When the Man in the Middle Becomes Your Best Friend

"Man in the middle" usually evokes thoughts of request/response interception by attackers looking to impersonate or otherwise hijack a communication channel between the sender and receiver. This type of attack has recently been moved to the forefront of security professionals' list of things to prevent (or has been if they've been paying attention) with the recent rash of "OMG, Web 2.0 applications are vulnerable" articles popping up in the media.

Fortify recently recommended that in order to secure Web 2.0 applications, developers should "program Web 2.0 applications with a hard-to-guess parameter in each request so malicious requests can be declined."

An interesting approach, and not one I might have considered. But let's take that idea a step further and introduce a man in the middle that works for you, instead of against you. Let's introduce an application delivery controller with some security features and a flexible platform that can adapt to the unique needs of Web 2.0 applications.

Why the heck would you do that? Well, consider for a moment the number of scripts that generally make up a Web 2.0 application. Often there's a one-to-one relationship between a component in the client and a script on the back end. Do you really want to insert an additional parameter everywhere and then add the code necessary to verify its existence in every script and application?

Yeah, I didn't think so. That's a lot of work, a lot of testing, and a lot of maintenance, which is going to take time, effort, and money; all things which are often at a premium in a typical IT organization.

An application delivery controller can provide this same functionality without ever changing a single script - client or server - and it can do it for existing or new applications with equal alacrity.

Using an application delivery controller like BIG-IP with iRules, not only can you easily manage the addition of such a parameter, but you can go further and use encryption and hashing techniques to make that parameter nearly impossible to guess, protecting all the scripts from one centralized, easy-to-manage location.
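To make the mechanism concrete, here is an added example (not F5 code and not from the original post) that models in Python what the in-path device does: it derives the hard-to-guess parameter from the client's session cookie with an HMAC keyed by a device-side secret, and declines any request that does not carry a valid value before any back-end script runs. The secret, the parameter name and the back-end script names are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Assumed: a key held only by the in-path device and rotated out of band.
SECRET = b"rotate-me-out-of-band"
# Assumed: name of the parameter the device injects and later demands.
PARAM = "rt"

# Constructed stand-ins for the back-end scripts. Note that none of them
# knows anything about the token; the gate in front of them does the work.
BACKEND = {
    "/getItems.php": lambda: "items",
    "/saveItem.php": lambda: "saved",
}


def issue_token(session_id: str) -> str:
    """Derive the request parameter from the session id with HMAC-SHA256.

    Without SECRET the value cannot be predicted, and because it is bound
    to one session a token captured elsewhere does not validate here.
    """
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(uri: str, session_cookie: Optional[str]) -> Tuple[int, str]:
    """Gate a request the way the device would: (200, ok) or (403, reason)."""
    if not session_cookie:
        return 403, "no session"
    supplied = parse_qs(urlsplit(uri).query).get(PARAM, [""])[0]
    expected = issue_token(session_cookie)
    # Constant-time comparison so the check itself leaks nothing about the value.
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid request token"
    return 200, "ok"


def front_door(uri: str, session_cookie: Optional[str]) -> Tuple[int, str]:
    """Run the central check, then dispatch to the unchanged back-end script."""
    status, reason = check_request(uri, session_cookie)
    if status != 200:
        return status, reason
    handler = BACKEND.get(urlsplit(uri).path)
    return (200, handler()) if handler else (404, "no such script")
```

On the response side the same device would hand `issue_token(session)` to the client (for example in a cookie or header the page's scripts read), so existing client and server code stays as it is.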

But what about performance? Won't the addition of another device into the delivery path negatively impact performance? The introduction of an application delivery controller is actually likely to improve the performance of your Web 2.0 application, given the performance-impeding characteristics inherent in Web 2.0 based applications.

Sometimes the man in the middle can be your best friend, if you choose the man.

Imbibing: Mountain Dew

Published Apr 04, 2007
Version 1.0
