White Paper

A10 Thunder and AX Series: Load Balancing Security Gateways

June 2013
WP_LB FW 062013
Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks products and services are subject to A10 Networks standard terms and conditions.

Copyright 2013 A10 Networks, Inc. All rights reserved. A10 Networks, A10 Thunder, vThunder, ACOS, aCloud, aFleX, aXAPI, aVCS, Virtual Chassis, SoftAX, and aFlow are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries.
A10 Security Advantages

Scalability
- 1 RU appliances can scale to 150 Gbps of application traffic with 5+ million new connections per second
- 8x ADC scaling with Virtual Chassis systems

Acceleration and Optimization
- 80% faster content retrieval
- Reduce round trip time
- Reduce server CPU utilization
- Reduce server hardware requirements
- Up to 174,000 new SSL (2048-bit) connections per second

DDoS Protection
- Volumetric attack mitigation of 200+ million SYN requests per second
- Up to 140+ Gbps in 1 RU

Web Application Firewall (WAF)
- OWASP Top Ten protection
- PCI compliance

A10 Networks creates solutions to accelerate, optimize and secure customer networks. The A10 Thunder and AX Series Application Delivery Controllers (ADCs), the latest evolutionary step in Server Load Balancers (SLBs), enable customers to get maximum scalability and value from their networked devices. Typically, these are application servers that are front-ended by an ADC so that the application runs at optimal performance for its end users, capacity can scale, and the application is always available. But the benefits of load balancing are not limited to application servers: network firewalls can also benefit greatly from being paired with an ADC/SLB solution.

Efficient and secure network traffic flow is vital to an organization's fiscal health. For many organizations, Internet connectivity is an integral part of the core business. If the network is compromised, the results are often disastrous, leading to downtime, loss of revenue and loss of reputation.

Network firewalls have evolved over the years to include deep packet inspection (DPI) and to provide intrusion prevention services (IPS). Analyzing network traffic behavior and application data content is a very resource-intensive task. Firewalls and IPS devices have increased their capacity over time, yet the throughput of a single security gateway in a real network is often not enough to keep up with total network bandwidth demand.
DNS Application Firewall
- 80% reduction in CPU utilization when under attack versus other solutions
- 70% reduction in DNS server traffic load

In these cases, an ADC solution is a great way to transparently scale multiple security gateways, improving speed and availability without forcing a compromise between performance and security. Key ADC technologies that enhance security gateway deployments (firewalls, Intrusion Prevention Systems (IPS) and more) include:
- Application Acceleration
- Traffic Optimization
- DDoS Protection
- Web Application Firewall
- DNS Application Firewall
- SSL Intercept

With these value-added services, A10 can help companies accelerate, optimize and secure the most demanding infrastructures.
1. Acceleration and Optimization

A10 Thunder and AX Series ADCs can function as a load balancing solution for security gateway services. Flows can be distributed over the available firewalls, providing maximum availability and seamless scalability. A10's ADCs can also complement a security gateway with hardware-accelerated defense features to complete the overall security solution set without sacrificing performance. Key technologies to boost performance and reduce overhead include:
- SSL Offload
- TCP Connection Reuse
- Large-scale RAM Caching
- HTTP Compression
1.1. High Performance DDoS Protection

A10's ADC solution provides software- and hardware-based DDoS protection; dedicated hardware components block several key high-volume attacks. For example, the SYN flood attack, which comprises around 25 percent of all DDoS attacks on the Internet today, can be mitigated directly in hardware without adding load to the core CPUs. Additional techniques such as geographic filtering, rate limiting, connection limiting, "Slow HTTP" attack detection, aFleX commands and more protect the entire network and application stack against more advanced attacks.
1.2. Web Application Firewall

A Web Application Firewall (WAF) is a specialized firewall function that operates at the application layer (Layer 7) to protect against vulnerabilities in web application code. The WAF function is not included in traditional network firewalls and therefore makes a perfect complement to existing firewalls. Application layer attacks and exploitation techniques include:
- SQL Injection attack (SQLIA)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- More

The OWASP(1) project maintains a list of the top ten web application vulnerabilities, many of which persistently reappear on the list. With A10's WAF module, these top vulnerabilities can be addressed efficiently and cost-effectively, as the WAF feature is part of A10's all-inclusive license model.

(1) www.owasp.org
1.3. DNS Application Firewall

A10's ADCs were the first to provide a DNS Application Firewall, and the DNS protection features have expanded over the years. The DNS infrastructure is one of the most attractive targets for attackers, as many essential Internet-based applications, including web, email and voice services, rely heavily on DNS. Moreover, DNS traffic is usually unrestricted, meaning many organizations have limited defense mechanisms in place to monitor their DNS traffic or to protect their DNS infrastructure from attacks such as:
- DNS Flood Attacks
- DNS Amplification Attacks

A10 offers mitigation technologies for DNS amplification attacks, using the DNS Firewall feature set in combination with IP Limiting and system-wide Policy-Based Server Load Balancing (PBSLB). Specific features for DNS application security include:
- Traffic validation:
  o Drop or redirect malformed DNS queries
- High performance surge protection:
  o DNS caching on a per-VIP or per-record basis
  o Rate-based DNS caching
  o Throttling based on domain name
- Dynamic traffic flow regulation:
  o Source-IP based connection rate limiting
  o PBSLB (black/white lists)
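The traffic validation and rate-based regulation listed above, shown as an added illustration that is not A10's code and is not drawn from the ACOS product: a small Python filter that first rejects malformed queries (short or truncated headers, a response bit set on a supposed query, oversized labels or names, compression pointers or unexpected section counts in the question) and then applies a per-source-IP token bucket and a per-domain token bucket before forwarding. The packet bytes, the 192.0.2.x/198.51.100.x addresses, the rate and burst values and the decision labels are all constructed for this example.

```python
import struct
from collections import defaultdict


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal standard DNS query (one question, RD set).
    Used here only to construct sample traffic for the example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    """Return the queried name if msg is a well-formed DNS query; raise
    ValueError naming the defect otherwise (the 'drop malformed' check)."""
    if len(msg) < 12:
        raise ValueError("header shorter than 12 octets")
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response arriving as a query")
    opcode = (flags >> 11) & 0xF
    if opcode != 0:
        raise ValueError("non-standard opcode %d" % opcode)
    if qdcount != 1 or ancount != 0 or nscount != 0:
        raise ValueError("unexpected section counts for a query")
    pos, labels, total = 12, [], 0
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            raise ValueError("compression pointer in question name")
        if length > 63:                 # RFC 1035 label limit / reserved label type
            raise ValueError("invalid label type or label longer than 63 octets")
        total += length + 1
        if total + 1 > 255:             # RFC 1035 name limit, counting the root label
            raise ValueError("name longer than 255 octets")
        label = msg[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))  # UnicodeDecodeError is a ValueError
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated QTYPE/QCLASS")
    _qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    if qclass != 1:
        raise ValueError("unexpected QCLASS %d" % qclass)
    return ".".join(labels)


class TokenBucketLimiter:
    """Per-key token bucket: `rate` queries per second sustained, `burst` at once.
    Keyed by source IP for source limiting, by query name for domain throttling."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, key, now):
        last = self.last.get(key, now)
        self.tokens[key] = min(self.burst, self.tokens[key] + (now - last) * self.rate)
        self.last[key] = now
        if self.tokens[key] >= 1:
            self.tokens[key] -= 1
            return True
        return False


def filter_queries(packets, src_limiter, name_limiter):
    """packets: iterable of (timestamp_seconds, src_ip, raw_dns_bytes).
    Returns one (decision, src_ip, detail) tuple per packet."""
    decisions = []
    for ts, src, raw in packets:
        try:
            qname = parse_query(raw)
        except ValueError as err:
            decisions.append(("drop-malformed", src, str(err)))
            continue
        if not src_limiter.allow(src, ts):
            decisions.append(("drop-rate-limited-source", src, qname))
            continue
        if not name_limiter.allow(qname, ts):
            decisions.append(("drop-rate-limited-name", src, qname))
            continue
        decisions.append(("forward", src, qname))
    return decisions


def demo():
    """Run the filter over constructed traffic: one source sends a valid query,
    two malformed ones, then three more valid queries within 50 ms."""
    good = build_query("www.example.com")
    src_limiter = TokenBucketLimiter(rate=10.0, burst=3)     # constructed policy values
    name_limiter = TokenBucketLimiter(rate=50.0, burst=100)
    packets = [
        (0.00, "192.0.2.10", good),
        (0.01, "192.0.2.10", good[:20]),                       # question name cut short
        (0.02, "192.0.2.10", b"\x12\x34\x81\x80" + good[4:]),  # QR bit set on a "query"
        (0.03, "192.0.2.10", good),
        (0.04, "192.0.2.10", good),
        (0.05, "192.0.2.10", good),                            # bucket empty: dropped
        (0.06, "198.51.100.7", good),                          # other source, unaffected
    ]
    return filter_queries(packets, src_limiter, name_limiter)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Malformed packets are rejected before they consume any rate-limit budget, so a flood of garbage from one address cannot starve that address's legitimate queries of tokens; the per-domain bucket is what lets a single hot name be throttled without penalising every client behind a shared resolver.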
1.4. SSL Intercept

Secured web traffic (HTTPS) is gaining in popularity for obvious reasons: the transaction between client and server cannot be read and abused by third parties. The SSL/TLS suite provides added protection to web users, for financial transactions for example, and because of this protection the use of SSL has become much more ubiquitous. Many web sites now support SSL access for their entire content. The disadvantage of this added security is that devices such as firewalls are unable to perform deep packet inspection of SSL-encrypted packets for spyware or malware, and hence cannot protect against spyware and malware that infiltrate an organization's network through SSL connections.

A10's ADCs are equipped with powerful, dedicated SSL processors that can deal effortlessly with many concurrent SSL sessions. The initial setup of an SSL connection requires significant resources, which is why SSL acceleration hardware is essential in a gateway that manages a high number of concurrent SSL connections. The SSL Intercept feature can decrypt and then re-encrypt these secured connections at scale, even with processor-intensive 2048-bit and 4096-bit key sizes. Previously unreadable network flows can be presented to a third-party security device that inspects the decrypted traffic and takes action against offending traffic when needed.

2. Summary

With A10's Thunder and AX Series, organizations can accelerate and optimize their security solution set by load balancing their current security gateway solutions, with the full benefit of the extreme hardware acceleration and additional security modules that A10 provides in its all-inclusive licensing model. Finally, in addition to network integrity, the integrity of the environment is also important, making A10's ADCs an ideal choice by providing the highest performance in a very energy-efficient, compact device.