Application delivery controllers tighten the security perimeter
Protect your assets
The application and data landscape today is in something of a state of flux. Of course, information technology is always in a state of flux but this is a new kind of dynamism.
The current network IT stack is a heady concoction of old apps on new infrastructures and data-delivery mechanisms. Serve that up on new devices in a BYOD (bring your own device) world with ever more unstructured data streams – and the inevitable result is the emergence of new threats.
Danger all around
What kind of threats? They surface in the shape of malicious content, security vulnerabilities, malware and destructive code in all shapes and forms.
But threats also arrive through the operational processes themselves: continuous application delivery and update cycles, mobile device management schedules, operational reporting and so on, each of which adds moving parts that can be misconfigured or exploited.
As fast as security, cloud and other infrastructure technology layers have progressed, nastier threat agents capable of targeting entire companies and their data have evolved with them.
One of the major pain points here is the nature of the applications a typical small to medium-sized company is running. They may often be a decade old or more because rip-and-replace actions are just not an option.
So how can the average IT manager take advantage of the state-of-the-art developments in the IT ecosystem while keeping the existing estate running?
The answer comes down not just to IT infrastructure but to the application-access infrastructures.
This arena is witnessing rapid development in security monitoring, analytics and forensics. These are all important but today’s targeted attacks and advanced persistent threats may demand a more dramatic shift in both our architectural methodologies and our mindsets.
Pile on the layers
This metaphysical leap is expressed as follows: the time-honoured perimeter view of network security is still imperative, but it needs to be matched by a layered approach to application and data access throughout the network.
Network-embedded dataset-level protection of this kind logically brings us to the use of application delivery controllers (ADCs).
According to a whitepaper entitled Controlling Application Access, written by analyst house Freeform Dynamics and sponsored by Barracuda Networks, the current relatively low level of use of ADCs reflects a general lack of awareness of the potential value in protecting the network offered by multi-function appliances of this kind.
“This is not surprising, given that this type of solution is a comparatively new entrant in the market and is often associated with complex and demanding environments. However, as ADCs become more mainstream, those with experience confirm the associated benefits they deliver in terms of infrastructure simplification and lowering of overheads. They also reduce the risk of things falling through the cracks,” writes Freeform Dynamics.
What is an ADC?
An ADC is an appliance, delivered as dedicated hardware or, increasingly, as a virtual appliance or software, designed to sit inside a data-centre network between the firewall and the application server (or servers). It acts as a reverse proxy: clients connect to the ADC, which terminates the connection (including TLS) and opens its own connection to the back-end server.
More than just a load balancer or application acceleration engine, a modern ADC manages client connections from the corporate network, the installed base of devices and the web, and can apply services such as authentication, web application firewalling and traffic filtering before a request ever reaches an application.
Once in place, an ADC is flexible: customers can run it as an integrated multi-function appliance or enable only the components they need.
Because each application is published through its own virtual server on the ADC, with its own back-end pool and its own policy, a compromised application can be segregated at the ADC, by taking it offline or restricting who reaches it, while users continue to use the rest of the IT stack.
That control is not available to a data centre that relies on perimeter defences alone: once the perimeter is breached, every application behind it is under an equal level of threat. One caveat a practitioner should keep in mind is that the ADC only governs traffic that passes through it; a compromised server that can reach its neighbours directly on the same network segment is not contained by the ADC, so the application perimeter needs matching segmentation behind it.
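To make the per-application perimeter concrete, here is an added example (not from the article, the whitepaper or any vendor) of the same idea expressed in open-source HAProxy configuration rather than a commercial ADC: one public listener, a separate backend and health check per application, an explicit reject for unknown hosts, and a quarantine map that lets an operator take a single application offline at runtime without touching the others. The hostnames, certificate path, map file and backend addresses are assumptions.

```haproxy
# Added example: per-application perimeters behind one listener.
# Hostnames, certificate, map file and server addresses are assumed.

global
    log stdout format raw local0
    # Admin socket used at runtime to add/remove quarantined hosts.
    stats socket /var/run/haproxy.sock mode 660 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend public
    # TLS is terminated here, so backends never see raw client connections.
    bind :443 ssl crt /etc/haproxy/certs/example.pem
    http-request set-header X-Forwarded-Proto https

    # Quarantine: any host present in the map file is refused here, before
    # the request reaches its backend. The file must exist (it may be empty).
    http-request deny deny_status 503 if { req.hdr(host),lower,map_str(/etc/haproxy/quarantine.map) -m found }

    # Route by Host header so each application has its own backend, its own
    # health checks and its own failure domain.
    use_backend crm if { req.hdr(host),lower -m str crm.example.com }
    use_backend hr  if { req.hdr(host),lower -m str hr.example.com }
    default_backend reject

backend crm
    option httpchk GET /healthz
    server crm1 10.0.1.10:8080 check
    server crm2 10.0.1.11:8080 check

backend hr
    # The decade-old application the article describes: still reachable,
    # but only through this fenced path with its own health check.
    option httpchk GET /login
    server hr1 10.0.2.10:80 check

backend reject
    # Requests for hosts nobody published never reach an application server.
    http-request deny deny_status 404
```

If the HR application is found to be compromised, an operator adds it to the map over the admin socket with `echo "add map /etc/haproxy/quarantine.map hr.example.com 1" | socat stdio /var/run/haproxy.sock`; from that moment hr.example.com returns 503 while crm.example.com is unaffected, and `del map` reverses it. Note that this fences the front door only: the HR server can still talk to other servers on 10.0.2.0/24 unless the network behind the proxy is segmented as well.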
Although we previously said the ADC market is relatively new, these technologies have in fact been around for most of the last decade. Before ADCs we saw vendors such as F5 Networks and Juniper Networks offer application accelerators of a more dedicated sort, with less security intelligence on board.
Today’s expanding ADC market still includes names such as F5 and Juniper, as well as the previously mentioned Barracuda Networks.
Looking wider we can see Brocade, Fortinet, Radware, Riverbed, Citrix, A10 and Array Networks. Info-Tech Research Group clusters F5, Citrix and Riverbed as market champions and puts Brocade and Barracuda in its emerging player quadrant.
In short, it is a shifting market with both old and new players vying for headroom.
Coming back to shifting mindsets, this is not just a discussion about deeper network-level security. It is a question of how we consider our applications and data and how we consider architecting the access channels to those streams.
Freeform Dynamics highlights the need to establish perimeters not around the data centre as a whole, but around individual applications and datasets. Its survey suggests that most companies have so far failed to grasp the need to move their networks in this direction.
In terms of who is getting the message that the network perimeter needs to become an application perimeter, the signs are not great. Freeform Dynamics’ survey suggests that 23 per cent of firms have it on their agenda, a further woolly 25 per cent say they are moving in that general direction, and an equally painful 22 per cent of firms say it is not on their agenda but it should be.
After that we are down in “don’t know”, “unsure” and “I’m sorry I don’t understand the concept” territory. A meagre 11 per cent of firms said “fully, yes sir, this is indeed how we work”.
So how should we consider ADC implementation in our networks today? Vice president and general manager of EMEA at Barracuda Networks Wieland Alge says that most of the load on systems is typically from employees working in fixed office locations, but future growth is anticipated across all forms of internal and external access.
This new mobility erodes the safety of the network unless ADCs are deployed to cater for a more geographically widespread user base.
“Of course it is easier said than done. But for IT departments to regain control, they will require a fundamental shift in both their approach to enterprise technology strategies and the attitude of users,” Alge says.
“The first change that needs to be made is in terms of how the infrastructure is viewed. Switching from being service led to focused instead on performance and availability management is one of the most important first steps.”
Alge adds that in addition, there needs to be a movement away from the network-perimeter approach to security and towards multi-layered protection accompanied by effective analytics.
“To achieve these changes a concerted effort must be made to break the reactive investment habit. The fact is, most technology investment revolves around tactical requirements such as the replacement of obsolete equipment or the implementation of new applications,” he says.
“A conscious effort must be made to think of the bigger picture and move progressively and proactively towards a more coherent access infrastructure capable of dealing with future needs.”
Technical director at F5 Networks Gary Newe says that the rise of the ADC has gone hand in hand with the rise of the app, which has emerged as the most important aspect to doing business today.
“Large enterprises support thousands of apps and they are pressurised into supporting more in mobile and cloud form. These all have to be connected, then secured and then optimised, which is why the network-centric thinking of a few years ago has been gradually superseded by an app-centric way of approaching things,” he says.
“Ensuring apps are connected, secured and optimised is key. Applying the right services to each app is most easily achieved by a platform that can do all of these and manage the process too. So point products are being cast aside in favour of multi-service platforms (namely ADCs) that consolidate application-focused tasks and take up less space and management time.”
All in it together
What are the pitfalls? Newe explains that the very breadth of scope offered by ADCs means that successful deployment should be a process involving senior architectural professionals working in sync with those tasked with looking after daily operations and software development – the much loved DevOps function if you like.
“As you are designing and applying policies that affect your applications, you are – or should be – involving a lot more of the business,” he says.
“Consolidating application-focused services onto one platform means security teams need to be in step with operations teams who need to be in step with application architects.
“It is quite common to have ADC platforms entrusted to a single group, like the network team. This can result in the platform’s capabilities being seriously under used, for instance using an ADC solely as a load-balancer. It is akin to buying a Swiss army knife and using it only to open bottles of wine.”
So successful ADC usage is about breadth of responsibility in the implementation, breadth of scope in the product’s total impact across the network and also breadth of functionality in terms of how much of the ADC’s total capabilities are used.
ADC technology has been present throughout the ascendancy of the cloud computing model. To say that it has been overshadowed by cloud’s greater impact within the data centre is not wholly unreasonable.
That it now needs to be a consideration within the core toolset of the cloud DevOps architect (if only that job title actually existed) is also not a wholly unreasonable suggestion.
Who moved the fence?
Things are not about to get any easier either, according to Freeform Dynamics, when IT professionals are asked to compare activity today with what is likely to unfold over the next three years.
So who moved the application and data perimeter? Nobody did. It is a question of understanding that today we must operate strategically and not just tactically in an IT world where our base compute layer is still developing through some sort of renaissance-cum-adolescence (definitely not an accepted IT industry term).
Cloud computing is hardly a done deal, is it? Mobile device controls continue to evolve rapidly as major vendors start printing more “I Do Mobile First” T-shirts for their conferences and conventions.
The network security mindset still thinks perimeter means the four walls of the company HQ and the glass-fronted panels on the blade server rack.
Controlling Application Access is just the title of an ADC-themed whitepaper today. Tomorrow, though, application access controller may well be a job title. ®