAT server that can remap one IP address space to another

4 Anti-Malware TMG has integrated an anti-malware engine to scan outbound web traffic such as attachments and files and block viruses and other malware. By placing the solution at the edge, internal servers without proper host-based protection can be secured. User experience is enhanced as partial content may be sent as inspection takes place and progress notifications via status HTML pages are provided. Optimization With the increase in web-based and mobile applications, the importance to accelerate and optimize enterprise applications is a critical requirement. Providing these features will enhance the user experience, productivity and security policy compliance. TMG has limited optimization features for applications such as Lync, SharePoint and Exchange. Deploying TMG will enhance these Microsoft applications with basic TCP features, health monitor options, caching and load balancing. A10 ADC Appliances: Secure and Optimize Microsoft Applications Application delivery controllers provide the most practical alternative to TMG installations. These solutions not only offer the critical security and optimization features of TMG but they go far beyond these security gateways. Whether the requirement is to expand upon security, authentication, server availability or application acceleration, A10 ADCs represent a quantum jump in feature set, performance, deployment flexibility and cost effectiveness. A10 ADCs accelerate, optimize and secure your mission critical applications. A10 Networks Thunder ADC line of Application Delivery Controllers offer a robust solution that ensures high performance throughput, the necessary robust feature set and high scalability to support the requirements of an enterprise network. A10 offers security features such as reverse and forward proxy, Web Application Firewall (WAF), authentication, DNS firewall and more. Consequently, these solutions offer an excellent replacement because of the all-inclusive licensing, security, acceleration, scalability, authentication, optimization and DDoS protection features. This comprehensive set of ADC solutions can be deployed on a single physical, virtual or hybrid appliance and is able to run any and all features simultaneously with no limits. Forward and Reverse Proxy with Authentication Installing an application delivery controller enabled with reverse proxy and pre-authentication at the network perimeter provides network isolation from external sources. Only authenticated and authorized clients are granted access to the internal network and the organization s resources. This reverse proxy terminates client connections at the perimeter, and once authenticated and authorized, a proxy connection to the internal network is set up. A10 ADCs advance upon TMG by allowing central control over all applications and other resources; administrators can configure and manage access to each and every server from one management interface. This central control point allows applications to be deployed with a consistent corporate security policy by one authorized administrator. A10 supports authentication of users from a wide variety of resources, including Active Directory, LDAP, RADIUS, Kerberos, OCSP and SAML. In order to be a viable replacement for TMG, however, the ADC has to be more than just a reverse proxy. A10 ADCs offer a superlative mix of security to manage increasing web attacks, and include the most common features found in TMG: Forward proxy Thunder ADC provides both TCP and HTTP forward proxy support. It proxies HTTP and provides web content filtering and caching services. Thunder ADC forward proxies also include authentication and authorization to provide more control over access to public content. URL filtering and reputation list Controls access to websites or web applications based on the categories and risks associated with the intended URLs. Application switching (URL and host support) Redirects client requests based on the specific server or a pool of web servers based on the client attributes. This feature provides application intelligence and strengthens server applications. Multifactor Authentication Typically, applications only natively support a basic level of authentication. Yet given the proliferation of remote user device types and an expanded group of those requiring access, authentication methods are constantly evolving in complexity. Remote access solutions leveraging dynamic multifactor authentication are becoming common. TMG supports a variety of authentication methods, including RSA SecurID and client-side certificates. A10 solutions support the following authentication schemes: 4

5 Logon Portal for client (HTTP basic, form-based) Authentication Server (LDAP, RADIUS, OSCP, SAML) Authentication Relay (RSA SecurID, client-side certificates, HTTP Basic, Kerberos) A10 also supports advanced dynamic authentication. Now, Microsoft applications such as ActiveSync, Outlook Web Access and Outlook Anywhere can be published on the same socket (IP address/port) while using different authentication methods for each. A10 solutions obtain user attributes such as assigned mailbox database, device IDs and group memberships from Active Directory; in turn, these characteristics are used to dynamically apply policies on a very granular basis for superior security from mobile and other Bring Your Own Device (BYOD) access devices. Application Security With today s shortened development cycle times and the strong demand for new applications, validation and checks for vulnerabilities may be incomplete. Such application weaknesses are not addressed by lower layer network firewalls or Intrusion Prevention Systems (IPS). What s needed is a firewall that inspects and secures traffic at Layer 7 to provide protection to the applications themselves; malicious traffic such as form field tampering, cross-site scripting, cookie poisoning and many more attack vectors must be blocked. TMG only provides signature-based inspection that blocks known attacks while day zero attacks are left undefended. To protect against an array of these unknown attacks that target application vulnerabilities, A10 provides a Web Application Firewall that can filter inbound HTTP requests. This is a critical task to protect the network infrastructure against the increasing problem of malware and vulnerabilities. To simplify deployment with Microsoft applications, this WAF is initially placed in a training mode to learn the normal and expected behavior of the applications. Once the training period is complete, it can be placed in protection mode to isolate and block traffic that does not comply with normal usage. Protections include: Cross-site request forgery (CSRF)prevention SQL injection check XSS (cross-site scripting, cookie/url/query/post args checking for JavaScript) Buffer overflow check URL white/black listing (up to 8 million individual host addresses and up to 64,000 subnet addresses) Bad bots protection Credit card, Social Security Number (SSN), sensitive content check Form field consistency check Field formats check Volumetric Distributed Denial of Service (DDoS) attacks, particularly at L7, are increasingly common. TMG has some basic support built-in; however, it does not provide the advanced protection or the performance required. A10 ADC appliances, many with hardware assisted DDoS processing, provide enhanced protection against these malicious assaults. A10 ADCs come equipped with IP anomaly filters to drop packets that contain common DDoS attack signatures. This feature comes standard in all the A10 ADC form factors: virtual, physical, hybrid and cloud-based offerings. Security protection features include: Frag Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code IP-option Drops all packets that contain any IP options Land-attack Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an IP land attack Ping-of-death Drops all jumbo IP packets, known as ping of death packets System-wide Policy-Based Server Load Balancing (PBSLB) IP anomaly filters, which include: -- Invalid HTTP or SSL payload -- Out of sequence packet -- Zero-length TCP window Access control lists (ACLs) permit and deny based on address and protocol information in the packets with support for standard and extended IPv4 and IPv6 addresses. 5

6 A10 Optimizes Microsoft Application Servers When deploying a secure web gateway such as TMG, the impact on the network infrastructure must be evaluated. The multiple functional modules result in substantial processing and degrade server availability, overall scalability and ultimately the performance of the network. The result is reduced capacity of various critical Microsoft applications such as SharePoint and Exchange. As TMG is server-based, it does not have the inherent power of a built-for-purpose ADC appliance. This means TMG servers with their basic load-balancing methods and limited ability to scale are typically installed in an array with an external physical load balancer. This adds needless complexity, capital expenditures and lengthened design-in time. Utilizing a single A10 ADC appliance provides the essential functionality of TMG, yet ensures the level of performance required while obviating the need for load balancers and other point solutions. Replacing TMG with A10 ADC solutions provides the scalability, availability and security demanded, while permitting throughput from 1 Gbps to over 1 Tbps. A10 appliances streamline the network topology and optimize the Microsoft application server farm. A10 ADCs offers a cost-effective and all-in-one solution that goes far beyond TMG in maximizing server availability, accelerating response times and reducing required network pipe utilization. A10 features include: Load balancing The most common use of a reverse proxy appliance is to provide load balancing to web applications. The A10 ADC provides a comprehensive list of load balancing algorithms to suit any type of application deployment. The load-balancing feature can be applied with a Microsoft application such as Microsoft Exchange, Lync or SharePoint, and it can be configured based on customer load-balancing requirements. Caching To optimize web content in today s networks, A10 caches web content on the ADC device to enhance website performance for clients. A10 ADCs can support up to 24 GB of HTTP/S objects, which reduces the number of connections needed between the A10 ADC and the server. HTTP compression This feature reduces the needed bandwidth and results in a faster download of application content by enabling ultra-high-speed compression and decompression of HTTP/HTTPS requests and responses. TCP connection reuse This feature is commonly deployed on web-based applications which can accelerate and optimize the data center infrastructure. It enhances the user web experience by reducing the number of TCP connection setups required; persistence is such that existing connections can be used for future TCP requests. SSL acceleration This offloads SSL processing from application servers. A10 ADCs have built-in security hardware to process SSL encode/decode SSL traffic with up to 4096-bit SSL certificates. In addition, A10 ADCs also provide STARTTLS support to enable secure traffic to and from Simple Mail Transfer Protocol (SMTP) servers by encrypting mail traffic to and from clients. Multi-tenancy This enables the configuration of up to 40 independent instances of Thunder ADC and Carrier Grade Networking (CGN) on one Thunder hybrid virtual appliance (HVA) platform. This provides the ability to load many instances of TMG functionality onto one appliance. Each instance is afforded its own dedicated portion of computing, memory, SSL and I/O resources and can be uniquely tuned to the exact needs of particular users, applications or servers. 6

