Introducing Application Delivery Networking

Page 1: Next Generation Firewalls

Presented by: Bill Beverley, Security Technology Sales Manager

Page 2: Security at the heart of the network

Page 3: Comprehensive Security?

“Securing access to and delivery of data and applications.”

Network security and application security are both “well known” disciplines.

Page 4: Application Security: HTTP

Most people associate application security with HTTP and the Web.

Internet traffic is growing at 50%–60% annually*
– In 2006 the US was averaging 450–800 PB / month*

On top of HTTP:
– HTML, XML, AJAX, PHP, JavaScript, etc.

Limitless attack vectors and scope.

* Andrew Odlyzko, University of Minnesota, Feb 2008

Page 5: The Port 80 Hole: HTTP

“64% of the 10 million security incidents tracked targeted port 80.”
– Information Week

Page 6: Application Vulnerability Statistics

Page 7: What’s Driving Application Attacks?

Secure networks
– Effectiveness of network firewalls

Target-rich application environments
– “Webification”: fat browsers
– Feature-rich and data-rich environments
– Increasingly trusted environments (SSL offers a false sense of security)
– Technology adoption is still running ahead of security appreciation

Profit
– Applications deliver data, and data delivers $ (or £ or €)

Page 8: Just fix the app! Easy to say, harder to deliver...

Competing demands on the application team (diagram labels):
– Application security
– Application scalability
– Application performance
– Application patching
– Application availability
– Application development

Page 9: The Result: A Growing Network Problem

Diagram: users → network point solutions → applications

Users: mobile phone, PDA, laptop, desktop

Network point solutions: SSL acceleration, server load balancer, rate shaping, DoS protection, application firewall, content acceleration, traffic compression, connection optimization

Applications: CRM, SFA, ERP (several instances of each), custom application, co-location

Page 10: …And Then Who Owns It?

Applications focus on business logic and functionality (the application developer); traditional networks are focused on connectivity (the network administrator). Between the two the ownership question is left open, and the result is:
– New security hole
– High cost to scale
– Slow performance

Page 11: …And Then, Who’s Responsible?

Four groups, each with a partial view: operations, the network guy, application architecture, security.
– View specific application
– Control only defined applications
– Test only defined applications
– Grant limited control
– Grant limited views
– Grant limited monitoring
– High cost of operation

Page 12: Fix it in the Network?

Diagram: branch office, headquarters / corporate users and remote users, connected over ISP and WAN links, reaching the applications: web servers, application servers, databases.

Risks called out at the different points of the diagram:
– Application availability/performance
– Information theft
– Unauthorized access
– Viruses
– Equipment/power failures
– Maintenance downtime
– Natural disaster
– ISP availability/bandwidth
– WAN availability/performance

Page 13: Segment #1: Perimeter Firewalls

(Same diagram and risk list as page 12.)

Page 14: Current Network Solutions

• Network firewalls
  • Perfect socket management devices
  • They live in layers 3–4
  • What about layers 2, 5 & 7?
• IPS
  • Packet re-assembly devices
  • What about application session awareness?
  • What about SSL?
  • >70% of customers run IPS in transparent mode.

Page 15: Application Solutions: WAFs

• Web application firewalls are a great start
  • Have insight into the application and business logic
  • Terminate SSL
  • Plug the port 80 hole
• But…
  • What about other apps?
  • What about other layers?

Page 16: Web Application Firewalls

Stateful inspection of application traffic in the context of the application
Bidirectional
Policy-based solution tailored for each app
– Positive + negative security
Sits inline
A new type of device, spanning operations, network and application personnel

Conclusion: the right tool for the job for HTTP. But …

Page 17: Applications Tunnel Through Traditional Firewalls

Page 18: Next Generation Firewalls

A marriage of application intelligence and network control
– Secures layers 2–7
– Secures any port, any protocol, any application

Apply security at the same point as the rest of the application business logic
– Provide security during delivery, not just at ingress or egress

Application Delivery Security
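The “any port, any protocol, any application” point above is easiest to see in code. The following Python is an added example, not the presentation’s or any vendor’s code: it classifies a flow from its first payload bytes (HTTP request line, TLS ClientHello record header, SSH identification string) and compares a port-based rule with an application-aware policy over a handful of constructed flows. The port sets, the allowed-application set and the sample payloads are assumptions made for the illustration.

```python
"""Application identification from payload, independent of TCP port.

Added example, not code from the presentation or from any vendor product.
The sample flows are constructed; the classifier covers only HTTP, TLS and SSH."""
import re

# Layer 3-4 view: a port-based rule that admits anything to the "web" ports (assumed).
PORT_RULE_ALLOWED_PORTS = {80, 443}

# Application-aware view (assumed policy): written in terms of applications, plus a
# note of which application belongs on each well-known port so that something else
# riding over port 80/443 is caught as tunnelling.
ALLOWED_APPS = {"http", "tls"}
EXPECTED_ON_PORT = {80: {"http"}, 443: {"tls"}}

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ", b"CONNECT ")
HTTP_VERSION = re.compile(rb" HTTP/1\.[01]\r\n")


def identify_app(payload: bytes) -> str:
    """Classify a flow from the first bytes the client sends."""
    if payload.startswith(b"SSH-"):
        return "ssh"                                   # SSH identification string (RFC 4253)
    if (len(payload) >= 6 and payload[0] == 0x16       # TLS record type: handshake
            and payload[1] == 0x03                     # record-layer version 3.x
            and payload[5] == 0x01):                   # handshake type: ClientHello
        return "tls"
    if payload.startswith(HTTP_METHODS) and HTTP_VERSION.search(payload[:256]):
        return "http"
    return "unknown"


def port_rule_verdict(port: int) -> str:
    """What a layer 3-4 firewall decides: it never looks at the payload."""
    return "allow" if port in PORT_RULE_ALLOWED_PORTS else "deny"


def app_aware_verdict(port: int, payload: bytes) -> tuple:
    """(verdict, application, reason) from an application-aware policy."""
    app = identify_app(payload)
    if app not in ALLOWED_APPS:
        return ("deny", app, "application not permitted by policy")
    expected = EXPECTED_ON_PORT.get(port)
    if expected is not None and app not in expected:
        return ("deny", app, "%s tunnelled over port %d" % (app, port))
    return ("allow", app, "application permitted by policy")


# Constructed sample flows: (description, destination port, first client bytes)
SAMPLE_FLOWS = [
    ("plain HTTP to intranet", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("SSH tunnelled over port 80", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("TLS ClientHello on 443", 443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    ("cleartext HTTP on 443", 443, b"POST /upload HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("HTTP on a non-standard port", 8080, b"GET /api HTTP/1.0\r\n\r\n"),
    ("unknown binary on 443", 443, b"\x00\x01\x02\x03\x04\x05\x06\x07"),
]


def compare() -> list:
    """Run both policies over the samples. Rows where the verdicts differ are the
    cases a port filter alone gets wrong."""
    rows = []
    for desc, port, payload in SAMPLE_FLOWS:
        verdict, app, reason = app_aware_verdict(port, payload)
        rows.append({"flow": desc, "port": port, "app": app,
                     "port_rule": port_rule_verdict(port),
                     "app_aware": verdict, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in compare():
        flag = "" if row["port_rule"] == row["app_aware"] else "  <-- port rule wrong"
        print("%-28s port %-5d app=%-8s port-rule=%-5s app-aware=%-5s %s%s"
              % (row["flow"], row["port"], row["app"], row["port_rule"],
                 row["app_aware"], row["reason"], flag))
```

Four of the six constructed flows come out differently under the two policies: SSH and unknown binary over the open ports sail through the port rule, cleartext HTTP on 443 is not what the port promises, and legitimate HTTP on 8080 is blocked by the port rule for no security reason. A real product identifies far more applications and keeps following the flow after the first packet, but the decision structure is the same.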

Page 19: Solution Requirements

Secure applications with application-aware security
– Must be session aware
– Must be behaviour-policy bound
– Must understand business logic

Let the firewalls do what they do
– They’re perfect socket management devices
– They’re not perfect session management devices.

Accountability
– Audit trail

Flexibility
– Adaptable to application AND environmental changes

Leverage the 3 Ps…

Page 20: Three P’s

PROXY architecture to distinguish a good request from a bad one by examining all the information
POSITIVE security logic (i.e. business logic) to give zero-day protection
POLICIES centralised for ease of control, administration & auditing
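Pages 16 and 20 describe one mechanism from two angles: a full proxy that parses the whole request, a positive model of what the application accepts, negative signatures for known-bad input, and a single central policy. The Python below is an added example (not code from the presentation or from any product) that puts those three P’s together for a hypothetical application named intranet-portal; its endpoints, parameter rules, leak signatures and the sample requests and response are all assumed for the illustration.

```python
"""Policy-based inspection of HTTP requests and responses, in the style of a
full-proxy web application firewall. Added example; not code from the
presentation or from any product. Application name, endpoints, parameter
rules, signatures and sample traffic are assumed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote


@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "block"
    reason: str


# Centralised policy for one hypothetical application (the POLICIES "P").
POLICY = {
    "app": "intranet-portal",
    "max_body": 4096,
    # Positive model: (method, path) -> {parameter: regex the value must fully match}.
    # Anything not listed is blocked even if no signature fires (zero-day protection).
    "positive": {
        ("GET", "/"): {},
        ("GET", "/search"): {"q": r"[\w \-]{1,64}", "page": r"\d{1,3}"},
        ("POST", "/login"): {"user": r"[a-z][a-z0-9._]{2,31}", "password": r".{8,128}"},
    },
    # Negative model: signatures for known-bad input, applied to every parameter value.
    "negative": [
        ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1|--\s*$")),
        ("xss", re.compile(r"(?i)<\s*script|javascript:|\bon(?:error|load|click)\s*=")),
        ("traversal", re.compile(r"(?i)\.\./|%2e%2e%2f")),
    ],
    # Bidirectional: the proxy also sees the response and can stop data leaving.
    "response_leaks": [
        ("sql-error", re.compile(r"(?i)ORA-\d{5}|You have an error in your SQL syntax")),
        ("card-number", re.compile(r"\b(?:\d[ -]?){13,16}\b")),
    ],
}


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into method, path, headers, merged parameters, body.
    A proxy that terminates SSL sees all of this in the clear (the PROXY "P")."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = dict(parse_qsl(query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return method, unquote(path), headers, params, body


def inspect_request(raw: bytes) -> Decision:
    method, path, _headers, params, body = parse_request(raw)
    if len(body) > POLICY["max_body"]:
        return Decision("block", "body exceeds policy limit")
    schema = POLICY["positive"].get((method, path))          # the POSITIVE "P"
    if schema is None:
        return Decision("block", "%s %s is not in the application's positive model" % (method, path))
    for name, value in params.items():
        for label, signature in POLICY["negative"]:
            if signature.search(value):
                return Decision("block", "%s signature in parameter '%s'" % (label, name))
        pattern = schema.get(name)
        if pattern is None:
            return Decision("block", "unexpected parameter '%s' for %s %s" % (name, method, path))
        if not re.fullmatch(pattern, value):
            return Decision("block", "parameter '%s' violates the positive model" % name)
    return Decision("allow", "request matches the policy for %s" % POLICY["app"])


def inspect_response(body: bytes) -> Decision:
    text = body.decode("latin-1")
    for label, signature in POLICY["response_leaks"]:
        if signature.search(text):
            return Decision("block", "%s leak in response body" % label)
    return Decision("allow", "response body clean")


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    b"GET /search?q=quarterly+report&page=2 HTTP/1.1\r\nHost: intranet\r\n\r\n",
    b"GET /search?q=%27+or+1%3D1--&page=1 HTTP/1.1\r\nHost: intranet\r\n\r\n",
    b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"user=alice&password=correct-horse-battery&debug=1",
]
SAMPLE_RESPONSE = b"<html>You have an error in your SQL syntax near 'x'</html>"

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        d = inspect_request(raw)
        print("%-5s %s  <- %s" % (d.action, d.reason, raw.split(b"\r\n", 1)[0].decode()))
    d = inspect_response(SAMPLE_RESPONSE)
    print("%-5s %s" % (d.action, d.reason))
```

The order of checks matters: the request to /admin is blocked because it is outside the positive model, not because any signature matched, which is the zero-day argument from the slide; the extra debug parameter on /login is blocked the same way. The signatures are a second, cheaper layer for input the schema would otherwise accept, and the response check is what “bidirectional” buys you.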

Page 21: Secure Policy-Based Delivery

Look at application security holistically: server-side, unique real-time enforcement of security, optimization, availability and new services. Only the services needed and allowed are used and available.

Context “A” and Context “B”: HTTP access to intranet, CIFS access to file share
“Public”: HTTP access to intranet

Page 22: Diagram: enterprise resources, the Internet, a branch office, a foreign city, telecommuters and mobile users (employees, contractors, visitors). PMP, PEP and MS sit at the centre (redundant), with remote PEP and MS at the branch office and in the foreign city, plus local access.

– Separate ALL users from enterprise resources
– Dynamically provide optimized service based on context
– Stop bad traffic before it uses resources
– Stop bad traffic before it uses network resources
– Optimize bulk remote traffic to centralized resources
– Provide single, but redundant, management, access and auditing of each unique access and context: who, what, when, why, where and how
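Pages 21 and 22 describe an enforcement point that offers each access context only the services it needs and records who, what, when, why, where and how for every decision. The Python below is an added example, not the presentation’s own material: the roles, locations, device types, services and the ordered rules that map a context to an offered service set are all assumed for the illustration. What it shows is the shape of the decision (first matching rule wins, no match means deny) and an audit record carrying the six questions from the slide.

```python
"""Context-based service provisioning at a policy enforcement point.
Added example; not from the presentation. Roles, locations, device types,
services and rules are assumed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessContext:
    """The facts the enforcement point knows about one access attempt."""
    who: str          # authenticated identity
    role: str         # employee, contractor or visitor
    where: str        # headquarters, branch, remote or public
    how: str          # managed-laptop, byod or kiosk
    posture_ok: bool  # endpoint health check result
    what: str         # service being requested
    when: datetime


# Ordered rules: (name, predicate over the context, services offered when it matches).
# First match wins; if nothing matches the access is denied (default deny).
RULES = [
    ("employee-managed-device",
     lambda c: c.role == "employee" and c.how == "managed-laptop" and c.posture_ok,
     {"http-intranet", "cifs-fileshare", "erp"}),
    ("employee-unmanaged-or-unhealthy",
     lambda c: c.role == "employee",
     {"http-intranet"}),
    ("contractor-on-site",
     lambda c: c.role == "contractor" and c.where in {"headquarters", "branch"} and c.posture_ok,
     {"http-intranet"}),
    ("visitor",
     lambda c: c.role == "visitor" and c.where == "public",
     {"internet-only"}),
]


def decide(ctx: AccessContext) -> dict:
    """Return the decision with an audit record: who, what, when, why (the rule
    that fired), where and how."""
    for name, predicate, offered in RULES:
        if predicate(ctx):
            return _audit(ctx, rule=name, offered=offered)
    return _audit(ctx, rule="default-deny", offered=set())


def _audit(ctx: AccessContext, rule: str, offered: set) -> dict:
    return {
        "who": ctx.who, "what": ctx.what, "when": ctx.when.isoformat(),
        "where": ctx.where, "how": ctx.how, "why": rule,
        "offered_services": sorted(offered),
        "decision": "allow" if ctx.what in offered else "deny",
    }


# Constructed access attempts.
NOW = datetime(2008, 2, 1, 9, 0, tzinfo=timezone.utc)
SAMPLES = [
    AccessContext("alice", "employee", "headquarters", "managed-laptop", True, "cifs-fileshare", NOW),
    AccessContext("alice", "employee", "remote", "byod", False, "cifs-fileshare", NOW),
    AccessContext("alice", "employee", "remote", "byod", False, "http-intranet", NOW),
    AccessContext("bob", "contractor", "public", "managed-laptop", True, "http-intranet", NOW),
    AccessContext("carol", "visitor", "public", "kiosk", False, "http-intranet", NOW),
    AccessContext("mallory", "unknown", "public", "kiosk", False, "erp", NOW),
]


def run() -> list:
    """Decide every sample and return the audit records."""
    return [decide(ctx) for ctx in SAMPLES]


if __name__ == "__main__":
    for rec in run():
        print("%-5s %-8s %-15s via %-14s from %-12s rule=%s offered=%s"
              % (rec["decision"], rec["who"], rec["what"], rec["how"],
                 rec["where"], rec["why"], rec["offered_services"]))
```

The same identity (alice) gets the file share from a healthy managed laptop and only the intranet web front end from an unmanaged device, which is the “optimized service based on context” point; the contractor in a public location and the unknown role both fall through to the default-deny rule, and the audit record says which rule produced each answer.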

Page 23: Application Delivery Security

Layered view, from the user (customer, employee, partner) to corporate applications & data:
– Network perimeter security (firewall, virus scan, IDS, etc.)
– User/transaction validity: AAA for registration and access control to specific applications
– Applications & data access authorization: application firewall to protect the portal’s web apps
– Secure, high performance platform: application delivery controllers to secure application transport and delivery

Threats noted on the diagram: an invalid transaction from a valid system; an unauthorized user from a valid terminal.

Page 24: Intelligent Application Controllers are the Next Generation Firewalls

OSI layer          | What the layer does                                                  | Security concerns at this layer
7 Application      | Type of communication: e-mail, file transfer, client/server          | XSS, SQL injection, data leaks, spam, user sessions, cookies, HTML…
6 Presentation     | Encryption, data conversion: ASCII to EBCDIC, BCD to binary, etc.    | SSL, SSH, XML encryption, images
5 Session          | Starts and stops sessions; maintains order                           | Sockets, RPC, NetBIOS auth, PPTP
4 Transport        | Ensures delivery of the entire file or message                       | Port filters, SYN/ACK attacks, port scans, MitM
3 Network          | Routes data to different LANs and WANs based on network address      | IP fragmentation, spoofing, Smurf, ping of death, IPsec, TTL
2 Data Link (MAC)  | Transmits packets from node to node based on station address         | VLANs, ARP poisoning
1 Physical         | Electrical signals and cabling                                       | Management interface segmentation

Page 25: Bill Beverley - Security Technology Sales Manager

Email: [email protected]

Tel: +44 (0)1932 582 000

Mob: +44 (0)7974 678 664