main

Application DeliveryData CenterWeb Application Firewall

How Application Delivery and Security Work Hand-in-Hand

March 29, 2013 — by Nir Ilani1

At first glance, application delivery and security might seem unrelated because they appear to solve and address different challenges from different domains. But a closer look actually reveals that they are entwined. In this post I’ll break down the ways in which application delivery and security work hand-in-hand.

To begin, let’s look at this from a customer viewpoint. The customer’s objective, regardless of the industry, and type of application they’re running, is to ensure that application SLA is constantly met and that the quality of experience (QoE) is satisfactory. Otherwise, they risk declining revenues and customer “churn” – end results that no one wants. As a result, it’s obvious that application delivery capabilities are needed in order to perform traffic reduction and health monitoring as well as maintain consistency and application acceleration. Otherwise, a specific server might get over-loaded and traffic sent to a non-available server, which may cause the entire application to crash. In addition, employing an application delivery solution will allow the customer to successfully handle seasonal traffic spikes.

Now, what happens if the application is under attack? Will the traffic redirection still work properly? Will checking the health of the servers be enough? Will persistently sending the user session to specific servers work? Not necessarily. In fact, failing to properly handle security attacks expeditiously might prove fatal when it comes to maintaining high QoE and SLA. It’s very important to detect application-level or network-level security threats BEFORE applying application delivery techniques. Otherwise, there are a number of odd scenarios that might take place. For example, attack packets may spread evenly throughout all servers, causing each and every server to become overloaded. In addition, today it’s commonplace to see more and more application-level threats and multi-vector attacks that are not fully mitigated by network security solutions. Mitigating these threats requires an application delivery controller (ADC) as well as additional security solutions, such as WAF and the Web Services Firewall/Gateway.

Because application delivery and security work hand-in-hand, today’s ADCs offer a set of comprehensive features that help address availability and security challenges, including SYS cookie protection, DoS protection, hardware DoS mitigation engine, behavioral DoS protection and more.

There is, however, more to security and application delivery than the ADC itself. Below is a list of best practices for deploying application delivery and security solutions in tandem:

  1. Place a dedicated DDoS mitigation device before the ADC and core switching – so that high-volume attacks can be stopped before getting to the ADC and from there to the server farms.
  2. Use behavioral DoS mitigation capabilities to generate signatures in real-time – in order to detect anomalies and defend from emerging threats such as low-and-slow attacks.
  3. Deploy a “clean pipe” service in the cloud – that can protect the Internet pipe of the organization from volumetric attacks that threaten to block it.
  4. Deploy a Web Application Firewall (WAF) adjacent to the ADC – to protect from Web application level threats and enable compliance.
  5. Deploy Web Services Firewall/Gateway – to protect from XML and Web Service specific threats that cannot be detected and blocked by a standard WAF. This mainly applies to organizations using service oriented architecture (SOA) concepts.
  6. Review and align your organizational security policies – to ensure the right authorization level for each user type – employee, partner, customers, etc.

As you can see, while application delivery and security may be two separate entities, a closer look reveals the ways in which they truly work hand-in-hand.

Nir Ilani

Nir Ilani owns the global product strategy and practices of Radware’s Cloud Security services including Cloud DDoS Protection, Cloud WAF and Cloud Acceleration. He has over two decades of diverse engineering and product management experience including managing the design, development and release of industry-leading, high-scale solutions. Nir is an expert in Cloud Computing, Cyber Security, Big Data and Networking technologies, and a frequent speaker in technology events. Nir holds a Bachelor in Computer Science and Business Administration as well as MBA, both from Tel-Aviv University. Nir writes about trends, technological evolution and economic impact related to Cloud, Security and everything in between.

One comment

  • Susan Bilder

    April 25, 2013 at 5:44 pm

    Nearly everything in the network is intertwined somehow. If there is a security threat it will affect how the applications work with one another and will affect the end user experience.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *