The Internet is possibly the most critical resource for businesses today. In an information-driven economy, organisations are growing increasingly dependent on Internet connectivity as tasks previously handled by call centres or surface mail move online. Behind the scenes, complex infrastructure allows citizens and businesses across the world to process millions of Internet-related transactions every second. The loss of Internet connectivity, even for a few minutes, can dramatically and negatively impact organisations of all shapes and sizes, leading to significant financial loss or damage to reputation. As websites become more business- and mission-critical, they naturally become candidates for malicious attacks for a variety of reasons.
Webservers and Application Delivery Controllers (ADCs)
The Internet has matured quickly from simple static websites to an environment that hosts complex, powerful, dynamic applications. Improvements in web application responsiveness are now a key enabler for cloud computing, ecommerce and related improvements in data centre design and optimisation.
ADCs are becoming critical central aggregation points for application traffic. ADCs are now a mature and established tool in the arsenal of the network designer, extremely effective at providing application acceleration, sophisticated load balancing and high availability, application level security, IPv4/IPv6 migration support, and Carrier Grade Network Address Translation (CGNAT).
ADCs sit at the boundary between data centres serving web applications and the wider Internet, effectively acting as a load balancing proxy and intelligent cache for application transactions and content. ADCs also provide value-add security and performance features to improve information security and availability. These security features include SSL Offload, SSL Intercept, pre-authentication, Web Application Firewall (WAF), and DDoS mitigation. Typically a high-end ADC will also include custom scripting to enable Deep Packet Inspection (DPI) and manipulation of both traffic and endpoint information.
The evolution of threat and response
This deployment of distributed web applications behind ADCs, within highly virtualised data centres, serving users via the Internet is becoming the dominant template for application delivery. The first part of creating a better security framework must start with fundamental coding and application design. The many software layers and components needed to create an application, together with the need to regularly patch operating systems and third-party extensions, all pose risks. So it remains a key requirement for InfoSec professionals to mitigate as many threats as possible while they are en route – whether that be at the firewall or at the ADC.
Security attacks are becoming increasingly sophisticated, subtle and ‘volumetric’ in nature, and the issues are simply not going away – given the absence of greater Internet controls and of any major improvement in online identity tracking.
In essence, DDoS attacks typically flood a webserver or IP address range with a huge volume of data generated by malware that has infected thousands or even hundreds of thousands of machines across the Internet. Attacks may further stress servers by making requests that each generate a larger response – so-called amplification attacks. Since there may be multiple types of DDoS attack in operation – some volumetric, some perhaps more subtle – one needs a range of strategies in place to mitigate them.
The role of the ADC
Whilst the ADC can shield the web application servers from Denial of Service (DoS) attacks that either try to overwhelm the target with traffic or consume resources, thereby stifling legitimate user sessions, the ADC must first be capable of dealing with volumetric attacks in a highly scalable manner. It must also possess intimate knowledge of what constitutes ‘acceptable’ Layer 4 and Layer 7 flow behaviour over time, so that deviations from that baseline can be recognised.
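To make the notion of ‘acceptable flow behaviour over time’ concrete, here is a small per-source sliding-window detector of the kind an ADC or WAF applies to Layer 7 request streams. It is an added illustration, not code from the article or from any ADC vendor; the log format, the constructed sample lines, the 5-second window and the 4-requests-per-window limit are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format (not from the article): "<ISO timestamp> <source IP> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample traffic: 198.51.100.7 bursts, the other clients browse at a normal pace.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.5 GET /index.html 200",
    "2024-01-01T10:00:01 203.0.113.9 GET /login 200",
    "2024-01-01T10:00:01 198.51.100.7 GET /search?q=a 200",
    "2024-01-01T10:00:01 198.51.100.7 GET /search?q=b 200",
    "2024-01-01T10:00:02 198.51.100.7 GET /search?q=c 200",
    "2024-01-01T10:00:02 198.51.100.7 GET /search?q=d 200",
    "2024-01-01T10:00:03 198.51.100.7 GET /search?q=e 200",
    "2024-01-01T10:00:03 198.51.100.7 GET /search?q=f 200",
    "2024-01-01T10:00:04 203.0.113.5 GET /about 200",
]


def parse(line):
    """Return (timestamp, source, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return datetime.fromisoformat(ts), src, method, path, int(status)


def detect_bursts(lines, window_s=5, max_per_window=4):
    """Flag sources exceeding max_per_window requests in any window_s-second span.

    Returns {source: ISO timestamp of the first request that crossed the limit}.
    Lines are assumed to arrive in time order, as they would from a live proxy.
    """
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash the detector
        ts, src = rec[0], rec[1]
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > max_per_window and src not in flagged:
            flagged[src] = ts.isoformat()
    return flagged
```

A real ADC derives the limits from an observed baseline rather than fixed constants, and a flagged source would typically be rate-limited or challenged rather than blocked outright.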
Since the ADC acts as the gatekeeper for all transactions flowing to the servers, these devices have to deliver extremely high throughput whilst performing L4/L7 DPI of both plaintext and (increasingly) encrypted (i.e. SSL/TLS) message streams. The latest generation of ADC appliance typically incorporates dedicated hardware ASICs (or programmable chips called FPGAs) in order to analyse packets at wire speed when handling volumetric attacks. With an ADC the network designer is also free to choose where SSL keys are managed, and whether secure sessions should be passed through, inspected, re-encrypted or forwarded as plaintext.
Another area where the DPI capability offered by the ADC can help is in mitigating a known issue or remediating an underlying application security weakness (such as poor business rule handling, or SQL injection vulnerabilities in a legacy application). An ADC equipped with a Web Application Firewall (WAF) can assist with PCI compliance, and can potentially turn around serious vulnerabilities very quickly. ADCs therefore act as both a strategic and a tactical tool in the security context, understanding applications intimately and working in tandem with conventional firewall, anti-virus and intrusion detection/prevention systems.
It is also possible to offload security functions from the servers and applications themselves onto the ADC, using a combination of DPI, WAF, pre-authentication and SSL Intercept features. The ADC offers centralised security control that can establish secure channels, authenticate, authorise, enforce intrusion prevention and alleviate application attacks, with full reporting capabilities. Both current and future applications can have a policy-based security procedure without any recoding of the application.
In summary, the notion of using the ADC as, in effect, a next-generation firewall is starting to become a reality. As more applications head onto the web, the role of the ADC will become more critical. From humble beginnings as simple load balancers, the modern ADC is increasingly useful as an addition to the security armoury. Information security professionals would do well to utilise its Deep Packet Inspection, DDoS protection and SSL Intercept capabilities as part of a multi-layered security architecture.