Copyright Avi Networks 2018
Avi Tech Corner #4
Adopting Modern SSL / TLS
Nathan McMahon
Product Management
SSL / TLS Termination
• SSL termination has become synonymous with load balancing
• Legacy hardware load balancers are sized and purchased by SSL TPS
• HTTP/2 and HTTP/3 effectively mandate TLS: browsers only negotiate HTTP/2 over TLS, and HTTP/3 runs over QUIC, which has TLS 1.3 built in
(Diagram: HTTPS from the client to the load balancer; HTTPS or HTTP from the load balancer to the servers)
Hardware Versus Software
TLS termination in software is:
• More secure
• More scalable
• Less expensive
Software based encryption is used by:
• The largest sites on the Internet
• Avi Vantage
(Diagram: four deployment modes. Client connection encrypted: TLS is terminated at Avi, plain HTTP to the server. Server connection encrypted: plain HTTP from the client, TLS from Avi to the server. Both sides encrypted: TLS terminated at Avi and re-encrypted to the server. Pass-through: encryption is end to end between client and server, with no decryption at Avi.)
RSA Versus ECC
• Elliptic Curve Cryptography is "brand new": only about 33 years old (proposed in 1985)
• Every modern browser supports Elliptic Curve Cryptography
• Avi supports both RSA and ECC
• A VS may be configured with both cert types at once
• Which cert is used is decided during the handshake: the first cipher in the server's ordered list that the client also supports selects either the ECDSA or the RSA certificate
• ECC gives roughly 2.5x the TPS of RSA on the same hardware
• An ECC 256-bit key offers security equivalent to a 3072-bit RSA key (the 128-bit security level)
• ECC makes Perfect Forward Secrecy cheaper: ECDHE key exchange costs far less than finite-field DHE
Perfect Forward Secrecy
Limit the damage of a private key compromise
• A fresh, ephemeral key pair (ECDHE or DHE) is generated for every session; the certificate's long-term private key only authenticates the handshake and never protects the session key
• Recorded traffic cannot be decrypted later, even if the long-term private key is stolen or seized
• TLS 1.3 requires Perfect Forward Secrecy: static RSA and static DH key exchange were removed from the protocol
• PFS will blind network monitoring solutions that decrypt passively with a copy of the server's private key
(Diagram: TLS negotiated without forward secrecy versus TLS negotiated with forward secrecy)
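The difference between the two elliptic-curve rows of the performance table later in this deck (static ECDH-ECDSA without PFS, ECDHE-ECDSA with it) comes down to which private key protects the session secret. The following is an added example in Python, not Avi code: it implements X25519 from RFC 7748 in pure Python, runs one handshake of each kind, then plays the attacker who captured the handshake and later obtains the server's long-term private key. The key schedule is a stand-in (SHA-256 over the shared secret and both public values), the signature step of a real ECDHE handshake is elided because it has no bearing on key recovery, and all key material is generated locally.

```python
"""Static ECDH versus ephemeral ECDHE: what a later leak of the server's
long-term private key gives an attacker who recorded the traffic.
Added example, not Avi code. Curve arithmetic is X25519 (RFC 7748)."""
import hashlib
import secrets

P = 2 ** 255 - 19
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication, RFC 7748 section 5."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64                                   # clamp the scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(priv=None):
    priv = priv or secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def session_key(shared: bytes, transcript: bytes) -> bytes:
    # Stand-in for the TLS key schedule: depends on the shared secret and both public values.
    return hashlib.sha256(shared + transcript).digest()


def static_ecdh_handshake(server_static_pub: bytes):
    """Non-PFS (the ECDH-ECDSA rows): the server's key-exchange key IS the
    long-term key in its certificate, reused for every session."""
    client_priv, client_pub = keypair()
    key = session_key(x25519(client_priv, server_static_pub), client_pub + server_static_pub)
    capture = {"client_pub": client_pub, "server_pub": server_static_pub}  # what a sniffer records
    return key, capture


def ephemeral_ecdh_handshake():
    """PFS (the ECDHE rows): fresh key pair per session; the long-term key would
    only sign server_pub (signature elided). Ephemeral private keys are discarded."""
    client_priv, client_pub = keypair()
    server_priv, server_pub = keypair()
    assert x25519(client_priv, server_pub) == x25519(server_priv, client_pub)
    key = session_key(x25519(client_priv, server_pub), client_pub + server_pub)
    capture = {"client_pub": client_pub, "server_pub": server_pub}
    return key, capture


def retroactive_decrypt(capture: dict, leaked_static_priv: bytes) -> bytes:
    """Attacker who later obtains the server's long-term private key tries to
    re-derive the session key from the captured handshake."""
    shared = x25519(leaked_static_priv, capture["client_pub"])
    return session_key(shared, capture["client_pub"] + capture["server_pub"])


def demo() -> dict:
    static_priv, static_pub = keypair()          # the key pair behind the server certificate
    k_static, cap_static = static_ecdh_handshake(static_pub)
    k_eph, cap_eph = ephemeral_ecdh_handshake()
    return {
        "static_ecdh_recovered": retroactive_decrypt(cap_static, static_priv) == k_static,  # True
        "ecdhe_recovered": retroactive_decrypt(cap_eph, static_priv) == k_eph,              # False
    }


if __name__ == "__main__":
    print(demo())
```

The static case is exactly what a passive monitoring tool with a copy of the server key relies on; the ephemeral case is why such tools go blind once ECDHE (or TLS 1.3) is enforced.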
PFS Blinds Network Monitoring Solutions
Maintain Network Visibility
• Avi provides very rich analytics
  – 500 metrics per VS
  – Billions of data points a day
• Avi can mirror decrypted traffic from the SE to an IDS or NPM
  – Traffic can be re-encrypted using a new key, one the monitoring tool holds
  – Traffic can be sent unencrypted (keep that mirror on an isolated, trusted segment)
(Diagram: HTTPS from the client to Avi, HTTPS from Avi to the server, and a mirrored HTTP or HTTPS copy to the IDS / NPM)
TLS Performance
PFS Performance
• PFS with RSA (DHE-RSA) takes a ~40% hit over non-PFS RSA
• PFS with ECC (ECDHE-ECDSA) takes a ~15% hit over non-PFS ECC
Scale
• Performance scales nearly linearly across CPU cores
• Performance scales nearly linearly across Service Engines

Cipher                          Key   PFS   TPS per core
ECDH-ECDSA-AES256-SHA           EC    N     3000
ECDHE-ECDSA-AES128-GCM-SHA256   EC    Y     2500
AES128-GCM-SHA256               RSA   N     1000
DHE-RSA-AES128-GCM-SHA256       RSA   Y     550

Note that the RSA PFS row is finite-field DHE. ECDHE-RSA suites pair an RSA certificate with elliptic-curve key exchange and cost far less than DHE-RSA, so an RSA certificate does not have to mean a 40% PFS penalty.

Sizing example:
3x active/active Service Engines
2x CPUs per Service Engine
12 cores per CPU
------------------------------------------
3 * 2 * 12 * 2500 = 180,000 TPS (ECDHE-ECDSA-AES128-GCM-SHA256)
Certs / Keys
Securing Private Keys
• Keys are stored encrypted in the Controller's database; they are not stored on the SE
• Only an account with WRITE access can export a private key
• Exporting a private key logs an event in the audit trail
• The private key is scrubbed from GET API responses unless export_key=True is passed
• Specify a passphrase so the key is never exportable in clear text
• HSMs are supported for FIPS compliance
SSL Termination
Automated Cert Renewal
• Soon-to-expire certs incur a security health score penalty
• Set alerts to remind admins of expiring certs at 30-day, 7-day, and 1-day intervals
• Automate certificate renewal via:
  – Venafi
  – CERT+
  – Custom scripts under Security > "Certificate Management"
Hardware Versus Software
TLS termination in software:
• More secure: software allows quick adoption of fixes and new TLS technology
• More scalable: software allows incremental capacity scaling
• Less expensive: software leverages inexpensive x86 compute for better price/performance
Workshops: avinetworks.com/workshop
Webinars: 1 Million TPS
Webinars: Next webinar is on Kubernetes
avinetworks.com/webinars/
SSL Redirects
HTTP to HTTPS Redirect
• Via the HTTP application profile > Security > SSL Everywhere
  – HTTP (port 80) and HTTPS (port 443) configured on the same VS
  – Can include server redirect rewrites
  – SSL Everywhere also enables HSTS. This is recommended for production but potentially dangerous for lab environments; leave it disabled if you are unsure
• Via HTTP Request Policy
• Via DataScript:
  avi.http.redirect("https://" .. avi.http.hostname() .. avi.http.get_uri())
SSL Redirects
HTTP Strict Transport Security (HSTS)
• HSTS forces browsers to connect only via HTTPS for a period of time (usually 1 year, max-age=31536000)
• HSTS tells browsers to refuse the connection, with no click-through, if the cert is expired, for the wrong domain, or otherwise invalid
• HSTS is recommended for stable, production sites
• HSTS is not recommended for labs where certs are temporary or self-signed
• HSTS is enabled via the HTTP profile's SSL Everywhere setting, and is enabled in the Secure-HTTP-Profile
• Leaving HSTS disabled incurs a security penalty in the Avi health score and in 3rd party SSL tools such as Qualys SSL Labs
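The redirect and HSTS behaviour described on the two slides above, as an added example in plain Python (not Avi code and not a DataScript): the redirect mirrors the one-line DataScript, the HSTS header is built and parsed per RFC 6797, and an audit function reproduces the kind of finding a health score or SSL Labs scan raises. The request and response dicts are a constructed stand-in for a proxy's request objects, the `environment` switch is hypothetical, and the 180-day threshold is the minimum that scanners such as SSL Labs look for.

```python
"""HTTP-to-HTTPS redirect and HSTS handling, modelled on "SSL Everywhere".
Added example in plain Python, not Avi code."""
import re
from typing import List, Optional

ONE_YEAR = 31536000            # seconds; the usual production max-age
LONG_ENOUGH = 15552000         # 180 days; scanners treat anything shorter as weak


def redirect_to_https(host: str, uri: str, status: int = 301) -> dict:
    """Same effect as the DataScript
    avi.http.redirect("https://" .. avi.http.hostname() .. avi.http.get_uri())."""
    return {"status": status, "headers": {"Location": f"https://{host}{uri}"}}


def hsts_header(max_age: int = ONE_YEAR, include_subdomains: bool = True, preload: bool = False) -> str:
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns None when the header is invalid (max-age missing, or any directive
    repeated), which is also when browsers ignore it."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            match = re.fullmatch(r'"?(\d+)"?', raw.strip())   # value may be quoted
            if not match:
                return None
            policy["max_age"] = int(match.group(1))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def ssl_everywhere(request: dict, environment: str = "production") -> dict:
    """Plain-HTTP requests get a 301 to the same host and URI over HTTPS.
    HTTPS responses get an HSTS header in production only: a lab browser that
    caches the policy will refuse the site outright on the next self-signed cert."""
    if request["scheme"] == "http":
        return redirect_to_https(request["host"], request["uri"])
    response = {"status": 200, "headers": {}}
    if environment == "production":
        response["headers"]["Strict-Transport-Security"] = hsts_header()
    return response


def audit_hsts(value: Optional[str]) -> List[str]:
    """Findings of the kind a health score or SSL Labs scan reports."""
    if value is None:
        return ["HSTS missing: security penalty"]
    policy = parse_hsts(value)
    if policy is None:
        return ["HSTS header malformed: browsers will ignore it"]
    findings = []
    if policy["max_age"] < LONG_ENOUGH:
        findings.append(f"HSTS max-age {policy['max_age']} is below 180 days")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings
```

The duplicate-directive rule is the one most hand-rolled parsers miss: a header such as `max-age=31536000; max-age=0` is invalid as a whole, not "last one wins".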
SSL Redirects
Server Name Indication
• SNI is often overlooked because it is labeled "Virtual Hosting" in the VS
• A single VIP can accept TLS connections for multiple encrypted sites or domain names
• Similar to the VS > Pool mapping, Avi uses a Parent VS > Child VS mapping
• The Parent VS holds the VIP and the SSL profile, and is the catch-all for requests that do not match a child VS
• A Child VS is mapped to a domain name and its certificate, and otherwise behaves as a normal VS
(Diagram: a.avi.com, b.avi.com and c.avi.com all resolve to the parent VS at 10.1.1.1:443; child VSs forward to pool_a, pool_b, and pool_c1 / pool_c2 respectively)
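The parent / child dispatch above is driven by the server_name extension in the ClientHello, which the SE has to read before it can pick a certificate. The following is an added example in Python, not Avi code: it builds a minimal ClientHello, parses the SNI extension out of the raw TLS record, and routes to a child VS or falls back to the parent. The hostnames and VIP are the ones in the diagram; the certificate and pool names, the zero-filled client random and the cipher list are constructed for the example.

```python
"""Extract SNI from a TLS ClientHello and dispatch to a parent / child VS.
Added example in plain Python, not Avi code."""
from typing import Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed TLS 1.2-style ClientHello (zero random for reproducibility)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
    suites = bytes.fromhex("c02bc02f1301")               # ECDHE-ECDSA-AES128-GCM, ECDHE-RSA-AES128-GCM, TLS_AES_128_GCM_SHA256
    body += len(suites).to_bytes(2, "big") + suites
    body += b"\x01\x00"                                  # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name           # name_type 0 = host_name
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None when the
    client sent no SNI. Raises ValueError for anything that is not a complete ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        declared = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + declared]
        if len(body) != declared:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                                 # skip client_version and random
        pos += 1 + body[pos]                                         # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")          # cipher_suites
        pos += 1 + body[pos]                                         # compression_methods
        if pos == len(body):
            return None                                              # no extensions block (old clients)
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:
                continue
            q = 2                                                    # skip ServerNameList length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = int.from_bytes(data[q + 1:q + 3], "big")
                name = data[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc


# Parent VS: owns the VIP (10.1.1.1:443) and the SSL profile, and is the catch-all.
# Child VSs: one per domain name, each with its own certificate and pool(s).
PARENT_VS = {"cert": "default-cert", "pools": ["pool_default"]}          # constructed names
CHILD_VS = {
    "a.avi.com": {"cert": "cert-a", "pools": ["pool_a"]},
    "b.avi.com": {"cert": "cert-b", "pools": ["pool_b"]},
    "c.avi.com": {"cert": "cert-c", "pools": ["pool_c1", "pool_c2"]},
}


def dispatch(record: bytes) -> dict:
    """Pick the child VS whose domain matches the SNI; otherwise use the parent."""
    sni = extract_sni(record)
    if sni is None:
        return PARENT_VS
    return CHILD_VS.get(sni.lower(), PARENT_VS)      # hostnames compare case-insensitively
```

Two behaviours worth testing on any SNI-based setup: a client that sends no SNI at all (older tooling, some scanners) lands on the parent and is served the parent's certificate, and a hostname that matches no child must also fall through rather than fail the handshake.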
(Closing architecture slide: Controller (control plane) and Service Engines (data plane) across bare metal, virtualized, containers / Mesos, and public cloud. Universal solution for both traditional and modern use cases; automation, highly programmable, plug-n-play; built-in predictive analytics with actionable insights; separate control and data plane, managed as one rather than many devices.)

Presentation on how to chat with PDF using ChatGPT code interpreter
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Adopting Modern SSL / TLS

1. Avi Tech Corner #4: Adopting Modern SSL / TLS
   Nathan McMahon, Product Management
   Copyright Avi Networks 2018
2. SSL / TLS Termination
   • SSL termination has become synonymous with load balancing
   • Legacy hardware load balancers are sized and purchased by SSL TPS
   • HTTP/2 and HTTP/3 effectively mandate TLS encryption
   (Diagram labels: HTTPS, HTTPS, HTTP)
3. Hardware Versus Software
   TLS termination in software is:
   • More secure
   • More scalable
   • Less expensive
   Software based encryption is used by:
   • The largest sites on the Internet
   • Avi Vantage
   (Diagram of termination modes: client connection encrypted; server connection encrypted; both sides encrypted; encryption is between client and server, no decryption at Avi)
4. RSA Versus ECC
   • Elliptic Curve Cryptography is brand new, only about 33 years old
   • Every browser supports Elliptic Curve Cryptography
   • Avi supports both RSA and ECC
   • A VS may be configured with both cert types at once
   • The cert used is determined by the ordering of ciphers
   • ECC gives about 2.5x the TPS performance of RSA
   • A 256-bit ECC key is equivalent in security to a 3k-bit RSA key
   • ECC provides better support for Perfect Forward Secrecy
5. Perfect Forward Secrecy
   Mitigate Man-in-the-Middle Attacks
   • Better security: each connection derives its session key from a fresh ephemeral key rather than from the certificate's long-lived private key, so a later compromise of that private key does not expose recorded sessions
   • TLS 1.3 requires Perfect Forward Secrecy
   • PFS will blind network monitoring solutions that decrypt captured traffic with a copy of the server's private key
   (Diagram: TLS negotiated without forward secrecy versus TLS negotiated with forward secrecy)
6. PFS Blinds Network Monitoring Solutions
   Maintain Network Visibility
   • Avi provides very rich analytics
     – 500 metrics per VS
     – Billions of data points a day
   • Avi can mirror traffic to an IDS or NPM
     – Traffic can be encrypted using a new key
     – Traffic can be sent unencrypted
   (Diagram labels: HTTPS, HTTPS, HTTP, IDS / NPM)
7. TLS Performance
   PFS Performance
   • PFS with RSA takes ~ 40% hit over non-PFS
   • PFS with ECC takes ~ 15% hit over non-PFS
   Scale
   • Performance scales nearly linearly across CPU cores
   • Performance scales nearly linearly across Service Engines

   Cipher                          Key   PFS   TPS per Core
   ECDH-ECDSA-AES256-SHA           EC    N     3000
   ECDHE-ECDSA-AES128-GCM-SHA256   EC    Y     2500
   AES128-GCM-SHA256               RSA   N     1000
   DHE-RSA-AES128-GCM-SHA256       RSA   Y     550

   3x active/active Service Engines
   2x CPUs per Service Engine
   12 cores per CPU
   ------------------------------------------
   3 * 2 * 12 * 2500 = 180,000 TPS
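Slide 4 says the certificate a VS presents is decided by cipher ordering, and slide 7 tabulates per-core TPS by cipher, key type and PFS. The following added example (written for this page, not Avi code) reads key type and forward-secrecy status straight out of OpenSSL-style cipher names, models the server-preference cipher selection that picks the cert, and repeats the slide's capacity arithmetic. The `TPS_PER_CORE` table reproduces the slide's numbers as given; the TLS 1.3 handling (`TLS_...` suites, always ephemeral) goes slightly beyond the slide's table.

```python
# Added example, not Avi's code. TPS_PER_CORE copies the slide's table; the
# numbers are the slide's figures, not measurements made by this script.
TPS_PER_CORE = {
    "ECDH-ECDSA-AES256-SHA": 3000,
    "ECDHE-ECDSA-AES128-GCM-SHA256": 2500,
    "AES128-GCM-SHA256": 1000,
    "DHE-RSA-AES128-GCM-SHA256": 550,
}

AUTH_TO_KEY = {"ECDSA": "EC", "RSA": "RSA"}


def classify_cipher(name):
    """Return {'key': 'EC'|'RSA'|'any', 'pfs': bool} for an OpenSSL cipher name.

    Forward secrecy comes from an ephemeral key exchange (ECDHE / DHE); static
    ECDH or RSA key transport does not provide it. The authentication algorithm
    (ECDSA or RSA) is what decides which of the two certs on a VS gets used.
    TLS 1.3 suites (TLS_...) always use ephemeral (EC)DHE and work with either cert.
    """
    if name.startswith("TLS_"):
        return {"key": "any", "pfs": True}
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "EDH"):
        pfs, auth = True, parts[1]
    elif parts[0] == "ECDH":
        pfs, auth = False, parts[1]
    else:                      # e.g. AES128-GCM-SHA256: RSA key transport, RSA auth
        pfs, auth = False, "RSA"
    return {"key": AUTH_TO_KEY.get(auth, auth), "pfs": pfs}


def select_cipher(server_preference, client_offer, cert_types):
    """Pick the cipher a handshake settles on when the server's order wins: the
    first server-preferred suite the client also offers and for which the VS
    holds a matching certificate. Returns (cipher, key_type) or None."""
    offered = set(client_offer)
    for cipher in server_preference:
        if cipher not in offered:
            continue
        key = classify_cipher(cipher)["key"]
        if key == "any" or key in cert_types:
            return cipher, key
    return None


def estimate_tps(cipher, service_engines, cpus_per_se, cores_per_cpu):
    """Repeat the slide's arithmetic: 3 SEs * 2 CPUs * 12 cores * 2500 = 180,000."""
    return service_engines * cpus_per_se * cores_per_cpu * TPS_PER_CORE[cipher]


def pfs_penalty(pfs_cipher, non_pfs_cipher):
    """Fraction of per-core TPS lost by moving from a non-PFS suite to the PFS
    suite with the same key type (the slide's ~15% ECC / ~40% RSA hits)."""
    return 1 - TPS_PER_CORE[pfs_cipher] / TPS_PER_CORE[non_pfs_cipher]


if __name__ == "__main__":
    for cipher, tps in TPS_PER_CORE.items():
        print(f"{cipher:32} {classify_cipher(cipher)}  {tps} TPS/core")
    print("cluster TPS:", estimate_tps("ECDHE-ECDSA-AES128-GCM-SHA256", 3, 2, 12))
    print("ECC PFS penalty:", pfs_penalty("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES256-SHA"))
```

Computed from the table as printed, the penalties come out at about 17% for ECC and 45% for RSA, which is what the slide rounds to ~15% and ~40%. `select_cipher` shows the slide-4 point in practice: put the ECDHE-ECDSA suites ahead of the ECDHE-RSA ones and a VS holding both certs will serve the EC cert to any client that offers ECDSA suites.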
8. Certs / Keys
   Securing Private Keys
   • Keys are stored and encrypted in the Controller's database – they are not stored on the SE
   • Export of the private key can only be done by an account with WRITE access
   • Exporting a private key logs an event in the audit trail
   • The private key is scrubbed from the GET API response unless export_key = True
   • Specify a passphrase to ensure the key is not exportable in clear text
   • HSMs are supported for FIPS compliance
9. SSL Termination
   Automated Cert Renewal
   • Soon-to-expire certs incur a security health score penalty
   • Set alerts to remind admins of expiring certs at 30-day, 7-day and 1-day intervals
   • Automate certificate renewal via:
     – Venafi
     – CERT+
     – Custom scripts via Security > "Certificate Management"
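The 30 / 7 / 1 day reminders on slide 9 are easy to get wrong around the edges (a cert with nine hours left, a cert that already expired). This added example, not part of the slides or Avi's product, turns the slide's intervals into a small expiry classifier over `notAfter` strings in the format `ssl.getpeercert()` returns. The 30-day window used for the "soon to expire" penalty is an assumption; the slide does not state the threshold, and the sample inventory is constructed.

```python
# Added example, not Avi code. Classifies certificates by the slide's
# 30 / 7 / 1 day reminder intervals using only the standard library.
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 7, 1)   # reminder intervals from the slide
PENALTY_DAYS = 30         # assumption: the slide does not say when the penalty starts


def expiry_status(not_after, now=None):
    """Classify one certificate by its notAfter date.

    not_after uses the format ssl.getpeercert() returns, e.g. 'Jan  5 09:34:43 2018 GMT';
    ssl.cert_time_to_seconds() interprets it as UTC. now may be an aware datetime or an
    ISO-8601 string. Returns whole days left, which reminder applies (None outside the
    30-day window, 'expired' once the date has passed) and whether the penalty applies.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    remaining = ssl.cert_time_to_seconds(not_after) - now.timestamp()
    if remaining <= 0:
        return {"days_left": 0, "expired": True, "alert": "expired", "penalty": True}
    days_left = int(remaining // 86400)
    # smallest interval that still covers the remaining time: 26 days -> 30, 4 -> 7, 0 -> 1
    alert = next((d for d in sorted(ALERT_DAYS) if days_left <= d), None)
    return {"days_left": days_left, "expired": False, "alert": alert,
            "penalty": days_left <= PENALTY_DAYS}


def expiring_certs(inventory, now=None):
    """Run expiry_status over {'name': ..., 'notAfter': ...} records and return
    only the ones that need attention, most urgent first."""
    flagged = []
    for cert in inventory:
        status = expiry_status(cert["notAfter"], now)
        if status["alert"] is not None:
            flagged.append({"name": cert["name"], **status})
    return sorted(flagged, key=lambda s: s["days_left"])


# Constructed sample inventory (not real certificates)
SAMPLE_INVENTORY = [
    {"name": "www-cert", "notAfter": "Jan  5 09:34:43 2018 GMT"},
    {"name": "api-cert", "notAfter": "Mar  1 00:00:00 2018 GMT"},
    {"name": "old-cert", "notAfter": "Dec  1 00:00:00 2017 GMT"},
]

if __name__ == "__main__":
    for status in expiring_certs(SAMPLE_INVENTORY, "2017-12-10T09:34:43+00:00"):
        print(status)
```

Feeding `ssl.getpeercert()["notAfter"]` from a live connection, or the `notAfter` field of an exported inventory, into `expiring_certs` gives the same list the slide's alerts would raise; the sort puts expired certs (days_left 0) first.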
10. Hardware Versus Software
   TLS termination in software:
   • More secure: software allows for quick adoption of fixes and new TLS tech
   • More scalable: software allows for incremental capacity scaling
   • Less expensive: software leverages inexpensive x86 compute for better price/perf
11. Workshops: avinetworks.com/workshop
   Webinars: 1 Million TPS
   Webinars: Next webinar is on Kubernetes
   avinetworks.com/webinars/
12. SSL Redirects
   HTTP to HTTPS Redirect
   • Via the HTTP application profile > Security > SSL Everywhere
     – HTTP (port 80) and HTTPS (port 443) configured on the same VS
     – Can include server redirect rewrites
     – SSL Everywhere enables HSTS. This is recommended for production, but potentially dangerous for lab environments. Leave disabled if you are unsure
   • Via HTTP Request Policy
   • Via DataScript:
     avi.http.redirect( "https://" .. avi.http.hostname() .. avi.http.get_uri() )
13. SSL Redirects
   HTTP Strict Transport Security (HSTS)
   • HSTS forces browsers to connect only via HTTPS for a period of time (usually 1 year)
   • HSTS tells browsers not to connect if the cert is expired, for the wrong domain, or otherwise invalid
   • HSTS is recommended for stable, production sites
   • HSTS is not recommended for labs where certs are temporary or self-signed
   • HSTS is enabled via the HTTP profile's SSL Everywhere setting, and is already enabled in the Secure-HTTP-Profile
   • Leaving HSTS disabled incurs a security penalty in Avi and in 3rd-party SSL tools such as Qualys SSL Labs
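Slides 12 and 13 together describe the redirect-plus-HSTS setup and its one real hazard: HSTS on a lab host with a throwaway cert. This added example (not the DataScript or Avi code, though `build_https_redirect` does the same thing as the slide-12 DataScript) builds the redirect, parses a `Strict-Transport-Security` header, and assesses it per environment the way the slide recommends. The hostname check in the redirect builder and the 301 status are this example's own choices; the one-year threshold follows the slide's "usually 1 year".

```python
# Added example, not Avi code: HTTP->HTTPS redirect plus an HSTS policy check.
import re

ONE_YEAR = 365 * 24 * 3600                        # the slide's "usually 1 year"
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")


def is_safe_host(host):
    """A Host value usable in a Location header: hostname characters and an optional port."""
    return bool(host) and HOSTNAME_RE.fullmatch(host) is not None


def build_https_redirect(host, uri, status=301):
    """Same effect as the slide's DataScript: send the client to the same host and URI
    over https. The host is validated first so a malformed Host header cannot put
    anything unexpected into Location (assumption: this check is the example's own)."""
    if not is_safe_host(host):
        raise ValueError(f"refusing to redirect to malformed host {host!r}")
    return status, {"Location": f"https://{host}{uri}"}


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers, environment="production"):
    """Assess a response's HSTS policy as the slide recommends.

    'production' expects HSTS with a max-age of at least one year and reports the
    penalty when the header is absent. 'lab' (temporary or self-signed certs) warns
    when HSTS is present, because browsers that have seen it will refuse to connect
    once the cert is bad.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return {"present": False, "max_age": None,
                "penalty": environment == "production", "warning": None}
    parsed = parse_hsts(value)
    warning = None
    if environment == "lab":
        warning = "HSTS is set in a lab environment; browsers will pin HTTPS for this host"
    elif parsed["max_age"] is None or parsed["max_age"] < ONE_YEAR:
        warning = "max-age is shorter than the recommended one year"
    return {"present": True, "max_age": parsed["max_age"], "penalty": False,
            "warning": warning, "include_subdomains": parsed["include_subdomains"],
            "preload": parsed["preload"]}


if __name__ == "__main__":
    print(build_https_redirect("www.example.com", "/login?next=%2F"))
    print(check_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
    print(check_hsts({"Strict-Transport-Security": "max-age=31536000"}, environment="lab"))
```

Running `check_hsts` over the response headers of each VS, with the environment taken from the VS's tenant or naming convention, gives a quick audit of the slide's two rules: production sites without HSTS lose health score, and lab sites with HSTS are about to lock their users out.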
14. SSL Redirects
   Server Name Indication
   • SNI is often overlooked because it is labeled “Virtual Hosting” in the VS
   • A single VIP can accept SSL requests for multiple TLS-encrypted sites or domain names
   • Similar to the VS > Pool mapping, Avi uses a Parent VS > Child VS mapping
   • The Parent VS contains the VIP information and SSL profile, and is a catchall for requests that do not match a child VS
   • A Child VS is mapped to a domain name and its corresponding cert, and otherwise behaves as a normal VS
   (Diagram: Parent VS at 10.1.1.1:443; Child VSes a.avi.com, b.avi.com, c.avi.com; pools pool_a, pool_b, pool_c1, pool_c2)
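The parent/child dispatch on slide 14 is a lookup keyed on the SNI host name, with the parent as catchall. This added example (not Avi's implementation) models that dispatch with the names from the slide's diagram, including the edge cases a practitioner hits: mixed-case or trailing-dot names, an empty SNI, and an IP literal, which RFC 6066 does not allow as an SNI host name and therefore falls through to the parent. The parent's own pool list is an assumption (the slide does not show one).

```python
# Added example, not Avi code: SNI-based Parent VS -> Child VS dispatch.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ChildVS:
    domain: str
    cert: str
    pools: list


@dataclass
class ParentVS:
    vip: str
    port: int
    cert: str                               # default cert for non-matching or missing SNI
    children: dict = field(default_factory=dict)

    def add_child(self, child):
        self.children[child.domain.lower()] = child

    def route(self, server_name):
        """Return which VS handles the handshake, the cert it presents, and its pools."""
        name = normalize_sni(server_name)
        child = self.children.get(name) if name else None
        if child is None:                   # catchall: parent VS, parent cert
            return {"vs": "parent", "cert": self.cert, "pools": []}
        return {"vs": child.domain, "cert": child.cert, "pools": list(child.pools)}


def normalize_sni(server_name):
    """Lowercase, drop a trailing dot, and return None for values that cannot be a
    valid SNI host_name (empty, or an IP literal, which RFC 6066 forbids)."""
    if not server_name:
        return None
    name = server_name.strip().rstrip(".").lower()
    if not name:
        return None
    try:
        ipaddress.ip_address(name)
        return None
    except ValueError:
        return name


def build_example():
    """The layout from the slide's diagram (constructed cert names)."""
    parent = ParentVS(vip="10.1.1.1", port=443, cert="parent-default-cert")
    parent.add_child(ChildVS("a.avi.com", "cert-a", ["pool_a"]))
    parent.add_child(ChildVS("b.avi.com", "cert-b", ["pool_b"]))
    parent.add_child(ChildVS("c.avi.com", "cert-c", ["pool_c1", "pool_c2"]))
    return parent


if __name__ == "__main__":
    vs = build_example()
    for sni in ("a.avi.com", "C.AVI.COM.", "other.avi.com", "10.1.1.1", None):
        print(repr(sni), "->", vs.route(sni))
```

The catchall behaviour is the security-relevant part: anything that is not an exact child match, including clients that send no SNI at all, gets the parent's cert and the parent's configuration, so the parent should carry a cert and policy you are comfortable presenting to unknown names.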
15. <marketing>
   Bare Metal | Virtualized | Containers | Public Cloud
   CONTROL / DATA: Service Engines, Controller, MESOS
   • Universal Solution: both traditional and modern use cases
   • Automation: highly programmable, plug-n-play
   • Built-In Predictive Analytics: actionable insights key to automation
   • Separate Control and Data Plane: manage as one, not many devices

Editor's Notes

  1. Keys are stored and encrypted (AES-256-CBC)