Web Application Security at the Edge is More Efficient Than In the Application

DevCentral > Weblogs > Lori MacVittie - Two Different Socks

Web Application Security at the Edge is More Efficient Than In the Application

posted on Monday, September 28, 2009 3:50 AM

If one of the drivers for moving to cloud-based applications is reducing costs, you should think twice about the placement of application security solutions.

There’s almost no way to avoid an argument on this subject so I won’t tiptoe around it: web application security in the cloud is better accomplished at the edge, with a web application firewall or similar solution, than it is inside the cloud in the application. This is true regardless of whether the cloud model is public or private; basically if you’re being charged on a per-usage basis then placement of web application security solutions has an impact on the total cost of running your application. Now before you jump to the comments and start berating me, hear me out. There’s a very good reason for this stance and if you’re considering deployment of applications in the cloud as a cost-savings measure then you really should read on before you take me to task. After you’re finished you’re welcome to get crazy.

Ready? Here comes the logic…

WHERE ATTACKS ARE TURNED BACK IMPACTS COST OF DOING BUSINESS

When you write an application and include in it (as you should) security checks against attacks like SQLi and XSS your application – which are particularly prevalent against Web 2.0 applications where user-generated content is core to the applications - must execute in order to perform those checks for every request, good or bad. If the request is “bad”, i.e. contains an attack, then it should be rejected. But by the time you’ve figured that out in your application you’ve already incurred the cost of (a) executing the application and depending on the cloud model (b) the cost of the bandwidth required to transfer the request and your subsequent rejection of that request and quite probably (c) the cost of storage in terms of log file growth. If a web application firewall capable of detecting the same attacks is placed at the edge of the network, “bad” requests are turned back before they have to traverse the network to your application and before your application must execute in order to detect and reject it.

The counter-argument to this is that the bad requests are mixed in with good requests, and as you’re paying on an hourly basis and not per-request it really doesn’t impact the cost of running the application. Okay, let’s go with that. But now the number of bad requests mixed in with good requests pushes you over the capacity of a single instance and, as it should happen, a second instance is launched to handle the load. Now, because of “bad” requests, you’re paying twice as much as you should have to serve legitimate users. The only good thing about this situation is that now you have real hard dollars to attach to the cost of risk from web attacks.

Depending on the cloud model there’s bandwidth costs to consider, too. If you’re paying for bandwidth to and from your application then every bad request your application processes pushes your bandwidth usage higher and higher and eventually increases your monthly costs of doing business. This completely ignores the fact that bad requests using resources eventually degrades performance due to increased activity on the network (congestion) and the increasing cost of managing higher volumes of resources and connections on the server(s).

And then there’s the cost of storage, which increases as the log file size increases from keeping track of all those bad requests. Yes, disk is cheap, but the cost of maintaining redundancy in storage as well as requirements associated with length of storage of all interactions by this regulation and that will add up over time.

IT’S NOT ABOUT WHO CAN DO IT BETTER IT’S ABOUT A MORE EFFICIENT ARCHITECTURE

Although this entire discussion is framed in the context of cloud computing, it’s really not specific to cloud. The same principles apply to any architecture because the underlying premise is about architecting a more efficient infrastructure. It’s about minimizing the cost of securing and delivering applications by reducing the load on the network, application, and storage infrastructure by stopping “bad” requests from ever getting inside the perimeter. It’s about applying the principle of efficiency to the big picture rather than individual components; about recognizing the impact of a single malicious request on the entire architecture rather than on any single piece of it. Reducing a little resource consumption here and some bandwidth there and recovering some storage there adds up to a lot more operational efficiency in the end, and even in a traditional data center architecture that’s going to translate into real dollars saved. When the scenario is cloud-based, however, the costs associated become more clear because each affected part of the infrastructure is a line-item on your monthly bill.

So whether you’re looking at cloud-based applications or just improving the operational efficiency of your existing data center, take a long hard look at the impact of allowing bad requests to be processed by all the myriad components that make up your entire architecture and consider whether eliminating that burden from your data center would result in a more efficient, less costly infrastructure.

Technorati Tags: MacVittie,F5,cloud,cloud computing,application security,security,web application security,web application firewall,WAF,storage,bandwidth,cost,efficiency,SQLi,XSS,architecture,capex,web,internet,blog

Related blogs & articles:

Feedback

9/28/2009 10:48 AM
		Are those "bad requests" you're worried about app-specific bad requests? Or generic listener-level vulnerability scans? If it's the latter then I am with you. If it's about app-specific bad request (and you mention XSS and SQL so I think that's what you have in mind) then first thing is to make the app immune to them. For one thing because that's the only way to protect yourself. For another because if these bad requests don't exist then people won't be sending them to you in the first place so you don't have a problem with the amount of traffic they generate. I am all for layered defense and stuff but if your app has holes you plug them in the app, you don't just put a wrapper at the edge. Your title makes it sound like it's a "edge OR app" choice. You have to fix the app and then you can decide whether it's worth it to do something at the periphery too.
William

9/28/2009 11:11 AM
		@William, Yes and no. Mass SQLi isn't "app specific" anymore, and hasn't been for some time. And XSS is more protocol specific than it is app-specific. In any case, you should definitely fix them in the app. The argument here isn't about fixing them or not, it's about where it's most efficient to block them. The app should be fixed/not vulnerable, but the attacks are still going to come in. the point is that they should be blocked sooner rather than later to not waste resources on the app infrastructure and network and storage by having the app reject the request. If you reject the request at the edge you don't waste resources. This isn't an argument about fixing or not, it's about where blocking is more efficient in terms of resource consumption. If you can save money/resources by stopping at the edge, why waste app resources? Lori
macvittie

