
APPLICATION SECURITY STRATEGIES

New exploits demand multi-layer threat protection


Amir Peles
07.13.2006

A new generation of exploits threatens every element of a solid application service. Application software modules, network infrastructure components, server hardware and operating systems (OS) components are all vulnerable. When designing your security agenda, each component layer requires special attention and best-of-breed protection.

In the past, application architecture planning consisted of two parallel analyses. One analysis involved the application software architecture that allows the implementation of the complete business and service logic, while a second analysis focused on the infrastructure architecture including the hardware platform and the OS that could provide the best level of efficiency for running applications.

As deployed applications evolved from serving a limited number of local users to potentially serving an unlimited number of clients from distributed or remote locations, special attention was paid to the network infrastructure associated with the application set. This ushered in a wave of new technologies that allow optimized application access such as server load balancing, network bandwidth management, data compression, etc.

It's important to recognize that this shift has significant implications for your security planning. If you're in charge of protecting your company's application service, you should consider whether you've done your best to protect the application, its underlying infrastructure, and the network resources that allow your users to use the application. Here's why.

The network layer
Let's backtrack through the layers, starting with the first line under attack behind the conventional firewall – the network. The attacks on the network side are challenging today because network exploits are often so well-disguised that they appear to be normal application traffic. The multiple threat techniques can be grouped as follows: security evasion techniques (IP / TCP fragmented evasion, encrypted evasion, illegal packet evasion); resource consumption attacks (SYN flooding, FIN flooding, reset flooding, connection flooding, UDP flooding); network flooding (worm propagation, ARP flooding, ICMP flooding); and exploitation of network infrastructure vulnerabilities. The big challenge in protecting applications from these attacks is the ability to distinguish valid traffic from malicious traffic. Newer technologies have been designed to help the statistical analysis of traffic patterns in order to detect and mitigate these attacks with minimal disruption of legitimate traffic. But only a handful of vendors can provide such state-of-the-art network behavioral IPS solutions.
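To make the idea of statistical traffic analysis concrete, here is an added example (not from the original article or any vendor product) that separates a SYN flood from a legitimate traffic surge. The window format, thresholds and function names are assumptions chosen for illustration, and the counts are constructed sample data.

```python
from statistics import median

# Constructed sample: (window index, SYNs seen, handshakes completed)
# for consecutive 10-second windows on one listening port.
SAMPLE_WINDOWS = [
    (0, 120, 115), (1, 130, 126), (2, 110, 104), (3, 125, 121),
    (4, 140, 133), (5, 118, 113), (6, 135, 129), (7, 122, 117),
    (8, 2400, 131),   # flood: SYN count jumps, completions do not
    (9, 2600, 90),    # flood continues, legitimate completions start to suffer
    (10, 128, 122),
]

def robust_z(value, history):
    """Modified z-score built on median and MAD, so a few extreme
    windows in the history cannot inflate the notion of 'normal'."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return 0.6745 * (value - med) / mad

def detect_syn_anomalies(windows, warmup=6, z_limit=6.0, min_incomplete=0.5):
    """Flag windows whose SYN rate is a statistical outlier AND whose
    handshakes mostly never complete. A volume spike alone is not enough:
    a flash crowd of real clients finishes its handshakes.
    Flagged windows are kept out of the baseline so an attack cannot
    teach the detector that flood levels are normal."""
    baseline, flagged = [], []
    for idx, syns, completed in windows:
        incomplete = 1 - completed / syns if syns else 0.0
        if len(baseline) >= warmup:
            z = robust_z(syns, baseline)
            if z > z_limit and incomplete >= min_incomplete:
                flagged.append((idx, round(z, 1), round(incomplete, 2)))
                continue
        baseline.append(syns)
    return flagged

if __name__ == "__main__":
    for idx, z, incomplete in detect_syn_anomalies(SAMPLE_WINDOWS):
        print(f"window {idx}: z={z}, incomplete handshakes={incomplete:.0%}")
```

Requiring both signals is what limits disruption of legitimate traffic: the same SYN volume with completed handshakes passes unflagged.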

The hardware and OS layer
At the hardware and OS infrastructure layer, threats tend to be less sophisticated but can be equally pernicious. Multiple tools already exist on the network that can be used to target known OS vulnerabilities and application infrastructure vulnerabilities – damaging your applications without the need to research your specific application logic. Examples of such attacks include engine exploits, OS and application viruses, and spyware. Protection tools for these attacks are commonly available from antivirus and network or host-based intrusion prevention vendors. These tools are typically supported with a protection update service that offers close to real-time protection from the constant barrage of newly developed attack tools.

The application layer
In the remaining layer, application threats consist of a range of attacks. Included on this list are: application-specific manipulation (SQL injection, cross-site scripting, cookie poisoning, command injection); application engine attacks (buffer overflow, parameter tampering, malicious encoding, scanning); authentication mechanism manipulation (brute force login, session hijacking, phishing); and more. These attacks aim to create a denial of service for your application or disclose sensitive information through data or identity theft. There is never a complete guarantee of protection against these attacks because the tools currently available for automatic protection are limited, require a long learning period and are fairly costly in terms of the ongoing administrative investment required to continually tune the tools.


For all the reasons enumerated above, it is important that your applications enjoy equal protection across all layers. Application threats are the most damaging, but require some hacking experience. While OS attacks are simpler to perform, mature methods of protection are usually already in place to thwart them. Network attacks pose a high risk because of their potential to create a denial of application service. Overlook implementing proper protection in the network layer, and the rest of your security protection investments may be rendered useless.

There is no single vendor that provides unified protection from this wide range of attacks. While there is market demand for a Unified Threat Management (UTM) device that addresses all layers, these tools have yet to emerge commercially. If you target 100% protection of your application service, choose wisely from the best-of-breed solutions for each category. In the end, it's not just about smart application networking, it's about smart business.

-----------------------------------
About the author: Amir Peles is chief technical officer at Radware.
