​How firewall load-balancing optimises security functions in the DMZ

Author: Greg Barnes, ANZ Managing Director, A10 Networks

In protecting critical applications, IT professionals need to tread a fine line between enforcing application security against increasingly sophisticated cyber attacks while providing sufficient access for legitimate end users.

If security is too tight, the application may become unusable for the end user; if security is too light, then an organisation can be compromised, bringing revenue loss and brand damage. So as networks grow, security infrastructure needs to scale with it. As network capacity increases, organisations must consider transitioning to higher performance security devices, which can be costly and complex.

But securing content with encrypted communications, such as HTTPS, SSH, creates a heavy load on firewalls and other DMZ security devices, since they must implement resource-intensive encryption and decryption functions in order to inspect encrypted traffic. Organisations that do not decrypt and inspect traffic to unknown public sites create a blind spot that is open for exploitation by data extrusion and malware, including advanced persistent threats (APTs).

Emerging volumetric DDoS attacks

The rise in distributed denial of service (DDoS) attacks that hit websites and key network infrastructure gives cause for concern. These attacks flood publicly available infrastructure with high volume network attacks and harder to detect application attacks, leaving application servers unavailable for legitimate use.

This problem is compounded when these attacks cripple network infrastructure and applications that serve both external and internal users. While unavailable resources primarily threaten customer satisfaction, impact brand image and create revenue loss, DDoS attacks are also used to distract IT staff while other malicious activity occurs, for example theft from bank accounts.

When conventional network security services configurations are used, expensive equipment must be overprovisioned to handle all loads at all times, regardless of what type of service each individual flow actually requires. As budget and resources are not infinite, an optimised and more flexible approach to applying service chaining dynamically, only when needed, would be optimal.

Optimising DMZ security infrastructure

Advanced application delivery controllers (ADCs) can improve the security posture, the uptime and the capacity of DMZ security infrastructure. As networks grow in complexity and size, ADCs can help scale security devices and unburden firewalls from decrypting SSL and TLS traffic

Read more: Realtime firewall-endpoint links focus, accelerate IT-security response: Sophos exec

Firewall load-balancing (FWLB) in an ADC will enable simplified high availability (HA) and maximise the performance of existing network firewalls. The firewalls support HA typically in an active/passive configuration, which can be costly to upgrade if additional performance is needed.

FWLB scales DMZ security equipment by adding additional firewalls as needed, avoiding the need to rip-and-replace existing devices, while offloading resource-intensive functions from performance constrained security devices, such as SSL offload, DDoS mitigation, and IP address white and blacklists. FWLB enables easy firewall maintenance, minimising network interruption by load-balancing the traffic among the available firewalls, ensuring resilient, adaptable firewall operations.

TLS/SSL encryption, used for HTTPS, is the most common secure network communication method for sensitive Internet data from internal servers to users outside an organisation’s firewalls. The SSL handshake and bulk encryption operations are CPU-intensive tasks, affecting the performance of firewalls, intrusion prevention systems (IPS) and other DMZ security devices that must process application content in clear text.

Acting as a reverse proxy, the SSL offload feature enables advanced ADCs to offload SSL transactions from these security appliances, freeing compute resources to focus on their more value-added analytics and security functions. SSL offload optimises DMZ security infrastructure and ensures that it can scale with increased encrypted traffic loads.

Select ADCs can also operate as a forward proxy or an explicit proxy toeliminate blind spots in corporate defences by decrypting internally generated user traffic headed to the Internet through the DMZ. In this type of deployment, the ADC decrypts and inspects traffic before forwarding it to DMZ security devices, such as firewalls, intrusion prevention systems (IPS) and data loss prevention (DLP) platforms, to enforce security policies on outbound traffic.

The data is then encrypted again and sent to its final external destination. The ADC platform’s dedicated SSL security processors offload CPU-intensive SSL encryption functions to allow security devices to be utilised for core inspection and mitigation functionality.

Emerging DDoS attacks

As DDoS attacks escalate in size, frequency and bandwidth volume, they leverage large distributed networks of botnets that use legitimate protocols to overwhelm network and server resources, circumventing conventional signature-based security devices.

Read more: Let’s Encrypt certificates are free under public beta

Since DDoS attacks often leverage volumes measured at many gigabits per second, they can overwhelm the relatively low performance of most security devices. As a result, newer and higher performing DDoS detection and mitigation solutions are needed in the DMZ.

Advanced ADC platforms include DDoS mitigation to further protect and offload DMZ security appliances from the load of these volumetric attacks. ADCs provide DDoS security features that protect against multi-vector attacks, including both network-layer and application-layer attacks such as slow HT TP attacks (like Slowloris), high volume TCP SYN floods and anomalous protocol usage.

IT professionals should apply dynamic security service chains selectively to ensure that each application or user group receives appropriate security policies, while offloading DMZ security infrastructure from processing all packets inline.

Traffic steering and service chaining technology enables redirection of flows based on specific attributes, which may be protocol or content-based. Select ADC appliances can redirect traffic types based on their “fingerprints” to the appropriate service for optimisation or security processing.

This improves network efficiency as service chaining policies ensure that only traffic that requires processing by each specific security device is sent to that device, which scales and optimises investment in those resource constrained security devices. By integrating with DLP and traffic management solutions using Internet Content Adaption Protocol (ICAP), ADCs can extend visibility to every element of organisations’ security infrastructure while improving application performance.

Security professionals need to evaluate their options carefully if they wish to scale the efficiency and improve the security posture of their DMZ security infrastructure. During their evaluation, they may discover that their load balancers and ADCs provide the features they need to counter security threats such as high-volume DDoS attacks and SSL blind spots.



Read more: How responsible are employees for data breaches and how do you stop them?

Blast from the past?

Try our new Space Invaders inspired video game NOW.

What score can you get ?

Tags IT professionalsmalwarecyber attackssecurity infrastructureDDoS attacksHTTPSdata loss prevention (DLP)SSHdecryptapplication delivery controllers (ADCs)security functionsDMZ

Show Comments