The Evolution of Security in the ADC
The genealogy of the current application delivery controller (ADC) technology is an interesting one that has its roots based on delivering scalability and availability through server load balancing (SLB). Security was a side effect of this function. The ADC has evolved to become an integral component within network security architectures.
Back in the day
To see how this came about, we need to activate our mental time machine and go back to 1996 when
ADC, oops, I mean load balancing technologies were just emerging in the fast-paced primordial technology soup of the Internet bubble. SLB emerged as a reverse-proxy technology to host the IP address of an application and distribute the connections to a pool of servers. This provided scalability since the ability to add and remove servers could be managed without disrupting the application availability through the other active servers. This also delivered availability because the load balancer can monitor the health and status of the application through the use of active health check queries.
The load balancer is a reverse proxy and it allows connections to the designated IP address through the TCP and UDP ports that have been configured for the application. All traffic to the IP address on other ports were denied. This is not very different from the network firewall policies and network access control lists (ACL) in use at the time. Those technologies mapped a 3-tuple or 5-tuple to allow and deny connections. A 3-tuple typically would be (1) Destination IP address, (2) Destination port, and (3) IP Protocol. A 5-tuple has the same fields, but includes two more for the client, (4) Source IP address and (5) Source port.
Load balancers added more advanced traffic steering capabilities based on content over the next few years. In addition to mapping traffic to the n-tuples, they could direct traffic to different servers or databases based on the specific request. As an example, images using the suffix .jpg, .gif, or .png would be directed to an image server while dynamic content with the suffix .php, .cf, or .asp would be directed to a script server. Because the load balancer is doing content inspection and steering client sessions based on that content, it is an easy step for it to become an application firewall and steer content to /dev/null if the content does not match accepted parameters or is identified as a specific vulnerability.
Soon, the load balancers were adding more and more application specific functionality that made them much more than load balancers. Caching, compression, SSL offload, network address translation (NAT), and web application firewall (WAF) were soon added to the load balancer bag of tricks. By this time, circa 2006, the traditional load balancer evolved to become the ADC.
ADC = Application networking management
Adding these capabilities makes sense because all of these functions need to be application-aware, client-aware, content-aware, and session-aware. Since the ADC is functioning as a proxy and is managing the flow of traffic for the designated applications, there is a consistency and simplicity to have a unified technology deliver these services. The ADC, along with the overall goal of the enterprise network, is becoming application networking by meeting application service level agreements.
When we look at the basis for the technology of legacy and current generation security devices, we find a similar core competency required. The firewalls are looking at the state of the traffic, the content of the traffic, the source of the traffic, and the destination of the traffic. The difference is that the firewall or security device is making a decision on whether the traffic is allowed and to what degree instead of what a traditional ADC would do, which is determine the services to apply to the traffic and where to steer the traffic.
Convergence of the enterprise IT
It makes sense that there is a convergence in the functionality of these technologies and ultimately a unification of the technologies within a common framework. Some security functions, such as DDoS mitigation and known attack denial, are best applied at the perimeter of the network, but it requires the ADC content inspection capabilities to identify some of the threats. A unified communication and management system is essential to marry these technologies together.
A management system that supports both the security elements and traffic engineering ADC elements into a single console is necessary to strategically monitor and operate the unified application-centric network. A communication model allows the different components and services to notify and direct each other based on their local visibility. This creates a fully integrated ecosystem. These capabilities are essential to the evolution of a mature application delivery infrastructure that is resilient and secure.