This post is part 2 of a two-part series that addresses the rapid changes in security paradigms. The change to security not only affects operations; it also increases the complexity of security designs. The following post discusses the history of security paradigms and the challenges that arise from their change.

Firewall Designs & the Evolving Security Paradigm

The firewall has weathered a number of design changes. Initially, we started with a single chunky physical firewall and prayed that it wouldn’t fail. We then moved to a variety of firewall design models such as active-active and active-backup mode.

The active-active design really isn’t a true active-active due to certain limitations. The active-backup design, on the other hand, leaves one possibly quite expensive device sitting idle, waiting to take over in the event of a primary firewall failure. We now have the ability to put firewalls in containers. At the same time, some vendors claim that they can cluster up to eight firewalls, creating one big active firewall.

While these introductions are technically remarkable, they are complex as well. Any complexity involved in security is certainly a volatile place to dock a critical business application.

History of Security Paradigm

The traditional security paradigm consisted of an individual component approach (Web, Application, Database) placed in different security zones separated by a virtual LAN (VLAN), IP subnet and, in some cases, Virtual Extensible LAN (VXLAN).

Usually, the administrator would place all the application servers in one segment, web servers in another and so on. From an administrative point of view this is a neat approach; from the security perspective, however, it’s not so secure. You are only ever as strong as your weakest link, therefore a single poorly patched application or web server leaves every other server on that segment open to potential compromise.

An alternative to this approach is the VM-NIC firewalls that can come in many different constructs. Each component, be it a Web application or Database, has its own personal firewall. As a result, if a poorly configured neighbor on the same segment gets compromised, you have the peace of mind that you are protected with your own personal firewall. This is like a personal bodyguard shielding you through busy streets.

However, this changes the security paradigm. Earlier, anything untrusted was outside of the Local Area Network (LAN). Now, everything outside of that particular segment is untrusted, including neighbors on the same LAN.

Problems with the New Security Paradigms

Additional filtering is carried out, which can cause application performance problems and increase latency. Traffic between two web applications on the same segment now needs to be inspected by their respective firewalls.

There is so much to consider with this type of approach. The question to be considered here is: are you ready to change your security paradigms? And how does this affect your security posture?

We all agree to the fact that we need to make changes and evolve to support new applications and technologies. Changing security paradigms can be risky and risk is never a good term to use in the world of web application security supporting critical services.

How can Acunetix help?

As a last-man-standing approach, equipping the applications with appropriate web vulnerability scanning tools gives you the peace of mind that, whether you jump into the new world of scattered security paradigms or stay with the existing models, you have taken appropriate measures to barricade your company’s valuable assets: the websites and web applications.

Acunetix approaches security in two phases: an initial lightning-fast crawling stage that builds the site’s structure, identifying all the pages, forms and elements that make up the web application, followed, once the crawl completes, by intelligent scanning.

Acunetix AcuSensor technology offers the most advanced scanning, providing the highest detection rate while lowering false positives. The high level of accuracy is achieved by combining traditional black-box scanning techniques with interactive code analysis while the source code is being executed. This gives administrators the next generation of website security within a single graphical user interface (GUI).

WordPress vulnerabilities are not going away and are on the increase. Acunetix checks for over 4,000 known vulnerabilities in WordPress’ core, themes and plugins. With 24% of the Internet’s websites running WordPress, the Acunetix web scanner covers all of these WordPress vulnerabilities, including those in WordPress plugins and misconfigurations.

It’s a fact that a bad actor is going to attack your infrastructure through a web application. The web application is the front door to the network, be it in the cloud or on-premises. There is no getting away from this; the attack is inevitable and will eventually happen. So, it’s not just about choosing the correct security paradigm. It’s all about how you detect and deal with this attack at the web application and web server level.

Summary

Simplicity is the mother of success when it comes to security. If you are forced down the road of scattered security perimeters, you need to structure a hard security bubble around your web application and web server.

The best approach is to surround the application with a solid security framework and make a mental note that this is the last line of defense, regardless of the network design and security perimeter. The security perimeters will continue to change; we now have firewalls in containers. Containers and microservices are revolutionary and truly technically remarkable. However, security questions linger above them. Therefore, it’s essential to choose the appropriate security tools that go through the vulnerabilities with a fine-tooth comb and leave you with an unharmed web application.

THE AUTHOR
Matt Conran
Network, Security & Cloud Specialist
Matt Conran has more than 17 years in the networking industry with entrepreneurial start-ups, government organizations and others. He is a lead Network Architect and has successfully delivered major global greenfield service provider and data center networks. His core skill set includes advanced data center, service provider, security, and virtualization technologies. He loves to travel and has a passion for landscape photography.