WAN Application and Data Security and Compliance

By | March 14, 2006

The centralization of branch office servers and storage enables enterprises to more effectively manage and secure critical business information. By moving servers out of branch offices and consolidating IT infrastructure to fewer, purpose-built data centers, enterprises can protect vital business resources through tight physical security and well-defined access procedures. In addition, server centralization limits the amount of places where sensitive user credentials are stored, helping to ensure that this information remains protected from unauthorized access.

Server centralization also facilitates adherence to corporate and regulatory compliance policies, which mitigates a company´s overall risk of exposure. It enables IT staff to easily, and more cost effectively, identify deviations from established guidelines, such as Sarbanes Oxley, Basel II, and the Health Insurance Portability and Accountability Act (HIPAA), and take appropriate remediation steps when necessary.

However, limitations in existing WAN technology can make it difficult to deliver applications across a distributed enterprise with adequate performance. Recent surveys, for example, indicate that as many as 90% of respondents are expecting to invest in new application acceleration solutions to address this challenge in the coming years.

One way to centralize servers without succumbing to the performance limitations of WAN technology is to deliver information locally when possible. There are several ways that this can be achieved, most of which involve replacing local application servers with network appliances that are placed in branch offices and data centers to accelerate application performance across the WAN.

The last thing that enterprises want to do, however, is to sacrifice security for the sake of application performance when they replace branch office servers with new acceleration appliances. As a result, several basic measures should be followed to ensure that new acceleration products are secure enough to protect vital business resources.

Methods of Application Acceleration

Given the compelling arguments for server centralization, various solutions have emerged to try and improve application performance over enterprise WANs. Each has unique impacts on enterprise data security.

Application proxies, for example, are used to locally simulate an application server. They are placed in a remote office where they intercept remote clients´ requests for data. If the exact same content has been seen before, it will be served by a local cache located within the remote device. Otherwise, the request is forwarded to the application server, which is responsible for serving up the requested content. One example of a “proxy” type device is a Wide Area File Server (WAFS). This technology emerged as a way of implementing proxy file servers in distributed offices. By configuring clients to point to a WAFS share, the proxy file server can make remote content appear local. These devices terminate CIFS sessions, and then examine requests to see if the requested filename can be delivered locally.

Although WAFS offers a number of specialized features, like the ability to authenticate users and read and write files even when the data center is unreachable (e.g., due to a network event), it can create unique security challenges. The branch office, in effect, is supporting a full blown file server. This requires user and password updates, and the WAFS appliance is responsible for file locking semantics. As a result, rather than simplifying the branch office, these approaches can actually make things more complicated, and often-times less secure.

Local Instance Networking is another approach to application delivery. In this type of environment, appliances inspect all WAN traffic and store a local instance of information in an application independent data store at the appropriate enterprise location. All outbound packets are examined prior to traversing the WAN to see if a match exists in the local instance at the destination location. If a match exists, then the repetitive information is not sent across the WAN and instructions are sent to deliver the data locally. If the data has been modified, only the delta is transmitted across the WAN, maximizing bandwidth utilization and application performance.

In a LIN implementation, all authentication, authorization, file and record locking is performed centrally by the native applications, thus preserving client/server semantics. This ensures application coherency and ensures that all user credentials and security mechanisms remain centralized. However, Local Instance Networking requires large amounts of data to be stored in local hard drives on each acceleration appliance. While the bulk of information is stored and indexed in a fashion that is only meaningful to the appliance itself, it is possible that small strings of recognizable data might be stored together, enabling some information to be viewed if someone gained access to the local drive. As a result, enterprise-class LIN appliances will use encryption to protect the local data store from unauthorized access.

Security Precautions

Regardless of the technology used, when new appliances are inserted into a network infrastructure to accelerate application performance, some basic security guidelines can be observed to ensure that they do not compromise data security. These include:

Secure access: TACACS+ and/or RADIUS can be used to prevent unauthorized users from accessing network acceleration appliances. In addition, secure interfaces can be provided on all management consoles, including SNMPv3 and HTTPs. User credentials should be stored in as few places as possible, preferably in a secure environment, such as a purpose built data center.

Local data encryption: 128 Bit Encryption can be used to protect data stored in local hard drives. Even if proprietary methods are used to store bytes of information on a local hard drive, encryption eliminates the risk that some data might be recognizable to unauthorized users.

VPN across the WAN: IPsec is often used between appliances to secure data transfer over the WAN. Doing encryption in hardware can help to ensure that security does not come at the expense of performance. IPsec can be performed outside of the acceleration appliance, but it typically must occur downstream of this device. Otherwise, the appliance will not have visibility into traffic traversing the WAN, limiting its ability to provide significant performance gains.

As more and more enterprises undergo server centralization projects, new products will be introduced to improve network and application performance. By following basic security precautions, enterprises can ensure that these performance improvements do not come at the expense of data security. In fact, by enabling the centralization of key resources, enterprises are actually increasing their ability to secure business information, which ultimately ensures better compliance with the key regulatory measures that are having an increasingly complicated effect on the way that everyone does business.

Leave a Reply