ADCs, or Who Needs Threat Management Gateway Anyway?
With Microsoft discontinuing Forefront Threat Management Gateway some time ago, there hasn't been a solution in the cloud world that has stepped up to the plate. Here's why I believe ADCs have done the job adequately.
By Bhargav Shukla
Step back to September 12, 2012, when Microsoft announced that, along with other Forefront products, development on Forefront Threat Management Gateway (TMG) would be discontinued and the product would no longer be available for sale after December of that year. This announcement created a shock wave, sending IT professionals scrambling to find answers to many questions.
One of the most immediate and demanding was the question of what to use in place of the product about to be retired. Even a year later, the migration task remains.
Before we look at possible answers, let's take a look at what TMG offered. TMG was a juggernaut, an all-singing and all-dancing suite offering many features. Consider the following:
- Firewall: As TMG evolved from Proxy 2.0 through iterations of ISA Server versions, it also grew from being a simple proxy server to a fully integrated firewall, promising to offer unified perimeter security with intrusion prevention, malware inspection and URL filtering. This provided a great deal of value for small businesses that were trying to minimize investment in technology while getting the most out of it. For larger organizations, most TMG installations were implemented alongside existing perimeter solutions and contributed to the overall security of the environment. Even with this deployment model, TMG was well received because its hardened security allowed it to be placed in an organization's DMZ without much resistance from InfoSec.
- Forward Proxy: As organizations provided users with access to the Internet, TMG provided the powerful ability to filter content to minimize attack vectors, while also providing a way to prevent abusive personal use of Internet access from work locations.
- Reverse Proxy: Publishing applications for external access by users and partners in a secure manner is always front and center for responsible organizations. Only publishing the relevant ports from the firewall seldom provides the level of security needed to mitigate attacks on an application infrastructure. TMG provided multiple protection mechanisms such as URL filtering, HTTP/HTTPS filtering and flood mitigation. With that, customers got an elegant, secure application publishing solution.
So, TMG fit the bill nicely when it was available. Now that it's gone, application delivery controllers (ADCs) are stepping into its place. ADCs have been well known for their roots as simple hardware-based load balancing appliances with a primary focus of evenly distributing traffic across a set of servers running the same application. Within the past decade, this technology has evolved to live up to the ADC moniker by providing true application delivery and optimization. Additionally, modern ADCs from leading vendors are now delivered not only as dedicated hardware but in virtual, cloud and software (a.k.a. bare metal) packages.
In today's world of complex applications, delivering applications securely means understanding application protocols, communication flow, expected server responses, and failure modes. Detecting each of these allows ADCs to provide a rich application-centric platform that enables applications to scale, operate with fault tolerance and provide secure client access.
Key Considerations for Application Publishing with Application Delivery Controllers
When looking at the void left by TMG, customers needing a method to publish their applications securely find that ADC vendors are providing the capabilities required to meet their needs. Here are some components of ADCs that fill the void nicely:
Content Inspection and filtering – Traditionally, ADCs operate at Layer 4 (Transport) and Layer 7 (Application) of the network stack. There are various differences between the two with regard to how connections are handled and what is possible. In general, more intelligent functions are available when the service on an ADC that is responsible for an application is configured to operate at Layer 7. For example, at Layer 7 the ADC is able to apply deeper application logic, inspect the actual content of requests, ensure that only legitimate requests are allowed to pass through to server instances, and filter malicious requests. This is far more powerful and contributes much more to the overall security of an application infrastructure than could ever be accomplished through basic filtering techniques such as hostname or URL path filtering.
Content switching – One of the most liked features of TMG was the ability to use a single listener, which in turn uses a single public IP address, to publish multiple applications or websites. Content switching engines in ADCs offer similar functionality by inspecting content as it arrives and switching it to the optimal resource, whether that is the most appropriate server for a given type of request or an entirely different application or application tier hosted on the same IP address. Quickly dwindling IPv4 addresses, combined with customers' continued mainstream reliance on IPv4, make it highly important to allocate as few IP addresses as possible when publishing applications.
Secure application access using pre-authentication – As incoming requests to access published applications traverse the perimeters of a given network and eventually more secure internal networks, security teams rightfully require assurances that only authenticated requests ever reach internal resources and that no unauthenticated access actually takes place. Given the sensitivity of the data internal networks tend to store, and the levels of trust that requests from outside are granted, it's important to prevent any unauthorized access and reduce the potential for costly breaches, data loss or theft of critical company information. ADCs have been known to provide secure, authenticated access to applications using well-known authentication mechanisms such as Active Directory, LDAP and ADFS, as well as multi-factor authentication technologies such as RSA SecurID and client certificate-based authentication.
Single Sign-on – As multitudes of line-of-business applications are published, users face the challenge of repeated authentication to resources as they move between applications. Users desire the ability to authenticate once to access all resources they are authorized to use, as it provides a better overall application experience, which typically leads to higher adoption rates for deployed applications. ADCs have historically done very well in this area based on their prime position in the flow of traffic between clients and application resources. While providing secure access with pre-authentication, ADCs, being the keepers of the gate to published applications, also have the unique advantage of tracking which users have already authenticated and reusing that authentication for the same user against the same authentication source as they work among multiple applications. ADCs, in turn, allow applications to benefit from this intelligence without compromising security.
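To make the content switching and pre-authentication behaviour described above concrete, here is a small Layer-7 policy engine written for this article as an added illustration; it is not code from any ADC vendor, and the rule table, hostnames, pools and credential store are constructed placeholders standing in for a real configuration and an AD/LDAP lookup.

```python
"""Layer-7 content switching with pre-authentication, as an ADC does it:
one public listener, requests switched by hostname/path to an internal
pool, and protected pools only reached by authenticated requests."""
import base64
from dataclasses import dataclass
from typing import Optional

# Constructed rule table for a single public IP: (host, path prefix,
# backend pool, requires pre-authentication). First match wins.
CONTENT_SWITCH_RULES = [
    ("mail.example.com", "/owa", "exchange-cas", True),
    ("mail.example.com", "/autodiscover", "exchange-cas", True),
    ("intranet.example.com", "/", "sharepoint", True),
    ("www.example.com", "/", "public-web", False),
]

# Constructed credential store standing in for an AD/LDAP bind.
VALID_USERS = {"alice": "s3cret"}


@dataclass
class Decision:
    action: str          # "forward" to a pool, or "reject" at the ADC
    pool: Optional[str]  # backend pool when forwarding
    status: int          # HTTP status returned to the client on reject
    reason: str


def _authenticated(headers: dict) -> bool:
    """Pre-authentication at the edge: validate HTTP Basic credentials
    here so the backend never sees an unauthenticated request."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return VALID_USERS.get(user) == pw


def route(method: str, host: str, path: str, headers: dict) -> Decision:
    """Layer-7 inspection first, then content switching, then pre-auth."""
    headers = {k.lower(): v for k, v in headers.items()}
    if method not in ("GET", "POST", "HEAD") or not path.startswith("/") or ".." in path:
        return Decision("reject", None, 400, "malformed or disallowed request")
    for rule_host, prefix, pool, needs_auth in CONTENT_SWITCH_RULES:
        if host == rule_host and path.startswith(prefix):
            if needs_auth and not _authenticated(headers):
                return Decision("reject", None, 401, "pre-authentication required")
            return Decision("forward", pool, 200, "content switched to " + pool)
    return Decision("reject", None, 404, "no published application matches")
```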
While ADCs may not always be compared to or looked to as a replacement for TMG, they do fill many of the gaps TMG left by combining these key features with complementary application delivery services. This enables IT to deliver secure access to applications while improving the availability and fault tolerance of critical line-of-business applications.
Bhargav Shukla is director of product research and innovation at KEMP Technologies, and he's one of the few people worldwide to hold the prestigious Microsoft Certified Master certification for Exchange and Lync.