The breakdown in network security design
The critical flaw in today's typical network design is simple: most networks aren't designed with security in mind beyond the initial implementation of point products — an approach that does not adequately address the effects of security on application performance and availability. The primary contributing factors to this situation are:
• The lack of extensibility and flexibility of information security solutions;
• The complexity of modern business systems and their interaction;
• The tendency for security decisions to be developed in a vacuum of “pure security,” without the complete system being considered.
Unfortunately, when it comes to security, few solution providers address the problem in a holistic fashion.
A comprehensive approach to network security
A unified access and application delivery methodology (UAADM) focuses not only on the network, but how the network connects users and applications, the context with which that access is requested and granted, and the security profiles that accompany the context and resources being accessed.
The UAADM breaks the process into three distinct parts:
Access Contexts are the access devices and the users themselves, as well as context-based information that accompanies access requests between the device and the resource. Access contexts result from a combination of three characteristics that create a clear picture of the access request:
Users — When it comes to access control, it is mandatory to be able to classify and restrict certain access attempts based on user authentication. It is true that not all resources require specific credentials, but many will.
Origination — In many situations, it is also important to restrict the device that has access to the network based on information such as the locality and the type. It may be necessary to prevent certain systems within the network from accessing certain information due to physical location, access media, or operating system. Knowing whether the system is attached to the local LAN versus the WLAN or even the WAN is a critical component of the context.
Integrity state — It is becoming increasingly necessary to classify access attempts based on the ability to verify the integrity of the machine itself at the time of access. This involves being able to ascertain whether the system has anti-virus software running (and whether it is up-to-date), whether the system has personal firewalls, anti-spyware, and anti-malware, and whether the operating system is up-to-date.
The context of an application request gives you the intelligence to apply appropriate security measures and to account for application delivery. Security and application delivery are inseparable—but you need the intelligence to gather the information and the control to act on it.
Access contexts, by themselves, are not “valid” or “invalid”; they are simply an ephemeral state that the controller uses to arbitrate access requests. Whether the context is valid or not relies entirely upon whether any resources are available given the context of the request.
Resources and Resource Networks include collections of individual resources that are defined for access, and the requirements necessary to access them. Resources are obviously a critical component of an access control and application delivery solution — in fact, they are the only static, completely definable quantity in the equation. Without application services to be accessed, there isn't any need for access control or application delivery. Once resources are defined, the attributes that define them determine the potentially valid access contexts that may access them. This is the domain of the Unified Controller.
Unified Access and Application Delivery Controller (UAADC), also called the Unified Controller (UC), is the central device that examines the access context, compares it to the available resources, and defines how these may be accessed.
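The arbitration described above, as an added example that is not part of the original article: a small Python model of the three parts, where access contexts (user, origination, integrity state) are compared against a resource network by a minimal controller that reports, per resource, why a context fails to qualify. The resource names, the origination values ("lan", "wlan", "wan") and the requirement fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccessContext:
    """Ephemeral state accompanying one access request: the user, where the
    request originates, and the integrity state of the requesting machine."""
    user: Optional[str]      # None means no credentials were presented
    origination: str         # constructed values: "lan", "wlan" or "wan"
    av_running: bool
    av_current: bool
    os_current: bool

@dataclass(frozen=True)
class Resource:
    """A static, completely definable resource and the requirements to reach it."""
    name: str
    requires_auth: bool
    allowed_origins: frozenset
    requires_current_av: bool
    requires_current_os: bool

    def denial_reasons(self, ctx: AccessContext) -> list:
        """Compare one context with this resource's requirements; an empty
        list means the context is valid for this resource."""
        reasons = []
        if self.requires_auth and ctx.user is None:
            reasons.append("authentication required")
        if ctx.origination not in self.allowed_origins:
            reasons.append(f"origination '{ctx.origination}' not permitted")
        if self.requires_current_av and not (ctx.av_running and ctx.av_current):
            reasons.append("anti-virus not running or out of date")
        if self.requires_current_os and not ctx.os_current:
            reasons.append("operating system out of date")
        return reasons

# Constructed sample resource network (hypothetical, not from the article).
RESOURCES = (
    Resource("public-portal", False, frozenset({"lan", "wlan", "wan"}), False, False),
    Resource("intranet-wiki", True, frozenset({"lan", "wlan"}), False, False),
    Resource("finance-app", True, frozenset({"lan"}), True, True),
)

def arbitrate(ctx: AccessContext, resources=RESOURCES) -> dict:
    """Unified Controller decision: each resource name mapped to its denial
    reasons. Empty list = accessible; all non-empty = nothing available."""
    return {r.name: r.denial_reasons(ctx) for r in resources}
def accessible(ctx: AccessContext, resources=RESOURCES) -> list:
    """Names of the resources this context may access, in definition order."""
    return [n for n, reasons in arbitrate(ctx, resources).items() if not reasons]
```

The per-resource reason lists are what an audit trail of the controller's decisions would record; a context with an empty `accessible()` result is one for which no resource is available, not one that is "invalid" in itself.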
To understand the benefits of a UAADM, it is helpful to take a deeper look at the UAADC, which represents the brains behind the overall system.
The power of intelligence in action
The UAADC is a single boundary between the consumers of application services and the devices that provide those services. While this concept is consistent with legacy ideals such as the network firewall, the difference is the intelligence used to determine which services are accessible to which users. The controller knows both the context of the request and the specific set of application services to be delivered, so it can reason about the transactions being performed and whether they are valid.
The controller's access control mechanism applies application delivery and service-specific security services through three basic processes: Policy Management Point, Policy Enforcement Point, and Mediation Services. The UAADC monitors the traffic content and changes in the context of the access request.
By using “pluggable” mitigation services, the controller can easily adapt to new threats and new mitigation technology without having to redesign the entire network or put another appliance in the path of traffic. Organizations can: quickly react to unforeseen risks without hindering user experience; integrate new functionality into the existing process, drastically reducing the complexity of the environment and creating a single, enterprise-wide policy; and gain unprecedented capability to analyze, define, manage, and audit their security posture.
While changing the methodology used to secure the enterprise won't necessarily fix the problem identified earlier with traditional security approaches — exhaustive risk identification — UAADM does mitigate the impact of this problem by addressing the remaining issues: lack of extensibility, design complexity, and disparate network and security designs.
The current shortcomings in information security need to be addressed, and a unified access methodology provides the solution. Network and security design will eventually evolve into a unified design, and the vendor who can provide the most services in the most unified manner—and address the most issues—will be the winner.
- KJ (Ken) Salchow, Jr. is Technical Marketing Manager for Application Delivery at F5 Networks.