Engineers from La Salle-URL share the latest news and projects in the field of network solutions in telematic engineering.

16 April 2019 | Posted by bernat.rovirosa

Application security in new DC

In this post, we summarize the most important concepts from the talk we had last Tuesday (April 9th, 2019), where Miguel Garcia, Major Account Manager at F5 Networks, explained how to secure and protect an application, the most important asset for a company (Facebook, Starbucks, Uber...).

To take care of the application, Miguel presented different problems and threats that an organization must consider, and how to deal with them:

  • Datacenter (clients)
    • Load balancing
    • Traffic optimization: to reduce the number of requests to the server
    • SSL Offload
    • DNS services: to prevent bots from increasing the response time
  • Business continuity (clients)
    • GSLB: Global Server Load Balancing
    • DNS security
  • Access Control (remote workers)
    • SSL VPN
    • Pre-authentication
    • Multifactor auth (MFA): using a mobile phone to authenticate
    • Single sign-on (SSO): if a worker needs different applications (like Office 365), with SSO they only need to identify themselves once
    • End Point Inspection
  • Firewall (attacker)
    • ACLs/Rules
    • IP Intelligence: list of IP addresses that are tagged as dangerous
    • DDoS Mitigation: using a scrubbing center
    • CGNAT: used by operators with a lot of networks

Despite all these functionalities and "protections", if the security of the application itself is weak (it is not protected against SQL Injection or Cross-site Scripting), none of what is listed above will help. That's why another level of protection is needed:

  • Web Application Firewall (or WAF): hides information that mustn't be shown to clients (it protects against SQL Injection for example).
    • Application Security
    • L7 Firewalling
    • Bot Protection

This technology must take developers into account, so that it accepts new functionalities.

Finally, the last problem that an organization must consider is attacks on customers and credential theft. This threat can be avoided with the last level of protection:
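The point made above, that network-level controls do not help when the application itself is weak, shown as an added example (not code from the talk or from F5). The blocklist, the addresses, the table and all function names are constructed for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample data: a stand-in "IP intelligence" list and a user table.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def network_layer_allows(src_ip):
    """Firewall-style check: it sees the source address, not the payload."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in BLOCKED_NETS)

def lookup_weak(db, name):
    """Weak application code: user input is concatenated into the SQL text."""
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_hardened(db, name):
    """Hardened code: input is bound as a parameter, never parsed as SQL."""
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

def handle(db, src_ip, name, lookup):
    """Request path: network check first, then the application lookup."""
    if not network_layer_allows(src_ip):
        return None  # dropped before reaching the application
    return lookup(db, name)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed textbook injection string
    src = "198.51.100.7"      # not on the blocklist, so the firewall passes it
    print("weak:", handle(db, src, crafted, lookup_weak))
    print("hardened:", handle(db, src, crafted, lookup_hardened))
    print("blocked ip:", handle(db, "203.0.113.9", "alice", lookup_hardened))
```

The same request from an allowed address returns every row through the weak lookup and nothing through the parameterized one, which is the gap a WAF is placed in front of the application to cover.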

  • Web Fraud Protection
    • Advanced Phishing Detection
    • Application Layer Encryption: to avoid man-in-the-browser attacks
    • Malware Detection
    • Transaction Anomaly Detection: hiding important data that must not be shown (like DNI, Social Security numbers...)

An ADC is a device that can perform some of these functionalities, like load balancing, proxy, and WAF. The ADC is an aid: it helps firewalls by decrypting the data. This way, the firewall can be smaller and its processing power can be reduced.

Miguel also explained what their role in security is, differentiating three contexts:

  • User context: we can know the web browser, the operating system, the IP address... allowing us to filter the requests.
  • Traffic context: we can avoid bots, unauthorized access, SQL Injection...
  • App context: we can detect and diagnose the source of requests, allowing us to analyze them and learn what characteristics the requests with slower response times have.

Finally, Miguel also showed us some websites that, given an email address, show whether its password has been leaked:
