Application Security and Application Networks
Limitations of Network Security for Enabling Application Access
As described above, network security
was developed to protect the physical network and - as with network-layer
Virtual Private Network (VPN) solutions - to extend the network.
Protecting the network means identifying which packets have access
to the protected network and which do not. Extending the network
means identifying which remote devices or networks have access to
the protected network and which do not. Applications, which use
the network for a communications infrastructure, require far more
granular control than network security can provide. For example,
while literally thousands of applications utilize the UDP protocol,
most network security simply prevents the UDP protocol - not individual
applications - from traversing the network border. By operating
at the network layer, network security has four major limitations
when used as the sole enabler of secure application access:
Limited Application Connectivity
The use of network security severely
limits connectivity for trusted applications as it prevents unwanted
access. This connectivity is limited primarily by firewalls, which
are further complicated by their use of NAT and non-routable private
IP addresses. Firewalls are also often configured to block DNS traffic,
which creates additional problems as application traffic is routed.
These techniques, while critical for protecting the network, undermine
an enterprise's ability to utilize the applications its business
requires.
Limited Application Support
By limiting the ability of applications
to connect, the number and types of applications that are securely
enabled by network security is limited, too. Each application that
the network administrator chooses to support requires new policies
to define and manage, which further exposes the network. Consequently,
supported applications are kept to a minimum. Network security addresses
this with application proxies and VPNs. Application proxies, however,
support individual applications; many of these solutions, while
functional, are unacceptably slow. VPNs represent an alternative
for fully trusted users, but the number of users that qualify to
be a network node is small in relation to the total number of users
requiring access. Even with a patchwork of point solutions and voluminous
firewall access rules, enterprise network security has very limited
application support.
Limited Application Security
Network security, by definition,
provides network-layer security, which is often insufficient for
deploying mission critical applications. Network security protects
network devices. It authenticates and authorizes the device, which
implies that once authorized to attach to the network any user or
application can use this connection to access the network - a huge
security risk. Additionally, network security can provide network
layer encryption, which is often not flexible enough to adapt to
the varying application-specific encryption requirements. Network
security also can provide very little security within an application
through protocol filtering, as only standard applications such as
telnet and FTP are supported.
Limited Application Traffic Management
Enabling and managing reliable application
traffic is challenging for network security. Network security products
divide physically connected networks into many logically disconnected
networks. They force all the network traffic to pass through a single
access point (i.e., the network perimeter or DMZ). When the perimeter
is compromised or experiencing a physical failure, no applications,
including those that are allowed to cross the perimeter, will be
accessible. In most network architectures, redirecting applications
to a different perimeter is a labor-intensive task. Additionally,
managing reliable access proves challenging when routing rules are
broken. Since network security is based on the isolation principle,
routing rules must be set manually. Any changes or updates that are
required can be time-consuming and prone to error.
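As an added illustration (not code from the original paper) of two of the limitations above, the protocol-level UDP block and the device-level authorization, here is a small Python model that evaluates the same traffic under a network-layer filter and an application-layer policy. The addresses, rules, user names and application names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """What a network-layer device can see about a connection."""
    src_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int

@dataclass(frozen=True)
class AppRequest:
    """The same flow plus the context only the application layer has."""
    flow: Flow
    user: str
    app: str        # application generating the traffic

# Network-layer policy (constructed): a trusted source range plus a
# (proto, port) allow-list. No UDP entry, so every UDP application is dropped.
TRUSTED_PREFIX = "10.0."
NET_ALLOW = {("tcp", 443), ("tcp", 22)}

def net_filter(flow: Flow) -> bool:
    """Perimeter decision: keyed on device address and protocol only."""
    return (flow.src_ip.startswith(TRUSTED_PREFIX)
            and (flow.proto, flow.dst_port) in NET_ALLOW)

# Application-layer policy (constructed): keyed on (user, application),
# independent of where the device sits on the network.
APP_ALLOW = {("alice", "erp-client"), ("bob", "voip-client")}

def app_policy(req: AppRequest) -> bool:
    """Application decision: which user, running which application."""
    return (req.user, req.app) in APP_ALLOW

def decide(req: AppRequest) -> dict:
    """Both verdicts side by side for one request."""
    return {"network": net_filter(req.flow), "application": app_policy(req)}

# Constructed sample traffic: two different users on the same authorized device
# produce an identical flow, and a trusted VoIP client speaks UDP.
LAPTOP_HTTPS = Flow("10.0.5.20", "tcp", 443)
ALICE_ERP = AppRequest(LAPTOP_HTTPS, "alice", "erp-client")
GUEST_TOOL = AppRequest(LAPTOP_HTTPS, "guest", "unknown-tool")
BOB_VOIP = AppRequest(Flow("10.0.5.21", "udp", 5060), "bob", "voip-client")

if __name__ == "__main__":
    for label, req in [("alice/erp", ALICE_ERP), ("guest/tool", GUEST_TOOL), ("bob/voip", BOB_VOIP)]:
        print(f"{label:11} {decide(req)}")
```

The perimeter passes the guest's unknown tool because it rides the same authorized device and port as the ERP client, while it drops the trusted VoIP user outright because the filter can only reason about UDP as a whole.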
The Challenge
When network security is used to
deploy applications, the network security itself presents the biggest
obstacle to unfettered access to applications. Network security
is critical. Firewalls are critical. NAT is critical. Private IP
addresses are critical. How, then, can applications be securely
extended without compromising the network security? How can applications
be securely extended to users independent of the network layer infrastructure
and security? How can applications be securely extended to users
who are on another private network behind third party network security
and infrastructure? In short, can organizations separate protecting
and securely extending the physical network from protecting and
securely extending applications?
Introducing Application Security
As described above, network security
is designed to protect and extend the network. It operates at layers
two and three of the OSI network layer stack and is therefore not
ideal for protecting and extending applications that operate at
higher layers.
Application security represents the
solution for securing applications and extending applications. As
in any layered security model, application security complements
and operates independently of the underlying security layers. Application
security is an enabling technology that allows applications to be
securely extended - akin to network security allowing networks to
be securely extended to remote users or branch offices. Since applications
are required everywhere, application security should not be constrained
by physical network security, but at the same time it should not
compromise it. Application security offers a more logical, virtual
network - called the Application Network - that allows applications
to be securely extended to any user anywhere in the world.
Defining the Application Network
The Application Network delivers
the capabilities that allow organizations to now benefit both from
unfettered access to the applications their businesses need and
from enhanced application and network security. Organizations are no
longer required to make trade-offs between the productivity benefits
of, for example, deploying real-time business applications and the
consequent security risks of implementing and managing complex policies
or point solutions.
Enterprises can now simply deploy
the applications their businesses and the marketplace demand. The
Application Network is not a physical network, but a conceptual
one that is implemented to overcome the limitations of deploying
applications using network security. Complementary to the physical
IP network, the Application Network utilizes the underlying IP network
to enable connectivity between trusted users and applications irrespective
of their location and network security infrastructure. Working with
network security, the Application Network enhances overall protection
by securing the physical and logical network devices. It also provides
security services to the individual users who use these network
devices, such as laptops and application servers. Finally, it provides
security services to the individual applications that run on the
network devices.
When deployed, the Application Network
represents a logical network that is layered over the physical networks
while also serving as a logical network layered under the applications
that require the physical network for communications and connectivity.
The Application Network has the following four characteristics: