
Security Threats Are Like a Box of Chocolates

September 14, 2016 — by Frank Yue

You never know what you are going to get when you take something from a box of chocolates. I can guarantee you that sometimes you will get one that you like, and other times, well, you know. When I was younger, my mom used to pick up a chocolate and poke through the bottom of it to see what was inside. If she didn’t like it, she would put it back in the box for someone else (read: the kids) to eat.

Managing security on the network is very similar. There are many different types of attacks and it is important to have security solutions that can manage as many as possible. Some of the attacks are easy to identify and mitigate, while others are less appetizing to deal with. Different attack types need to be detected and mitigated. Like my mom, some attacks are better suited to be identified in one location and mitigated (eaten) in another.


Chocolate covered peanuts

Some attacks are easy to identify. These are usually network-based attacks designed to DoS and DDoS your network and applications. Advanced, behavior-based detection and mitigation systems can identify and drop these security threats quickly and efficiently. These solutions can create negative and positive policies based on various identifiable packet and session characteristics such as IP address (source/destination), TCP/UDP port, IP protocol, TTL, and TCP flags. All of this can be done without looking into the payload and content of the traffic.

Caramel chew or coconut cream?

Application layer attacks are harder to detect and mitigate. They require in-depth content inspection to identify. SQL injection, cross-site scripting (XSS), and JavaScript vulnerabilities are just a few examples.

Today, attacks are encrypted more often than not. The encryption is like a chocolate shell that hides the actual content of the item. Only when exposed can we determine the actual threat vector. This means that it is not a simple matter of looking at the shape or size of the traffic to determine if it is malicious. Someone or something needs to poke through the chocolate shell, so to speak, or decrypt the content to be able to analyze its purpose.

Mom for the network

Application delivery controllers (ADCs) are like my mom. They are designed to do high-performance decryption and re-encryption. When this function is combined with a content inspection engine like a web application firewall (WAF), the application content of all traffic can be inspected. If the traffic is benign, the ADC can pass it on to the application server.


The ADC is actually better than my mom. Instead of putting the malicious traffic back on the network, the security solution and ADC can block the security threat. Unfortunately, this is resource-intensive and if there is a persistent attack, this can consume valuable application inspection resources. I can imagine my mom knowing what chocolates nobody liked and knowing that they should be thrown away.

Secret codes in the swirls

Did you know that with a little research, one does not need to poke into every chocolate to know what kind it is? Each type of chocolate has a specific swirl pattern on top of it. It is no longer necessary to poke into every single chocolate to identify it. The inspection can be done on one chocolate and one only needs to correlate the swirl pattern on the top to be able to pick out all chocolates like it.


If the ADC and security solution that is doing the application content inspection can create a fingerprint based on the unencrypted aspects of the traffic, then this information can be shared with other security solutions such as the DDoS mitigation solution at the edge of the network. This is called defense messaging. The DDoS mitigation solution can apply this shared fingerprint to its security policies and block all future versions of the same threat. This frees up the ADC resources to continue to inspect the application content for other threats.
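The following is an added example, not code from the original post or from any Radware product: a toy "defense messaging" loop in which a content-inspecting WAF flags a decrypted request, builds a fingerprint from the unencrypted L3/L4 attributes listed earlier (source IP, destination port, TTL, TCP flags), and hands it to an edge mitigator that then drops matching sessions without decrypting anything. The `Session`, `EdgeMitigator`, `FINGERPRINT_FIELDS` names and the SQL-injection pattern are hypothetical, and all sessions are constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical, deliberately narrow detector for the decrypted payload
# (tautology and UNION-based SQL injection shapes only).
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?\d*'?\s*=\s*'?\d*)")

# Unencrypted attributes an edge device can see without decryption.
FINGERPRINT_FIELDS = ("src_ip", "dst_port", "ttl", "tcp_flags")

@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_port: int
    ttl: int
    tcp_flags: str
    payload: str  # plaintext as seen by the WAF after the ADC decrypts it

def fingerprint(session):
    """Project a session onto its shareable, unencrypted attributes."""
    return tuple(getattr(session, f) for f in FINGERPRINT_FIELDS)

def waf_inspect(session):
    """Return a fingerprint if the decrypted content is malicious, else None."""
    return fingerprint(session) if SQLI_PATTERN.search(session.payload) else None

class EdgeMitigator:
    """Edge DDoS device: sees headers only and applies shared fingerprints."""
    def __init__(self):
        self.blocklist = set()
    def learn(self, fp):            # "defense message" received from the WAF
        self.blocklist.add(fp)
    def allow(self, session):
        return fingerprint(session) not in self.blocklist

def run_pipeline(sessions):
    """Return (blocked_at_edge, inspected_by_waf) for a stream of sessions."""
    edge, blocked, inspected = EdgeMitigator(), 0, 0
    for s in sessions:
        if not edge.allow(s):       # cheap header match, no decryption
            blocked += 1
            continue
        inspected += 1              # expensive decrypt-and-inspect path
        fp = waf_inspect(s)
        if fp:
            edge.learn(fp)          # push the fingerprint to the edge
    return blocked, inspected

# Constructed sample traffic (documentation-range addresses).
SAMPLE_SESSIONS = [
    Session("203.0.113.7", 443, 64, "PA", "GET /items?id=1"),
    Session("203.0.113.7", 443, 64, "PA", "GET /items?id=1' OR '1'='1"),
    Session("203.0.113.7", 443, 64, "PA", "GET /items?id=2 UNION SELECT 1,2"),
    Session("203.0.113.7", 443, 64, "PA", "GET /items?id=3"),
    Session("198.51.100.9", 443, 128, "PA", "GET /items?id=3"),
]
```

Running `run_pipeline(SAMPLE_SESSIONS)` yields `(2, 3)`: once the second request is flagged, the third and fourth sessions are dropped at the edge and never consume WAF resources. Note that the fourth session is benign, which is the trade-off of a header-only fingerprint: it matches on the source, not on the payload, so its scope and lifetime need to be chosen with care.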

In today’s world, managing security threats requires multiple technologies and the detection and mitigation of the threats should be two independent functions linked through defense messaging.


Read “Keep It Simple; Make It Scalable: 6 Characteristics of the Futureproof Load Balancer” to learn more.


Frank Yue

Frank Yue is Director of Solution Marketing, Application Delivery for Radware. In this role, he is responsible for evangelizing Radware technologies and products before they come to market. He also writes blogs, produces white papers, and speaks at conferences and events related to application networking technologies. Mr. Yue has over 20 years of experience building large-scale networks and working with high performance application technologies including deep packet inspection, network security, and application delivery. Prior to joining Radware, Mr. Yue was at F5 Networks, covering their global service provider messaging. He has a degree in Biology from the University of Pennsylvania.

2 comments

  • Online Privacy Protection

    September 19, 2016 at 2:51 pm

    Hi Frank,

    Awesome job comparing security attacks to a box of chocolates. Unfortunately, you really don’t ever know what you’re gonna get. I really like the part you wrote about the swirl patterns. I never realized attacks (or the chocolates!) could be that easily identifiable.

    Thanks,
    Dennis


    • Frank Yue

      September 20, 2016 at 4:39 pm

      Thanks for the positive comments Dennis! The key is to correlate the identifiable information to the stealthier aspects of the attacks. Encryption, cadence, encoding, and other tricks are used by hackers to obfuscate the threats, but ultimately, a signature can be identified and created to detect similar future attacks. In the real world, this is not unlike fingerprint and facial recognition databases that can be used to identify known threats.
