
Taking web infrastructure security to next level

CIOL Bureau

BANGALORE, INDIA: Recent attacks on large commercial, gaming and government sites show that even the most resource-rich systems face a constant threat from determined attackers. Each new breach is a reminder that if your business depends on a network to secure and manage mission-critical data and services, you need to stay current on the latest tools and application-level security controls to ward off adversaries mounting covert attacks from several angles at once.


So, how do you secure your web-based applications? Once an application is reachable over the web, you still need to ensure that only authenticated users gain access, and that each of them can reach only the resources they are authorized to see.

New Protection against Universal Attacks


Denial-of-service (DoS) attacks are among the most common tactics, although not every flood is deliberate: a link from a high-traffic website can bring a smaller site down just as effectively. Until recently most such attacks worked at layers 3 and 4, exhausting the target's bandwidth or its capacity to hold connections open on a port. These are relatively simple to block. Today, attackers increasingly launch layer 7 DoS attacks that overwhelm the application's business logic, or exploit flaws in application code or browsers, using requests that each look perfectly valid.

Traditional intrusion detection and prevention systems cannot block these requests, because individually each one is legitimate and there is no signature to match. Mitigating them requires an application firewall or an advanced application delivery solution that understands the application well enough to separate bad traffic from good. Such products provide intelligent triggers that detect a layer 7 DoS attack by monitoring server response times and abnormal request frequencies (transactions per second) rather than packet contents.

Typically the application firewall responds with a challenge, such as a cookie or a response that a real browser must process and echo back, to confirm that the client is a real user sending a valid request before it is admitted. In the recent DoS campaigns against PayPal, MasterCard and Visa the requests came from botnets of compromised "zombie" machines, and such bots generally cannot complete a challenge of this kind. Other remedial options range from injecting such challenge scripts pre-emptively to limiting the requests per second permitted to a specific object or from a specific IP address; the security management software should be intelligent enough to do this while letting legitimate traffic to other objects flow undisturbed.
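As an added illustration of the layer 7 triggers described above (example code written for this article, not F5's or any vendor's product logic), the following Go program watches the two signals the text names, request frequency and server response time, over a constructed set of access-log records. It keeps a sliding one-second window of requests per source IP and per requested object and a rolling mean of response times, and raises an alert when either rate limit or three times the latency baseline is exceeded. The thresholds, the record layout and the sample traffic are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Request is one access-log record; the sample set below is constructed.
type Request struct {
	TS    float64 // seconds since epoch
	IP    string  // source address
	Path  string  // object requested
	LatMS int     // server response time in milliseconds
}

// Alert is raised when a rate or the rolling mean latency exceeds its limit.
type Alert struct {
	Kind  string  // "ip-rate", "object-rate" or "latency"
	Key   string  // source IP, object path, or "server"
	Value float64 // requests in the window, or mean latency in ms
}

// Detector counts requests per source and per object over a sliding window.
type Detector struct {
	Window      float64 // window length in seconds
	IPLimit     int     // max requests per window from one source
	ObjectLimit int     // max requests per window to one object
	BaselineMS  float64 // normal response time; alert at 3x this
	byIP, byObj map[string][]float64
	recentLat   []int // last 20 response times
}

func NewDetector(window float64, ipLimit, objLimit int, baselineMS float64) *Detector {
	return &Detector{Window: window, IPLimit: ipLimit, ObjectLimit: objLimit,
		BaselineMS: baselineMS, byIP: map[string][]float64{}, byObj: map[string][]float64{}}
}

// slide drops timestamps older than the window and appends the new one (replay is in time order).
func slide(ts []float64, now, window float64) []float64 {
	i := sort.Search(len(ts), func(i int) bool { return ts[i] > now-window })
	return append(ts[i:], now)
}

// Observe feeds one request and returns the alerts it triggers.
func (d *Detector) Observe(r Request) []Alert {
	var out []Alert
	d.byIP[r.IP] = slide(d.byIP[r.IP], r.TS, d.Window)
	if n := len(d.byIP[r.IP]); n > d.IPLimit {
		out = append(out, Alert{"ip-rate", r.IP, float64(n)})
	}
	d.byObj[r.Path] = slide(d.byObj[r.Path], r.TS, d.Window)
	if n := len(d.byObj[r.Path]); n > d.ObjectLimit {
		out = append(out, Alert{"object-rate", r.Path, float64(n)})
	}
	// Expensive requests slow the server down before any rate limit trips,
	// so the response-time trend is a second, independent trigger.
	d.recentLat = append(d.recentLat, r.LatMS)
	if len(d.recentLat) > 20 {
		d.recentLat = d.recentLat[1:]
	}
	if len(d.recentLat) == 20 {
		sum := 0
		for _, l := range d.recentLat {
			sum += l
		}
		if mean := float64(sum) / 20; mean > 3*d.BaselineMS {
			out = append(out, Alert{"latency", "server", mean})
		}
	}
	return out
}

// Analyze replays requests in time order and returns every alert raised.
func Analyze(d *Detector, reqs []Request) []Alert {
	sort.SliceStable(reqs, func(i, j int) bool { return reqs[i].TS < reqs[j].TS })
	var alerts []Alert
	for _, r := range reqs {
		alerts = append(alerts, d.Observe(r)...)
	}
	return alerts
}

// SampleLog is constructed: one host fires 60 searches within 0.6 s while
// the server's response time climbs, alongside five ordinary page views.
func SampleLog() []Request {
	var reqs []Request
	for i := 0; i < 60; i++ {
		reqs = append(reqs, Request{100 + float64(i)/100, "10.0.0.5", "/search?q=zzz", 50 + i*10})
	}
	for i := 0; i < 5; i++ {
		reqs = append(reqs, Request{100 + float64(i)/5, "198.51.100.7", "/index.html", 40})
	}
	return reqs
}

func main() {
	for _, a := range Analyze(NewDetector(1.0, 20, 40, 50), SampleLog()) {
		fmt.Printf("%-12s %-16s %.0f\n", a.Kind, a.Key, a.Value)
	}
}
```

The per-object counter is what lets a product throttle one hammered URL while traffic to the rest of the site continues; in a real deployment the limits would be tuned per application from observed baselines rather than fixed as here.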


Brute-force attacks against login and authentication pages are another frequently seen tactic. Most sites lock an account after a set number of failed attempts, so attackers now spread their guesses across many different user accounts in turn, trying a few passwords against each and never tripping any single account's lockout. The countermeasure is to limit login attempts per browser session and per source IP as well as per account, and to have vigilant security management software inspect for abnormal volumes of login attempts across accounts.
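The following Go program is an added example (not from the article or any vendor) of the combined policy just described: a per-account lockout, a per-source failure limit, and a check on how many distinct accounts one source has failed against, which is what exposes an attacker walking through accounts one guess at a time. The constructed log replays a spraying source, a source hammering one account, and legitimate logins; the policy thresholds, window and addresses are assumptions made for the example.

```go
package main

import "fmt"

// LoginEvent is one authentication attempt; the sample set below is constructed.
type LoginEvent struct {
	TS     int // seconds since epoch
	IP     string
	User   string
	Failed bool
}

// Policy pairs the classic per-account lockout with per-source limits that
// catch an attacker walking many accounts with a few guesses each.
type Policy struct {
	Window           int // seconds of failure history to keep
	AccountLockAfter int // failures on one account before it is locked
	IPLimit          int // failures from one source before it is throttled
	SprayAccounts    int // distinct accounts failed from one source before it is flagged
}

const Allow, Locked, Throttled, Spraying = "allow", "account-locked", "source-throttled", "spray-detected"

type Guard struct {
	P        Policy
	accFails map[string][]int           // account -> failure timestamps
	ipFails  map[string][]int           // source -> failure timestamps
	ipUsers  map[string]map[string]bool // source -> accounts it has failed against
}

func NewGuard(p Policy) *Guard {
	return &Guard{P: p, accFails: map[string][]int{}, ipFails: map[string][]int{},
		ipUsers: map[string]map[string]bool{}}
}

// prune drops timestamps that have aged out of the window (slices stay ordered).
func prune(ts []int, now, window int) []int {
	for len(ts) > 0 && ts[0] <= now-window {
		ts = ts[1:]
	}
	return ts
}

// Check runs before the password is verified, so a locked account or a
// throttled source learns nothing about whether the guess was right.
func (g *Guard) Check(e LoginEvent) string {
	g.accFails[e.User] = prune(g.accFails[e.User], e.TS, g.P.Window)
	g.ipFails[e.IP] = prune(g.ipFails[e.IP], e.TS, g.P.Window)
	switch {
	case len(g.accFails[e.User]) >= g.P.AccountLockAfter:
		return Locked
	case len(g.ipFails[e.IP]) >= g.P.IPLimit:
		return Throttled
	case len(g.ipUsers[e.IP]) >= g.P.SprayAccounts:
		return Spraying
	}
	return Allow
}

// Record stores the outcome of an attempt that was allowed through.
func (g *Guard) Record(e LoginEvent) {
	if !e.Failed {
		return
	}
	g.accFails[e.User] = append(g.accFails[e.User], e.TS)
	g.ipFails[e.IP] = append(g.ipFails[e.IP], e.TS)
	if g.ipUsers[e.IP] == nil {
		g.ipUsers[e.IP] = map[string]bool{}
	}
	g.ipUsers[e.IP][e.User] = true
}

// Replay feeds attempts through the guard in order and returns one decision each.
func Replay(g *Guard, events []LoginEvent) []string {
	var out []string
	for _, e := range events {
		d := g.Check(e)
		if d == Allow {
			g.Record(e)
		}
		out = append(out, d)
	}
	return out
}

// SampleLog is constructed: one source sprays a single guess across 30
// accounts, a second hammers "alice", then legitimate logins follow.
func SampleLog() []LoginEvent {
	var ev []LoginEvent
	for i := 0; i < 30; i++ {
		ev = append(ev, LoginEvent{i, "203.0.113.9", fmt.Sprintf("user%02d", i), true})
	}
	for i := 0; i < 7; i++ {
		ev = append(ev, LoginEvent{100 + i, "203.0.113.10", "alice", true})
	}
	return append(ev, LoginEvent{200, "192.0.2.4", "bob", false},
		LoginEvent{201, "198.51.100.2", "alice", false}, // alice herself: still locked
		LoginEvent{1000, "198.51.100.2", "alice", false}) // lockout has expired
}
```

Note that the spraying source never trips the account lockout (one failure per account) and stays under the per-source failure limit, so only the distinct-accounts check catches it; a lockout also stops the real owner until the window passes, which is why the window must be finite.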

DNSSEC and Your Future Online Security

There may be situations in which you need to authenticate and validate a client before granting access to an otherwise unsecured application. Secure authentication can be added in front of the application for this purpose: the client first authenticates to establish a secure session, and only then is given access to the services behind it. For instance, you may not want to lock down your whole public-facing website, but certain requests, such as one for a restricted folder, should require authentication. With secure authentication in place anyone can browse the main page, but as soon as a user clicks into a “member” area, access control provides the gate and the fence.
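The gate-and-fence arrangement above, as an added Go example (not code from the article or from F5): a small net/http server whose front page is open to everyone while anything under /member/ requires a valid session cookie, with unauthenticated requests redirected to a login page. The session store, the token value and the paths are constructed assumptions; the one detail worth copying is that the path is canonicalised before the prefix check, so a request for /public/../member/reports is gated like any other member-area request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// sessions maps opaque session tokens to user names. Tokens must be long
// random values issued at login; this in-memory map is a constructed
// stand-in for a real session store.
var sessions = map[string]string{"tok-4f9c2e7a1b": "alice"}

// userFromRequest returns the user who owns the session cookie, or "".
func userFromRequest(r *http.Request) string {
	c, err := r.Cookie("session")
	if err != nil {
		return ""
	}
	return sessions[c.Value]
}

// IsProtected reports whether a request path lies in the member area. The
// path is cleaned first so "/public/../member/x" cannot slip past the prefix
// check, and the prefix keeps its trailing slash so "/membership" is not
// matched by accident.
func IsProtected(p string) bool {
	p = path.Clean("/" + p)
	return p == "/member" || strings.HasPrefix(p, "/member/")
}

// RequireSession passes public requests straight through and sends
// unauthenticated requests for the member area to the login page.
func RequireSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if IsProtected(r.URL.Path) && userFromRequest(r) == "" {
			http.Redirect(w, r, "/login?next="+url.QueryEscape(r.URL.Path), http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewServer wires a public front page and a member area behind the gate.
func NewServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "public page: anyone may read this")
	})
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "login form would be served here")
	})
	mux.HandleFunc("/member/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s, this is the members' area\n", userFromRequest(r))
	})
	return RequireSession(mux)
}

func main() {
	http.ListenAndServe("127.0.0.1:8080", NewServer())
}
```

Running the program and fetching http://127.0.0.1:8080/ returns the public page, while /member/reports answers with a 302 to /login until the request carries the session cookie. In production the cookie would be marked Secure and HttpOnly and the session looked up in a shared store rather than a package variable.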


With more online services made available every day, more information is at risk of compromise in the course of these transactions. One of the most vulnerable areas is the Internet's domain name system (DNS). Built for efficiency rather than security, DNS is exposed to cache poisoning and ‘man-in-the-middle’ attacks that redirect users to hosts an attacker controls. This has driven growing adoption of the DNS Security Extensions (DNSSEC) by businesses.

DNSSEC authenticates the origin and integrity of DNS records with digital signatures. Each zone typically holds two asymmetric key pairs: a key-signing key (KSK) that signs the zone's published public keys, and a zone-signing key (ZSK) that signs the records themselves. Each zone in the DNS hierarchy vouches for the zones beneath it by publishing a signed hash (a DS record) of each child's key-signing key, so a validating resolver needs only the root zone's key as its trust anchor. This gives users more confidence that the address they reach when they enter personal and financial information or passwords is the one the domain owner actually published, not one injected by a spoofer. Note that DNSSEC signs the name-to-address mapping, not the website: it encrypts nothing and says nothing about whether the site at that address is honest, so it complements TLS certificates rather than replacing them, and a ‘phishing’ site on its own domain can be DNSSEC-signed too.
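To make the chain of trust concrete, here is an added Go model of it (written for this article; it is not F5 code and it does not use real DNS wire format or the RRSIG field layout). Each zone has a KSK and a ZSK, signs its DNSKEY set with the KSK, gets a DS record (a SHA-256 hash of its KSK) published and signed in its parent, and signs its A records with the ZSK. The resolver is configured with nothing but the root KSK and walks root -> com -> example.com before accepting an answer; the zone names, address and freshly generated Ed25519 keys are constructed fixtures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RRset is a record set plus its signature; Data is a constructed canonical form.
type RRset struct {
	Owner, Type string
	Data, Sig   []byte
}

// Zone holds a KSK (signs the DNSKEY set, hashed into the parent's DS) and a ZSK.
type Zone struct {
	Name     string
	Parent   *Zone
	KSK, ZSK ed25519.PrivateKey
	Records  map[string]RRset // keyed "owner/TYPE"
}

func canon(owner, typ string, data []byte) []byte { return append([]byte(owner+" "+typ+" "), data...) }

func pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }

func NewZone(name string, parent *Zone) *Zone {
	_, ksk, _ := ed25519.GenerateKey(rand.Reader)
	_, zsk, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{Name: name, Parent: parent, KSK: ksk, ZSK: zsk, Records: map[string]RRset{}}
}

func (z *Zone) sign(owner, typ string, data []byte, key ed25519.PrivateKey) {
	z.Records[owner+"/"+typ] = RRset{owner, typ, data, ed25519.Sign(key, canon(owner, typ, data))}
}

// Publish signs the DNSKEY set with the KSK, has the parent publish a DS for
// this KSK signed with the parent's ZSK, and signs an A record with the ZSK.
func (z *Zone) Publish(ip string) {
	z.sign(z.Name, "DNSKEY", append(append([]byte{}, pub(z.KSK)...), pub(z.ZSK)...), z.KSK)
	if z.Parent != nil {
		ds := sha256.Sum256(append([]byte(z.Name), pub(z.KSK)...))
		z.Parent.sign(z.Name, "DS", ds[:], z.Parent.ZSK)
	}
	if ip != "" {
		z.sign("www."+z.Name, "A", []byte(ip), z.ZSK)
	}
}

// Resolver is configured with a single trust anchor: the root KSK.
type Resolver struct{ Anchor ed25519.PublicKey }

// zoneZSK returns a zone's ZSK once its KSK has been chained back to the anchor.
func (r *Resolver) zoneZSK(z *Zone) (ed25519.PublicKey, error) {
	dk := z.Records[z.Name+"/DNSKEY"]
	if len(dk.Data) != 2*ed25519.PublicKeySize {
		return nil, fmt.Errorf("%s: missing DNSKEY", z.Name)
	}
	ksk, zsk := ed25519.PublicKey(dk.Data[:32]), ed25519.PublicKey(dk.Data[32:])
	if !ed25519.Verify(ksk, canon(dk.Owner, dk.Type, dk.Data), dk.Sig) {
		return nil, fmt.Errorf("%s: bad DNSKEY signature", z.Name)
	}
	if z.Parent == nil { // the root: its KSK must be the configured anchor
		if string(ksk) != string(r.Anchor) {
			return nil, fmt.Errorf("root KSK does not match trust anchor")
		}
		return zsk, nil
	}
	parentZSK, err := r.zoneZSK(z.Parent) // recurse: the parent vouches for this zone
	if err != nil {
		return nil, err
	}
	ds := z.Parent.Records[z.Name+"/DS"]
	h := sha256.Sum256(append([]byte(z.Name), ksk...))
	if !ed25519.Verify(parentZSK, canon(ds.Owner, ds.Type, ds.Data), ds.Sig) || string(h[:]) != string(ds.Data) {
		return nil, fmt.Errorf("%s: no valid DS for its KSK in %s", z.Name, z.Parent.Name)
	}
	return zsk, nil
}

// Lookup returns the A record for owner only if its signature chains to the anchor.
func (r *Resolver) Lookup(z *Zone, owner string) (string, error) {
	zsk, err := r.zoneZSK(z)
	if err != nil {
		return "", err
	}
	rr := z.Records[owner+"/A"]
	if !ed25519.Verify(zsk, canon(rr.Owner, rr.Type, rr.Data), rr.Sig) {
		return "", fmt.Errorf("%s: A record missing or forged", owner)
	}
	return string(rr.Data), nil
}

// BuildExample sets up root -> com -> example.com and a resolver anchored at the root KSK.
func BuildExample() (*Resolver, *Zone) {
	root := NewZone(".", nil)
	root.Publish("")
	com := NewZone("com.", root)
	com.Publish("")
	ex := NewZone("example.com.", com)
	ex.Publish("192.0.2.10")
	return &Resolver{Anchor: pub(root.KSK)}, ex
}
```

Two failure modes matter in practice and both are rejected by this walk: a poisoned answer whose data no longer matches its signature, and a zone signed with perfectly good keys that no parent has published a DS for. A resolver handed the wrong anchor trusts nothing at all, which is why real anchors are distributed and rolled with great care.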

To deploy DNSSEC, look for technology vendors that streamline signing-key generation and distribution and can sign DNS responses dynamically, in real time. This removes much of the routine DNSSEC key and signature management and reduces operating costs.


Remote Users Require Security without Compromising on Speed

The growing global footprint of users, the increasing number of access devices and the authentication requirements most enterprises now face add complexity to an already overloaded IT infrastructure, and make deployment and scaling difficult and expensive. Organizations need to enable flexible access deployments, control sensitive web access by users, and gain visibility into all of the data and applications being accessed.

A unified, integrated approach to enterprise security can help overcome these challenges. It can be implemented through application-fluent security and remote-access solutions that are flexible, efficient and cost-effective, and that minimize the risks of serving customers and sustaining a mobile workforce. Unified security provides not only enterprise and access security but also network and application protection, shielding complex IT environments from constantly evolving threats.

The answer is a web access management solution that drives identity into the network to provide secure, context-aware user access to web applications. It should also make it easy to add servers, eliminate downtime and improve performance.

(The author is Managing Director, F5 Networks, India and SAARC)
