The techniques for intrusions are becoming more complex and harder to detect, ranging from those that leverage known vulnerabilities to those that directly attack directories. As a result, solution providers need more advanced layered security systems to protect their customers.
F5 Networks, Seattle, is taking a different approach to protecting applications with its BIG-IP Application Security Module (ASM). The product focuses on protecting applications from compromise and offers something not commonly found in other application protection systems: It does not rely on a signature database for protection. Instead, it focuses on keeping out unacceptable traffic.
Traditional application security schemes block known attacks by using signature databases. In practice, those systems are installed with all-access capabilities enabled and then an administrator closes ports or defines policies to mitigate attacks. As new vulnerabilities are announced, the system’s signature database must be updated, and in many cases, policies will have to be modified.
ASM’s approach eliminates that time-consuming methodology. Upon installation, an administrator sets up ASM’s policies to reflect what is allowed, and all other traffic is blocked. This style of implementation offers protection from zero-day attacks (when there is no time between the discovery of a vulnerability and its exploitation) and prevents common attacks from being mistakenly overlooked.
Solution providers will find deploying the product straightforward. ASM uses the typical browser-based management console, which offers a concise view of the product’s settings and management options.
ASM uses a policy assembly approach to implementing controls. First, an administrator defines “virtual servers,” the path to a given Web server and the standard options in place. Under each virtual server, administrators create “HTTP Class profiles.” Those elements define what hosts, URL paths, headers and cookies are associated with a profile. Administrators then can drill down into the application security element and define what access and processes are allowed to occur with a particular application. Class profiles can be shared, imported or exported to create security capabilities that can span several virtual servers. In other words, a single policy can control multiple assets.
ASM offers incredible flexibility; the product looks at traffic at the packet level, so each packet can be examined for acceptable or unacceptable content. Also, the origin of those packets is readily exposed, allowing policies to be created that treat internal traffic differently from outside traffic. That is a capability that could prove important for legislative requirements. For example, an administrator could block credit card or Social Security numbers from leaving the network but still allow internal users access to that information.
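The contrast between a signature check and an allow-only policy, together with the origin-dependent outbound rule, can be sketched as follows. This is an added illustration, not F5 code or ASM configuration; the hostname, policy layout, signature list and the internal range 10.0.0.0/8 are constructed assumptions.

```python
import ipaddress
import re

# Constructed signature list, standing in for a signature database.
SIGNATURES = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]

# Constructed allow-list policy for one hypothetical application path.
POLICY = {
    ("shop.example.com", "/account"): {
        "methods": {"GET"},
        "params": {"id": re.compile(r"\d{1,8}")},
    },
}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def signature_allows(params):
    """Negative model: pass anything that matches no known signature."""
    return not any(s.search(v) for v in params.values() for s in SIGNATURES)


def policy_allows(host, path, method, params):
    """Positive model: pass only what the policy explicitly describes."""
    rule = POLICY.get((host, path))
    if rule is None or method not in rule["methods"]:
        return False  # default deny: unknown application path or method
    return all(
        name in rule["params"] and rule["params"][name].fullmatch(value)
        for name, value in params.items()
    )


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def response_allowed(client_ip, body):
    """Block card numbers leaving the network; internal clients still see them."""
    if ipaddress.ip_address(client_ip) in INTERNAL_NET:
        return True
    cards = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(body))
    return not any(luhn_ok(c) for c in cards)
```

A parameter value that matches none of the listed signatures passes `signature_allows` but fails `policy_allows`, because the policy only admits a short numeric `id`.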
Luckily, administrators are not forced to assimilate all of this information on their own; ASM offers a learning and logging capability that can quickly identify traffic on the network and allow custom policies to be created with only a few mouse clicks.
While ASM proves to be an excellent method for protecting applications, solution providers will still want to use a layered approach to security: A firewall and a secure router need to be in place at the edge of the network. The typical deployment will put ASM behind the firewall but in front of the application servers.
ASM creates a range of opportunities for VARs. The module’s capabilities can lead to sales of the complete BIG-IP platform and can create security service opportunities.
F5’s channel program increases its appeal: Three tiers are available to meet the needs of most any security reseller. Partners at the lowest level, Authorized Advantage, are not required to be certified or to sign any contracts. The margins are lowest for this level, but F5 leaves margin determination up to its distribution partners.
The Premier Advantage level offers higher margins. To qualify, partners must have at least one certified engineer on staff.
The top tier is the Gold Advantage level, which raises the partner’s contribution requirements to at least two certified engineers and demonstrated installation competence. Partners at this level have access to demo equipment.
Benefits vary between the levels. Authorized Advantage partners receive access to the complete F5 product line via an Authorized F5 Distributor and access to F5’s Partner Resource Center extranet. Premier Advantage partners also receive increased margins, listings on the vendor’s Web site, and use of the appropriate F5 Certified logos for certified individuals. Gold Advantage partners are permitted more access to sales leads, access to marketing funds and a presence in F5’s major trade show booth.
Solution providers will find F5’s combination of channel support and impressive technology a major opportunity for supporting customers’ application security needs, leading to both profits and ongoing sales and service support.