Security Days Geneva 2015 Security Overview and Cisco ACE Replacement March, 2014 Tobias Kull tobias.kull@eb-qual.ch
A10 Corporate Introduction
  Headquarters in San Jose
  800+ Employees
  Offices in 32 countries
  Customers in 65 countries
  CUSTOMER GROWTH: 1,000+ (Q4'11), 2,000+ (Q4'12), 4,000+ (Today)
  COMPANY GROWTH: $54.7M (2010), $91.5M (2011), $120M (2012), $142M (2013)
Network Performance and Security Challenges Application Performance Scalability & Availability New Data Center Designs Increasingly Sophisticated Security Threats Scaling Infrastructure Performance Mobile Device Explosion Big Data Analytics IPv4 Address Exhaustion 100G Backbones Cloud Automation (IaaS) Software-Defined Networking (SDN) Network Function Virtualization (NFV) Targeted Resource Denial (DDoS) Rapid Volume Growth (Botnets)
A10 Product Portfolio Overview CGN Carrier Grade Networking ADC Application Delivery Controller TPS Threat Protection System Product Lines ADC Application Acceleration & Security CGN IPv4 Extension / IPv6 Migration TPS Network Perimeter DDoS Security ACOS Platform Application Networking Platform Performance Scalability Extensibility Flexibility Dedicated Network Managed Hosting Cloud IaaS IT Delivery Models
3400+ Customers in 65 Countries
  Service Providers, Enterprises, Web Giants
  3 of Top 4 U.S. wireless carriers
  7 of Top 10 U.S. cable providers
  Top 3 wireless carriers in Japan
A10 ACOS Platform Software & Hardware
ACOS Platform: Scaling Application Networking with Moore's Law
  [Diagram labels: OSI Reference Model (Application, Presentation, Session, Transport, Network, Data Link, Physical); High-Value Services: Optimization, Availability, Security; Shared Memory Architecture; cores 1, 2, 3 ... N; Flexible Traffic Accelerator; Switching and Routing; Low-Value Services: Forwarding, Segmentation; sample addresses IP: 192.168.1.1, MAC: f4:f9:51:f0:d5:9d]
  Highly Scalable Application-Layer Processing:
    Scalable Symmetric Multi-Processing
    Unique Shared Memory Architecture
  Extremely Efficient Network Pre-Processing*:
    Hardware-Assisted L2-4 Pre-Processing
    Optimized Hardware-Assisted Flow Distribution
    Hardware-Assisted Security Functions
  Linear Growth in Scale via Parallel Processing
  * Hardware Assist Features Available on Most Thunder Appliances
ACOS: Platform for Application Service Gateway Portfolio Policy Mgmt aGalaxy aXAPI aFleX aCloud aCloud Services Architecture (SDN & Cloud Integration) Software Product Lines Platform OS & Services Optimization & Acceleration ADC CGN ACOS Advanced Core Operating System IPv6 SLB SSL GSLB TCP Opt NAT Security TPS DDoS SSL WAF AAM DAF Dedicated Data Centers Multi-Tenant Data Centers Form Factors Thunder™ & AX Series Appliances Virtual Chassis (aVCS) Application Delivery Partitions (ADPs) Thunder HVA Appliances vThunder Perpetual License vThunder Pay-as-you-Go License IT Delivery Models Dedicated Network Managed Hosting Cloud IaaS
Thunder ASG Products & Example Deployment Use Cases TPS DDoS Detection & Mitigation CGNAT, NAT44, NAT64, DS-Lite CGN aCloud Pay-as-you-Go Licensing Model Managed Hosting Provider & IaaS ADC SLB, Cache, SSL Offload, WAF Carrier Network ADC FWLB & SSL Intercept Data Center Demilitarized Zone (DMZ)
A10 ACOS Platform Security Solutions
Enterprise Data Center
  Application availability: to maintain uptime
    SLB, GSLB, high-availability (HA), health checks, more
  Application acceleration: for equipment consolidation and faster user experience
    Caching, compression, network optimization, more
  Application security services: for brand and asset protection while enhancing your existing security
    FWLB, WAF, SSL services, more
  [Diagram labels: Backup Data Center, A10 ADC, Web App DNS Other App]
    Availability: GSLB, High-availability, Health-checks
    Security: DDoS Mitigation, WAF, DAF, AAM
    Acceleration: SSL Offload, TCP Reuse, RAM Caching, Compression
DMZ Security Solutions
  Scaling security devices and encrypted communications
    SSL Intercept: Eliminate encryption blind spot and scale security appliances
    FWLB and SSL offload, more
  Defend against emerging DDoS attacks
    Network and application protection
  Selectively apply dynamic security chains
    Traffic steering and advanced ADC services
  [Diagram labels: A10 ADC, A10 ADC, Firewall Load Balancing, DDoS Mitigation, WAF, DAF, AAM, Traffic Steering, aFleX Scripting, SSL Offload, Firewalls, IDS/IPS, DLP, Other, Firewall Load Balancing, SSL Intercept, Data Center, Internal Users]
A10 Security Alliance Partner Categories SSL Inspection and Load Balancing Certificate Management Authentication Intelligence Advanced Detection and Analysis Programmatic Security Control
SSL problematic
Trends are changing
Why those changes?
How attackers exploit encrypted traffic
Where do we need SSL inspection?
Deployment
Benefits to securing inbound & outbound SSL traffic
  1. Security
       Threats discovery
  2. Availability
       Faster backend server response time
       Automatic server redundancy
  3. Performance
       Relieves security appliances
  4. Scalability
       Certificate management
       Scale servers & security appliances
Why A10 Wins - Cisco ACE Replacement and in general
Easy transition features CLI/GUI
  Graphical User Interface (GUI)
    Fewer screens and steps for tasks
    Intuitive and easy to use
  Command Line Interface (CLI)
    Industry standard (Cisco-like CLI)
    Easy to use, comprehensive help
  ACOS Version 2.7.x
    REST-based API
    JSON format
    Many integrations and SDKs available
Easy transition features CLI/SDP

