2011.10.12 - Application Load Balancer: a Swiss Army Knife Against Security Flaws
Security flaws are found on a regular basis in the main web application servers. While waiting for patches to be released and installed, certain functions of an application load balancer can be put to clever use to protect the information system (IS) against these flaws.
Vulnerabilities: variable patch timeframes
On average, every single month a (minor or major) security flaw is detected on one of the main web application servers: IIS, Tomcat, Apache, JBoss, WebSphere, WebLogic, etc.
It can take software publishers anywhere from a few days to a month to release a patch. Application servers are also sometimes shipped as part of a larger package, such as Apache packaged in a Red Hat, Ubuntu or similar distribution. In that case the wait before the patch can be installed is even longer: so as not to void the warranty from its supplier, the company must wait for the supplier to test the patch and incorporate it into an update before it can be installed.
While waiting for the patch to be released and installed, publishers sometimes recommend disabling the feature affected by the flaw to protect against its malicious use. But what can you do, in the meantime, if the feature is required in production?
Monitor traffic with an application load balancer while you wait!
When a security flaw is discovered, the behaviour of the attacks that exploit it is described along with it. Here is a concrete example. When Apache Killer was discovered in August 2011, the characteristics of its malicious use were known: it used the HTTP Range header to cause a memory leak and, in the end, a denial of service.
It is at this stage that the functions of a layer 7 (application) load balancer can protect servers until patches are available. Because the application load balancer reads the content of the HTTP flow, it can identify and delete the threat and its dangerous content (using its content switching function), or even reject the entire request outright while responding as if the attack had succeeded (using its reverse proxy function).
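As an added illustration (not code from the original article or from any load balancer product), the following Python model shows the two reactions described above applied to the Range header abuse named in the text: the layer 7 filter parses the header, strips it when the ranges are excessive or overlapping (the content switching case, so the backend simply serves the whole resource), and rejects the request at the edge when the header is malformed (the reverse proxy case). The `MAX_RANGES` threshold, the canned 416 rejection response and the sample requests are assumptions constructed for this example; a production load balancer would express the same policy in its own configuration language.

```python
"""Layer-7 filtering of abusive HTTP Range headers, modelled in Python.

Added illustration, not code from the article: it shows the two reactions
described in the text, stripping the dangerous header (content switching)
or rejecting the whole request (reverse proxy), on constructed requests.
"""
import re
from typing import List, Optional, Tuple

# Assumed policy values for this example; a real deployment would tune them.
MAX_RANGES = 5  # a legitimate client rarely asks for more than a few byte ranges
REJECT_RESPONSE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Length: 0\r\nConnection: close\r\n\r\n"
)
# "Request-Range" is a legacy alias that Apache httpd also honours.
RANGE_HEADERS = {b"range", b"request-range"}

ByteRange = Tuple[Optional[int], Optional[int]]  # (first, last); None = open end


def parse_range_header(value: str) -> List[ByteRange]:
    """Parse 'bytes=a-b,c-,-d' into (first, last) pairs; ValueError if malformed."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+?)\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError("unsupported or malformed Range header")
    ranges: List[ByteRange] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if spec == "-" or not re.fullmatch(r"\d*-\d*", spec):
            raise ValueError(f"malformed range spec: {spec!r}")
        first_s, _, last_s = spec.partition("-")
        first = int(first_s) if first_s else None
        last = int(last_s) if last_s else None
        if first is not None and last is not None and first > last:
            raise ValueError(f"inverted range: {spec!r}")
        ranges.append((first, last))
    return ranges


def ranges_overlap(ranges: List[ByteRange]) -> bool:
    """True if any two requested ranges cover the same bytes."""
    # Two suffix ranges ("last N bytes") always share the tail of the resource.
    if sum(1 for first, _ in ranges if first is None) > 1:
        return True
    spans = sorted(
        (first, float("inf") if last is None else last)
        for first, last in ranges if first is not None
    )
    return any(nxt[0] <= cur[1] for cur, nxt in zip(spans, spans[1:]))


def decide(range_value: str) -> str:
    """Policy: 'pass', 'strip' (drop header, serve the whole resource) or 'reject'."""
    try:
        ranges = parse_range_header(range_value)
    except ValueError:
        return "reject"
    if len(ranges) > MAX_RANGES or ranges_overlap(ranges):
        return "strip"
    return "pass"


def filter_request(raw: bytes) -> Tuple[str, bytes]:
    """Apply the policy to a raw HTTP/1.1 request.

    Returns (action, bytes): the request to forward upstream, or the
    canned rejection response when the request is dropped at the edge.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    kept, action = [], "pass"
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() in RANGE_HEADERS:
            action = decide(value.decode("latin-1"))
            if action == "reject":
                return action, REJECT_RESPONSE
            if action == "strip":
                continue  # content switching: forward the request without it
        kept.append(line)
    return action, b"\r\n".join([request_line, *kept]) + sep + body


# Constructed sample requests (not captured traffic).
NORMAL_REQUEST = (b"GET /video.mp4 HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Range: bytes=0-1023\r\n\r\n")
ABUSIVE_REQUEST = (b"GET /video.mp4 HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Range: bytes=" + ",".join(f"0-{i}" for i in range(40)).encode()
                   + b"\r\n\r\n")

if __name__ == "__main__":
    for req in (NORMAL_REQUEST, ABUSIVE_REQUEST):
        action, out = filter_request(req)
        print(action, out.split(b"\r\n")[:3])
```

Stripping rather than rejecting the over-long header is the gentler choice: the client still gets a valid answer (the full resource), so a buggy but honest download manager is not locked out, while the backend never sees the header that triggers the flaw. Rejecting is reserved for requests that are not valid HTTP at all.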
Secure patch installation
Once a patch is released, the load balancer can also help with its installation. Installing patches can have side effects, so tests are needed beforehand to ensure that a server remains stable once the patch is installed. This task can be tricky on a large server farm.
Because it can isolate individual servers by taking them out of the pool, the load balancer lets teams install the patch on one server, then check its effectiveness and the server's stability, all without stopping production.
To sum up, a load balancer cannot replace a WAF (Web Application Firewall). For companies that cannot invest heavily in security, however, it can be an effective stopgap against the malicious use of security flaws, on top of its main function, load balancing. It is non-intrusive, and the cost of deploying this real Swiss army knife is not outrageous, especially when you select a load balancer based on open source solutions.