WAN Acceleration: Best Practices for Preserving Security
by Craig Stouffer - Monday, 6 November 2006.
The centralization of branch office servers and storage enables enterprises to more effectively manage and secure critical business information. By moving servers out of branch offices and consolidating IT infrastructure to fewer, purpose-built data centers, enterprises can protect vital business resources through tight physical security and well-defined access procedures. In addition, server centralization reduces sensitive user credential stores, helping to ensure that this information remains protected from unauthorized access.

Server centralization also facilitates adherence to corporate and regulatory compliance policies, which mitigates a company’s overall risk of exposure. It enables IT staff to easily, and more cost effectively, identify deviations from established guidelines, such as Sarbanes Oxley, Basel II, and the Health Insurance Portability and Accountability Act (HIPAA), and take appropriate remediation steps when necessary.

However, because of limitations in existing WAN technology, server centralization can compromise application performance across a distributed enterprise. As a result, WAN acceleration becomes a necessary component to any centralization project as a way to maintain adequate performance. In fact, recent surveys indicate that as many as 90% of respondents are expecting to invest in new application acceleration solutions to address this challenge in the coming years.

While WAN acceleration is a great way to improve application performance, many of these types of solutions can have an adverse impact on security if not implemented properly. For example, many approaches are based on a concept called data reduction, which means they employ local hard drives to store information in real-time and deliver duplicate data locally whenever possible. While data reduction dramatically improves performance, it can make a company more vulnerable to security threats and risks because of lack of encryption on the local appliance.

Below are several basic measures that can ensure that new acceleration products are secure enough to protect vital business resources.

Security precautions

Regardless of the technology used, when new appliances are inserted into a network infrastructure to accelerate application performance, some basic security guidelines can be observed to ensure that they do not compromise data security. These include:

Local data encryption: Whenever business critical information is stored on a local hard drive, as is the case with WAN acceleration devices that employ data reduction techniques, encryption should be implemented to protect this information from unauthorized access. Even if proprietary methods are used to store this information, and the data has a tendency to be “scrambled” over time as new information is stored, it’s still quite possible that large pieces of information will be stored on the appliance as contiguous blocks. These blocks can contain sensitive information, such as social security numbers, which can be extracted by someone who has access to the appliance’s partition. By encrypting the local data store, this risk is avoided. Typically, encryption should take place in hardware so as not to adversely impact the performance and scalability of the appliance.

VPN across the WAN: IPsec is often used between appliances to secure data transfer over the WAN. Once again, performing encryption in hardware can ensure that security does not come at the expense of performance. Industry best practices recommend that a 128-bit encoding scheme, such as AES, be used when performing encryption. Older methods, such as 56-bit DES, are easily broken, which is why industry leaders such as Microsoft have moved away from that technology.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th