The dark side of APM security

APM concerns are forcing network managers to install newer technologies to deal with increasing traffic demands. But these solutions may hide security issues and other attacks.

In a perfect world, network managers would never have to experience application performance problems or deal with security issues. However, today's networking environments are anything but perfect - they are open to attack, traffic surges and a plethora of other problems. Yet, end users (and customers) demand perfect availability, perfect security and perfect performance.

Those demands have led to the rise of the ADC (Application Delivery Controller), a device that optimizes application delivery using load balancing techniques, as well as compression, caching and so forth. Vendors such as F5 Networks, Citrix, Juniper Networks, Coyote Point, Kemp Networks and many others have quickly come to market with robust appliances that not only speed applications, but do so much more as well.

The dark side

However, there is a dark side when it comes to those appliances and what they can offer the enterprise network director, namely in the form of attacks and compromises. Take for example the all too common DDoS (Distributed Denial of Service) attack, where hundreds, if not thousands, of zombified systems flood a website (or application server) with illegitimate traffic, causing operations to crawl to a stop.

If the ADC (or APM platform) is not configured properly, DDoS becomes a problem that can escalate exponentially. When an ADC cannot detect and block a DDoS attack, it actually assists the attacker: it scales up application operations and balances the traffic load across resources, effectively consuming the resources available.
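The effect described above, as an added example that is not part of the original article or any vendor's code: a scale-out decision driven by raw request volume, next to one that first sets aside clients exceeding a per-window request limit. The thresholds, function names and the sample log are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune against a measured baseline.
WINDOW_S = 10            # length of one decision window, seconds
PER_CLIENT_LIMIT = 30    # requests per client per window treated as normal
NODE_CAPACITY = 200      # requests one backend can serve per window


def scaling_plan(events):
    """events: iterable of (unix_ts, client_ip, path).

    Returns {window_start: (naive_nodes, gated_nodes, flagged_clients)}.
    naive_nodes scales on raw volume; gated_nodes scales only on traffic
    from clients at or below PER_CLIENT_LIMIT in that window.
    """
    windows = defaultdict(Counter)
    for ts, ip, _path in events:
        windows[ts - ts % WINDOW_S][ip] += 1

    plan = {}
    for start, per_client in sorted(windows.items()):
        flagged = {ip for ip, n in per_client.items() if n > PER_CLIENT_LIMIT}
        total = sum(per_client.values())
        accepted = sum(n for ip, n in per_client.items() if ip not in flagged)
        naive = max(1, math.ceil(total / NODE_CAPACITY))
        gated = max(1, math.ceil(accepted / NODE_CAPACITY))
        plan[start] = (naive, gated, flagged)
    return plan


def constructed_log():
    """Constructed sample: 40 ordinary clients, then 5 flooding clients."""
    events = []
    for w in (0, 10):                       # two windows
        for c in range(40):                 # 40 clients x 5 requests = 200
            events += [(w + r, f"198.51.100.{c}", "/catalog") for r in range(5)]
    for c in range(5):                      # window 10: 5 clients x 400 = 2000
        events += [(10 + r % 10, f"203.0.113.{c}", "/search") for r in range(400)]
    return events


if __name__ == "__main__":
    for start, (naive, gated, flagged) in scaling_plan(constructed_log()).items():
        print(start, naive, gated, sorted(flagged))
```

A per-client limit alone will not flag a flood spread thinly across many sources, so a real deployment would combine it with other application-layer signals.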

DDoS is not the only security problem that can be magnified by APM solutions; other concerns include SQL Injection attacks, brute force attacks and blended attacks. Simply put, when deploying APM solutions, security should be the first consideration and the deployed ADCs should become part of the security infrastructure and not just be treated as a means to an end - accelerating application traffic.

What this means for APM solutions

So, what exactly does this mean when delving into APM solutions? It simply means that those evaluating the technology should follow some best practices, some of which James Smith, founder of Colorado-based Lagrange Systems, shared:

  • Choose a Software Only Solution, which allows administrators to deploy an ADC however they may want to.
  • Choose an APM platform that allows externalized control over the ADCs, that way administrators can manage during runtime and deploy multiple ADCs to handle a single application without experiencing downtime. If an ADC fails, the management platform keeps running.
  • Make sure the APM solution has self-healing capabilities. If a component or application becomes unreachable, the control system should detect and mitigate the problem.
  • The solution should have integrated clustering support. That provides multiple options for building resilient systems that can scale with load.
  • Integrated caching and web content optimization. Those features further speed content delivery, without requiring additional scale up.
  • Integrated security in the form of a Web Application Firewall (WAF), where the firewall is aware of normalized traffic and can take steps to block extraneous traffic and application calls.
  • Application layer DDoS protection - allowing the ADC to better understand traffic flow and detect traffic floods or storms at the application level, and use that information to block illegitimate traffic.

Naturally, Smith may have a bias here: Lagrange Systems is in the business of cloud-based APM solutions that eschew the pedestrian onsite hardware model. However, that brings up another question: should APM security be based in an enterprise's internal data center, or is the cloud a better way of addressing those issues?

About

Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MC...
