Application Security and Application Networks
Physical Network Independent

The Application Network is independent of the underlying IP configuration and can be deployed over any physical network, such as wired lines, wireless links, LAN, WAN, low-bandwidth dialup links, and high-latency satellite links. The Application Network is highly dependable through its ability to self-heal if it experiences component failures of its own or of the underlying physical network.
Network Security Independent

The Application Network is enabled without compromising the security policies implemented by network security technologies, such as firewalls. The Application Network can be deployed over any network, including public networks, private networks, networks protected by firewalls and NAT devices, networks linked by VPNs, networks using the existing address scheme (IPv4), and networks using the new address scheme (IPv6).
Application Independent

The Application Network supports any application that uses the physical networks, including web applications, non-web applications, legacy applications, emerging applications, client-server applications, peer-to-peer applications, query-reply applications, interactive and collaborative applications, simple content applications, content-rich applications, time-insensitive applications, and real-time applications. In addition to supporting all of today's applications, the Application Network is flexible and future-proof enough to support tomorrow's applications irrespective of protocol or design.
Security Technology Neutral

The Application Network is flexible enough to provide the security services required by different policies, authentication schemes, authorization engines, encryption algorithms, and auditing tools. The Application Network is also capable of seamlessly integrating new security technologies without disrupting the existing security services.
Deploying the Application Network

As described above, the Application Network is enabled by application security software. The Application Network, like any network, consists of three basic building blocks: application gateways, network access agents, and network management tools. The Application Network's gateways and agents are not unlike the hardware and software components used to build the physical network. That is, gateways in the IP network are the components (e.g., switches and routers) that connect one network to another, such as connecting an internal network with the public Internet. Application Network agents enable client access, and these agents also have physical network counterparts, such as the modems or PC cards used to connect to the physical network.
Application Gateways

Application gateways are responsible for providing four key services:

- Application connectivity over any physical or logical network. The gateway acts as an intermediary to enable any user on any network to connect to any application on the same or a different network.
- Proxy service for all applications. No packets for any application from one network should directly touch the other network; every packet should be regenerated for every application to eliminate IP-layer attacks.
- AAA and application data protection services for any application that utilizes the gateway. The gateway ensures that each user is authenticated, all access is authorized, and all activity is logged; data integrity is provided through data encryption.
- Application filtering for applications utilizing the gateway. The gateway provides administrators with granular control of not only which applications can be accessed, but what individual users can do within an application.

Application Network Agents

Application network access agents, either in the form of desktop agents or downloaded through a browser, perform the following two key services:

- Identify and associate, in real time, users and applications on the network devices. Agents request access to a specific application on behalf of the user.
- Discover the application gateways and route applications through the right gateways. Once access is requested, the agent must route the request to the gateway that has access to the requested application.

Application Network Management Tools

Application network management tools perform the following three key services:

- Centrally manage application gateways, including application networking and application security policies.
- Monitor, alert, and collect information about gateway operations and error conditions.
- Manage the policies used by agents and the integration with third-party AAA services.
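The gateway and agent services described above can be modelled as a small policy engine. The following is an added example, not code from the paper or from any vendor product: a toy gateway that authenticates a session token, authorizes the user for the requested application, applies a per-user command allow-list (application filtering), writes an audit record for every decision, and then rebuilds the outbound request from parsed fields rather than relaying the raw bytes (the "every packet is regenerated" proxy behaviour). An agent-side routing function picks the gateway advertising the requested application. The session store, policy table, gateway table, and the "application command argument" request format are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# --- Constructed sample data (assumptions for this example) -----------------
# Session tokens the gateway accepts; a real gateway would defer to AAA services.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}

# Per-user, per-application command allow-lists (application filtering).
POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "alice": {"ftp": frozenset({"LIST", "RETR"}), "telnet": frozenset({"SHOW"})},
    "bob":   {"ftp": frozenset({"LIST", "RETR", "STOR"})},
}

# Agent-side discovery table: which gateway reaches which application.
GATEWAYS: Dict[str, FrozenSet[str]] = {
    "gw-dmz":  frozenset({"ftp"}),
    "gw-core": frozenset({"telnet", "ftp"}),
}

# Audit trail: one record per decision, allow or deny.
AUDIT: List[str] = []


@dataclass(frozen=True)
class AppRequest:
    application: str
    command: str
    argument: str


def parse_request(raw: str) -> Optional[AppRequest]:
    """Parse 'application COMMAND argument' as sent by the agent.

    Anything that does not fit the schema (missing fields, non-alphabetic
    application or command names, control characters in the argument) is
    rejected here, so it never reaches the protected network.
    """
    parts = raw.strip().split(" ", 2)
    if len(parts) < 2:
        return None
    app, cmd = parts[0].lower(), parts[1].upper()
    arg = parts[2] if len(parts) == 3 else ""
    if not app.isalpha() or not cmd.isalpha():
        return None
    if any(ord(c) < 32 for c in arg):  # blocks CR/LF and other control bytes
        return None
    return AppRequest(app, cmd, arg)


def gateway_handle(token: str, raw: str) -> Tuple[bool, str]:
    """AAA plus proxy: authenticate, authorize, filter, log, then regenerate."""
    user = SESSIONS.get(token)
    if user is None:
        AUDIT.append(f"DENY authn token={token!r}")
        return False, "authentication failed"
    req = parse_request(raw)
    if req is None:
        AUDIT.append(f"DENY malformed user={user} raw={raw!r}")
        return False, "malformed request"
    allowed = POLICY.get(user, {}).get(req.application)
    if allowed is None:
        AUDIT.append(f"DENY authz user={user} app={req.application}")
        return False, f"{user} may not use {req.application}"
    if req.command not in allowed:
        AUDIT.append(f"DENY filter user={user} app={req.application} cmd={req.command}")
        return False, f"{req.command} not permitted for {user} on {req.application}"
    # Regeneration: the outbound message is rebuilt from the parsed fields only;
    # no byte of the inbound request is copied through verbatim.
    regenerated = f"{req.command} {req.argument}".strip()
    AUDIT.append(f"ALLOW user={user} app={req.application} cmd={req.command}")
    return True, regenerated


def agent_route(application: str) -> Optional[str]:
    """Agent discovery: choose the first gateway (by name) advertising the app."""
    for gateway, apps in sorted(GATEWAYS.items()):
        if application in apps:
            return gateway
    return None


if __name__ == "__main__":
    print(agent_route("ftp"), gateway_handle("tok-alice", "ftp RETR /pub/readme.txt"))
    print(gateway_handle("tok-alice", "ftp STOR upload.bin"))
    print("\n".join(AUDIT))
```

The control-character check in `parse_request` is what makes regeneration meaningful: a request that smuggles a second command after a line break is rejected as malformed rather than being re-emitted, and the denial shows up in the audit trail like any other decision.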
Benefiting from the Application Network

The Application Network provides enterprises with the ability to deploy the applications they want to the users who need them. A seemingly straightforward and simple proposition, the Application Network delivers three key benefits:
Reduce Risk of Attack

The Application Network mitigates the risk of both internal and external attacks by authenticating and authorizing all application access by user, logging all activity, and encrypting all traffic in SSL. The Application Network, by operating above the IP layer, significantly minimizes the threat of IP-layer attacks, such as Denial of Service attacks.
Maximize Application ROI

The Application Network allows enterprises to get the most value and utility from their enterprise applications. Applications are often not available to certain users or from certain locations because of security concerns, which significantly limits the value that can be derived from them. Additionally, firms can use the applications they want, not only those supported by their network security. For example, why don't users use NetMeeting, which is bundled on most Microsoft desktops? With the Application Network, they can.
Minimize Application Security TCO

The Application Network is application independent and has extensible security for both today's and tomorrow's applications and protocols, such as SIP, VoIP, and SOAP. The Application Network provides a single solution enabling secure access to any application, which is significantly less expensive over time than a patchwork of standalone network security products. Most companies don't realize it, but they struggle with elements of the Application Network every day. Issues ranging from securing dynamic ports at the firewall to enabling users to access applications from a Wi-Fi wireless zone all indicate the need for the Application Network. All of the elements of the Application Network have the common thread of allowing users to access the applications they need from and across any trusted or untrusted network. To understand your business's Application Network needs, think about your secure access requirements along three dimensions:
Users - who are the users that require access? Examples include:
- Remote employees
- Remote vendors and managed service providers
- Internal contractors

Access - where are the users, and where are the applications or data sources? Examples include:
- External users trying to access internal servers
- Internal users trying to access external servers
- Internal users trying to access internal servers

Applications - what are the applications the users need access to? Examples include:
- FTP and telnet
- Collaborative applications, such as NetMeeting
- Instant Messaging

Examples of combinations across these dimensions include:
- CPE technicians need secure remote access for telnet
- Internal employees need secure WLAN access for email and enterprise applications
- Internal employees need secure access to externally-generated data feeds
- And many more…
Any combination of users, access, and applications represents an element of the Application Network that solves today's and tomorrow's business problems. No longer must network administrators finesse network security to allow access to the applications users require. They now have the capability to keep their airtight network security in place while at the same time allowing users access to the applications they need.