7 This table shows the many ways A10 ADCs support key TMG features and add expanded capabilities. A10 Networks vs. TMG Key Feature Comparison Feature Microsoft TMG Thunder ADC Reverse proxy Standard connection termination Full support, including customizable HTTP-aware connection termination, redirection and TCP multiplexing for server offload Forward proxy Load balancing and Layer 7 content switching TMG firewalls can forward web proxy requests Basic L4 load balancing with basic round robin Configurable web proxy and caching server with explicit HTTP proxy support Multiple L4/L7 load-balancing algorithms, including least connections, weighted round robin and more Over 18+ load-balancing algorithm options available Global Server Load Balancing (GSLB) None Full support DNS-based and IPbased Route Health Injection(RHI) High availability and failover Complex, requires 3 nodes Active/active, active/passive, VRRP-A, GSLB Server health monitoring Limited to 3 basic methods: HTTP Get, Ping and TCP connections Methods include basic multiple L2-4 connectivity checks and advanced customizable validations of server and backend database functionality Session persistence Source IP or cookie only Multiple options, including hashing, SSL session ID, cookiebased, source/destination IP Authentication Application acceleration Scalability HTTPS inspection and SSL capacity Basic, forms-based, integrated and certificates Multifactor: client certificates, RSA SecurID, RADIUS Basic compression and static caching Cluster up to 6 TMG modules with Windows-based software (aimed at smaller and medium enterprises) Policy based; software only with minimal bulk throughput and TPS Numerous, including HTTP basic, forms-based, LDAP, RADIUS, OSCP, SAML Multifactor: Client certificates, RSA SecurID, RADIUS High capacity compression, static and dynamic caching and TCP optimization Purpose-built 1U appliances with up to 150 Gbps A10 Networks avcs Virtual Chassis System cluster up to 8 appliances for over 1 Tbps HVA with up to 40 independent instances Up to 1,023 application delivery partitions per one unit Policy-based; hardware-based processing with over 40 Gbps and 1.5M SSL TPS (2048-bit certificates) IPv6 No support Complete support for IPv6 and all IPv4/6 translations Simultaneous support for ADC and CGN instances on the same HVA platform 7

8 Feature Microsoft TMG Thunder ADC DDoS protection Basic DDoS High performance DDoS with up to 200M SYN packets/sec Multiple DDoS and protocol anomaly protection methods Reporting and monitoring None; third-party add-ons needed On-appliance reporting tools with drilldowns, customization and filtering to monitor usage and trends Firewall Negative security model with signature base ICSA certified WAF for protection against dozens of day-zero app attacks No signature base needed Automatically learns expected server behavior DNS application firewall Not available DNS Application Firewall that shields DNS servers from attacks, including buffer overflow, malformed requests and DoS IP-based connection rate limiting and concurrent connection controls Web-based authentication Basic only Provided through the Application Access Management (AAM) module; HTTP-basic and formbased Routing Basic only Static and dynamic routing Simplified application policy configuration Data leakage protection Conclusion Multi-step process Categorization and time-based blocking Templates with built-in auto policy configurations Data leakage protection methods, including customized fields, credit card and SSN masking URL classification filtering Microsoft Forefront TMG has been a worthy secure web gateway. It has been relied upon by users around the globe and included a broad feature set encompassing security and application optimization. Now that it is at end-of-sale, administrators managing networks, applications and security will need to turn to newer, more modern solutions. A10 Networks Thunder ADC provides not only the key attributes of TMG secure web gateways but offer advanced functionality that goes far beyond those capabilities. These include such things as advanced L7 application firewall, sophisticated load balancing and content switching to ensure application availability, and multiple application acceleration methods to speed content to remote clients. A10 also provides smart templates and detailed guides to expedite deployment of A10 ADCs with Microsoft applications. 8

9 About A10 Networks A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: Corporate Headquarters A10 Networks, Inc 3 West Plumeria Ave. San Jose, CA USA Tel: Fax: Part Number: A10-WP EN-01 Nov 2014 Worldwide Offices North America sales@a10networks.com Europe emea_sales@a10networks.com South America latam_sales@a10networks.com Japan jinfo@a10networks.com China china_sales@a10networks.com Taiwan taiwan@a10networks.com Korea korea@a10networks.com Hong Kong HongKong@a10networks.com South Asia SouthAsia@a10networks.com Australia/New Zealand anz_sales@a10networks.com 2014 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, A10 Thunder, Thunder, vthunder, acloud, ACOS, and agalaxy are trademarks or registered trademarks of A10 Networks, Inc. in the United States and in other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. To learn more about the A10 Thunder Application Service Gateways and how it can enhance your business, contact A10 Networks at: or call to talk to an A10 sales representative. 9