Finding a Home for Application Security
Traffic-management switches are quickly becoming easier to deploy and support, with greater intelligence to repel more sophisticated application attacks
While enterprises deploy ever more elaborate security systems, the intruders and hackers releasing viruses, worms, and Trojan horses counter with ever more diabolical methods to overcome the ramparts. Firewalls, antivirus software, and lectures about the dangers of opening attachments from strangers are not enough. You need to deploy application-layer security devices.
An application-layer security device provides:
- A trusted, secure channel for client remote access, B2B, and intra-enterprise communication.
- User authentication, authorization, and audits of all application-level transactions using common standards.
- Traffic inspection for malicious payload content, and filtration of malicious traffic to protect from application-layer attacks such as buffer overflows and command injection.
Although there are several alternatives for where to conduct application security in an enterprise, there is one logical location: traffic-management and application switches. Traffic-management devices, also known as Layer 7 devices, are not only close to enterprise applications and aware of their transactions and availability but they are also used as Secure Sockets Layer (SSL) proxies for applications and are optimized for Layer 7 inspection.
These devices often terminate SSL sessions and are capable of decrypting these sessions and looking deep into the content of the application, which is necessary to stop malicious code from doing damage within an enterprise. Traffic-management switches, given their location behind the network firewall and DMZ and in front of the application, are in an ideal position to stop unwanted traffic and protect critical business applications from internal and external attacks.
Critics of this approach say it makes more sense to perform application security on the firewall and the application core level. Some say this extra security is not necessary and adds complexity and overhead. I believe relying solely on the firewall and application for security still leaves customers vulnerable to attacks, especially the new types of attacks that exploit application-layer vulnerabilities.
Performing application security at the application core level is risky and difficult to manage. Acquiring a multitude of security patches for Web servers, application servers, and other systems is costly and reactive.
Furthermore, it is an unreliable way to cope with attacks and other security flaws because it's difficult to keep track of which patches are needed for each system, and whether a patch is the latest one available.
Other people make good arguments for placing application security at the network firewall. Firewall developers boast years of experience in providing robust network security and managing complex rule sets. Modern firewalls offer some session awareness and enough processing horsepower to support high-performance filtering at the IP transport level. They can even analyze and filter traffic for a given network connection.
This approach has flaws, however. Firewalls are not optimized for Layer 7 inspection, and they are incapable of decrypting and filtering encrypted SSL content. Typically, firewalls are not optimized for high performance application-layer processing and can't look into the content of encrypted application traffic. As a result, they can't filter that content.
Although enterprises need firewalls for other purposes, firewalls lack the ability to secure the applications that conduct online banking, e-commerce transactions, and secure intranet applications.
Placing application security at the router level is also ineffective. Routers are usually the first point of entry into a network and are therefore a natural place to filter unwanted traffic, but they are not the best solution for application security. Routers can handle basic packet-level security, but don't have the processing power or the intelligence to perform deep-packet inspection. Like firewalls, routers don't support Layer 7 encryption and decryption.
Application security on traffic-management switches is in the early deployment stage. However, traffic-management switches are quickly evolving to be much easier to deploy and support, with even greater intelligence to repel ever more sophisticated application attacks.