SOLUTION BRIEF

LEVERAGING RSA SECURID AND A10 FOR

OPTIMIZED AUTHENTICATION
Protect, Offload and Scale AAA Servers While Ensuring Availability

The accelerated use of cloud computing, mobile devices and social networks have
Challenge: radically changed the way organizations administer their IT operations. Employees,
In the age of complex Web-based partners, customers and vendors alike now demand secure access to a growing range
applications, unmanaged mobile of applications—from anywhere and on any device. The support of secure, web-
devices and an expanded worldwide based solutions allows end-users to easily switch between applications, as well as
user base, it is increasingly difficult to to send and receive information as required to maximize productivity in today’s fast
ensure data center and resource security.
faced environment.
Organizations must implement strong
authentication systems that properly Whether from on premise or web-based client access, organizations need to validate
validate client access in real time while user identities and ensure protection of sensitive information while eliminating data
providing an enhanced user experience. loss. Resources must be accessible yet remain secure and in regulatory compliance. At
the same time the end user experience must be enhanced with automatic resetting of
Solution:
passwords and with quick access to content.
Combine RSA’s Authentication Manager
and its array of SecurID authenticators Authentication Challenges
with A10 Thunder ADC and AAM module
As networks, data centers and application resources become more complex, it is increasingly
to secure enterprise and cloud-based
difficult to ensure the necessary security. This is compounded by an ever increasing user
operations. This interoperable joint
solution is fully tested and certified base accessing network resources from unmanaged mobile devices via uncontrolled access
to provide a rapid and transparent points such as web portals. With innumerable BYOD clients accessing confidential and
integration of authentication services. sensitive information, it is a constant challenge for IT administrators to identify attempts to
compromise passwords, determine suspicious behavior based on login monitoring, and
Benefits: distinguish end users and machines that deviate from network policies.
• Automatically identify and block
At the same time, organizations of all types, from enterprise to government to cloud services,
unauthorized access using client
run many mission-critical web and business applications – often including Oracle, SAP and
behavioral analysis
Exchange. In most cases, these operations must provide end users and employees with
• Expand security though multi-factor
access to these applications over the Internet, and this brings up a potential security concern
authentication while simplifying login
for IT teams. Organizations need stringent network design and enhanced security policies to
• Scale network security by offloading provide secure remote access to these high value assets.
computational tasks from the
authentication server To protect application servers and other resources from unauthorized access, organizations
turn to strong authentication. This key technique is used to determine whether access should
• Ensure server availability through
be granted to each individual client. Such tools can determine if end users are consuming
advanced load balancing and health
monitoring too many network resources, misusing the network by running restricted protocols or
accessing inappropriate websites. Client admission can be evaluated regardless of location,
• Offer seamless sign-on and validity
time or type of requested resources. Access to public websites, sensitive applications such
checks for BYOD via OCSP
as online banking or shopping portals, and external access to internal assets where internal
• Eliminate multiple authentication
users do not otherwise need authentication are all fully protected.
points from diverse application servers

