Defensive Virtualization

Virtualization Reality

Defensive Virtualization

By Lori MacVittie, Senior Technical Marketing Manager  |  November 12, 2012

This article originally appeared in the November 2012 issue of INTERNET TELEPHONY.

Well before the rise of server virtualization, the concept of application virtualization was alive and well, leveraged for both scalability and defense against attack. Scalability through load balancing requires the abstraction of an application to a virtual end-point in the network to transparently distribute load across multiple instances of applications – whether they’re virtual or physical.

This network-based virtualization of applications in what today is a more holistic application delivery tier, allows for logical separation of incoming requests from communication with the “real” application instances, and thus affords organizations a strategic point in the network at which security policies can be effectively enforced.

The ability to virtualize applications in the network has become critical to defending against those attacks targeting the application layers. While firewalls and traditional network security solutions are able to detect anomalies and malicious traffic at the network layer, they’re not application aware and are thus essentially blind to attacks focusing on higher layers of the stack – especially those at the application (HTTP) layer. This is especially true for those attacks that increasingly seek to exploit behavior rather than bits and bytes within packets.

Aggressive flooding attacks at the HTTP layer are difficult to detect, as it requires careful monitoring of individual application sessions to not only determine what a normal request rate might be, but to recognize an abnormal rate.

Similarly, slow-based attacks – a resource consumption-focused methodology – can only be detected by comparisons of end user network connections, TCP options, and active behavior. Application-layer DoS attacks are common enough – used when the intent is to immobilize a site or degrade its performance so much as to present the impression of an outage.

The ability to detect and prevent a negative impact from such attacks can only effectively be implemented at the application end-point, as it is where behavior can be monitored. Yet as with network firewall functions – which can be implemented as host-based services – the further into the data center architecture malicious traffic is allowed to travel, the more damage it does. A network-based DDoS attack that is allowed to traverse the network to the application host tier will undoubtedly overwhelm infrastructure along the way, resulting in a successful attack.

Thus, we place such protections at the edge of the network, at the perimeter, in an attempt to detect and prevent the traffic from tunneling deep into the data center where it can do real damage.

We must take a similar approach to application-layer attacks. While the application end-point may be able to detect fraudulent behavior indicating an active attack, to do so means the resources have already been consumed at the application tier, rendering any defense by the application ineffective. Traditional network security topologies address the need to place early detection and prevention solutions as close to perimeter (to the source of the attack) by essentially virtualizing the network. The data center firewall has become, to the end user, the destination.

This type of design topology forces all inbound traffic to traverse a specific set of control points within the network, allowing earlier detection and more successful prevention of network attacks.

A similar approach in the application layers is necessary to duplicate the successful methodologies used in the network layers. Virtualization of the application at a strategic point of control in the network, as close to the perimeter as possible, affords the ability to intercept, inspect and evaluate all inbound application requests for not just malicious bits and bytes, but behavior as well.

The use of virtualization as a defensive measure to detect and prevent attacks across the entire network stack is one that has been proven successful for a wide variety of organizations because it prevents marauders from becoming entrenched in the data center, where they can do the most damage.

Virtualizing applications at strategic points in the network affords organizations the ability to force all inbound requests through specific control points at which the appropriate defensive and offensive security measures can be employed to protect and defend resources, applications and data. 

Lori MacVittie is senior technical marketing manager at F5 Networks (News - Alert) (

Lori MacVittie is senior technical marketing manager at F5 Networks (

Edited by Braden Becker