At first glance, application delivery and security might seem unrelated because they appear to solve and address different challenges from different domains. But a closer look actually reveals that they are entwined. In this post I’ll break down the ways in which application delivery and security work hand-in-hand.
To begin, let’s look at this from a customer viewpoint. The customer’s objective, regardless of the industry, and type of application they’re running, is to ensure that application SLA is constantly met and that the quality of experience (QoE) is satisfactory. Otherwise, they risk declining revenues and customer “churn” – end results that no one wants. As a result, it’s obvious that application delivery capabilities are needed in order to perform traffic reduction and health monitoring as well as maintain consistency and application acceleration. Otherwise, a specific server might get over-loaded and traffic sent to a non-available server, which may cause the entire application to crash. In addition, employing an application delivery solution will allow the customer to successfully handle seasonal traffic spikes.
Now, what happens if the application is under attack? Will the traffic redirection still work properly? Will checking the health of the servers be enough? Will persistently sending the user session to specific servers work? Not necessarily. In fact, failing to properly handle security attacks expeditiously might prove fatal when it comes to maintaining high QoE and SLA. It’s very important to detect application-level or network-level security threats BEFORE applying application delivery techniques. Otherwise, there are a number of odd scenarios that might take place. For example, attack packets may spread evenly throughout all servers, causing each and every server to become overloaded. In addition, today it’s commonplace to see more and more application-level threats and multi-vector attacks that are not fully mitigated by network security solutions. Mitigating these threats requires an application delivery controller (ADC) as well as additional security solutions, such as WAF and the Web Services Firewall/Gateway.
Because application delivery and security work hand-in-hand, today’s ADCs offer a set of comprehensive features that help address availability and security challenges, including SYS cookie protection, DoS protection, hardware DoS mitigation engine, behavioral DoS protection and more.
There is, however, more to security and application delivery than the ADC itself. Below is a list of best practices for deploying application delivery and security solutions in tandem:
- Place a dedicated DDoS mitigation device before the ADC and core switching – so that high-volume attacks can be stopped before getting to the ADC and from there to the server farms.
- Use behavioral DoS mitigation capabilities to generate signatures in real-time – in order to detect anomalies and defend from emerging threats such as low-and-slow attacks.
- Deploy a “clean pipe” service in the cloud – that can protect the Internet pipe of the organization from volumetric attacks that threaten to block it.
- Deploy a Web Application Firewall (WAF) adjacent to the ADC – to protect from Web application level threats and enable compliance.
- Deploy Web Services Firewall/Gateway – to protect from XML and Web Service specific threats that cannot be detected and blocked by a standard WAF. This mainly applies to organizations using service oriented architecture (SOA) concepts.
- Review and align your organizational security policies – to ensure the right authorization level for each user type – employee, partner, customers, etc.
As you can see, while application delivery and security may be two separate entities, a closer look reveals the ways in which they truly work hand-in-hand.