You never know what you are going to get when you take something from a box of chocolates. I can guarantee you that sometimes you will get one that you like, and other times, well, you know. When I was younger, my mom used to pick up a chocolate and poke through the bottom of it to see what was inside. If she didn’t like it, she would put it back in the box for someone else (read: the kids) to eat.
Managing security on the network is very similar. There are many different types of attacks and it is important to have security solutions that can manage as many as possible. Some of the attacks are easy to identify and mitigate, while others are less appetizing to deal with. Different attack types need to be detected and mitigated. Like my mom, some attacks are better suited to be identified in one location and mitigated (eaten) in another.
Chocolate covered peanuts
Some attacks are easy to identify. These are usually network-based attacks that are designed to DoS and DDoS your network and applications. Advanced and behavior-based detector/mitigators can identify and drop these security threats quickly and efficiently. These solutions can create negative and positive policies based on various identifiable packet and session characteristics such as IP address (source/destination), TCP/UDP port, IP protocol, TTL, and TCP flags. All of this can be done without resorting to looking into the payload and content of the traffic.
Caramel chew or coconut cream?
Today, attacks are encrypted more often than not. The encryption is like a chocolate shell that hides the actual content of the item. Only when exposed can we determine the actual threat vector. This means that it is not a simple matter of looking at the shape or size of the traffic to determine if it is malicious. Someone or something needs to poke through the chocolate shell, so to speak, or decrypt the content to be able to analyze its purpose.
Mom for the network
Application delivery controllers (ADC) are like my mom. They are designed to do high performance decryption and re-encryption. When this function is combined with a content inspection engine like a web application firewall (WAF), then the application content of all traffic can be inspected. If the traffic is benign, the ADC can pass the traffic to the application server.
The ADC is actually better than my mom. Instead of putting the malicious traffic back on the network, the security solution and ADC can block the security threat. Unfortunately, this is resource-intensive and if there is a persistent attack, this can consume valuable application inspection resources. I can imagine my mom knowing what chocolates nobody liked and knowing that they should be thrown away.
Secret codes in the swirls
Did you know that with a little research, one does not need to poke into every chocolate to know what kind it is? Each type of chocolate has a specific swirl pattern on top of it. It is no longer necessary to poke into every single chocolate to identify it. The inspection can be done on one chocolate and one only needs to correlate the swirl pattern on the top to be able to pick out all chocolates like it.
If the ADC and security solution that is doing the application content inspection can create a fingerprint based on the unencrypted aspects of the traffic, then this information can be shared with other security solutions such as the DDoS mitigation solution at the edge of the network. This is called defense messaging. The DDoS mitigation solution can apply this shared fingerprint to its security policies and block all future versions of the same threat. This frees up the ADC resources to continue to inspect the application content for other threats.
In today’s world, managing security threats requires multiple technologies and the detection and mitigation of the threats should be two independent functions linked through defense messaging.