In-Depth

Finding a Home for Application Security

Traffic-management switches are quickly becoming easier to deploy and support, with greater intelligence to repel more sophisticated application attacks

While enterprises deploy ever more elaborate security systems, the intruders and hackers releasing viruses, worms, and Trojan horses counter with ever more diabolical methods to overcome the ramparts. Firewalls, antivirus software, and lectures about the dangers of opening attachments from strangers are not enough. You need to deploy application-layer security devices.

An application-layer security device provides:

  • A trusted, secure channel for client remote access, B2B, and intra-enterprise communication.
  • User authentication, authorization, and audits of all application-level transactions using common standards.
  • Traffic inspection for malicious payload content, and filtration of malicious traffic to protect from application-layer attacks such as buffer overflows and command injection.

Although there are several alternatives for where to conduct application security in an enterprise, there is one logical location: traffic-management and application switches. Traffic-management devices, also known as Layer 7 devices, are not only close to enterprise applications and aware of their transactions and availability, but are also used as Secure Sockets Layer (SSL) proxies for applications and are optimized for Layer 7 inspection.

These devices often terminate SSL sessions and are capable of decrypting these sessions and looking deep into the content of the application, which is necessary to stop malicious code from doing damage within an enterprise. Traffic-management switches, given their location behind the network firewall and DMZ and in front of the application, are in an ideal position to stop unwanted traffic and protect critical business applications from internal and external attacks.

Critics of this approach say it makes more sense to perform application security on the firewall and the application core level. Some say this extra security is not necessary and adds complexity and overhead. I believe relying solely on the firewall and application for security still leaves customers vulnerable to attacks, especially the new types of attacks that exploit application-layer vulnerabilities.

Performing application security at the application core level is risky and difficult to manage. Acquiring a multitude of security patches for Web servers, application servers, and other systems is costly and reactive.

Furthermore, it is an unreliable way to cope with attacks and other security flaws because it's difficult to keep track of which patches are needed for each system, and whether a patch is the latest one available.

Other people make good arguments for placing application security at the network firewall. Firewall developers boast years of experience in providing robust network security and managing complex rule sets. Modern firewalls offer some session awareness and enough processing horsepower to support high-performance filtering at the IP transport level. They can even analyze and filter traffic for a given network connection.

This approach has flaws, however. Firewalls are typically not optimized for Layer 7 inspection or high-performance application-layer processing. They are also incapable of decrypting encrypted SSL content, so they can't look into encrypted application traffic and, as a result, can't filter it.
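To make concrete the contrast between a firewall's port-level view and the content inspection a traffic-management switch can perform after terminating SSL, here is an added example (not from the original article). The size limits, the metacharacter list, and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAX_URI_LEN = 2048      # assumed limit; oversized fields are a classic overflow vector
MAX_HEADER_LEN = 8192   # assumed limit per header value
# Shell metacharacters often abused for command injection (illustrative, not exhaustive)
SHELL_META = re.compile(r"[;|&`$<>\n]")

def l4_allows(dst_port, allowed_ports=(443,)):
    """What a packet filter decides on: ports and addresses, never the payload."""
    return dst_port in allowed_ports

def inspect_request(raw: bytes):
    """Layer 7 checks on a request the switch has already decrypted.
    Returns a list of findings; an empty list means forward to the application."""
    findings = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["malformed request line"]
    _method, target, _version = parts
    if len(target) > MAX_URI_LEN:
        findings.append("oversized URI")
    # parse_qsl percent-decodes values, so encoded metacharacters are seen too
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(f"shell metacharacter in parameter {name!r}")
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append("malformed header")
        elif len(value) > MAX_HEADER_LEN:
            findings.append(f"oversized header {name!r}")
    return findings

# Constructed sample requests (plaintext as seen after SSL termination)
BENIGN = b"GET /report?host=intranet01 HTTP/1.1\r\nHost: app.example\r\n\r\n"
INJECT = b"GET /report?host=intranet01%3Bid HTTP/1.1\r\nHost: app.example\r\n\r\n"
OVERSIZE = (b"GET / HTTP/1.1\r\nHost: app.example\r\nCookie: "
            + b"A" * 9000 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("inject", INJECT), ("oversize", OVERSIZE)):
        # All three arrive on port 443, so the port-level check passes each one.
        print(label, "L4 allow:", l4_allows(443), "L7 findings:", inspect_request(req))
```

All three requests pass the port-level check; only the inspection of decrypted content distinguishes them.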

Although enterprises need firewalls for other purposes, firewalls lack the ability to secure the applications that conduct online banking, e-commerce transactions, and secure intranet applications.

Placing application security at the router level is also ineffective. Routers are usually the first point of entry into a network and are therefore a natural place to filter unwanted traffic, but they are not the best solution for application security. Routers can handle basic packet-level security, but don't have the processing power or the intelligence to perform deep-packet inspection. Like firewalls, routers don't support Layer 7 encryption and decryption.

Application security on traffic-management switches is in the early deployment stage. However, traffic-management switches are quickly evolving to be much easier to deploy and support, with even greater intelligence to repel ever more sophisticated application attacks.