9/28/2009 11:32 AM
		I have a question/ comment regarding the idea of protecting your Web Applications via a security SaaS. I agree that the vulnerabilities need to be fixed within the app. Now comes my question. If you have a WAF-like SaaS that sits between your apps and the user to mitigate risk, would you consider this enhancing your security or just raising costs? Our product is a Web application security SaaS that utilizes a Behavioral Analysis and Correlation engine. To activate monitoring the customer installs a line of code on their web server. It does not store any data from the customer, it just shields the app from SQL and XSS attacks (along with attacks).Our customer pays a known and consistent monthly fee. I believe that such a service could lower your expense and provide the protection you are addressing in your article. Would you consider such a service to be a an answer to the cost issues and protecting on the "edge"? I don't mean this to sound like a plug, but you can read more on www.XyberShield.com I am interested to find out what you and your readers think of this service as a viable solution.
Jim

9/28/2009 11:56 AM
		Hey Jim, I thought I would chime in for a second to talk about the product you linked. While am unfamaliar with it, I am very famaliar with the ASM Module as we run a number of applications through it for protection. The hardware piece of that is a 4100 series unit. The thing that we like the most about the unit is that not only can it protect against these attacks, but it also protects against a number of other things such as DDOS, DOS and Brute Force attacks. Also, the attack signatures are updated frequently as new attacks emerge. We like how we can customize an attack signature. We can protect an app against a SQL hack, but can also configure it to allow certain parameters. So allow SQL related things, but ONLY the ones we desired based of the parameters of the application. Is the product you mentioned customizable by the customer? From what I can see, the service you linked to would still allow a request to be processed by the application servers, which of course is something that you want to prevent if at all possible. Another thing that I like is the fact that we can customize our own error page. If we block traffic, we send them to a screen that contains a Support ID number that we can utilize to analyze the traffic if someone calls in or emails who feel they reached the page by accident. Defense in depth is the way to go.
The F5 Guy

9/28/2009 2:48 PM
		Hi F5 guy. The customer can create or customize their own rules for each page of their site if they wish. This is done through the online console. We also protect against brute force attacks. We own and use a global network that has 55 "ShieldPoint" centers within 22 countries. This gives the customer the ability to lock down traffic regionally if they need to, while also providing service in case of a natural disaster. Our rules are updated in real time. These rules are created by monitoring the activity of all of our customers, not just the sessions of one site like a WAF would do. We also update rules based upon the reporting of other groups such as OWASP. Our customer will gain protection through the strength of numbers, if you will. You can also customize your user warning banners to what ever suits your needs.
Jim

9/30/2009 5:29 AM
		Hi William, I (unfortunately) agree with Lori on this. I would also add another strand to the argument for... Let's assume you have an online business, for every second this application is down you lose money. You now find a vulnerability, do you; 1. Take your site offline until dev fix the problem (hours? Days?)? or 2. put a temporary defence in place with an ADC until 1. happens? I hope the answer is obvious, and explains the use (as I see it) for these products. Nick
FrintonBoy

Leave Feedback

Title
Name
Email
Url
Comments
Remember Me? Enter the code shown above:
Please add 1 and 6 and type the answer here:

My Links

DevCentral Home
DevCentral Blogs
DevCentral Forums
My Blog
Contact Me
Syndication
Login

Blog Stats

Posts		641		Comments		1204
Stories		0		Trackbacks		343

	Tag Cloud
	acceleration application delivery application security architecture BIG-IP blog cloud cloud computing dynamic infrastructure F5 HTTP infrastructure INfrastructure 2.0 integration internet load balancing MacVittie optimization performance scalability security SOA virtualization web web 2.0 more tags...

Post Categories

		General SOA
		SOA Delivery
		Randomness
		Web 2.0
		Security
		iRules
		iControl
		Development and General
		Monitoring/Management
		XML
		ISV Solutions
		Microsoft Solutions
		Performance
		Cloud Computing
		Virtualization
		WILS
		Infrastructure 2.0

Archives

		March, 2010 (11)
		February, 2010 (20)
		January, 2010 (17)
		December, 2009 (16)
		November, 2009 (20)
		October, 2009 (22)
		September, 2009 (21)
		August, 2009 (25)
		July, 2009 (18)
		June, 2009 (20)
		May, 2009 (20)
		April, 2009 (21)
		March, 2009 (23)
		February, 2009 (17)
		January, 2009 (19)
		December, 2008 (17)
		November, 2008 (18)
		October, 2008 (27)
		September, 2008 (32)
		August, 2008 (31)
		July, 2008 (30)
		June, 2008 (33)
		May, 2008 (30)
		April, 2008 (24)
		March, 2008 (5)
		February, 2008 (4)
		January, 2008 (8)
		December, 2007 (5)
		November, 2007 (6)
		October, 2007 (3)
		September, 2007 (5)
		August, 2007 (7)
		July, 2007 (7)
		June, 2007 (5)
		May, 2007 (11)
		April, 2007 (9)
		March, 2007 (7)
		February, 2007 (10)
		January, 2007 (5)
		December, 2006 (4)
		November, 2006 (8)

Application Delivery

		Infrastructure 2.0
		onizo#
		The Virtual ADC

Cloud Computing

Google Group: Cloud Computing

Random

Security

Rational Survivability

SOA

		Loosely Coupled
		Miko Matsumura's SOA Center
		SOA Enterprise Patterns

Copyright 1996 - 2007 F5 Networks, Inc. | Privacy Statement | Terms Of Use