Switch Your Defense

Is security weighing on your mind? Application switches can double as another line of defense against denial-of-service attacks.

Security is one of those amorphous areas of computing where slick marketing preys on the fears—warranted or not—of doing business on the Internet. Sorting out real tools from the hype can be time-consuming and an exercise in headaches.

Enter application or Layer 7 switches, devices that are security-enhanced to defend against an expansive range of denial-of-service (DoS) attacks.

Put simply, a DoS attack is an attempt to overwhelm and interrupt Web servers. That is accomplished in many ways. Perhaps the most infamous is the TCP SYN attack, which creates thousands of sessions by initiating the first of a three-part TCP handshake, but doesnt close out the connections, overloading the server. A Layer 4 switch can handle that with no problem—provided its buffer can handle the load.

There are other types of attacks, however, such as sending malformed or oversized packets. The important thing here is that DoS attacks are so broad in nature that there isnt just one way to defend against them. A multifaceted defense is the only way to minimize damage.

Application switches can handle many of those attacks precisely because they operate at Layer 7—the application layer of the TCP/IP protocol stack. By being application and "session aware," an application switch can tell if a Notes packet looks like and behaves like a Notes packet should, based on things like size and port usage, and whether other Notes packets have passed through recently from the same IP address—thus the idea of session awareness. If the packet doesnt fit the bill, it gets dropped.

Top Layer Networks, a switch vendor, says an application switch is only part of a unified security solution. The switch "takes a bullet for the firewall" by acting as a proxy and establishing TCP connections to deal with DoS attacks before they get to the server. In addition, the switch prioritizes traffic based on applications, which doesnt really help in a DoS attack, but can help make the most of a small pipe.

One other line of defense is port mirroring, which basically copies the traffic and sends it off to a protocol analyzer or an intrusion-detection system for analysis in real-time.

Alteon Web Systems—now part of Nortel Networks—also delivers a Layer 7 switch that, in addition to application information, can make decisions based on cookies and URL strings. Those are small features, but they can guarantee bandwidth to returning customers or to mission-critical pages like the payment page. Still, its defense against DoS attacks with global server load balancing (GSLB) is its true selling point.

Despite its name, GSLB can be deployed in one location with the outward appearance of geographic disparate servers. Because DoS attacks target one IP address, one of the switches can take the load, while the other handles the "good" traffic until the attack subsides.

Those switches are not a replacement for an existing defensive system. But they certainly can augment load balancing, bandwidth management and DoS attack defenses in a single package.