Today’s blog is a continuation of our exploration into Application Security. The first half of this discussion can be found in our August 31st entry here: http://theflexit.com/exhibit-1-application-security/
An important tool in protecting the network is an Intrusion Prevention System (IPS), which looks beyond port and protocol to examine the signature (or actual content) of network traffic to identify and stop threats. With APS, we protect the layer 3 and layer 4 regions of the network against DDoS attacks by combining hardware and programmable software solutions. In addition to protecting against layer 3 and layer 4 threats, the enhanced functions we can deliver include layer 4 routing and load balancing, which increase the efficiency and availability of application traffic in the network.
Application Delivery Controllers (ADCs) are network devices that manage client interfaces to complex web and enterprise applications, beyond the scope of SMB and home office applications. An ADC functions primarily as a server load balancer, improving end-user performance and reliability through increased layer 4 throughput (Gbps), access to data center resources, and enterprise application security. ADCs are deployed in data centers, strategically placed behind the firewall and in front of the application server(s). They act as the point of control for application security and provide authentication, authorization, and accounting.
Application Delivery Controller (ADC)
The ADC is part of a larger process that makes applications available, responsive, and secure for users. This end-to-end model is called the Application Delivery Network (ADN). It consists of an application delivery controller, firewall, and link load balancer.
A typical ADN infrastructure
When applications outgrow a single server, an ADC manages multiple servers so that they appear to clients as a single virtual server. Once the ADC selects the best server for a request, it uses Connection Persistence to keep the client connected to the server where the transaction began. The ADC routes traffic to the best available server based on configurable rules, and can also offload encrypted traffic and apply HTTP compression to reduce bandwidth. SSL offloading does not protect against DDoS attacks; however, the ADC may reduce the need for additional servers by as much as 25%.
The security core is where the tools and services that defend applications from threats reside. Capabilities include a strong firewall, VPN, antivirus and antimalware scanning, and other security features. Other security features may include NGFW with IPS and deep packet scanning, application control, and user access policies to enhance protection.
Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple WAN links. If application use includes multiple data center access for operations such as disaster recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic between multiple data centers. This allows either automatic or programmable data center routing based on infrastructure performance needs.
An advanced, modern ADC provides enhanced capabilities that bring both security and efficiency to networks. Let’s take a look at the capabilities that ADCs bring to the server side of the ADN.
Server Load Balancing
The ADC allows the use of software-based intelligent load balancing, which outperforms simple hardware-based load balancing. This not only provides a path to an available server, but also matches the best server to the incoming traffic based on programmed policies and application-layer knowledge that supports business requirements.
Because the ADC conducts continuous health checks of network servers, only routes traffic to online devices, and routes to the best performing devices using intelligent load balancing capability, server load balancing provides a 25% increase in capacity and reduces server hardware requirements by 25% over traditional DNS round-robin configurations.
Intelligent Load Balancing
L7 Content Routing
By designating different servers for different types of data functions, the ADC may be configured to route traffic to the server(s) best configured to process each application based on its specific needs.
By using L7 content routing, the ADC can optimize data center resources while protecting the network and applications from security threats.
This capability is critical to transaction-based applications. For example, if you begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different server for checkout without a persistent connection back to the original server, your cart will be empty at checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers remain persistent throughout the transaction.
By maintaining a persistent connection to the original server that started the transaction, the transaction may be completed without loss of data or loss of connection.
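The following is an added example, not code from the original post or from FlexIT, that puts the three server-side capabilities above into one routing decision: an L7 content rule picks a pool from the request path, intelligent load balancing considers only servers whose health check passed and prefers the least loaded one, and an HMAC-signed persistence cookie pins a shopping-cart session to the server where it started. The backend addresses, the load figures, the cookie name and the key are all constructed assumptions; signing the cookie is an added design choice so that a tampered or poisoned cookie cannot steer a client to an arbitrary server.

```python
import hashlib
import hmac

# Constructed backend pools behind the ADC (hypothetical addresses, not from the article).
BACKENDS = {
    "static": ["10.0.1.11", "10.0.1.12"],   # images, CSS, JavaScript
    "app":    ["10.0.2.21", "10.0.2.22"],   # dynamic pages, cart and checkout
}
# Results of the ADC's health checks and its load metric, as constructed sample state.
HEALTH = {"10.0.1.11": True, "10.0.1.12": True, "10.0.2.21": True, "10.0.2.22": False}
LOAD = {"10.0.1.11": 12, "10.0.1.12": 3, "10.0.2.21": 40, "10.0.2.22": 1}

PERSIST_COOKIE = "ADC_SRV"
SECRET = b"example-only-key"   # assumption: key held only on the ADC, never sent to clients


def content_pool(path):
    """L7 content routing rule: choose the pool from the request path."""
    if path.startswith("/static/") or path.endswith((".css", ".js", ".png")):
        return "static"
    return "app"


def sign_server(server):
    """Persistence cookie value: server identity plus an HMAC so a client cannot forge it."""
    mac = hmac.new(SECRET, server.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{server}|{mac}"


def verify_cookie(cookie):
    """Return the server named by a persistence cookie, or None if absent or tampered."""
    server, sep, _ = cookie.partition("|")
    if not sep:
        return None
    return server if hmac.compare_digest(sign_server(server), cookie) else None


def choose_backend(pool):
    """Intelligent load balancing: healthy servers only, lowest reported load wins."""
    healthy = [s for s in BACKENDS[pool] if HEALTH.get(s)]
    return min(healthy, key=LOAD.__getitem__) if healthy else None


def route(path, cookies):
    """Return (backend, Set-Cookie header value or None) for one request."""
    pool = content_pool(path)
    sticky = verify_cookie(cookies.get(PERSIST_COOKIE, ""))
    # Honour persistence only for a server that belongs to this pool and is still healthy;
    # otherwise fall back to a fresh selection rather than sending the user to a dead server.
    if sticky in BACKENDS[pool] and HEALTH.get(sticky):
        return sticky, None
    server = choose_backend(pool)
    if server is None or pool != "app":
        return server, None          # static content needs no persistence
    return server, f"{PERSIST_COOKIE}={sign_server(server)}; Secure; HttpOnly"
```

A first request to `/cart/add` lands on the only healthy app server and receives the signed cookie; a later `/checkout` request carrying that cookie stays on the same server, while a cookie whose MAC does not verify, or that names a server in the wrong pool or one that failed its health check, is ignored and the request is balanced afresh.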
SSL traffic may overload servers, reducing capacity to a range in the hundreds of TPS. By offloading and accelerating SSL encryption, decryption, and certificate management from the servers, the ADC lets web and application servers focus their CPU and memory on delivering application content and responding more quickly to user requests. This offloading boosts capacity to tens of thousands of TPS, with plain HTTP to the servers behind the ADC and HTTPS to users.
Benefits. SSL offloading and acceleration provides a 100X increase in traffic flow, reducing the need for additional servers in order to accommodate data volume.
SSL offloading and HTTP compression
One challenge, as the number of network users grows, application code becomes more complex, and data sets become larger, is bandwidth limitation. One way an ADC eases bandwidth constraints is by using HTTP compression so that non-essential bytes do not traverse the network links from servers to web browsers.
By reducing bandwidth demands, HTTP compression creates increased throughput capability, which increases data flow efficiency to the user.
In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing between the server side and outer perimeter. To accomplish this function in a content-focused, application-level environment, the WAF is used.
Web Application Firewall (WAF) Characteristics
Essential for businesses that host web-based applications, WAFs deployed in the data center provide protection, load balancing, and content acceleration to and from web servers. The primary use of WAFs is to protect web-based applications from attacks. They protect web applications and their associated database content through WAF vulnerability scanning, mitigating prevalent threats such as cross-site scripting (XSS), buffer overflows, DoS, SQL injection, and cookie poisoning. WAFs also focus on the OWASP Top 10 web application vulnerabilities.
Web Application Firewall (WAF)
The question may be asked why an NGFW or IPS cannot mitigate these threats. IPS signatures only detect known problems, may produce false positives, do not protect against threats embedded in SSL traffic, and have no application or user awareness. Basic firewalls look for network-based attacks, not application-based attacks. For these reasons, the WAF adds critical protection capabilities to the network security arsenal.
One of the key features that enables WAFs to counter DDoS threats is heuristic—or behavior-based—analysis. Behavior-based DDoS protection measures require different mitigating parameters than content-based protections. Some of these protection measures include configuring systems to identify potential threats based on source volume (intent vs. content), ping rates (hardcoded vs. custom), packet dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using these behavior based DDoS protection measures—focusing on traffic characteristics rather than content—policies do not require threat signature updates like content-based measures do.
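As an added example (not code from the original post or from any WAF vendor), the script below contrasts the two detection styles the paragraph describes, run over a constructed stream of per-second request counts: a hardcoded rate limit, and an adaptive limit that follows a smoothed median of what all sources are doing and therefore needs no signature or manual tuning as the traffic norm shifts. The log records, the source addresses (documentation ranges), the thresholds and the smoothing factor are all assumptions chosen for the illustration.

```python
import statistics
from collections import Counter, defaultdict


def build_sample():
    """Constructed (second, source IP) records standing in for ADC access logs.
    Three sources behave normally; one source doubles its volume every second."""
    records = []
    legit = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]
    for sec in range(12):
        for i, ip in enumerate(legit):
            records += [(sec, ip)] * (3 + (sec + i) % 3)               # 3 to 5 requests per second
        records += [(sec, "203.0.113.77")] * ((2 ** sec) // 4 or 1)    # 1, 1, 1, 2, 4, 8, 16, ...
    return records


def per_window(records):
    """Count requests per source in one-second windows (source volume, not content)."""
    windows = defaultdict(Counter)
    for sec, ip in records:
        windows[sec][ip] += 1
    return windows


def fixed_threshold(records, limit=50):
    """Hardcoded rate limit: flag a source the first second it exceeds `limit` requests."""
    alerts = {}
    for sec, counts in sorted(per_window(records).items()):
        for ip, n in counts.items():
            if n > limit and ip not in alerts:
                alerts[ip] = sec
    return alerts


def adaptive_threshold(records, k=4.0, floor=10, alpha=0.3):
    """Trend-matching limit: the bound is k times a smoothed median of per-source rates,
    never below `floor`, so a source is flagged as soon as it departs from its peers."""
    alerts, baseline = {}, None
    for sec, counts in sorted(per_window(records).items()):
        median = statistics.median(counts.values())
        if baseline is None:
            baseline = median
        limit = max(floor, k * baseline)
        for ip, n in counts.items():
            if n > limit and ip not in alerts:
                alerts[ip] = sec
        baseline = alpha * median + (1 - alpha) * baseline   # EWMA of the observed norm
    return alerts
```

On this sample the fixed limit of 50 requests per second first fires in second 8, when the ramping source reaches 64 requests; the adaptive limit fires two seconds earlier, in second 6, because 16 requests is already four times the median of its peers. The `floor` keeps the adaptive rule from flagging normal users on a quiet network, and the median (rather than the mean) keeps one loud source from dragging the baseline up and hiding itself.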
WAFs and PCI DSS Compliance
The ability to provide secure data transactions is not limited to considerations of data and program corruption, throughput limitations, or network operational parameters in the strict sense of providing digital pathways and storage. Additional considerations regarding personally identifiable information (PII), credit card security, and other personal account and data safety are regulated from outside the technology sector. The Payment Card Industry Data Security Standard (PCI DSS) sets requirements for security practices that apply to any vendor or organization that processes, stores, or transmits cardholder data. Also regulated by government agencies and enforceable with fines of up to $10,000 per breach, the PCI DSS program is a necessary consideration for most of the technology industry.
PCI DSS consists of 12 requirements covering six common-sense goals that reflect security best practices. Table 6 depicts the current standards for PCI DSS compliance. Of the six goals listed, goal number three most closely influences the ability of the network to maintain secure operations and effective monitoring against DDoS and other threats to network security. Of course, all appliances, software, policies, and processes within the control of the network administrator should be regularly monitored and updated against modern, advanced, and emerging complex threats.
Payment Card Industry Data Security Standards (PCI DSS)
While the modern ADC provides enhanced capabilities to the server side of the ADN, an ADC also provides capabilities to the outer perimeter function of the ADN, which include:
This capability of the ADC provides redundancy while scaling applications across multiple data centers. The DNS-based Global Server Load Balancing (GSLB) function applies smart routing between data centers using configurable business rules, and automatically switches between data centers for disaster recovery when a data center or connectivity link becomes unavailable.
The disaster recovery and GSLB features provide important network security capabilities. The automatic switching feature provides the ability to survive data center or transmission link outages while ensuring data is automatically recovered. Because of intelligent switching, users are rerouted to the next best data center for their needs, making the process seamless to the end user.
Global Server Load Balancing (GSLB)
Mask Server IPs
A challenge to keeping individual servers secure from threats is to segregate them from access by unauthorized users. One way of accomplishing this is to mask the individual server ID by rewriting content—such as headers and other identifying information—to a single IP address when data is transmitted outside the internal network.
By masking individual server IDs behind the ID of the ADC routing data to individual servers, all data flows through the ADC, reducing chances for external threats to gain access to individual servers without passing through network security inspections.
Server ID masking with ADC
Quality of Service (QoS)
One of the challenges posed by the seemingly constant increase in data traffic is identifying and prioritizing important traffic over routine or less important traffic. QoS is managed by configuring rules and policies for traffic policing, traffic shaping, and queuing that ensure the most important traffic for the organization is prioritized above other data.
QoS results in higher quality data flow for the most critical traffic based on organizational priorities, whether it be VoIP for sales and customer support, eCommerce transactions, or corporate file transfers. By setting the appropriate rules and policies in the ADC, organization and user quality of service—and efficiency and satisfaction—may be enhanced.
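The following is an added example, not code from the original post or from FlexIT, showing the three QoS mechanisms named above in miniature: a classifier assigns packets to VoIP, e-commerce or bulk classes by destination port, a token bucket polices the bulk class at ingress, and a strict-priority scheduler shapes what the link sends per tick, always draining the VoIP queue first. The packet sample, the class rates and the link budget are constructed assumptions.

```python
from collections import deque

PRIORITY = ["voip", "ecommerce", "bulk"]   # queues are drained in this order


def classify(pkt):
    """Classification rule: SIP signalling first, HTTPS transactions next, everything else bulk."""
    if pkt["dst_port"] in (5060, 5061):
        return "voip"
    if pkt["dst_port"] == 443:
        return "ecommerce"
    return "bulk"


class TokenBucket:
    """Policer: a class may send one burst, then only its contracted rate; excess is dropped."""

    def __init__(self, rate_bytes_per_sec, burst_bytes):
        self.rate, self.capacity = rate_bytes_per_sec, burst_bytes
        self.tokens, self.last = burst_bytes, 0.0

    def allow(self, size, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size > self.tokens:
            return False
        self.tokens -= size
        return True


def transmit(packets, link_bytes_per_tick, ticks, bulk_policer):
    """Police bulk traffic at ingress, then serve strict-priority queues within the link budget.
    Returns the packet ids in the order they left the link."""
    queues = {c: deque() for c in PRIORITY}
    for p in packets:                          # packets are listed in arrival order
        cls = classify(p)
        if cls == "bulk" and not bulk_policer.allow(p["size"], p["t"]):
            continue                           # over contract: policed (dropped)
        queues[cls].append(p)
    sent = []
    for _ in range(ticks):
        budget = link_bytes_per_tick           # shaping: at most this many bytes per tick
        for cls in PRIORITY:
            q = queues[cls]
            while q and q[0]["size"] <= budget:
                budget -= q[0]["size"]
                sent.append(q.popleft()["id"])
    return sent


# Constructed burst: three SIP packets, two HTTPS packets and four bulk (FTP) transfers.
SAMPLE = [
    {"id": "v1", "dst_port": 5060, "size": 200, "t": 0.0},
    {"id": "b1", "dst_port": 21, "size": 1500, "t": 0.0},
    {"id": "e1", "dst_port": 443, "size": 1500, "t": 0.0},
    {"id": "b2", "dst_port": 21, "size": 1500, "t": 0.0},
    {"id": "v2", "dst_port": 5060, "size": 200, "t": 0.0},
    {"id": "b3", "dst_port": 21, "size": 1500, "t": 0.0},
    {"id": "e2", "dst_port": 443, "size": 1500, "t": 0.0},
    {"id": "v3", "dst_port": 5061, "size": 200, "t": 0.0},
    {"id": "b4", "dst_port": 21, "size": 1500, "t": 1.0},
]
```

With a 2000-byte link budget per tick and a bulk contract of 1500 bytes per second with a 3000-byte burst, all three VoIP packets leave in the first tick, the two e-commerce packets follow, the third bulk packet is policed because the burst is exhausted, and the bulk class only gets the link once the higher classes are empty. Strict priority keeps latency low for the top class but can starve the bottom one under sustained load, which is why production shapers usually pair it with weighted fair queuing for the lower classes.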
Link Load Balancing (LLB)
LLB addresses the issues of bandwidth and redundancy by using multiple WAN links. A link load balancer connects many WAN links to the network and routes inbound and outbound traffic based on criteria such as availability, performance, or business rules that favor the lowest-cost links. If a link fails, traffic is routed over the others to ensure your application remains available to users.
LLB provides redundancy to maintain application availability by rerouting traffic to users through another available link. By selectively routing traffic over the most available and appropriate links based on programmed rules and policies, LLB optimizes bandwidth use, reducing bandwidth needs. These two features both improve application response times to users.
FlexIT is a San Diego, CA based technology solutions company that specializes in IT Management and Engineering. Companies with technology challenges turn to FlexIT for unbiased solutions, adding value to their IT operations. To learn more about Managed Firewall and additional solutions, please visit the website here: http://theflexit.com/