Application level visibility vs. Network level visibility

   

Visibility is an essential ingredient in security. Whether it's examining "forensic" evidence and audit trails after the fact or limiting access in real-time, any security system needs visibility to understand what is going on within the applications and networks that it is trying to defend. Defending without visibility is like shooting in the dark. As we will see in this post, a few recent developments have made it possible to increase visibility, improving the system's ability to defend against unauthorized access.

The old days – protocol chaos and network level inspection

In the days of the original Firewall, enterprise software was based on a multitude of communication protocols between clients and servers. Standards were very limited, requiring each software vendor to develop its own protocol. With no standard protocol, the only way to ensure security was to inspect the traffic at OSI Layer 3 or 4. And this is exactly what the Network Firewall did. Network security at that time was focused on ports and protocols, and it relied on the ability to inspect network traffic typically at the perimeter of the enterprise network. Firewalls provided visibility into the connections (hosts, ports, IP addresses, etc.) and were used to manage (grant or revoke) access to network resources. Without protocol standardization this was the best visibility that could be attained by a security system. However, this was obviously very limited. 

To illustrate the visibility limitation, let's compare the traditional Firewall with a physical security system. In this case we have an indication that a "black van" is at the gate asking for permission to enter. The security system grants access and that’s it; the next time the system is invoked is when the "black van" exits the facility. The system has no knowledge of what the van and its passengers did within the facility, just that it entered and exited.

This limitation has given rise to the NGFW (Next Generation Firewall). These firewalls try to create visibility (and access control) beyond connections, ports and IP addresses. They inspect the network communications and try to understand which application or action is taking place inside the network, using deep packet inspection and, where applicable, SSL interception. Although more effective than the traditional Firewall, this method is still very much focused on the networking properties of the communications, and not on the content itself.

Today – few protocols and application level inspection

Things have changed. In modern applications almost all communications between components of the enterprise software are based on a single protocol: HTTP/HTTPS. Most IT operations are likewise based on a single standard: SSH. In addition, cloud computing and mobile applications have contributed to the crumbling walls of the network perimeter. Essentially, there is no point in just knowing that the "black van" has entered or exited the gate; we want to know exactly who was inside the van and what they did inside the facility. In our case, we want "application level visibility".

By assuming the use of standard protocols, an application proxy solution can monitor and manage activities at the application level. So instead of "User John Doe has accessed Application X from his MacBook", you get: "User John Doe has accessed Application X, looked at Folders Y, Z, W inside the application, read the file labeled “Project S – Description” in folder W, then updated the file labeled “Project S – Deliveries and Milestones”". The same principle is not limited to users accessing application servers; it also applies to machine-to-machine communication via standard APIs.

This visibility, at the application level, offers the ability to defend against both external and internal threats. In the future, with the wider adoption of the HTTP/2 and gRPC protocols, application visibility will become a real possibility for more and more communication scenarios. Flexible application proxy solutions that support both the protocols widely used today and the ones that will serve as a foundation for applications in the upcoming years provide a very solid foundation for a next generation of enterprise security platforms. These platforms will have the ability to know exactly what the users are doing at the application level, what data they are accessing, which actions they are performing, etc. Without such visibility it is impossible to build meaningful security checkpoints, and there is no ability to identify normal and abnormal behaviors.
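The John Doe session described above, as an added example that is not part of the original post: the same five requests reduced to what a layer 3/4 firewall can record and to what an application proxy can record, plus a minimal baseline check. The addresses, URL paths, `VERBS` mapping and `BASELINE` are constructed for illustration.

```python
# Added illustration; hosts, paths and the baseline are constructed sample data.
VERBS = {"GET": "read", "POST": "create", "PUT": "update", "DELETE": "delete"}

# Requests as a TLS-terminating application proxy would see them:
# (src_ip, src_port, dst_ip, dst_port, authenticated_user, method, path)
CONN = ("10.0.0.7", 51514, "10.1.1.20", 443)  # one keep-alive connection
REQUESTS = [
    CONN + ("john.doe", "GET", "/folders/Y"),
    CONN + ("john.doe", "GET", "/folders/Z"),
    CONN + ("john.doe", "GET", "/folders/W"),
    CONN + ("john.doe", "GET", "/folders/W/files/project-s-description"),
    CONN + ("john.doe", "PUT", "/folders/W/files/project-s-deliveries-and-milestones"),
]

def network_view(requests):
    """Layer 3/4 visibility: the distinct connections, nothing about content."""
    return sorted({req[:4] for req in requests})

def application_view(requests):
    """Application-level visibility: one audit event per request."""
    events = []
    for *_, user, method, path in requests:
        # Leading "" keeps parts[-2] valid for single-segment paths.
        parts = [""] + path.strip("/").split("/")
        events.append({
            "user": user,
            "action": VERBS.get(method, "other"),
            "resource_type": parts[-2],
            "resource": parts[-1],
        })
    return events

def deviations(events, baseline):
    """Events whose (user, action, resource_type) was never seen in the baseline."""
    return [e for e in events
            if (e["user"], e["action"], e["resource_type"]) not in baseline]

# Constructed baseline: John Doe has so far only read folders and files.
BASELINE = {("john.doe", "read", "folders"), ("john.doe", "read", "files")}

if __name__ == "__main__":
    print("firewall sees:", network_view(REQUESTS))
    for event in application_view(REQUESTS):
        print("proxy sees:   ", event)
    print("not in baseline:", deviations(application_view(REQUESTS), BASELINE))
```

The firewall's record collapses to a single connection entry, while the proxy's record has five attributable events, one of which falls outside the baseline.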


Written by Leonid Belkind, CTO & co-founder

Leonid Belkind is leading the technology vision for Luminate’s products. Prior to co-founding Luminate, Leonid worked for more than 14 years for Check Point Software Technologies, the leading vendor of IT network security products, where he built generations of IT security products, from early concept to delivery to Fortune 100 customers. He also established large international product delivery organizations of 150+ employees. Leonid is a graduate of Israel’s elite military technology unit, 8200.