Application Delivery Controller
Oplon ADC is the solution created to solve the needs for Application Visibility and Security in enterprise environments. With high performance and advanced balancing and security features, it can optimize application reliability while improving the user experience.
Oplon ADC is the Application Delivery Control platform created to work in modern virtualized environments both on premise and in the Cloud, taking advantage of the enormous computing power available today and allowing them to be used natively in these environments.
Oplon ADC offers a traffic balancing and routing system L2-3 and application level 4 TCP UDP, 7 (HTTP/S, DNS) with session affinity features, capable of high scalability on modern multiprocessor/multithreaded systems with on-chip encryption features (AES-NI or on-board/on-chipencryption functionality).
In a modern, high-reliability information system, the ADC component thus becomes the fulcrum from which the service requests of the operators to the delivery points flow.
From the architectural point of view the positioning is a Full Reverse Proxy going to insert a layer of Application Delivery Control to manage the multiple applications that make up a service and to offer a data analysis engine to L4/L7.
With Oplon ADC, various types of both static and dynamic L2-L3, L4-L7 balancing can be used. Oplon ADC is intended for high reliability environments and allows session routing data to be maintained even if one of the two nodes goes down.
The balancing functions are ensured by Adaptative (adaptive-active) algorithms able to route requests in weighed mode to backend services. The algorithm, by detecting application stress, dynamically assigns new requests for the most discharged services ensuring maximum efficiency of supply. The ability to associate routing rules by real-time verification of the geographical origin of the request are an integral part of the solution.
The Oplon ADC solution, acting as a Full Reverse Proxy, allows to inspect, analyze and react in the event of abnormal use of resources. All connections passing through ADC layer are terminated and constantly analyzed and catalogued, identifying abnormal events and implementing actions to guarantee the continuity of supply.
Within the Oplon product suite, in addition to the ADC component, additional functionalities that can be enabled through an appropriate licensing model are available.
Oplon ADC can terminate SSL/TLS connections. The Oplon ADC solution, through its advanced end-to-end tunneling and encryption functionalities, is able to guarantee a secure access to services natively, guaranteeing a single point of control and security.
Oplon ADC offloading acceleration uses the latest on-chip encryption technologies (AES-NI or on-chip encryption functionality) even in virtual and Cloud environments.
The use of these parallel encryption technologies allows to drastically accelerate the activities that were once delegated to external ASICs chips that in multi-core environments formed bottlenecks and introduced latencies due to the dislocation external to the processor as well as presenting problems of use in heterogeneous virtualized or Cloud environments.
The ability to use digital certificates is guaranteed by the powerful offloading system that allows SSL connections to be terminated, strong authentication clients to be required, client certificates to services to be forwarded, and re-encryption operations to be performed at different security levels in the backend.
With Oplon ADC, it is possible to differentiate the SSL/TLS charcateristics of the front-end (client connections) from those of the back-end (connections to end-points/services) at both the SSL/TLS protocol and cipher-suite level.
The SSL/TLS encryption system guarantees the dynamism of the SSL/TLS session to increase the security of the protocol in line with the latest specifications (Perfect Forward Secrecy). SSL Re-encryption technology allows to obtain an encrypted transmission both in the front-end from the clients that require the services to Oplon ADC, and in the back-end, allowing to use different SSL/TLS protocol and cipher-suites while maintaining an efficient routing based on the information transiting within the Oplon ADC.
This makes it possible to maintain a very high level of protection in a centralized manner and to always keep it up-to-date, thus significantly reducing the interventions on the multiple application-server platforms used for application delivery, which can then be updated at different times.
The encryption and digital certificate processing system can make use of TLS-SNI (Server Name Indication) technology that can concentrate the use of multiple digital certificates in a single port-address, drastically reducing the number of exposed IP addresses. This functionality allows for a drastic simplification in terms of networking and firewall rules.
This technology is very useful and when dealing with high volumes of confidential or sensitive information, it allows for the highest available security in service delivery and simultaneously with the application routing functionality that a modern ADC must provide.
Centralized digital certificate management
The extended use of digital certificates must be supported by appropriate tools that allow easy management.
Through the web interface it is possible to create, update, import, export and destroy digital certificates covering the whole life cycle.
The ACME (Automatic Certificate Management Environment) protocol is a protocol for automating interactions between Certification Authorities and users' web servers, allowing digital certificates to be generated and deployed easily and inexpensively.
The ACME protocol is a protocol maintained by IETF and promoted by the Internet Security Research Group which provides a free Certification Authority service for the generation of digital certificates of the Domain Validation type. This service, called Let’s Encrypt, is generally associated with the ACME protocol.
With Oplon ADC, with a simple click it is easy to create and renew Let’s Encrypt certificates directly from a browser or a smartphone.
The data traffic balancing and routing system integrates an Application Firewall system with advanced security features for the prevention of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks that can monitor and catalogue the dynamics of service requests and their evolution in real time.
The system also incorporates a signature-based Web Application Firewall (WAF) functionality that can protect web applications and counter OWASP threats. The WAF features are integrated with the Learning Machine Attack Prophecy system (Powered by PluribusONE) that can detect and remediate application vulnerabilities that would otherwise be impossible to detect.
The Virtual Appliance deployment allows the product to retain all the features of the Enterprise Datacenter appliances while retaining all the functionality and minimizing the initial costs.
The functional characteristics allow to climb towards higher configurations without changing the platform and acquired know-how.
DoS/DDoS VIP iRedCarpet
Oplon DDoS Attack Mitigation leverages the advanced features of the forwarding engine to mitigate and resolve DoS/DDoS attacks. The DDoS Attack Mitigation solution is based on application stress (with a reaction time within 50 milliseconds) and is able to control traffic flows by discriminating them at the application level, by type of user, service, IP, subnet, geographical region.
Oplon DDoS Attack Mitigation detects the application stress without the use of agents (agentless) by checking the connections from Layer 4 to Layer 7 and can intervene by deleting/limiting the requests that are causing the stress.
Oplon DDoS Attack Mitigation also allows to temporarily confine attacks from individual IP addresses/subnets.
The algorithm has been designed to identify dynamic IPs and place them temporarily in the condition of not harming without any human intervention.
The innovative algorithm (VIP iRedCarpet ©) allows, in particular moments of “application stress”, to filter up to Layer 7 “useful” traffic from “less useful” traffic, reacting differently depending on the stress conditions and the individual application function or transaction. The system, by means of simple rules, has been designed to privilege the access of connections according to the application type of the requested service, for example by privileging the connections/users who are making payments or those who have already authenticated to the portal or, in the transactional sphere, those who have already started the transaction and have an associated session compared to those who are only browsing in consultation only.
The technology makes it possible to set up application “privileges” in the event of an attack or overload of the entire infrastructure, ensuring unprecedented operational continuity.
DDoS Address in Quarantine is a function capable of identifying sophisticated attempts by a few parties to use resources exclusively. The latter are automatically recognized and excluded by placing the addresses, source of the disruption, in “quarantine” for a fixed period of time. Normally these attacks in fact come from dynamic addresses and therefore can not be entered on public “black lists” directories. Once the “quarantine” time has expired, access to services is made available again.
All features described are included in the single DDoS Mitigation license.