Application switches have come a long way from the early days of performing simple load balancing of Web traffic. Now, they are capable of intelligently load balancing various types of application traffic (e.g., streaming, voice over IP, database, Web services, wireless, etc.). However, a new need has arisen for application switches that can leverage deep-packet Layer 7 inspection capabilities to perform application-layer security.
Standard firewalls have long been able to enforce security policies based on who or what is allowed to connect to a specific service or machine. But the content of the packets allowed to pass through a firewall has typically been invisible to the firewall, because firewalls generally look only at header information. That header information lives at Layer 2 (e.g., MAC addresses), Layer 3 (e.g., IP addresses of the sender and the receiver), and Layer 4 (e.g., TCP and UDP port numbers that indicate the requested application).
Standard firewalls are limited in their ability to block attacks based on the content of a packet. New viruses, worms, malicious code, buggy applications, and cyber-attacks have now started targeting application weaknesses. A good example is the weakness enabled by the standard practice of opening services such as HTTP (TCP port 80) and HTTPS (TCP port 443) through most firewalls.
Many applications and protocols, both legitimate and illegitimate, tunnel through firewalls by connecting over standard TCP port 80 (as the Code Red virus did) or by encapsulating themselves in SSL tunnels (HTTPS). Packets aimed at these services pass through the network without being identified by typical firewalls. Many of these application vulnerability attacks begin with deliberately malformed packets, such as those carrying illegal header fields like the TCP flag combinations used by null scans, Xmas scans, and SYN/FIN scans.
As application-layer attacks and viruses become more sophisticated, it is imperative that the Layer 7 deep packet inspection capability of application switches be used to assist standard firewalls. The intelligent application-layer inspection enabled by application switches, in conjunction with standard firewall perimeter security, provides a level of layered security that effectively protects networks against application-layer attacks. Application switches need to be very robust if they are to provide the required level of security without adding latency to the network. They should also have the power to look deep inside a packet in real time, and the intelligence to detect complex patterns and signatures at different locations within a packet payload.
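To make the layering described above concrete, the following is an added example (not code from the article or from any switch or firewall vendor) that decodes the Layer 2 to Layer 4 header fields a conventional firewall sees, applies a port-based policy, flags the illegal TCP flag combinations mentioned earlier, and only then searches the Layer 7 payload for signatures. The frames, the allowed-port policy and the two payload signatures (a path-traversal request line and an overlong URI) are all constructed for illustration; a real application switch would carry a far larger and vendor-maintained rule set.

```python
"""Header-only (L2-L4) filtering beside Layer 7 payload inspection.

Added example; frames and signatures are constructed for illustration.
"""
import re
import struct

# TCP flag bits (octet 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# What a conventional L3/L4 firewall can express: which destination ports are open.
ALLOWED_DST_PORTS = {80, 443}

# Illustrative Layer 7 signatures (constructed for this example, not vendor rules).
PAYLOAD_SIGNATURES = [
    ("path traversal in request line",
     re.compile(rb"^(?:GET|POST) [^ \r\n]*\.\./", re.M)),
    ("overlong request URI",
     re.compile(rb"^(?:GET|POST) [^ \r\n]{512,}", re.M)),
]


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame as test input (checksums left zero;
    the frame never touches a real network stack)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, _ip(src_ip), _ip(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode the L2/L3/L4 headers a standard firewall looks at, plus the L7 payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
        return None
    ihl = (frame[14] & 0x0F) * 4
    fields = {
        "dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),   # Layer 2
        "src_ip": ".".join(map(str, frame[26:30])),                         # Layer 3
        "dst_ip": ".".join(map(str, frame[30:34])),
        "proto": frame[23],
    }
    if fields["proto"] != 6:
        fields["payload"] = frame[14 + ihl:]
        return fields
    t = 14 + ihl
    if len(frame) < t + 20:
        return None
    fields["sport"], fields["dport"] = struct.unpack("!HH", frame[t:t + 4])  # Layer 4
    doff = (frame[t + 12] >> 4) * 4
    fields["flags"] = frame[t + 13]
    fields["payload"] = frame[t + doff:]                                      # Layer 7
    return fields


def tcp_flag_anomaly(flags):
    """Name the illegal TCP flag combinations used by scanners; None if flags are sane."""
    if flags == 0:
        return "null scan (no flags set)"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "Xmas scan (FIN+PSH+URG)"
    if flags & (SYN | FIN) == (SYN | FIN):
        return "SYN/FIN scan"
    return None


def inspect(frame):
    """Return (verdict, layer, reason): L4 port policy, then L4 sanity, then L7 signatures."""
    p = parse_frame(frame)
    if p is None:
        return ("drop", "L2/L3", "unparseable frame")
    if p["proto"] != 6:
        return ("drop", "L3", f"IP protocol {p['proto']} not permitted")
    if p["dport"] not in ALLOWED_DST_PORTS:
        return ("drop", "L4", f"destination port {p['dport']} closed")
    anomaly = tcp_flag_anomaly(p["flags"])
    if anomaly:
        return ("drop", "L4", anomaly)
    for name, pattern in PAYLOAD_SIGNATURES:   # only a deep-packet inspector gets here
        if pattern.search(p["payload"]):
            return ("drop", "L7", name)
    return ("allow", "L7", "no signature matched")


if __name__ == "__main__":
    samples = {
        "ssh probe": build_frame("10.0.0.9", "10.0.0.1", 40000, 22, SYN),
        "syn/fin to 80": build_frame("10.0.0.9", "10.0.0.1", 40001, 80, SYN | FIN),
        "clean GET": build_frame("10.0.0.9", "10.0.0.1", 40002, 80, PSH | ACK,
                                 b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
        "traversal GET": build_frame("10.0.0.9", "10.0.0.1", 40003, 80, PSH | ACK,
                                     b"GET /cgi-bin/../../etc HTTP/1.1\r\n\r\n"),
    }
    for label, f in samples.items():
        print(f"{label:14s} -> {inspect(f)}")
```

The "clean GET" and "traversal GET" frames are identical at Layers 2 to 4, so a header-only firewall that opens port 80 must pass both; only the payload search separates them, which is the gap the article says application switches are meant to close.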