Cisco ACE config

    interface vlan 120
      description Upstream VLAN_120 - Clients and VIPs
      ip address 192.168.120.1 255.255.255.0
      fragment chain 20
      fragment min-mtu 68

    rserver host SERVER1
      ip address 192.168.252.245
      inservice
    rserver host SERVER2
      ip address 192.168.252.246
      inservice
    rserver host SERVER3
      ip address 192.168.252.247
      inservice

    serverfarm host SFARM1
      probe UDP
      rserver SERVER1
        inservice
      rserver SERVER2
        inservice
      rserver SERVER3
        inservice

    class-map match-all L4UDP-VIP_114:UDP_CLASS
      2 match virtual-address 192.168.120.114 udp eq 53

    policy-map type loadbalance first-match L7PLBSF_UDP_POLICY
      class class-default
        serverfarm SFARM1

A10 AX config

    vlan 120
     tagged interface e 1
     router-interface ve 120
    !
    interface ve 120
     ip address 192.168.120.1 255.255.255.0
    !
    slb server SERVER1 192.168.252.245
     port 0 udp
    !
    slb server SERVER2 192.168.252.246
     port 0 udp
    !
    slb server SERVER3 192.168.252.247
     port 0 udp
    !
    slb service-group SFARM1 udp
     health-check UDP
     member SERVER1:None
     member SERVER2:None
     member SERVER3:None
    !
    slb virtual-server vs_192_168_120_114 192.168.120.114
     port udp
      name L4UDP-VIP_114:UDP_CLASS
      service-group SFARM1
Why A10 ACOS Wins
  Best-in-class application networking performance scalability
  Software-based platform with platform APIs for Cloud integration
  Flexible form factors & packaging
  Predictable Capex / Opex with all-inclusive licensing and support pricing
  Highly efficient design for data center OPEX
  Gold standard for quality & reliability
ACOS: Best-in-Class Performance Scalability
  Scalable Symmetric Multi-Core Processing (SMMP)
    Designed to Optimize Resource Utilization & Efficiency
  Shared-Memory Architecture (SMA)
    Architected for 64-bit multi-core, multi-threaded operations
    Fundamental benefits: memory, processor & I/O efficiency
    Linear performance scalability with x86 trajectory
  Flexible Traffic Accelerator (FTA)
    Multi-processor flow distribution
    Symmetric distribution of load across cores
Thank you