Thought to express my view on Multi-layer Security, as I have recently
read an article by a Firewall vendor offering a comprehensive security solution
through an application layer device.
Multi-Layer Security - the facts and a balanced approach.
The Open Systems Interconnection (OSI) model
(ISO/IEC 7498-1) is a conceptual model that characterizes and standardizes the
internal functions of a communication system by partitioning it into
abstraction layers. The model is a product of the Open Systems Interconnection
project at the International Standards Organization (ISO), developed as a guideline for
developing standards to enable the interconnection of dissimilar computing
devices.
Different security products on the market claim to offer end-to-end security. In reality, an Application Firewall, for example, might address one specific application protocol (or a few closely related protocols) within the application layer. Web Application Firewalls only recognize and secure layer 7 of the OSI model, the "Application Layer"; they effectively ignore the other six layers.
How secure will your web application be? Could you deliver a secure web application without all six lower layers of the OSI framework working together with the Application Layer?
Securing the lower layers (Data Link, Network and Transport) is not new technology. Basic network switches that support VLAN tags are able to secure the Data Link Layer (L2), allowing segmented traffic to flow within the same upstream connection from one switch to another. Network firewalls provide security for the Network (L3) and Transport (L4) layers: attacks against IP and TCP, and broadcast floods (ICMP, SYN/ACK, etc.), are mitigated by network firewalls. Gateway firewalls are near-perfect socket management devices, controlling what traffic can access which services on specific IPs within the network. SSL VPN appliances protect the secure transport, user session and data (layers 4, 5 and 7). To provide complete delivery security for a web application with each of these single-purpose devices, an organization would theoretically need at least four independent devices, such as:
- a Network Firewall to allow HTTP traffic to enter the network
- a Switch to manage the virtual LANs
- an ADC (Application Delivery Controller) to merge and manage VLAN-segmented traffic from the firewall and provide access to the application server
- a Web Application Firewall to protect the HTTP session data.
Though these devices are neighbors, none of them has visibility into the functionality or controls defined at the other layers. There is no point in securing the application layer while leaving doors open to attacks through other layers. The latest developments in technology integrate many of these functions into single devices. Organizations need to evaluate features and capabilities based on their business requirements and the security classification of the data/information to be protected.
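To make the "doors open at other layers" point concrete, here is an added Python example (not code from the original post) that passes a modelled request through three layered controls in order: a VLAN allowlist at L2, a firewall rule set with a per-source half-open connection cap at L3/L4, and a WAF check at L7. The VLAN id, addresses, ports and WAF patterns are constructed sample values. The `waf_only` helper shows what a WAF-only deployment would decide: it happily passes a request that arrived on the wrong VLAN, which the layered evaluation stops at L2.

```python
"""Layered request evaluation: an added illustration (not the post's own
code) of why a Web Application Firewall alone cannot secure a web
application.  All VLAN ids, addresses, ports and rule patterns below are
constructed sample values, not taken from any real deployment."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import re


@dataclass
class Request:
    vlan: int                 # 802.1Q tag the frame arrived with (L2)
    src_ip: str               # source address (L3)
    dst_ip: str               # destination address (L3)
    dst_port: int             # destination TCP port (L4)
    syn_only: bool = False    # bare SYN that never completes the handshake
    method: str = "GET"       # HTTP details are visible only to the WAF (L7)
    path: str = "/"
    headers: dict = field(default_factory=dict)


# L2: only frames tagged with the DMZ VLAN may reach the web tier (assumed id)
ALLOWED_VLANS = {100}

# L3/L4: firewall rules as (source network, destination host, destination port)
WEB_SERVER = ip_address("203.0.113.10")          # documentation-range address
FIREWALL_RULES = [
    (ip_network("0.0.0.0/0"), WEB_SERVER, 443),  # HTTPS from anywhere
    (ip_network("10.0.0.0/8"), WEB_SERVER, 22),  # SSH only from the internal net
]
SYN_BACKLOG_LIMIT = 3       # half-open connections tolerated per source
_half_open: dict = {}       # per-source count of incomplete handshakes

# L7: WAF rules applied to the HTTP session
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
SUSPICIOUS_PATH = re.compile(r"\.\./|%2e%2e|<script", re.IGNORECASE)


def check_l2(req: Request) -> bool:
    """Switch: drop frames that are not on an allowed VLAN."""
    return req.vlan in ALLOWED_VLANS


def check_l3_l4(req: Request) -> bool:
    """Network firewall: socket-level allow rules plus a crude SYN-flood cap."""
    src, dst = ip_address(req.src_ip), ip_address(req.dst_ip)
    permitted = any(src in net and dst == host and req.dst_port == port
                    for net, host, port in FIREWALL_RULES)
    if not permitted:
        return False
    if req.syn_only:  # count half-open connections per source and cap them
        _half_open[req.src_ip] = _half_open.get(req.src_ip, 0) + 1
        return _half_open[req.src_ip] <= SYN_BACKLOG_LIMIT
    return True


def check_l7(req: Request) -> bool:
    """WAF: method allowlist, mandatory Host header, suspicious path patterns."""
    if req.method not in ALLOWED_METHODS:
        return False
    if "Host" not in req.headers:
        return False
    return SUSPICIOUS_PATH.search(req.path) is None


LAYERS = [("L2 switch/VLAN", check_l2),
          ("L3/L4 firewall", check_l3_l4),
          ("L7 WAF", check_l7)]


def evaluate(req: Request):
    """Pass the request through every layer in order and return
    (allowed, name of the layer that blocked it or None)."""
    for name, check in LAYERS:
        if name == "L7 WAF" and req.syn_only:
            break  # a bare SYN carries no HTTP data for the WAF to inspect
        if not check(req):
            return False, name
    return True, None


def waf_only(req: Request) -> bool:
    """What a deployment with nothing but a WAF would decide."""
    return check_l7(req)


def reset_state() -> None:
    """Clear the half-open connection counters (used between runs)."""
    _half_open.clear()


if __name__ == "__main__":
    ok = Request(100, "198.51.100.7", "203.0.113.10", 443,
                 path="/index.html", headers={"Host": "www.example.com"})
    stray_vlan = Request(200, "198.51.100.7", "203.0.113.10", 443,
                         path="/index.html", headers={"Host": "www.example.com"})
    print(evaluate(ok))           # (True, None)
    print(evaluate(stray_vlan))   # (False, 'L2 switch/VLAN')
    print(waf_only(stray_vlan))   # True: the WAF alone sees nothing wrong
```

The ordering in `LAYERS` mirrors the physical path of the traffic: a frame is switched before it is routed and filtered, and only a completed TCP session ever reaches the WAF. A real integrated appliance would share state between these checks (for example, letting the WAF know which VLAN and firewall rule admitted the session), which is exactly the visibility the post says separate neighboring devices lack.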