1
The A10 Networks and RSA Joint Solution methods. Deployed in the DMZ area of the network, the self-
service portal allows users to change their own PIN, request a
RSA® and A10 Networks® have partnered to offer an optimized,
replacement token, request emergency access and access other
proven and interoperable strong authentication solution for
troubleshooting services.
organizations of all sizes and types. The RSA Authentication
Manager combines the strength of RSA SecurID with the Flexibility
convenience and flexibility of risk-based authentication. This RSA Authentication Manager is designed to deliver choice and
tool authenticates requests and centrally administers user flexibility, including a range of authenticators such as hardware
authentication policies for access to enterprise networks. tokens, software tokens, on-demand authentication and risk-based
The A10 Thunder® line of Application Delivery Controllers (ADC) authentication. An organization can mix and match the preferred
provides a multitude of features for intelligent traffic management, type of authenticator and easily provision and manage users on a
application security, content delivery optimization and SSL offload. single console.
With the A10 Thunder ADC Application Access Management (AAM) Choice and flexibility extend to deployment options. RSA
module, authentication servers are divested of excess processing Authentication Manager is offered on a hardware appliance and a
and an extra layer of security is provided. For this solution, RSA virtual appliance. The virtual appliance allows organizations to take full
Authentication Manager and Thunder ADC’s AAM have been jointly advantage of VMware ESX or ESXi virtualization, which dramatically
tested and validated to ensure compatibility and ease of deployment. simplifies deployment. RSA Authentication Manager is designed to
The RSA Authentication Manager Solution support a wide range of options, even including a combination of
virtual and physical appliances.
RSA Authentication Manager provides two-factor authentication to
secure access to virtual private networks (VPNs), wireless networks, Interoperability
web applications, business applications and all kinds of operating RSA Authentication Manager is interoperable with many of the major
environments. This tool leverages the largest set of RSA SecurID network infrastructure and operating system products on the market.
authenticators in the industry with support for numerous soft and The Secured by RSA program, one of the largest alliance programs
physical tokens. Available as a physical or virtual appliance, this server of its type, brings together hundreds of complementary solutions.
provides the flexibility to support a wide range of authentication Including more than 400 products from over 200 vendors, Secured
methods, an advanced risk engine, ease of manageability, and by RSA helps assure that organizations have maximum flexibility and
interoperability with industry-leading products and vendors, including investment protection. Leading vendors of remote access products,
A10 Networks. VPNs, firewalls, wireless network devices, web servers and business
Risk-based Authentication applications have built-in support for RSA Authentication Manager.
And RSA has worked with A10 Networks to ensure full system level
Risk-based authentication (RBA) is designed to protect access to
compatibility of A10 Thunder ADC.
the most common web-based applications, including SSL VPNs,
web portals, Outlook Web Access (OWA) and Microsoft SharePoint A10 Thunder ADC with Application Access Management
environments. With the addition of RBA into the RSA Authentication Authentication Offload
Manager portfolio, organizations can now cost-effectively secure A10’s Application Access Management (AAM) solution, included with
access to a wider range of applications than ever before. all A10 Thunder ADC appliances, is a set of services for optimizing and
The RSA Risk Engine is a proven technology that powers the most enforcing authentication and authorization for client-server traffic.
convenient method of strong authentication. Not a static, rules-based This module functions transparently, and it is interoperable with
system, the risk engine employs a combination of real-time device RSA Authentication Manager to offload computational tasks from
and behavioral analytics and dynamically adapts its risk model as new both application and RSA’s authentication servers. Authentication
information is collected. Low-risk users are authenticated transparently, processing adds overhead, and when multiple servers are involved,
while high-risk users are prompted to provide an additional proof of management complexity increases. Authentication servers can also be
identity. RBA offers strong authentication that is cost-effective and vulnerable to attacks.
convenient for both end users and IT administrators. With AAM, the A10 Thunder ADC appliance acts as an edge
Manageability authentication point for web services. Administrators can offload the
RSA Authentication Manager includes a suite of built-in features drain of authentication processing to the A10 Thunder ADC, thereby
that address the most time-consuming and costly tasks associated increasing server efficiency and adding an extra layer of protection for
with managing an enterprise authentication suite. The user web servers. AAM also offers Online Certificate Status Protocol (OCSP),
dashboard is a convenient single-pane view designed to enable which enables seamless sign-on and validity checks for BYOD and
Help Desk administrators to quickly address the most common similar devices using certificate-based authentication.
user inquiries without needing to run multiple reports or searches. The AAM solution provides centralized management of authentication
The customizable Self-Service Console is another feature that saves for web servers. For example, an IT team can use AAM to require
IT staff time by empowering users to manage their authentication authentication to a previously internal-only wiki or website when
2
accessed by external users. AAM serves as the central authentication
AAA Servers
point for external users. AAM can also eliminate the need to maintain
separate authentication points on each web server.

