Network Computingwww.networkcomputing.com

Integrated Web App Firewalls Make Sense In High-Performance Environments

Posted by Neil Roiter
September 07, 2010

Tags: APM, WAF, application performance management, web application firewall

Channel: Security, WAN Security, End to End APM, Next Gen Network, Data Protection, WAN & App Acceleration

Enterprises deploying high-end application delivery systems need to consider how best to secure their apps without imposing seconds or even fractions of seconds of latency, particularly in heavy-transaction environments where time literally means money. Web application firewalls (WAFs) are becoming an increasingly important component of control and delivery platforms, screening against common attacks such as SQL injection, cross-site scripting and cookie poisoning. Regulatory requirements, particularly PCI DSS, make WAF deployment not only desirable but mandatory.

Application delivery controllers provide load balancing and application acceleration, using techniques such as advanced compression, caching and protocol optimization to deliver multi-gig performance to customers and business partners, as well as employees leveraging apps across distributed WANs and remote connections. The challenge is implementing a WAF (web application firewall) that can handle SSL encryption and decryption and traffic analysis without impeding performance, and, in the worst case, availability.

Brad Trankina, for example, saw a big performance boost when he upgraded from his first WAF to F5 Networks' BIG-IP platform and its integrated Application Security Module (ASM) WAF. "From latency standpoint had issues with international customers," says Trankina, director of network and information systems at Human Kinetics, a provider of physical activity and health information.  "The transition to F5 dramatically improved that." The HTTP compression makes a significant difference, he says.

Enterprises that are already using or planning to buy application delivery systems have the option of deploying WAF as a stand-alone appliance--from the application delivery controller vendor or third party--or as an integrated component of the app delivery platform. If you are using one vendor for both application optimization and security, the choice often depends on your network architecture preferences. The integrated approach simplifies policy management and optimizes traffic flow. An integrated WAF enables admins to set application policy for load balancing and traffic control from the same interface as security policy, saving time and effort each time a new app is introduced or an existing one is modified.

Integrated WAF also maximizes performances because traffic only has to be decrypted and re-encrypted once within a single appliance. Migration to Extended Validation certs, which requires 2048-bit encryption keys rather than 1024-bit, underscore the importance of efficient encryption processing. A single appliance architecture also means that application traffic can be processed efficiently through each function. "Instead of copying data from one process and buffering into memory cell and copying from one process to another to another, you keep it in one spot where you do all the processing," said Ken Salchow, manager of technical marketing for F5. "Having a built-in Web application firewall gives you that efficiency."

Related Reading

More wan-security Insights