Discover the benefits of a multi-layered approach to network security, including increased protection, early warning capabilities, and scalable security. Learn how Array Networks' solutions can help meet your enterprise-class security requirements.
Data Connectors - Presentation! A Layered Approach to Web & Application Security
Today's Presenter: Rich Harrison, CISSP, Regional Sales Manager, rharrison@arraynetworks.net, 201-750-9459
Array Networks at-a-glance
• Market: Application Delivery & Security
• Products: Application Delivery Controllers (ADC), Secure Access Gateways (SSL VPN), WAN Optimization Controllers (WOC), Web Application Firewalls (WAF)
• Segments: Enterprise, Service Provider, Public Sector
• Technology: 30+ Patents
• Customers: 5000+ Worldwide
• Founded: 2000
• Headquarters: Milpitas, CA, USA
• Employees: 400+
Meeting Enterprise-Class Requirements For Over 10 Years
Today's agenda
• Why take a multi-layered approach?
• Example multi-layer security architecture
• Multi-layer application delivery controller security
• Multi-layer SSL VPN security
• About Array Networks Solutions
• iSECURE & Array Networks Customer Reference
• Q&A
Why a multi-layer approach?
• A proven model for keeping things out and keeping things in
  • Banks, maximum security, fortifications, etc.
• Delivers multiple advantages as a network security strategy:
  • Exponential increase in security: one attack vector or vulnerability may be intentionally or unintentionally compromised without exposing the network or compromising data
  • Early warning: in the event applications, networks or devices are attacked, multi-layer security stalls malicious activity and provides time for shoring up defenses
  • Scalable security: a first line of defense significantly reduces the burden on deeper-level inspection functions, enabling security that doesn't compromise performance
Why a multi-layer approach? (cont.)
• Encryption creates the need for at least two levels of security
  • SSL (HTTPS) traffic passes directly through traditional firewalls, bypassing rules, policies and inspection
  • SSL traffic is on the rise, used for both remote and mobile access and for an ever increasing number of Web sites and applications
Why a multi-layer approach?
• Heartbleed
  • HTTPS sessions connect to servers, load balancers or ADCs
  • Understanding how products and vendors use OpenSSL is key to reducing exposure to Heartbleed and future vulnerabilities
Why a multi-layer approach?
• Security challenges are changing the way we view network access
  • Employees using personal devices present new challenges
  • Layer 3 access is not practical and presents network security challenges
  • Most users do not need full access to the network
  • Newer access gateways provide multiple access methods
  • Limit direct network access and direct access to applications
Multi-layer security architecture (cont.)
• Firewall perimeter security
  • The first line of defense: rules-based, network-level packet filtering; no visibility into SSL
• SSL termination and traffic inspection
  • Traffic from secure applications is terminated on ADCs; decrypted and inspected traffic may be sent to servers or to advanced security appliances for further inspection
  • Traffic from remote access users is terminated on SSL VPNs; decrypted and inspected traffic may be sent to servers or to advanced security appliances
• Advanced security appliances
  • Further inspection of a smaller volume of pre-screened traffic
Multi-layer security architecture (diagram labels: External & Remote Users; Firewall Perimeter Security; SSL VPN for HTTPS remote access traffic; ADC for HTTP/S Web app traffic; IPS/IDS, ATP, Malware; Networks, Apps, Data)
Multi-layer security architecture (cont.)
• Layer-3 stateful packet filtering
  • Per-customer interface (VLAN/MNET), ingress packet filtering (source/destination IP, port, protocol), 1000 ACLs, packet deny/drop log, dynamic access list, permit-only network access
• Layer-4 TCP stateful inspection
  • TCP stateful inspection, L4 packet sanitization, reverse proxy (client packet does not touch server), syn-cookie protection against TCP syn floods and DoS attacks
• Layer-7 content filtering, WAF & DDoS
  • URL filtering, configurable access control (limit connections per port to prevent DDoS attacks), application session control, HTTP protocol validation and policy filtering, attack signature filtering, input validation, XSS prevention, virtual patching
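To make the layering concrete, here is an added illustrative Python model (not Array's code or configuration) of the three filtering stages listed above: a permit-only L3 ACL, an L4 per-source connection limit, and L7 HTTP protocol validation followed by signature filtering, run over constructed sample requests while counting how much traffic the deeper L7 stage actually has to inspect. The networks, port list, connection limit and signatures are assumed values chosen for the demonstration.

```python
import ipaddress
import re
from collections import Counter
# Constructed policy for illustration, not Array's configuration.
PERMITTED_SRC_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
PERMITTED_PORTS = {80, 443}
MAX_CONN_PER_SOURCE = 2  # stateful "limit connections" style control
REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (/\S*) HTTP/1\.[01]$")
L7_SIGNATURES = [("directory traversal", re.compile(r"\.\./")), ("cross-site scripting", re.compile(r"<script", re.I))]

def layer3(src_ip, dst_port):
    # Permit-only packet filter on source network and destination port.
    if not any(ipaddress.ip_address(src_ip) in net for net in PERMITTED_SRC_NETS):
        return "L3 deny: source not permitted"
    return None if dst_port in PERMITTED_PORTS else "L3 deny: port not permitted"

def layer4(src_ip, conn_counts):
    # Per-source connection limit, enforced before any payload is parsed.
    conn_counts[src_ip] += 1
    return None if conn_counts[src_ip] <= MAX_CONN_PER_SOURCE else "L4 deny: connection limit exceeded"

def layer7(request_line):
    # HTTP protocol validation first, then signature filtering on the path.
    m = REQUEST_LINE.match(request_line)
    if not m:
        return "L7 deny: malformed request line"
    hits = [name for name, sig in L7_SIGNATURES if sig.search(m.group(2))]
    return f"L7 deny: {hits[0]}" if hits else None

def inspect(requests):
    # Returns the per-request verdicts and how many requests reached the L7 stage.
    conn_counts, verdicts, reached_l7 = Counter(), [], 0
    for src_ip, dst_port, line in requests:
        verdict = layer3(src_ip, dst_port) or layer4(src_ip, conn_counts)
        if verdict is None:
            reached_l7 += 1
            verdict = layer7(line)
        verdicts.append(verdict or "allow")
    return verdicts, reached_l7

# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_REQUESTS = [
    ("203.0.113.10", 443, "GET /index.html HTTP/1.1"),
    ("192.0.2.5", 443, "GET /index.html HTTP/1.1"),
    ("203.0.113.10", 23, "GET / HTTP/1.1"),
    ("198.51.100.7", 80, "GET /../../etc/passwd HTTP/1.1"),
    ("203.0.113.10", 443, "not an http request"),
    ("203.0.113.10", 443, "GET /a HTTP/1.1"),
]
```

Running `inspect(SAMPLE_REQUESTS)` shows only three of the six requests ever reach the L7 stage, which is the "scalable security" argument made earlier in the deck.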
Multi-layer security architecture (cont.)
• Security
  • SSL encryption, WAF, Web proxy
  • Application-level data protection
• Acceleration
  • SSL offloading, compression, caching, traffic shaping, etc.
  • 10x better server efficiency and application performance
• High availability
  • Server load balancing, GSLB, link load balancing
  • 24/7 application uptime
(diagram labels: External Users, Internal Users, Application Servers, Storage)
SSL VPN secure remote and mobile access
• Any resource, any access method, any device, anywhere
(diagram labels: Mobile Workers on Smart Phones & Tablets; Remote Workers & Road Warriors on Laptops; Home & Small Office Workers on PCs; Client Server & Mobile Apps; Physical & Virtual Desktops; Remote Networks & Infrastructure; Web Applications; File Sharing; "Limits network exposure and guards against data leakage"; "Improves productivity")
SSL VPN multi-layer security
• End-point security
  • Scan for personal firewalls, anti-virus software, browsers, operating systems, service packs, patches; apply adaptable remediation options for non-compliant clients
• Advanced authentication, authorization and auditing
  • LDAP, Microsoft Active Directory, RADIUS, RSA SecurID, LocalDB, SSL client certificates, multi-factor authentication including RSA, Duo, Swivel, Syferlock and others
• Deep packet inspection and WRM
  • Buffer overflow protection, syn-flood protection, URL filtering, configurable access control (limit connections per port to prevent DDoS attacks), Web resource mapping with payload inspection and HTTP NATing
Security-hardened OS and platform
• Only exposes service ports; no backdoors
• Secured network management: SSL and HTTPS
• Explicitly disallows Telnet due to the security risk of account/password sniffing
• Tested and hardened against a range of network attacks
  • Hacking tools from eEye (ncx.exe, iishack.exe)
  • Nessus scan
  • NMAP
• Filters malformed packets such as Smurf attacks and local broadcast attacks
• High-availability and cluster capability
Proprietary secured SSL stack
• Used for all production traffic; proven immune to Heartbleed, Bash, Shellshock and other recent vulnerabilities
  • Customers did not need to patch or remediate any Array products
  • Bought time for remediation and patching of backend servers as necessary
• Delivers both better security and higher levels of performance
  • Pared-back, buttoned-down design runs faster and presents fewer attack vectors
  • Cannot guarantee 100% immunity from all potential vulnerabilities, but has proven to provide a higher level of security and immunity vs. OpenSSL
Array multi-layer security protects against…
• Tear Drop Attack
• DoS (Denial of Service)
• Security Exploitation (Port scan)
• High Bit Shellcode Protection
• Cross Site Scripting
• Buffer Overflow Attack
• Unreachable Host Attack
• Land Attack
• Back Doors
• Web Exploitation & Defacing
• Ping Attack
• Code Red
• Flash Events
• Directory Traversal Attack
• SQL Injection
• Heartbleed
• Parser Evasion Attacks
• SynFlood Attack
• Impersonation & Breach of Privacy
Hardware and software portfolio
• APV Series Application Delivery Controllers
  • Availability, scalability, performance, control and security for applications, Web sites, online transactions and cloud services
  • Load balancing, SSL offloading, caching, compression, application security, L7 scripting and other network functions
  • Achieves ROI by improving application performance and server efficiency
• aCelera WAN Optimization Controllers
  • Mitigates network congestion and low-bandwidth connections to improve data transfer and application performance
  • De-duplication, compression, caching, application blueprints, traffic shaping, SSL and performance monitoring
  • Achieves ROI by reducing application latency and improving bandwidth utilization
• AG Series Secure Access Gateways
  • Secure access to business applications from any remote or mobile device for any user anywhere
  • SSL VPN virtual portals, L3 – L7 access, AAA, end-point security, single sign-on, Web firewall and dual-factor authentication
  • Achieves ROI by increasing productivity and mitigating business disruptions
Flexible appliance options
• Dedicated, multi-tenant and virtual ADC appliances
• Enables IaaS providers to offer customers a full range of load balancing service options optimized either for flexibility or performance
(diagram: AVX10650 Multi-Tenant ADC, vAPV Virtual ADC, APV Series Dedicated ADCs; axes labelled Performance and Flexibility)
• Scalable from 2Gbps to 120Mbps
• Proven cloud track record
• Up to 8 vAPV ADC instances
• Dedicated SSL, I/O, compute resources
• VMware, XenServer, OpenXen and KVM
• Scalable from 10Mbps to 4Gbps
Q&A A Layered Approach to Web & Application Security