Optimization and Enhanced Security 2 OCSP Responder

1
Managing multiple authentication points for various application servers 1 Access Request
can be a daunting task and increases network complexity. Setting
Authentication Kerberos
up a client authentication scheme for each application may require 2
Challenge 3
AAM
costly and time-consuming custom development work. AAM provides Authentication
3
Request
centralized access policy management, while consolidation of multiple 4 LDAP
Authentication
authentication points reduces interoperability and integration issues. 4
Success
A10 Thunder ADC adds an extra layer of security by providing 5
5 Access Granted
RADIUS
pre-authentication functionality for business-critical web server
applications (such as Oracle Financials). Pre-authentication enables
secure access to internal systems without the need to change multiple Application Servers SAML
configurations in the existing infrastructure. AAM also offers a Kerberos
Single Sign-On (SSO) security solution that allows non-Kerberos end Figure 1: Optimized transparent client authentication with RSA and A10
users to access services protected by your Kerberos realm with a single Features and Benefits
login. End users do not need to log in again for subsequent requests The RSA and A10 joint authentication solution provides users with new
until the session expires. capabilities and important business benefits. These include:
The A10 Thunder ADC AAM feature supports the identity federation • Augmenting any application with a strong, multi-factor
standard – Security Assertion Markup Language (SAML). This authentication layer provided by SecurID
protocol is an XML-based process for exchanging authentication and • Offloading authentication servers from excessive processing for
authorization between Identity Providers (IdPs) and service providers. better performance, greater scalability and faster response times
The AAM feature has demonstrated SAML interoperability with RSA • Advanced authentication server load balancing and health
and other authentication service offerings. checks for ensured availability
Deploying RSA Authentication Manager and A10 AAM • Seamless integration of authentication services for rapid
The AAM solution from A10 can also be quickly and seamlessly installation and configuration
integrated into an existing application infrastructure. AAM • Validated interoperable support for a broad base of
provides enhanced protection and server efficiency by offloading authentication schemes
authentication processing from AAA servers such as RSA • Elimination of complex multiple authentication points from
Authentication Manager. every application server
HTML Form-based Authentication With RSA and A10 working together, organizations can ensure that
RSA and A10 solutions may be combined to enhance the their data center applications and networks remain highly available,
authentication process (see Figure 1). Basic HTTP or HTTPS accelerated and secure.
authentication uses a simple request to challenge clients for their Summary – Synergistic RSA Authentication Manager and
access credentials. Here’s the way this process works: Thunder ADC Solution
• The end user sends an HTTP/HTTPS access request to the Combining the sophistication of superior authentication from RSA
application server. with the power of an A10 Thunder ADC appliance and AAM module
• The A10 Thunder ADC AAM module intercepts this request helps organizations protect, offload and scale AAA servers while
and sends an authentication challenge (WWW authentication ensuring availability.
header) directly to the end user for authentication. The security of enterprise, government, cloud services and other
• The end user’s browser launches a login screen requesting the industries is greatly improved with strong multi-factor authentication
required credentials and then sends this to the A10 Thunder beyond simple username and password. At the same time, the end
ADC appliance. user experience is enhanced as genuine users are not hampered with
• The A10 Thunder ADC appliance transparently forwards the unnecessary challenges and authentication delays. Only suspicious
credentials to the RSA Authentication Manager for verification. activities will involve further proof of legitimacy with this industry-
• If the authentication is successful, the RSA Authentication leading solution.
Manager sends a success message to the A10 Thunder
ADC appliance.
• The A10 Thunder ADC appliance grants the end user access to
the requested application.
3
About RSA Security About A10 Networks
RSA, The Security Division of EMC, is the premier provider of A10 Networks is a leader in application networking, providing a
intelligence-driven security solutions. RSA helps the world’s leading range of high-performance application networking solutions that
organizations solve their most complex and sensitive security help organizations ensure that their data center applications and
challenges: managing organizational risk, safeguarding mobile networks remain highly available, accelerated and secure. Founded
access and collaboration, preventing online fraud, and defending in 2004, A10 Networks is based in San Jose, California, and serves
against advanced threats. RSA delivers agile controls for identity customers globally with offices worldwide. For more information,
assurance, fraud detection, and data protection; robust Security visit: www.a10networks.com
Analytics and industry-leading GRC capabilities; and expert
consulting and advisory services.

Corporate Headquarters Worldwide Offices To learn more about the A10 Thunder Application Service
Gateways and how it can enhance your business, contact
A10 Networks, Inc North America Taiwan
3 West Plumeria Ave. sales@a10networks.com taiwan@a10networks.com A10 Networks at: www.a10networks.com/contact or call
San Jose, CA 95134 USA to talk to an A10 sales representative.
Europe Korea
Tel: +1 408 325-8668 emea_sales@a10networks.com korea@a10networks.com
Fax: +1 408 325-8666 South America Hong Kong
www.a10networks.com latam_sales@a10networks.com HongKong@a10networks.com
Japan South Asia
jinfo@a10networks.com SouthAsia@a10networks.com
Part Number: A10-SB-19138-EN-01 China Australia/New Zealand
Mar 2015 china_sales@a10networks.com anz_sales@a10networks.com

©2015 A10 Networks, Inc. All rights reserved. The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, ACOS
Policy Engine, Affinity, aFleX, aFlow, aGalaxy, aVCS, AX, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, SSL Insight, Thunder, Thunder TPS, UASG,
VirtualN, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective
owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify,
4
transfer, or otherwise revise this publication without notice.