Scaling Application Security with ITD.
Ready to scale your enterprise beyond limits? How about slashing a whole layer of datacenter
infrastructure, saving piles of cash in the process? Or perhaps you’re interested in simplifying your
enterprise while adding features, or trying to speed things up without spending money. Sound too good
to be true? Well, thanks to a new technology from Cisco, you can have your cake and eat it, too.
Cisco Intelligent Traffic Director (ITD) is poised to disrupt data center load balancing. Combined with
best-in-class products, such as Imperva SecureSphere, organizations can deploy and manage massively
scalable applications securely with unprecedented ease and cost effectiveness.
What is ITD?
Cisco recently released a new feature, Intelligent Traffic Director (ITD) for the Nexus 7k switches that
promises to be a disrupting force in the world of load balancing. There has been an exponential growth
in data traffic in the recent years leading to a growth in the deployment of network service appliances in
enterprise, datacenter and cloud environments. To address the corresponding business needs, network
switch and router architecture has evolved to support multi-terabit capacity. However, service appliance
capacity remained limited to few gigabits, an order of magnitude far below switch capacity.
Cisco Intelligent Traffic Director (ITD) is an innovative solution that tries to bridge performance gap
between the switch and service appliance(s). It allows customers to deploy service appliance(s) from any
vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus
7000 / 7700 series switch, customers can create a service appliance cluster and deploy multiple
appliance(s) to scale service capacity with ease. The servers or appliance(s) do not have to be directly
connected to the Nexus switch.
Application Security
Gartner published a paper called Web Application Firewalls are Worth the Investment for Enterprises in
Feb, 2014 that makes the case that “Firewalls and intrusion prevention systems don't provide sufficient
protections for most public-facing websites or internal business-critical and custom Web applications.”
Gartner advises enterprises to use a Web Application Firewall (WAF) to protect critical external and
internal applications from attacks and threats.
Like other service appliances, a WAF appliance benefits from ITD’s ability to manage large scale traffic
loads. Imperva SecureSphere WAF works with ITD, and the combination provides highly scalable
application security.
I mention SecureSphere because Imperva was positioned as the only Leader in the Gartner 2014 Magic
Quadrant for Web Application Firewalls. Some key capabilities of the SecureSphere WAF are:







Block attacks with laser precision
Accuracy is critical with application security. If you have false positives, you block customers; if
you have false negatives, you let the bad guys in.
World-renowned application security research
Security is constantly evolving. To get ahead and stay ahead in the continuous fight against
threats, Imperva has a dedicated security research team, the Application Defense Center (ADC),
which provides regular signature and policy updates, and up-to-date threat intelligence for
Imperva SecureSphere.
Shut down malicious sources and bots
Imperva’s ThreatRadar Reputation Services help detect bad actors using IP reputation feeds of
known malicious sources, anonymizing services, phishing URLs, TOR (“The Onion Router”), as
well as IP geolocation data.
Stop application DDOS and business logic attacks
Business logic attacks include things like posting comment spam in forums and message boards,
scraping web content, and disabling access to your website. All of this can reduce competitive
edge, frustrate customers, and damage reputation.
Instantly patch website vulnerabilities
It takes organizations an average of 6 months to patch an application vulnerability once it’s
discovered. SecureSphere integrates with vulnerability scanners to virtually patch applications.
This allows businesses to stay protected, and fix the vulnerability on their own timeline, thus
reducing the window of exposure and the associated costs.
Gain forensics insights with customizable reports
Graphical reports enable organizations to quickly analyze security threats and meet compliance
requirements.
Speed up deployment without risk
SecureSphere protects applications without impacting performance and without requiring
extensive network changes. It offers flexible inline, non-inline, and proxy deployment options
that meet organizations’ diverse requirements. SecureSphere’s Fail-Open capabilities combined
with unique, transparent bridge mode saves time and labor with drop-in deployment that
requires no changes to existing applications or network devices, and delivers multi-Gigabit
throughput while maintaining sub-millisecond latency.
Scaling Application Security
Using ITD in VIP Mode to load balance provides a fast and economical way for organizations to provide
highly scalable and available infrastructure. By leveraging ITD, an enterprise can deploy a single IP
address (the VIP), which is then load balanced across many SecureSphere WAFs, with each one
protecting the back-end webservers. This is done right from the 7K – There’s no need for an external
load balancer in the middle.
Why is this better than other Load Balancers?
By combining Cisco ITD and SecureSphere’s advanced capabilities to monitor and secure HTTP traffic,
several key advantages are apparent:




Eliminates the need for external load balancers, freeing up large amounts of budget and
resources
You get the advantages of a proxy-type load balancer (1 single VIP represents many
webservers), but still get ‘fail-open’ bridges on WAFs
ITD proxies traffic without interfering with the TCP Source IP Address , allowing SecureSphere to
leverage the source IP, User and Session details for blocking and alerting.
To work with SecureSphere, ITD requires no modification to HTTP Headers (e.g., X-ForwardedFor), which can break applications and slow down traffic
What does this mean for the future of high performance WAF deployments?
By teaming up the Cisco Nexus 7K with SecureSphere WAFs, organizations can cost effectively deploy
scalable, high-availability WAF farms to handle large amounts of traffic to webservers. As the web
traffic increases, WAFs can be seamlessly added to the pool to scale up with the enterprise. Since every
port on the 7K can be used as a load balancer this provides the potential to scale up to multi-terabits of
throughput to a SecureSphere WAF cluster.
In conclusion, ITD and SecureSphere provides simple, cheap, fast, scalable, and reliable security
infrastructure. Sort of like having you cake, with icing, and cherries on top – and eating it, too.