How firewall load-balancing optimises security functions in the DMZ

Author: Greg Barnes, ANZ Managing Director, A10 Networks

In protecting critical applications, IT professionals need to tread a fine line between enforcing application security against increasingly sophisticated cyber attacks while providing sufficient access for legitimate end users.

If security is too tight, the application may become unusable for the end user; if security is too light, then an organisation can be compromised, bringing revenue loss and brand damage. So as networks grow, security infrastructure needs to scale with it. As network capacity increases, organisations must consider transitioning to higher performance security devices, which can be costly and complex.

But securing content with encrypted communications, such as HTTPS and SSH, creates a heavy load on firewalls and other DMZ security devices, since they must implement resource-intensive encryption and decryption functions in order to inspect encrypted traffic. Organisations that do not decrypt and inspect traffic to unknown public sites create a blind spot that is open for exploitation by data extrusion and malware, including advanced persistent threats (APTs).

Emerging volumetric DDoS attacks

The rise in distributed denial of service (DDoS) attacks that hit websites and key network infrastructure gives cause for concern. These attacks flood publicly available infrastructure with high-volume network attacks and harder-to-detect application attacks, leaving application servers unavailable for legitimate use.

This problem is compounded when these attacks cripple network infrastructure and applications that serve both external and internal users. While unavailable resources primarily threaten customer satisfaction, impact brand image and create revenue loss, DDoS attacks are also used to distract IT staff while other malicious activity occurs, for example theft from bank accounts.

When conventional network security service configurations are used, expensive equipment must be overprovisioned to handle all loads at all times, regardless of what type of service each individual flow actually requires. As budget and resources are not infinite, a more flexible approach that applies service chaining dynamically, only when needed, is preferable.

Optimising DMZ security infrastructure

Advanced application delivery controllers (ADCs) can improve the security posture, the uptime and the capacity of DMZ security infrastructure. As networks grow in complexity and size, ADCs can help scale security devices and unburden firewalls from decrypting SSL and TLS traffic.


Firewall load-balancing (FWLB) in an ADC enables simplified high availability (HA) and maximises the performance of existing network firewalls. Firewalls typically support HA in an active/passive configuration, which can be costly to upgrade if additional performance is needed.

FWLB scales DMZ security equipment by adding firewalls as needed, avoiding the need to rip and replace existing devices, while offloading resource-intensive functions such as SSL offload, DDoS mitigation and IP address whitelists and blacklists from performance-constrained security devices. FWLB also eases firewall maintenance: by load-balancing traffic among the firewalls that remain available, it minimises network interruption and ensures resilient, adaptable firewall operations.
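As an added illustration (not code from the article or from A10 Networks), here is a minimal firewall load-balancer in Python that keeps both directions of a flow on the same stateful firewall and lets one firewall be drained for maintenance without dropping in-flight sessions; the firewall names and sample addresses are constructed.

```python
"""Firewall load-balancing (FWLB) sketch: symmetric flow pinning plus drain.

Hypothetical, constructed example. A stateful firewall must see both the
request and the reply of a connection, so the balancer hashes a direction-
independent flow key; a flow table keeps existing sessions where they are
while a member is drained for maintenance.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class FirewallPool:
    members: list                                  # e.g. ["fw1", "fw2", "fw3"]
    draining: set = field(default_factory=set)     # members taken out for maintenance
    pinned: dict = field(default_factory=dict)     # flow key -> member (flow table)

    def active(self):
        """Members eligible for *new* flows."""
        return [m for m in self.members if m not in self.draining]

    @staticmethod
    def flow_key(src, dst, sport, dport, proto):
        # Sort the endpoints so client->server and server->client hash alike.
        a, b = sorted([(src, sport), (dst, dport)])
        return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}"

    def select(self, src, dst, sport, dport, proto="tcp"):
        """Return the firewall that must carry this packet's flow."""
        key = self.flow_key(src, dst, sport, dport, proto)
        if key in self.pinned:            # existing flow: stay put, even if draining
            return self.pinned[key]
        pool = self.active()
        if not pool:
            raise RuntimeError("no firewall available for new flows")
        # Deterministic hash spreads new flows across the active members.
        h = int(hashlib.sha256(key.encode()).hexdigest(), 16)
        member = pool[h % len(pool)]
        self.pinned[key] = member
        return member

    def drain(self, member):
        """Stop sending new flows to `member`; pinned flows finish naturally."""
        self.draining.add(member)

    def flow_done(self, src, dst, sport, dport, proto="tcp"):
        """Release the flow-table entry once the session has closed."""
        self.pinned.pop(self.flow_key(src, dst, sport, dport, proto), None)
```

In a real deployment the flow table would also expire idle entries and the drain would complete once no pinned flows remain on the member.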

TLS/SSL encryption, used for HTTPS, is the most common secure network communication method for sensitive Internet data from internal servers to users outside an organisation’s firewalls. The SSL handshake and bulk encryption operations are CPU-intensive tasks, affecting the performance of firewalls, intrusion prevention systems (IPS) and other DMZ security devices that must process application content in clear text.

Acting as a reverse proxy, the SSL offload feature enables advanced ADCs to offload SSL transactions from these security appliances, freeing compute resources to focus on their more value-added analytics and security functions. SSL offload optimises DMZ security infrastructure and ensures that it can scale with increased encrypted traffic loads.

Select ADCs can also operate as a forward proxy or an explicit proxy to eliminate blind spots in corporate defences by decrypting internally generated user traffic headed to the Internet through the DMZ. In this type of deployment, the ADC decrypts and inspects traffic before forwarding it to DMZ security devices, such as firewalls, intrusion prevention systems (IPS) and data loss prevention (DLP) platforms, to enforce security policies on outbound traffic.

The data is then encrypted again and sent to its final external destination. The ADC platform’s dedicated SSL security processors offload CPU-intensive SSL encryption functions to allow security devices to be utilised for core inspection and mitigation functionality.

Emerging DDoS attacks

As DDoS attacks escalate in size, frequency and bandwidth volume, they leverage large distributed botnets that use legitimate protocols to overwhelm network and server resources, circumventing conventional signature-based security devices.

Since DDoS attacks often reach volumes of many gigabits per second, they can overwhelm the relatively low performance of most security devices. As a result, newer and higher-performing DDoS detection and mitigation solutions are needed in the DMZ.

Advanced ADC platforms include DDoS mitigation to further protect DMZ security appliances and offload them from the load of these volumetric attacks. ADCs provide DDoS security features that protect against multi-vector attacks, including both network-layer and application-layer attacks such as slow HTTP attacks (like Slowloris), high-volume TCP SYN floods and anomalous protocol usage.

IT professionals should apply dynamic security service chains selectively to ensure that each application or user group receives appropriate security policies, while offloading DMZ security infrastructure from processing all packets inline.

Traffic steering and service chaining technology enables redirection of flows based on specific attributes, which may be protocol or content-based. Select ADC appliances can redirect traffic types based on their “fingerprints” to the appropriate service for optimisation or security processing.


This improves network efficiency, as service chaining policies ensure that only traffic that requires processing by a specific security device is sent to that device, which scales and optimises the investment in those resource-constrained security devices. By integrating with DLP and traffic management solutions using the Internet Content Adaptation Protocol (ICAP), ADCs can extend visibility to every element of an organisation’s security infrastructure while improving application performance.

Security professionals need to evaluate their options carefully if they wish to scale the efficiency and improve the security posture of their DMZ security infrastructure. During their evaluation, they may discover that their load balancers and ADCs provide the features they need to counter security threats such as high-volume DDoS attacks and SSL blind spots.
