Load Balancing Security Gateways WHITE PAPER


Table of Contents

Acceleration and Optimization
High Performance DDoS Protection
Web Application Firewall
DNS Application Firewall
SSL Insight
Summary
About A10 Networks

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided as-is. The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks' products and services are subject to A10 Networks' standard terms and conditions.

A10 Networks creates solutions to accelerate, optimize and secure customer networks. The ADC product line of high-performance, next-generation application delivery controllers (ADCs), the latest evolutionary step in server load balancers (SLBs), enables customers to get maximum scalability and value from their networked devices. Typically, these are application servers that are front-ended by an ADC device so that the application operates at optimal performance for its end users, capacity can scale, and the application is always available. But the benefits of load balancing are not limited to application servers: network firewalls can also benefit greatly from being paired with an ADC/SLB solution.

Efficient and secure network traffic flow is vital to an organization's fiscal health. For many organizations, Internet connectivity is an integral part of the core business. If the network is compromised, the results are often disastrous, leading to downtime, loss of revenue and loss of reputation.

Network firewalls have evolved over the years to include deep packet inspection (DPI) and provide intrusion prevention services (IPS). Analyzing network traffic behavior and application data content is a very resource-intensive task. Firewalls and IPS devices have increased their capacity over time, yet the throughput of a security gateway device in a real network often is not enough to keep up with total network bandwidth demand. In these cases, an ADC solution is a great way to transparently scale multiple security gateways, improving speed and availability, without forcing a compromise between performance and security.

Some key ADC technologies to enhance security gateway deployments (such as firewalls, intrusion prevention systems (IPS) and more) include:

Application Acceleration
Traffic Optimization
DDoS Protection
Web Application Firewall
DNS Application Firewall
SSL Insight

With these value-added services, A10 can help companies to accelerate, optimize and secure the most demanding infrastructures.

A10 Security Advantages

Scalability
    1 RU appliances can scale to 150 Gbps of application traffic with 5+ million new connections per second
    8x ADC scaling with virtual chassis systems
Acceleration
    80% faster content retrieval
    Reduce round trip time
Optimization
    Reduce server CPU utilization
    Reduce server hardware requirements
    Up to 174,000 new SSL (2048-bit) connections per second
DDoS Protection
    Volumetric attack mitigation of 200+ million SYN requests per second
    Up to 140+ Gbps in 1 RU
Web Application Firewall (WAF)
    OWASP top ten protection
    PCI Compliancy
DNS Application Firewall
    80% reduction in CPU utilization when under attack versus other solutions
    70% reduction in DNS server traffic load

[Figure labels: Application Acceleration and Optimization; Granular DNS Protection; Secured Web Transactions; Granular Website Protection; Web App, DNS, Other App; DMZ; Internal Network; Internet; Firewall Scaling; DDoS Mitigation; Encrypted Content Inspection; Faster Content Delivery (Caching); Firewalls, Intrusion Detection, Other Security Devices; Trusted; Untrusted]

Acceleration and Optimization

Thunder and AX Series ADCs can function as a load balancing solution for security gateway services. Flows can be distributed over available firewalls, providing maximum availability and seamless scalability. A10's ADCs can also complement a security gateway with hardware-accelerated defense solutions to complete the overall security solution set, without sacrificing performance. Key technologies to boost performance and reduce overhead include:

SSL Offload
TCP Connection Reuse
Large-scale RAM Caching
HTTP Compression

High Performance DDoS Protection

A10's ADC solution provides software- and hardware-based DDoS protection; specific hardware components block multiple key high-volume attacks. For example, the SYN flood attack, which comprises around 25 percent of all DDoS attacks on the Internet today, can be mitigated directly in hardware, without adding load to the core CPUs. Additional techniques such as geographic filtering, rate limiting, connection limiting, slow HTTP attack detection, A10 Networks aFleX commands and more protect the entire network and application stack against more advanced attacks.

Web Application Firewall

A Web Application Firewall (WAF) is a specialized firewall function that operates specifically on the application level (Layer 7) to protect against web code vulnerabilities. The WAF function is not included in traditional network firewalls, and therefore makes a perfect complementary solution to existing firewalls. Application layer attacks or exploitations include:

SQL Injection attack (SQLIA)
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
More

The OWASP project (www.owasp.org) maintains a list of the top ten web application vulnerabilities, many of which persistently reappear on the list. With A10's WAF module, these top vulnerabilities can be addressed efficiently and cost effectively, as the WAF feature is part of A10's all-inclusive license model.

DNS Application Firewall

A10's ADCs were the first to provide a DNS Application Firewall, and the DNS protection features have expanded over the years. The DNS infrastructure is one of the most attractive targets for attackers, as many essential Internet-based applications, including web, email, and voice services, rely heavily on DNS. Moreover, DNS traffic usually is unrestricted, meaning many organizations have limited defense mechanisms in place to monitor their DNS traffic, or to protect their DNS infrastructure from attacks, such as:

DNS Flood Attacks
DNS Amplification Attacks

A10 offers mitigation technologies to deal with a DNS Amplification attack, using the DNS Firewall feature set in combination with IP Limiting and system-wide Policy-Based Server Load Balancing (PBSLB). Specific features for DNS application security include:

Traffic validation:
    Drop or redirect malformed DNS queries
High performance surge protection:
    DNS caching on per-VIP or per-record basis
    Rate-based DNS caching
    Throttling based on domain name
Dynamic traffic flow regulation:
    Source-IP based connection rate limiting
    PBSLB (black/white lists)

[Figure labels: DDoS Attack; Zombies, Infected Clients Generating Requests; Malicious and Invalid Non-DNS Traffic on Port 53; Small Requests; Denied; Surge Protection; Allowed; A10 Devices; DMZ; DNS Server(s); Reduce load by up to 70%; Standard CPU Usage; DDoS Attack Targets Not Overwhelmed; Regular Clients Perform as Expected; Optional Malicious and Invalid Traffic Redirection]

SSL Insight

Secured web traffic (HTTPS) is gaining in popularity for obvious reasons: the transaction between client and server cannot be read and abused by third parties. The SSL/TLS suite provides added protection to web users, for financial transactions for example, and because of this protection the use of SSL has become much more ubiquitous. Many web sites now support SSL access for their entire content. The disadvantage of this added security is that devices such as firewalls are unable to do deep packet inspection of an SSL-encrypted packet for spyware or malware, and hence cannot protect against spyware and malware that infiltrate an organization's network through SSL connections.

A10's ADCs are equipped with powerful, dedicated SSL processors that can deal effortlessly with many concurrent SSL sessions. The initial setup of an SSL connection requires significant resources, which is why SSL acceleration hardware is essential in a gateway that manages a high level of concurrent SSL connections. The SSL Insight feature can decrypt and then re-encrypt these secured connections, at scale, even with processor-intensive 2048-bit and 4096-bit key sizes. Previously unreadable network flows can be presented to a third-party security device that inspects the decrypted traffic and takes action against offending traffic when needed.
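The traffic validation and source-IP rate limiting named in the DNS Application Firewall feature list can be sketched as follows. This is an added Python example, not A10 code or configuration; the function and class names, the standard-queries-only policy and the rate thresholds are assumptions made for illustration.

```python
import struct
from collections import defaultdict, deque

def validate_query(payload: bytes) -> str:
    """Return 'ok' or a drop reason for a UDP payload received on port 53."""
    if len(payload) < 12:
        return "drop: shorter than DNS header"
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0xF800:  # QR bit set or non-zero opcode (assumed policy)
        return "drop: not a standard query"
    if qd != 1 or an or ns:
        return "drop: unexpected section counts"
    pos = 12
    while True:  # walk the length-prefixed labels of QNAME
        if pos >= len(payload):
            return "drop: truncated QNAME"
        length = payload[pos]
        pos += 1 + length
        if length == 0:
            break
        if length > 63:  # RFC 1035 label limit; larger is a pointer/reserved
            return "drop: invalid label length"
        if pos - 12 + 1 > 255:  # RFC 1035 limit on the encoded name
            return "drop: QNAME too long"
    if pos + 4 > len(payload):
        return "drop: missing QTYPE/QCLASS"
    return "ok"

class SourceRateLimiter:  # sliding-window query limit per source IP
    def __init__(self, max_queries: int, window_s: float):
        self.max_queries, self.window_s = max_queries, window_s
        self.seen = defaultdict(deque)
    def allow(self, src_ip: str, now: float) -> bool:
        q = self.seen[src_ip]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # forget queries older than the window
        if len(q) >= self.max_queries:
            return False
        q.append(now)
        return True

def filter_packet(limiter, src_ip: str, payload: bytes, now: float) -> str:
    verdict = validate_query(payload)  # validate first, then rate-limit
    if verdict == "ok" and not limiter.allow(src_ip, now):
        return "drop: source rate limit"
    return verdict

SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)  # constructed
                + b"\x03www\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
```

Malformed packets are rejected before the limiter is consulted, so invalid traffic on port 53 does not consume a legitimate source's query budget.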

[Figure labels: Client; Encrypted; ADC; Decrypted; Inspection/Protection (DLP, IDS, UTM, Other); ADC; Encrypted; Internet; Server]

Summary

With ADCs, organizations can accelerate and optimize their security solution set by load balancing their current security gateway solutions, with full benefit of the extreme hardware acceleration and additional security modules that A10 provides in its all-inclusive licensing model. Finally, in addition to network integrity, integrity of the environment is also important, making A10 Networks Thunder ADCs an ideal choice by providing the highest performance in a very energy-efficient, compact device.

About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application networking solutions that help organizations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and serves customers globally with offices worldwide. For more information, visit: www.a10networks.com

Corporate Headquarters
A10 Networks, Inc
3 West Plumeria Ave.
San Jose, CA 95134 USA
Tel: +1 408 325-8668
Fax: +1 408 325-8666
www.a10networks.com

Part Number: A10-WP-21113-EN-01 Oct 2014

Worldwide Offices
North America: sales@a10networks.com
Europe: emea_sales@a10networks.com
South America: latam_sales@a10networks.com
Japan: jinfo@a10networks.com
China: china_sales@a10networks.com
Taiwan: taiwan@a10networks.com
Korea: korea@a10networks.com
Hong Kong: HongKong@a10networks.com
South Asia: SouthAsia@a10networks.com
Australia/New Zealand: anz_sales@a10networks.com

© 2014 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, Thunder, vThunder, aCloud, ACOS, and aGalaxy are trademarks or registered trademarks of A10 Networks, Inc. in the United States and in other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

To learn more about the Application Service Gateways and how they can enhance your business, contact A10 Networks at: www.a10networks.com/contact or call to talk to an A10 sales representative.