How often do you get a call in the middle of the night or during the weekend from someone complaining about an enterprise application being down? Surely, the frequency of these calls will only increase if application infrastructure is not better protected.
Organizations are continually increasing the amount of applications on their networks. With connectivity via the Web, users' access to an organization's network is easier than ever before. Employees are accessing e-mail in offices worldwide and from home, sales teams are checking for sales opportunities through CRM systems, manufacturing is working to supply demands via the ERP system, customers are accessing organization Web sites for information, and management teams are accessing all systems for operation reports to ensure organizations are standing to its targets.
Unfortunately, the increased usage of these myriad applications exposes organization networks to a range of security attacks. Attacks come in many forms, including "flooding" in high throughputs, which are generated automatically by Internet accessible BOT devices. "Floods" immediately consume all application resources to cause Denial of Service of the applications; the attack uses legitimate application requests to disguise its identity.
Also, hackers are more dangerous than ever. Application intrusion, viruses, phishing, spyware, commercial espionage, leakage of confidential information and worms can risk the service of an application or result in horrific business consequences. No wonder you find it hard to sleep well at night.
Application protection tools found lacking
Luckily, modern research and development have introduced a variety of protection mechanisms and state-of-the-art technologies that serve to protect networks against security threats. Some of the well-known ones are firewalls, IDS, IPS and antivirus products. Many organizations use a variety of such tools, which can be host-based to protect the end points or network-based to protect both network resources and applications through central management and control. All such tools perform two basic types of protection -- "signature-based-analysis" for detection of application-level intrusions and illegal traffic or "rate-based-analysis" for detection of abnormal application floods using legitimate application requests.
As mature as technology is, it leaves a lot of improvement to hope for. The use of most tools is accompanied by ongoing operational and administration hassles such as installation, observation, fine-tuning and configuration, so that it fits perfectly with the different behavior of each application. As a result, not only are protection tools time-consuming, but also, if application configuration is not done promptly or accurately they could deliver false positives. Without accurate detection, application activity may be flagged as rogue when in reality it is merely a spike in legitimate traffic. This may result in the loss of transactions and cause destructive consequences for any organization. Such obstacles emphasize the need for protection mechanisms with the ability to perform behavioral application analysis.
What else can you use?
Behavioral-based protection technology uses multiple engines that continuously inspect application usage patterns. The primary engine is a "learning engine" that follows application transactions and builds an understanding of the application activity, making it possible to identify between the distribution of user data and application data. That learning period considers both the amount of appearances and frequency of appearances of application events.
A second engine runs parallel to inspect basic parameters of actual application traffic and validate its legitimacy compared to the accepted learned behavior model. Once traffic is identified as unfamiliar, the engine triggers a suspicious behavior and activates deeper inspection level. At this level, a "statistical engine" operates a combination of "fuzzy logic determination" and "spectrum distribution analysis" for all application-level parameters. This evaluation resolves whether the suspicious behavior is a result of a legitimate burst of application traffic or a result of a malicious application abuse. If the latter is true, the "decision engine" further identifies the characteristics of the malicious traffic.
With traffic characteristics identified, a "blocking engine" will then inspect all incoming application traffic and selectively block the malicious traffic, allowing undisrupted service for legitimate users.
As all the engines and related procedures are automated, the behavioral-based protection is extremely efficient and requires minimal administration. It blocks all kinds of SYN flooding, UDP flooding, RST flooding, and other such network-based floods. It identifies and blocks application-level floods on DNS servers, Web servers, mail servers and most network protocol-based applications.
Behavioral-based protection technology is designed to automatically learn the correct behavioral parameters of any application. This capability saves time and ensures that applications are protected in an optimized manner from all possible security threats. This technology is right here at your door to make you job easier. Sleep easy…
About the author: Amir Peles is vice president and chief technology officer of Radware, an application delivery solution provider focused on delivering full availability, maximum performance and complete security of all business critical networked applications.
This was first published in April 2006