Array Networks - A Layered Approach to Web and Application Security
Encryption creates the need for at least two levels of security. ADCs provide high availability and a secure layer for SSL traffic termination, decryption, inspection and forwarding to advanced security appliances for further inspection.
Ed Keiper is a senior systems engineer with Array Networks. His background includes 10+ years of experience in cloud computing, infrastructure and security.
@NTXISSA #NTXISSACSC4 NTX ISSA Cyber Security Conference – October 7-8, 2016
Array Networks at-a-glance
Founded: 2000
Headquarters: Milpitas, CA, USA
Employees: 250+
Market: Application Delivery Networking
Products: Application Delivery Controllers (ADC); Secure Access Gateways (SSL VPN)
Segments: Enterprise, Service Provider, Public Sector
Technology: 30+ Patents
Customers: 5000+ Worldwide
Meeting Enterprise-Class Requirements For Over 10 Years
Why a multi-layer approach?
§ Encryption creates the need for at least two levels of security
- SSL (HTTPS) traffic passes directly through traditional firewalls,
bypassing rules, policies and inspection
- SSL traffic on the rise, used for both remote and mobile access and for
an ever increasing number of Web sites and applications
Multi-layer security protects against…
DoS (Denial of Service)
Back Doors
Flash Events
Web Exploitation & Defacing
Land Attack
Ping Attack
SYN Flood Attack
Unreachable Host Attack
Tear Drop Attack
Buffer Overflow Attack
Parser Evasion Attacks
Directory Traversal Attack
High Bit Shellcode Protection
Security Exploitation (Port scan)
Cross Site Scripting
Impersonation & Breach of Privacy
Code Red
SQL Injection
Heartbleed
Multi-layer security architecture (cont.)
§ Firewall perimeter security
- The first line of defense, rules-based network level packet filtering; no
visibility to SSL
§ SSL termination and traffic inspection
- Traffic from secure applications is terminated on ADCs; the decrypted
and inspected traffic may be sent to servers or to advanced security
appliances for further inspection
- Traffic from remote access users is terminated on SSL VPNs; the decrypted
and inspected traffic may be sent to servers or to advanced security
appliances
§ Advanced security appliances
- Further inspection of smaller volume of pre-screened traffic
Multi-layer security architecture (cont.)
§ Layer-3 stateful packet filtering
- Per-customer interface (VLAN/MNET), ingress packet filtering
(source/destination IP, port, protocol), 1000 ACLs, packet deny/drop log,
dynamic access list, permit-only network access
§ Layer-4 TCP stateful inspection
- TCP stateful inspection, L4 packet sanitization, reverse proxy (client packet
does not touch server), syn-cookie protection against TCP SYN floods and
DoS attacks
§ Layer-7 content filtering, WAF & DDoS
- URL filtering, configurable access control (limit connections per port to
prevent DDoS attack), application session control, HTTP protocol
validation and policy filtering, attack signature filtering, input validation,
XSS prevention, virtual patching
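As an added illustration (not Array's code and not part of the deck), the three filtering stages on this slide as one inspection pipeline in Python: a permit-only L3 ACL, an L4 per-port connection limit, and L7 HTTP protocol validation with attack-signature filtering, with every denial written to a deny/drop log. The ACL, the connection limit, the signatures and the sample requests are all constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

L3_ACL = [(ip_network("10.0.0.0/8"), 443, "tcp"), (ip_network("0.0.0.0/0"), 80, "tcp")]  # permit-only
L4_MAX_CONN_PER_PORT = 3  # hypothetical value for "limit connections per port"
L7_SIGNATURES = {"directory_traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),   # signature filtering,
                 "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I)}  # input validation
deny_log = []             # packet deny/drop log: (src, verdict, reason)

def layer3(pkt):
    """L3 ingress ACL on source IP, destination port and protocol; unmatched traffic is dropped."""
    src = ip_address(pkt["src"])
    return any(src in n and pkt["dport"] == p and pkt["proto"] == pr for n, p, pr in L3_ACL)

def layer7(request):
    """L7 HTTP protocol validation, then attack-signature matching on the request target."""
    parts = request.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or parts[0] not in {"GET", "POST", "HEAD"} or not parts[2].startswith("HTTP/1."):
        return "protocol_violation"
    return next((name for name, sig in L7_SIGNATURES.items() if sig.search(parts[1])), None)

def inspect(pkt, conns):
    """Run one decrypted request through L3 -> L4 -> L7 and return (verdict, reason)."""
    if not layer3(pkt):
        verdict = ("drop", "L3:acl_deny")
    elif conns[pkt["dport"]] >= L4_MAX_CONN_PER_PORT:   # L4: limit connections per port
        verdict = ("drop", "L4:conn_limit")
    else:
        conns[pkt["dport"]] += 1                         # connection accepted by the reverse proxy
        hit = layer7(pkt["payload"])
        verdict = ("block", "L7:" + hit) if hit else ("forward", "server")
    if verdict[0] != "forward":
        deny_log.append((pkt["src"],) + verdict)         # the slide's packet deny/drop log
    return verdict

def run(packets):  # process a batch against a fresh per-port connection table
    conns = Counter()
    return [inspect(p, conns) for p in packets]

def make_pkt(src, dport, payload):  # constructed request as the ADC sees it after SSL termination
    return {"src": src, "dport": dport, "proto": "tcp", "payload": payload}
SAMPLE = [
    make_pkt("10.1.2.3", 443, "GET /index.html HTTP/1.1\r\nHost: app\r\n\r\n"),  # clean, permitted
    make_pkt("203.0.113.9", 443, "GET / HTTP/1.1\r\n\r\n"),                    # no ACL match: L3 drop
    make_pkt("10.1.2.4", 80, "GET /static/../../app.conf HTTP/1.1\r\n\r\n"),    # traversal signature
    make_pkt("10.1.2.5", 80, "GET /s?q=<script>1</script> HTTP/1.1\r\n\r\n"),   # XSS signature
    make_pkt("10.1.2.7", 80, "FOO / HTTP/1.1\r\n\r\n"),                         # protocol violation
    make_pkt("10.1.2.6", 80, "GET / HTTP/1.1\r\n\r\n"),                         # 4th conn on :80: L4 drop
]
```

Only the first request reaches the server; each of the others is stopped at the earliest layer that can decide, which is the point of pre-screening before the smaller volume goes to the advanced appliances.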
SSL VPN multi-layer security
§ End-point security
- Scan for personal firewalls, anti-virus software, browsers, operating
systems, service packs, patches – apply adaptable remediation options for
non-compliant clients
§ Advanced authentication, authorization and auditing
- LDAP, Microsoft Active Directory, RADIUS, RSA SecurID, LocalDB, SSL client
certificates, multi-factor authentication including RSA, Duo, Swivel,
Syferlock and others
§ Deep packet inspection and WRM
- Buffer overflow protection, syn-flood protection, URL filtering,
configurable access control (limit connections per port to prevent DDoS
attack), Web resource mapping with payload inspection and HTTP NATing
SSL VPN security architecture
(Diagram: End Point Security, SSL, AAA, FW and Proxy stages in front of File Shares, Web Apps, Networks and Desktops)
End Point Security
• Host Checking
• Adaptive Policies
• Secure Desktop
• Cache Cleaning
• Eliminates all elements of browser cache
• Local sandbox prevents data leakage
SSL
• All standard cipher-suites
• Hardware-accelerated
• 2048-bit key lengths
• Client-side certificates
• Complete separation between non-secured and secured networks
AAA
• Supports all industry standards (AD, RADIUS, LDAP, SecurID)
• RSA certified
• Unique SSL integration
• Fine grain ACLs
• L3, L4 and L7
• External mapping
• Black list and white list
• Full audit trail
• Who, what and when
• Syslog support
• Configurable email alerts
FW
• Denial of Service (DoS) attack protection
• ACLs (Layer 4)
• URL filtering (Layer 7)
• Network probe logging
Proxy
File Shares
• Clientless access to shared directories
• CIFS/NFS
Web Apps
• Clientless Web application support
Networks
• Full L3 VPN
• Any IP protocol
• L4 redirection
Desktops
• Desktops
• Terminal Server Applications
SSL VPN secure remote and mobile access
§ Any resource, any access method, any device, anywhere
Users: Remote Workers & Road Warriors on Laptops; Home & Small Office Workers on PCs; Mobile Workers on Smart Phones & Tablets
Resources: Physical & Virtual Desktops; Client Server & Mobile Apps; File Sharing; Web Applications; Remote Networks & Infrastructure
- Limits network exposure and guards against data leakage
- Improves productivity
Multi-layer security architecture (cont.)
§ Security
- SSL encryption, WAF, Web proxy
- Application-level data protection
§ Acceleration
- SSL offloading, compression, caching, traffic shaping, etc.
- 10x better server efficiency and application performance
§ High availability
- Server load balancing, GSLB, link load balancing
- 24/7 application uptime
(Diagram: External Users and Internal Users reach Application Servers and Storage through the ADC)
Hardware and software portfolio
APV Series – Application Delivery Controllers
- Availability, scalability, performance, control and security for applications, Web sites, online transactions and cloud services
- Load balancing, SSL offloading, caching, compression, application security, L7 scripting and other network functions
- Achieves ROI by improving application performance and server efficiency
AG Series – Secure Access Gateways
- Secure access to business applications from any remote or mobile device for any user anywhere
- SSL VPN virtual portals, L3 – L7 access, AAA, end-point security, single sign-on, Web firewall and dual-factor authentication
- Achieves ROI by increasing productivity and mitigating business disruptions
Security-hardened OS and platform
§ Only exposes service ports – no backdoors
§ Secured network management – SSL and HTTPS
- Explicitly disallows Telnet due to the security risk of account/password sniffing
§ Tested and hardened against a range of network attacks
- Hacking tools from eEye (ncx.exe, iishack.exe)
- Nessus scan
- NMAP
- Filters malformed packets such as Smurf attacks and local broadcast
attacks
§ High-availability and cluster capability
Proprietary secured SSL stack
§ Used for all production traffic, proven immune to Heartbleed, Bash,
Shellshock and other recent vulnerabilities
- Customers did not need to patch or remediate any Array products
- Bought time for remediation and patching of backend servers as
necessary
§ Delivers both better security and higher levels of performance
- Pared-back, buttoned-down design runs faster and presents fewer attack
vectors
- Cannot guarantee 100% immunity from all potential vulnerabilities, but has
proven to provide a higher level of security and immunity vs. OpenSSL
Flexible appliance options
• Dedicated, multi-tenant and virtual ADC appliances
• Enables IaaS providers to offer customers a full range of load balancing service options optimized either for flexibility or performance
vAPV – Virtual ADC (flexibility end of the range)
• VMware, XenServer, OpenXen and KVM
• Scalable from 10Mbps to 4Gbps
AVX10650 – Multi-Tenant ADC
• Up to 32 vAPV ADC instances
• Dedicated SSL, I/O, compute resources
APV Series – Dedicated ADCs (performance end of the range)
• Scalable from 2Gbps to 120Mbps
• Proven cloud track record
APV Series platforms
PHYSICAL & VIRTUAL APPLIANCES SCALING UP & OUT FOR
Virtual appliance: supports 1 to 16 vCPUs; VMware, XenServer, OpenXen, KVM, Hyper-V
APV1600/T: 3.5/2.5 Gbps, 2/2K SSL TPS
APV2600: 18 Gbps, 5.5K SSL TPS
APV3600: 37 Gbps, 35K SSL TPS
APV3650: 30 Gbps, 25K SSL TPS
APV6600: 35 Gbps, 25K SSL TPS
APV6600FIPS: 35 Gbps, 9K SSL TPS
APV7600: 80 Gbps, 70K SSL TPS
APV10650: 120 Gbps, 70K SSL TPS
APV11600: 140 Gbps, 70K SSL TPS
AVX Series: virtualized multi-tenant appliances – up to 16 or 32 vAPV instances, 65 or 115 Gbps and 35K or 70K SSL TPS per system
AG Series product line
PHYSICAL & VIRTUAL APPLIANCES SCALING UP & OUT FOR
Virtual appliance (VMware, XenServer, OpenXen, KVM): 10,000 Concurrent Users
AG1000: 300 Concurrent Users
AG1000T: 600 Concurrent Users
AG1100: 3000 Concurrent Users
AG1150: 10,000 Concurrent Users
AG1200: 25,000 Concurrent Users
AG1500/AG1500FIPS: 72,000 Concurrent Users
AG1600: 128,000 Concurrent Users
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you