Archive for November 2009

Navigating the ‘crossroads’ with open source firewalls.

November 21, 2009

Firewalls have been around in some form or another since the early days of networks. A typical firewall protects the ‘trusted’ internal network from those on the ‘untrusted’ outside. Things have changed since then. Exploits make it all the way to applications through open ports on the firewall. Requirements to give access to partners, contractors, guests, and customers using self-service portals render the notions of ‘trusted’ and ‘untrusted’ portions of the network useless. Today we stand at a crossroads between installed legacy infrastructure, which does not satisfy even present-day security needs, and emerging technologies. Emerging technologies don’t focus on networks and hosts, but on protecting the ‘data’ and the ‘content’. The wisdom of the day is to let the traditional firewalls keep the riff-raff out by only allowing traffic in to appropriate IP addresses and ports, and let the more application-specific techniques protect the ‘data’ and defend against application-level denial of service attacks.

The cost of the switch from legacy to emerging technology will be large, but the balance is tipping such that the cost of not making the switch will be even larger. Open source can help with the costs by offering the emerging techniques developed by a community of cooperative experts. OpenADC will allow network security experts to write cost-effective traditional firewalls that face the internet, and application developers to write the application-specific firewalls that sit just in front of the application, so that the two work in unison to provide the best protection for the application.
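To make the two-layer arrangement concrete, here is an added example (not code from this blog or from the OpenADC project) of a network-level allowlist on destination IP and port feeding an application-specific guard that rate-limits each client and admits only known routes, so that an application-level flood is stopped in front of the application rather than at the packet filter. The allowlist, routes, addresses and timestamps are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Stage 1: traditional firewall. Only destinations on the published
# service addresses/ports are let in; everything else is dropped.
# Constructed allowlist using the TEST-NET-3 documentation range.
NETWORK_ALLOWLIST = {
    (ipaddress.ip_network("203.0.113.0/24"), 443),
    (ipaddress.ip_network("203.0.113.0/24"), 80),
}

def network_filter(dst_ip, dst_port):
    """Layer-3/4 decision: accept only allowlisted (network, port) pairs."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and dst_port == port
               for net, port in NETWORK_ALLOWLIST)

# Stage 2: application-specific guard sitting just in front of the app.
# A token bucket per client bounds request rate (application-level DoS
# defence); requests for unknown routes never reach the application.
class AppGuard:
    def __init__(self, rate_per_sec, burst, known_routes):
        self.rate = rate_per_sec
        self.burst = burst
        self.known_routes = set(known_routes)
        self.buckets = defaultdict(lambda: [burst, None])  # [tokens, last_ts]

    def allow(self, client_ip, path, now):
        tokens, last = self.buckets[client_ip]
        if last is not None:  # refill proportionally to elapsed time
            tokens = min(self.burst, tokens + (now - last) * self.rate)
        if path not in self.known_routes or tokens < 1:
            self.buckets[client_ip] = [tokens, now]
            return False
        self.buckets[client_ip] = [tokens - 1, now]
        return True

def handle(dst_ip, dst_port, client_ip, path, now, guard):
    """Both layers in unison: network filter first, then the app guard."""
    if not network_filter(dst_ip, dst_port):
        return "dropped-by-network-firewall"
    if not guard.allow(client_ip, path, now):
        return "blocked-by-app-guard"
    return "delivered"
```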

In the rest of the posts in this category, I will survey existing open source firewalls — both the traditional network-level firewalls and the application-specific ones.

What has your experience been with open source firewalls? Let me know in your comments.

Services anticipated on the Open Source Application Delivery Controller

November 13, 2009

Traditionally, when we think of application delivery controllers and what runs on them, services such as those listed below come to mind.

1. Loadbalancers

2. SSL offload

3. XML offload

4. Asymmetric application acceleration

5. Traffic tracing

The openADC platform will allow developers from the user and consultant community to write services as they see fit, whenever they need them. With this in mind we look into the crystal ball and come up with this list of services we anticipate. This is just a start, and we will keep adding to the list. Here it is:

1) End to end transaction monitoring, which includes database and other back end transaction monitoring.

2) Data Leakage monitoring and enforcement.

3) Compliance related monitoring and enforcement.

4) Auto-encryption of sensitive information while it is being transmitted.

5) Application usage pattern discovery.

6) Application performance monitoring, proactive degradation sensors and alerts.

7) Web Application Firewalling.

8) Flexible programmable Deep Packet Inspection engine.