Switching your defence

Is security weighing on your mind? Application switches can double as another line of defence against denial-of-service attacks.

Security is one of those amorphous areas of computing where slick marketing preys on the fears, warranted or not, of doing business on the Internet. Sorting out real tools from the hype can be time-consuming and an exercise in headaches.

Enter application or Layer 7 switches, devices that are security-enhanced to defend against an expansive range of denial-of-service (DoS) attacks.

Put simply, a DoS attack is an attempt to overwhelm and interrupt Web servers. That is accomplished in many ways. Perhaps the most infamous is the TCP SYN attack, which creates thousands of sessions by initiating the first of a three-part TCP handshake, but doesn't close out the connections, overloading the server. A Layer 4 switch can handle that with no problem, provided its buffer can handle the load.

There are other types of attacks, however, such as sending malformed or oversized packets. The important thing here is that DoS attacks are so broad in nature that there isn't just one way to defend against them. A multifaceted defence is the only way to minimise damage.

Application switches can handle many of those attacks precisely because they operate at Layer 7, the application layer of the TCP/IP protocol stack. By being application and "session aware," an application switch can tell if a Notes packet looks like and behaves like a Notes packet should, based on things like size and port usage, and whether other Notes packets have passed through recently from the same IP address (thus the idea of session awareness). If the packet doesn't fit the bill, it gets dropped.

Top Layer Networks, a switch vendor, says an application switch is only part of a unified security solution. The switch "takes a bullet for the firewall" by acting as a proxy and establishing TCP connections to deal with DoS attacks before they get to the server. In addition, the switch prioritises traffic based on applications, which doesn't really help in a DoS attack, but can help make the most of a small pipe.
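The session-awareness and half-open-connection checks described above, modelled as a small packet filter. This is an added example for illustration, not code from any switch vendor; the application profiles (Notes on port 1352, HTTP on port 80), size bounds, the half-open limit and the sample packets are all constructed assumptions.

```python
"""Constructed model of a session-aware Layer 7 filter (not vendor code)."""
from collections import defaultdict, deque

# Per-application profile: expected destination port and sane size bounds.
# Port numbers and bounds here are constructed assumptions for the example.
APP_PROFILES = {
    "notes": {"port": 1352, "min_len": 40, "max_len": 1500},
    "http":  {"port": 80,   "min_len": 40, "max_len": 1500},
}
HALF_OPEN_LIMIT = 3   # SYNs a source may leave unanswered before further SYNs are dropped
WINDOW = 5            # per-source history of recently seen applications


class SessionAwareFilter:
    def __init__(self):
        self.history = defaultdict(lambda: deque(maxlen=WINDOW))  # src -> recent apps
        self.half_open = defaultdict(int)                         # src -> pending SYNs

    def decide(self, pkt):
        """Return 'accept' or 'drop' for a packet dict with keys
        src, dport, length and flags ('S', 'A', 'SA' or 'PA')."""
        app = next((n for n, p in APP_PROFILES.items() if p["port"] == pkt["dport"]), None)
        if app is None:
            return "drop"  # no application profile for this port
        prof = APP_PROFILES[app]
        if not prof["min_len"] <= pkt["length"] <= prof["max_len"]:
            return "drop"  # malformed or oversized for what this application sends
        src = pkt["src"]
        if pkt["flags"] == "S":
            # First step of the handshake: count it as half-open until an ACK arrives.
            if self.half_open[src] >= HALF_OPEN_LIMIT:
                return "drop"
            self.half_open[src] += 1
        else:
            # Non-SYN traffic must belong to a session this source already started.
            if app not in self.history[src]:
                return "drop"
            if "A" in pkt["flags"] and self.half_open[src] > 0:
                self.half_open[src] -= 1  # handshake completed
        self.history[src].append(app)
        return "accept"


def run_sample():
    """Constructed trace: a legitimate Notes session followed by a SYN burst."""
    f = SessionAwareFilter()
    trace = [{"src": "10.0.0.1", "dport": 1352, "length": 60, "flags": "S"},
             {"src": "10.0.0.1", "dport": 1352, "length": 60, "flags": "A"},
             {"src": "10.0.0.1", "dport": 1352, "length": 9000, "flags": "PA"}]
    trace += [{"src": "10.0.0.2", "dport": 80, "length": 60, "flags": "S"}] * 5
    return [f.decide(p) for p in trace]
```

Running `run_sample()` shows the oversized Notes packet dropped and only the first three SYNs from the bursting source accepted.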

One other line of defence is port mirroring, which basically copies the traffic and sends it off to a protocol analyser or an intrusion-detection system for analysis in real-time.

Alteon Web Systems, now part of Nortel Networks, also delivers a Layer 7 switch that, in addition to application information, can make decisions based on cookies and URL strings. Those are small features, but they can guarantee bandwidth to returning customers or to mission-critical pages like the payment page. Still, its defence against DoS attacks with global server load balancing (GSLB) is its true selling point.

Despite its name, GSLB can be deployed in one location with the outward appearance of geographically disparate servers. Because DoS attacks target one IP address, one of the switches can take the load, while the other handles the "good" traffic until the attack subsides.

Those switches are not a replacement for an existing defensive system. But they certainly can augment load balancing, bandwidth management and DoS attack defences in a single package.
