Protecting SMBs from attack in real time

Small-to-medium sized businesses (SMBs) increasingly rely on web-based applications and web-enabled services to run their businesses. These applications range from customer relationship management (CRM) to e-commerce transactions and other web-enabled applications, and they are accessed both locally and remotely from outside the business facilities, whether by branch offices, remote workers or suppliers. Often, however, web-based applications are vulnerable to viruses, intrusions and denial of service (DoS) attacks, because traffic enters the network through various ports and firewalls without being inspected first.

According to a study by Verizon Business earlier this year, 79 percent of attacks are from sources external to an organization. Moreover, most data breaches result from a series of distinct, yet related, events. In the same survey, attacks on applications, software, and services were by far the most common, representing 39 percent of all hacking activity leading to data compromise.

The need for application-based security protection
SMBs are particularly vulnerable to security threats. Many risk major losses of intellectual property, user productivity and revenue, which can quickly cripple a company's staffing and monetary resources.

SMBs need to be consistently vigilant about the threat of attacks for three primary reasons:

  • Web-based applications are vulnerable to attacks. Viruses and intrusions may hit a company as traffic comes into the network through various ports and firewalls without being inspected. 
  • Explosive growth of attacks. The number and seriousness of application vulnerabilities are growing at a dramatic rate, while the cost of these attacks is soaring. 
  • Current security tools cannot block all attacks. Firewalls, IDS and anti-virus gateways may not have the processing capacity, performance and the application-level security intelligence to guard against application-level attacks, leaving organizations vulnerable.

One solution is the addition of an application delivery controller (ADC) alongside servers in order to add a layer of protection. An ADC provides security protection for internet, intranet, and extranet environments and blocks the most common attacks before they reach servers. It protects servers and applications that have no controlled access -- including protection from hackers and denial of service attacks. Controlled access is a means of restricting access based on factors other than identity, such as location. For web servers with controlled access, the ADC limits access specifically to authorized users.

An ADC is able to perform the following functions:

  • Blacklisting. Access is allowed to all operations but those designated on a “black list” (Access Control List).
  • IP address filtering. Prevents the processing of IP packets originating from addresses to which the receiving interface has no route.
  • Firewall filtering. Determines which packets may pass through the firewall based on source and destination and other information contained in the packet header.
  • SYN flood protection. A SYN-flood attack is a DoS attack in which the initiator sends a huge number of “please-start-a-connection” packets and then nothing else.
  • Ping of Death protection. This is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer.
  • ICMP flood protection. Also known as a ping flood, this is the overloading of an internet connection with an amount of data exceeding the connection's capacity.
  • UDP flood protection. The sending of UDP packets with the intention of slowing down the system until it can no longer handle valid connections.
  • SSH/SSL brute force attack protection. This covers attacks on SSH and Secure Sockets Layer (SSL) services based on continuous, repeated attempts.

SSL offload/acceleration, IPS and DoS
Originally, ADCs provided content switching and load balancing, but newer versions add functionality such as SSL acceleration, which offloads the compute-intensive SSL processing from the servers and lowers the management effort and costs associated with the servers' SSL certificates.

SSL, which relies on public key cryptography, is the de facto standard for securing transmission control protocol/internet protocol (TCP/IP) traffic regardless of the network topology. SSL is a negotiated protocol that begins with a handshake, during which certificates are exchanged and inspected until they are verified. Only those end-points that hold the decryption key are able to read the message accurately, which assures authenticity. SSL provides site authentication, data confidentiality and message integrity: it confirms the identity of the site accessed, prevents eavesdropping and ensures that the message has not been altered in transit. Enabling SSL turns an http:// site into an https:// site that can support secure transactions, and SSL can authenticate both the server's and the client's identities. Port 443 is the port associated with SSL and HTTPS.

Unfortunately, SSL tunnels also represent a security risk: virus scanning and content filtering cannot be applied to encrypted content, and SSL certificates may have expired. Some companies choose to limit SSL to a certain set of websites, and others use URL filtering to restrict access to HTTPS pages. Again, an ADC can help with these problems.

Intrusion Prevention Systems
It is not enough to detect attacks; it is also necessary to prevent them. An IPS acts to prohibit access before a suspicious item has time to do damage. An IPS is installed in-line, inspecting all traffic before forwarding it on to the network. If it detects malicious activity, it terminates the session. By default, intrusion prevention is enabled and protects all application delivery services. Intrusion prevention systems protect applications from the following common threats:

  • Virus propagation—complete protection of the server.
  • Buffer overflows—when data transferred to one buffer exceeds the storage capacity of the buffer, some of the data overflows into another buffer, which can corrupt data already contained in the second buffer.
  • Protocol-specific attacks—a protocol anomaly that does not adhere to the protocol's standards. For example, there are attacks that target the SMTP, DNS and LDAP protocols, against which the ADC can protect.
  • Application-specific attacks—certain applications are particularly vulnerable to external attacks. These applications include IIS, WebSphere, ColdFusion, Exchange and many others.
  • Operating system-specific attacks—attacks against Microsoft and UNIX systems. An ADC offers specific detection capabilities that identify malicious activity against these operating systems.

The third type of attack is the DoS/DDoS. In a denial of service (DoS) attack, e-mail might become unavailable, there may be a temporary loss of all network connectivity and services, or the datacenter may be forced to temporarily shut down operations. DoS attacks can also wipe out a computer system's software programs and files. A DDoS (distributed DoS) attack is a coordinated effort from multiple sources that spoof legitimate traffic and prevent acceptable use of sites and applications.

There are several types of DoS attack, each intended to keep users from accessing needed applications. One is the Layer-4 SYN attack. In a SYN attack a flood of SYN packets is sent, and the SYN-ACKs (acknowledgements) returned by the server are ignored. This leaves the server on standby, waiting for ACKs that never arrive. Because web and application servers are limited in the number of concurrent open TCP connections, a flood of SYN packets can prevent legitimate requests from being answered by the server. A Layer-7 attack is more difficult to detect than a SYN attack: it consists of a series of requests from multiple clients, all seeking large numbers of objects at the same time.
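As an added illustration of the two DoS patterns just described (not code from the article or any ADC vendor), the following checks flag sources that hold many half-open TCP connections and clients that request many objects in a short window. The connection snapshot and access-log lines are constructed samples, and the thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed netstat-style snapshot: proto recv-q send-q local remote state
CONN_SNAPSHOT = """\
tcp 0 0 10.0.0.5:443 203.0.113.7:51001 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.7:51002 SYN_RECV
tcp 0 0 10.0.0.5:443 203.0.113.7:51003 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.9:40000 ESTABLISHED
tcp 0 0 10.0.0.5:443 198.51.100.9:40001 SYN_RECV
"""

def half_open_by_source(snapshot):
    """Count half-open (SYN_RECV) entries per remote IP; each one is a connection the server keeps waiting for an ACK."""
    counts = Counter()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[5] == "SYN_RECV":
            counts[fields[4].rsplit(":", 1)[0]] += 1
    return counts

def syn_flood_sources(snapshot, threshold=2):
    """Remote IPs holding more than `threshold` half-open connections
    (the threshold is an illustrative assumption, not a vendor default)."""
    return sorted(ip for ip, n in half_open_by_source(snapshot).items() if n > threshold)

# Constructed access log: ISO timestamp, client IP, method, path
ACCESS_LOG = """\
2024-01-01T10:00:00 203.0.113.7 GET /img/1.png
2024-01-01T10:00:00 203.0.113.7 GET /img/2.png
2024-01-01T10:00:01 203.0.113.7 GET /img/3.png
2024-01-01T10:00:01 203.0.113.7 GET /img/4.png
2024-01-01T10:00:03 198.51.100.9 GET /index.html
"""

def layer7_burst_clients(log, window_s=2, max_requests=3):
    """Clients that issue more than `max_requests` inside any `window_s`-second
    window; each request is valid on its own, so only the rate reveals them."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, client, _method, _path = line.split()
        times[client].append(datetime.fromisoformat(ts).timestamp())
    flagged = []
    for client, stamps in sorted(times.items()):
        stamps.sort()
        # max_requests+1 consecutive requests inside window_s means the rate was exceeded
        if any(stamps[i] - stamps[i - max_requests] <= window_s
               for i in range(max_requests, len(stamps))):
            flagged.append(client)
    return flagged
```

Production systems would feed these functions from the kernel connection table and the web server's live access log rather than from embedded samples.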

An ADC or intelligent load balancer is able to protect against Layer-4 and Layer-7 DoS attacks, including ping of death, ICMP floods and UDP floods. It isolates security events so that uptime continues even while under attack, and unaffected traffic is allowed through without degraded performance.

Small-to-medium sized businesses face unprecedented numbers of network security attacks from internal personnel and external hackers. Security tools such as firewalls, IDS, VPNs, anti-spam and anti-virus gateways may not provide the processing capacity, performance and application-level security intelligence necessary to protect against the increasing number of application-level attacks. SMBs are continuously exposed to security hazards that threaten their intellectual property, revenue and productivity.

Intelligent network devices such as ADCs and Server Load Balancers can be positioned strategically within the network to provide application-level security, enhance performance, ensure site reliability and provide flexible scalability.