Application Security and Application Networks
Would your organization benefit from application security and the Application Network?
Consider your answer to the following hypothetical question from a line of business or the CIO:
“Our business demands that we use [insert any application here]; can we allow our [remote or internal] users access to it?”
“No, those users aren’t trusted.” “No, traffic is not encrypted.” “No, we can’t extend a VPN because of security.” “No, we don’t want to put that database server in the DMZ.” “No, we can’t route the traffic because of NAT and private IP addresses.” “No, we’d have to open non-standard ports and we can’t do that.” “No, that application is not webified.” “No, our firewall can’t handle dynamic port requests.” “No, we don’t allow any direct touch between networks.” “No…”
If any of these answers sound familiar, then application security and the Application Network can help.
The Access and Security Trade-Off
Today, extending access to applications to the users who need them is no longer a "nice to have" but a key determinant of who wins and who loses. Legacy applications and databases contain invaluable customer information and are a great resource for partners and other trusted third parties; email and other messaging applications are indispensable for near-instantaneous communication; and 'emerging' applications such as audio and video conferencing are now the critical enabler of 'real-time business', producing large gains in both productivity and profitability. IP networks, private and public, wired and wireless, make these applications reachable by any user from any corner of the globe. Why, then, are CIOs constantly refereeing a tug-of-war between the lines of business, who want to realize the value of their applications by extending them to the users who need them, and the network administrators, who want to insulate their network from attack by limiting access for untrusted third parties ever more tightly?
What is driving this zero-sum game, in which any access gained by the business results in a corresponding decrease in network security? The answer lies in the use of network security to deploy applications. That is, network security, which by design disrupts and limits connectivity between networks, is also being used to enable connectivity. These products, while critical for protecting the physical network, were not designed to protect and extend applications, so using them to deploy applications inevitably produces the access and security trade-off.
The solution, however, is not to increase the IT budget to buy more point solutions, or to deploy an army of network administrators to provide the oxymoronic 'brute force flexibility', but to deploy a new conceptual network called the Application Network. The Application Network is a logical network that overlays the physical IP network and leverages its communications infrastructure without undermining its physical security. The Application Network also underlies the applications that need the physical network for connectivity, providing robust and extensible application-layer security. When deployed, the Application Network allows enterprises to use the applications their businesses require and to securely extend them to the users who need them, while taking advantage of, not compromising, the network security infrastructure.
A Little History
Thirty years have passed since the U.S. Defense Advanced Research Projects Agency (DARPA) began the project to find a way of linking many disparate packet networks so that they could communicate with one another. The initiative was called the Internetworking project, and the resulting mesh of linked packet networks the Internet. The Internet at that time was an aggregation of packet networks funded and hosted by government and educational institutions throughout the United States. Enabling this inter-communication was the Internet Protocol (IP), which defines how data packets are routed across the constituent networks. Until the 1980s the Internet was a collection of public networks that allowed primarily academic and government users to communicate freely and openly; applications built on the TCP/IP protocol suite could be extended to any user with a routable IP address, which every host on the early Internet had. Soon, and by design, the Internet and its obvious business benefits attracted the attention of commercial enterprises and foreign governments, which adopted IP and connected their local networks to this public communications infrastructure. Now users were diverse, unknown and not necessarily trusted, while the information reachable was no longer academic but sensitive business and government intelligence. Network security was born.
The Purpose of Network Security
Necessity certainly bred invention with the advent of network security. At a very high level, organizations needed to protect their physical networks from this 'untrusted' Internet and were eager to find solutions that gave them limited access to the public networks while insulating their own networks from attack and information theft. Answering this demand, firewalls were developed to protect the physical network. Firewalls, often combined with Network Address Translation (NAT) so that internal hosts use private, non-routable addresses hidden from the outside, limit network access by deliberately breaking the end-to-end model of IP routing: outside hosts can no longer address every inside host, and the inside addresses are no longer known outside. From the outset, the purpose of basic network security was to protect the physical network from attack by limiting connectivity between the two networks.
Emergence of the Security and Access Trade-Off
The unfortunate downside of physical security that limits connectivity for untrusted users is that it also limits connectivity for trusted users. To provide access for trusted users, network administrators were forced to start 'fixing' the networking rules broken by the physical security, one user and one access requirement at a time. Opening holes in the perimeter security to allow ingress and egress, however, is exactly that: opening holes. Network administrators quickly realized that the amount of access granted to users was inversely proportional to the security of their network. A seemingly zero-sum game, this trade-off between network security and application access is now a common dilemma within organizations large and small, domestic and international.
Limitations of Network Security for Enabling Application Access
As described above, network security was developed to protect the physical network and, as with network-layer Virtual Private Network (VPN) solutions, to extend the network. Protecting the network means deciding which packets may enter the protected network and which may not. Extending the network means deciding which remote devices or networks may join the protected network and which may not. Applications, which use the network as a communications infrastructure, require far more granular control than network security can provide. For example, while literally thousands of applications use the UDP protocol, most network security simply blocks UDP as a whole at the network border; it cannot tell one UDP application from another. By operating at the network layer, network security has four major limitations when used as the sole enabler of secure application access:
Limited Application Connectivity
The use of network security severely limits connectivity for trusted applications while it prevents unwanted access. This connectivity is limited primarily by firewalls, and further complicated by their use of NAT and non-routable private IP addresses. Firewalls are also often configured to block DNS traffic, which creates additional problems when application traffic has to be routed by name. These techniques, while critical for protecting the network, undermine an enterprise's ability to use the applications its business requires.
Limited Application Support
By limiting the ability of applications to connect, network security also limits the number and types of applications that can be securely enabled. Each application that the network administrator chooses to support requires new policies to define and manage, each of which further exposes the network. Consequently, supported applications are kept to a minimum. Network security addresses this with application proxies and VPNs. Application proxies, however, each support a single application, and many of them, while functional, are unacceptably slow. VPNs are an alternative for fully trusted users, but the number of users who qualify to become a network node is small in relation to the total number of users requiring access. Even with a patchwork of point solutions and voluminous firewall access rules, enterprise network security has very limited application support.
Limited Application Security
Network security, by definition, provides network-layer security, which is often insufficient for deploying mission-critical applications. Network security protects network devices. It authenticates and authorizes the device, which means that once a device is admitted to the network, any user or application on it can use that connection to reach the network - a huge security risk. Network security can also provide network-layer encryption, which is often not flexible enough to adapt to varying application-specific encryption requirements. Finally, network security can provide very little security within an application through protocol filtering, since only standard applications such as telnet and FTP are supported.
Limited Application Traffic Management
Enabling and managing reliable application traffic is challenging for network security. Network security products divide physically connected networks into many logically disconnected networks. They force all network traffic through a single access point (i.e., the network perimeter or DMZ). When the perimeter is compromised or suffers a physical failure, no application is accessible, including those allowed to cross the perimeter. In most network architectures, redirecting applications to a different perimeter is a labor-intensive task. Managing reliable access is also difficult once routing rules have been broken: since network security is based on the isolation principle, routing rules must be set manually, and any change or update is time-consuming and error-prone.
The Challenge
When network security is used to deploy applications, the network security itself presents the biggest obstacle to unfettered access to applications. Network security is critical. Firewalls are critical. NAT is critical. Private IP addresses are critical. How, then, can applications be securely extended without compromising network security? How can applications be securely extended to users independently of the network-layer infrastructure and its security? How can applications be securely extended to users who sit on another private network behind a third party's network security and infrastructure? In short, can organizations separate protecting and securely extending the physical network from protecting and securely extending applications?
Introducing Application Security
As described above, network security is designed to protect and extend the network. It operates on addresses, protocols and ports, that is, at layers two through four of the OSI model, and is therefore not ideal for protecting and extending applications that operate at higher layers.
Application security is the solution for securing applications and extending applications. As in any layered security model, application security complements, and operates independently of, the underlying security layers. Application security is an enabling technology that allows applications to be securely extended, much as network security allows networks to be securely extended to remote users or branch offices. Since applications are required everywhere, application security should not be constrained by physical network security, but neither should it compromise it. Application security offers a more logical, virtual network, called the Application Network, that allows applications to be securely extended to any user anywhere in the world.
Defining the Application Network
The Application Network delivers the capabilities that allow organizations to benefit both from unfettered access to the applications their businesses need and from enhanced application and network security. No longer required to trade the productivity benefits of, for example, deploying real-time business applications against the security risks of implementing and managing complex policies or point solutions, enterprises can simply deploy the applications their businesses and the marketplace demand. The Application Network is not a physical network but a conceptual one, implemented to overcome the limitations of deploying applications using network security. Complementary to the physical IP network, the Application Network uses the underlying IP network to enable connectivity between trusted users and applications irrespective of their location and network security infrastructure. Working with network security, the Application Network enhances overall protection by securing the physical and logical network devices. It also provides security services to the individual users of those devices, such as laptops and application servers. Finally, it provides security services to the individual applications that run on the network devices.
When deployed, the Application Network represents a logical network that is layered over the physical networks while also serving as a logical network layered under the applications that require the physical network for communications and connectivity. The Application Network has the following four characteristics:
Physical Network Independent
The Application Network is independent of the underlying IP configuration and can be deployed over any physical network, such as wired links, wireless links, LAN, WAN, low-bandwidth dial-up links, and high-latency satellite links. The Application Network is highly dependable through its ability to self-heal when it experiences failures of its own components or of the underlying physical network.
Network Security Independent
The Application Network is enabled without compromising the security policies implemented by network security technologies such as firewalls. The Application Network can be deployed over any network, including public networks, private networks, networks protected by firewalls and NAT devices, networks linked by VPNs, networks using the existing address scheme (IPv4) and networks using the new address scheme (IPv6).
Application Independent
The Application Network supports any application that uses the physical network, including web applications, non-web applications, legacy applications, emerging applications, client-server applications, peer-to-peer applications, query-reply applications, interactive and collaborative applications, simple content applications, content-rich applications, time-insensitive applications, and real-time applications. In addition to supporting all of today's applications, the Application Network is flexible and future-proof enough to support tomorrow's applications irrespective of protocol or design.
Security Technology Neutral
The Application Network is flexible to provide security services required by different policies, authentication schemes, authorization engines, encryption algorithms, and auditing tools. The Application Network is also capable of seamlessly integrating new security technologies without disrupting the existing security services.
Deploying the Application Network
As described above, the Application Network is enabled by application security software. The Application Network, like any network, consists of three basic building blocks: application gateways, network access agents, and network management tools. The Application Network's gateways and agents are not unlike the hardware and software components used to build the physical network. Gateways in the IP network are the components (e.g., switches and routers) that connect one network to another, such as an internal network to the public Internet. Application Network agents enable client access, and they too have physical-network counterparts, such as the modems or PC cards used to connect to the physical network.
Application Gateways
Application gateways are responsible for providing four key services:
Application connectivity over any physical or logical network
That is, the gateway should act as an intermediary to enable any user on any network to connect to any application on the same or different network
Proxy service for all applications
No packets for any application from one network should directly touch the other network; every packet should be regenerated for every application to eliminate IP layer attacks
AAA and application data protection services to any application that utilizes the gateway
The gateway ensures that each user is authenticated, all access is authorized, and all information is logged; data integrity is provided through data encryption
Application filtering for applications utilizing the gateway
The gateway should provide administrators with granular control not only of which applications can be accessed, but of what individual users can do within an application.
Application Network Agents
Application network access agents - either in the form of desktop agents or downloaded through a browser - perform the following two key services:
Identify and associate in real time users and applications on the network devices
Agents request access to a specific application on behalf of the user
Discover the application gateways and route applications through the right gateways
Once access is requested, the agent must route the request to the gateway that has access to the requested application
Application Network Management Tools
Application network management tools perform the following three key services:
Centrally manage application gateways, including application networking and application security policies
Monitor, alert and collect information about gateway operations and error conditions
Manage policies used by agents and integration with third party AAA services
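The gateway services listed above (a proxy that regenerates every packet rather than forwarding the client's bytes, AAA with logging of every decision, and per-user filtering of what a user may do inside an application) are the part of the Application Network that a network-layer firewall cannot provide, because, as the limitations section notes, a firewall authorizes a device and a port, not a user and a verb. The following is an added example written for this page, not code from the original white paper or from any vendor product: a toy application gateway that authenticates a user, checks a group-based policy for the requested application, then parses, validates, audits and re-serializes each command line before it would be sent on. The user directory, the group names, the verb sets in POLICY and the numeric replies are all constructed assumptions for the example.

```python
"""Toy application-gateway policy engine (added example, not a product)."""
import hmac
import re
from dataclasses import dataclass, field

# Constructed user directory; a real gateway would query RADIUS, LDAP or
# another AAA service. Plaintext passwords are for the demo only.
USERS = {
    "alice": {"password": "alice-pw", "groups": {"employees"}},
    "bob":   {"password": "bob-pw",   "groups": {"contractors"}},
}

# Assumed policy: (group, application) -> verbs the group may issue once
# connected. "*" means every verb. Contractors get read-only FTP.
POLICY = {
    ("employees",   "ftp"):    {"USER", "PASS", "PWD", "CWD", "LIST",
                                "RETR", "STOR", "DELE", "QUIT"},
    ("contractors", "ftp"):    {"USER", "PASS", "PWD", "CWD", "LIST",
                                "RETR", "QUIT"},
    ("employees",   "telnet"): {"*"},
}

# One verb plus an optional printable-ASCII argument; control characters
# (including an embedded CR/LF that would smuggle a second command) fail.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: ([\x20-\x7e]{1,256}))?\Z")


@dataclass
class AuditRecord:
    user: str
    app: str
    verb: str
    decision: str  # "allow", "deny" (policy) or "reject" (malformed)


@dataclass
class Session:
    user: str
    app: str
    groups: set


@dataclass
class ApplicationGateway:
    audit: list = field(default_factory=list)

    def authenticate(self, user, password):
        """Return the user's groups, or None. Unknown users are compared
        against a dummy secret so the timing does not reveal whether the
        account exists."""
        entry = USERS.get(user)
        expected = entry["password"] if entry else "x" * 16
        ok = hmac.compare_digest(expected.encode(), password.encode())
        return set(entry["groups"]) if (ok and entry) else None

    def open_session(self, user, password, app):
        """AAA at connect time: authenticate, then authorize the application."""
        groups = self.authenticate(user, password)
        if groups is None:
            self.audit.append(AuditRecord(user, app, "LOGIN", "deny"))
            return None
        if not any((g, app) in POLICY for g in groups):
            self.audit.append(AuditRecord(user, app, "CONNECT", "deny"))
            return None
        self.audit.append(AuditRecord(user, app, "CONNECT", "allow"))
        return Session(user, app, groups)

    def allowed(self, session, verb):
        for g in session.groups:
            verbs = POLICY.get((g, session.app), set())
            if "*" in verbs or verb in verbs:
                return True
        return False

    def relay(self, session, raw):
        """Filter one client line. Returns (to_server, to_client): the
        regenerated command to forward (or None) and the reply the gateway
        itself sends back (or None). The client's bytes are never forwarded
        as received; only a parsed, validated copy is re-serialized."""
        try:
            text = raw.decode("ascii").rstrip("\r\n")
        except UnicodeDecodeError:
            self.audit.append(AuditRecord(session.user, session.app, "?", "reject"))
            return None, b"500 Malformed command\r\n"
        m = CMD_RE.match(text)
        if m is None:
            self.audit.append(AuditRecord(session.user, session.app, "?", "reject"))
            return None, b"500 Malformed command\r\n"
        verb, arg = m.group(1).upper(), m.group(2)
        if not self.allowed(session, verb):
            self.audit.append(AuditRecord(session.user, session.app, verb, "deny"))
            return None, b"550 Command not permitted by gateway policy\r\n"
        self.audit.append(AuditRecord(session.user, session.app, verb, "allow"))
        regenerated = verb + (" " + arg if arg else "") + "\r\n"
        return regenerated.encode("ascii"), None


def demo():
    """Run a constructed session and return the audit decisions in order."""
    gw = ApplicationGateway()
    gw.open_session("alice", "wrong-pw", "ftp")          # LOGIN deny
    s = gw.open_session("bob", "bob-pw", "ftp")          # CONNECT allow
    gw.relay(s, b"retr report.txt\r\n")                  # RETR allow (normalized)
    gw.relay(s, b"DELE report.txt\r\n")                  # DELE deny: read-only
    gw.relay(s, b"RETR a\r\nDELE b\r\n")                 # reject: smuggled line
    gw.open_session("bob", "bob-pw", "telnet")           # CONNECT deny
    return [(r.user, r.verb, r.decision) for r in gw.audit]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The point of `relay` returning a freshly built byte string is the proxy property from the list above: nothing the client sent crosses to the server side, so an oversized argument, a non-ASCII byte or a CRLF-spliced second command is dropped at the gateway rather than interpreted by the application. The audit list is the "all information is logged" service; note that it records verbs and decisions but never the argument, so a PASS line never leaves the password in the log.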
Benefiting from the Application Network
The Application Network provides enterprises with the ability to deploy the applications they want to the users who need them. A seemingly straightforward and simple proposition, the Application Network delivers three key benefits:
Reduce Risk of Attack
The Application Network mitigates the risk of both internal and external attacks by authenticating and authorizing all application access per user, logging all activity, and encrypting all traffic with SSL. Because it operates above the IP layer and terminates every connection at the gateway, malformed or spoofed packets from the untrusted side never reach the application servers; IP-layer attacks such as denial of service are absorbed at the gateway rather than striking the applications behind it.
Maximize Application ROI
The Application Network allows enterprises to get the most value and utility from their enterprise applications. Applications are often unavailable to certain users or from certain locations because of security concerns, which significantly limits the value that can be derived from them. Additionally, firms can use the applications they want, not only those their network security happens to support. For example, why don't users use NetMeeting, which is bundled with most Microsoft desktops? With the Application Network, they can.
Minimize Application Security TCO
The Application Network is application independent and has extensible security for both today's and tomorrow's applications and protocols, such as SIP, VoIP, and SOAP. The Application Network provides a single solution enabling secure access to any application, which over time is significantly less expensive than a patchwork of standalone network security products. Most companies don't realize it, but they struggle with elements of the Application Network every day. Issues ranging from securing dynamic ports at the firewall to enabling users to access applications from a Wi-Fi wireless zone all indicate the need for the Application Network. All of these elements share the common thread of allowing users to access the applications they need from and across any trusted or untrusted network. To understand your business's Application Network needs, think about your secure access requirements along three dimensions:
Users - who are the users that require access?
Examples include:
- Remote employees
- Remote vendors and managed service providers
- Internal contractors
Access - where are the users and where are the applications or data sources?
Examples include:
- External users trying to access to internal servers
- Internal users trying to access external servers
- Internal users trying to access internal servers
Applications - what are the applications the users need access to?
Examples include:
- FTP and telnet
- Collaborative applications, such as NetMeeting
- Instant Messaging
Taken together, the three dimensions describe concrete access requirements. Examples include:
- CPE technicians need secure remote access for telnet
- Internal employees need secure WLAN access for email and enterprise applications
- Internal employees need secure access to externally-generated data feeds
- And many more…
Any combination of users, access, and applications is an element of the Application Network that solves today's and tomorrow's business problems. No longer must network administrators finesse network security to allow access to the applications the business requires. They can keep their airtight network security in place while allowing users access to the applications they need.
Source: planetindia.net
Posted by Cyber Crime BOSS