Application networking solutions provider A10 Networks has added distributed denial-of-service (DDoS) protection to its Thunder CGN (Carrier Grade Networking) products, and has introduced a new product family that leverages the company’s Security and Policy Engine (SPE).
Thunder CGN solutions are built upon the company’s Advanced Core Operating System (ACOS) platform and provide high-performance address and protocol translation that enables organizations to extend their IPv4 network connectivity, and provides them with IPv6 migration capabilities. According to A10 Networks, the new DDoS protections are designed to help carriers and service providers secure their IPv4 and IPv6 address pools, and guard networks against both internal and external attacks.
The DDoS protection includes features like connection rate limiting, which limits per user connection rate and the total number of sessions to mitigate malware and botnet attacks; selective dynamic filtering, which prevents spoofing, reflection and flood attacks (DNS, NTP, SYN); IP anomaly filtering, which automatically checks inbound traffic for over 30 IP packet anomalies; and adaptive traffic distribution to prevent congestion.
There are three main use cases for the new DDoS protections, the company told SecurityWeek. First, the appliances incorporate features designed to protect the device itself against external attacks. Next, the protection mechanisms are highly efficient in protecting internal hosts and services against outside cyberattacks, A10 said.
Finally, the appliances can also provide protection against internal attacks. These cases occur when an internal host is compromised and used to attack external hosts, and to bring down all users behind a Network Address Translation (NAT) pool.
Kishore Inampudi, director of product marketing for A10 Networks, told SecurityWeek that Thunder CGN products include logging mechanisms that can help IT teams track down the compromised host.
“DDoS has rapidly become a significant and escalating threat to all customers, and is particularly worrisome for large service providers, enterprise and web giants whose business is entirely or largely predicated on network and application availability,” said Jason Matlof, A10 Networks vice president of marketing. “By adding DDoS mitigation functionality at the critical network perimeter NAT gateway, A10 gives customers another important layer of security and uptime protection.”
The Thunder SPE product family launched by A10 Networks enables enterprises to implement security and policy enforcement functions at high speed. The robust security and processing hardware incorporated into these solutions is designed to ensure full system functionality even during volumetric attacks, the company said.
According to A10 Networks, Thunder SPE appliances are capable of performing security and any other policy-based networking actions in hardware. Furthermore, policies are enforced at high speeds even in dynamic cloud environments where changes occur frequently.
Top of the line products like Thunder 6435(S) SPE come with Dual Xeon processors with 24 cores and they deliver up to 40% boost in processing performance. The appliance can handle 155 Gbps throughput, 100 million packets per second, 7.5 million setups per second, and 256 million concurrent sessions, data sheets provided by the company show.
“Threat detection and mitigation is rapidly becoming a performance game, where the sophistication and volume of attacks are specifically designed to overwhelm lesser performing network devices, thus rendering a provider’s network infrastructure and applications vulnerable to downtime and further threats,” Matlof explained. “With leading high-performance hardware systems, A10 is able to offer protection against aggressive attacks to customers in the most challenging threat environments.”
In January 2014, the company launched a line of standalone, high performance DDoS protection appliances targeted to service providers and large enterprises, putting the company in direct competition with other vendors such as Arbor Networks, Radware, Corero Network Security and NSFOCUS, among others.