F5: Building an architecture with full data path protection to protect enterprise applications

As global digital transformation continues to accelerate, more and more corporate businesses are adopting the characteristics of Internet and mobility, which has led to an explosive growth in the number of "applications". IDC research data shows that the number of global applications will increase from 1 billion in 2019 to 4.8 billion in 2025. "API" has expanded to cloud services, microservices and mobile applications, which has brought huge challenges to enterprise IT architecture and increasingly severe security issues.

At the same time, a large number of businesses rely on external applications for release, and enterprises are exposed to more and more attack surfaces on the Internet. Security risks such as supply chain attacks, password leaks, and zero-day vulnerabilities have brought fatal losses to enterprises.

Borderless application security challenges

Enterprise development must be based on security. As a leader in multi-cloud application security and application delivery service technology, F5 has its own unique perspective in the field of security. Chen Liang, general manager of F5 China Security Division, said in an exclusive interview after the 2022 F5 Multi-Cloud Application Service Technology Summit that the current application security challenges mainly include the following six.

Chen Liang, General Manager of F5 China Security Division

First, applications are iterating quickly, but security protection strategies are lagging behind. Application deployment time has been shortened from months and weeks to days, minutes, and seconds, while security strategies are lagging behind due to the lack of automated deployment methods, affecting the speed of application release.

Second, the ubiquity of applications makes it difficult to reach a consensus on security policies. The security of traditional data centers, public clouds, and container clouds all have different deployment strategies, methods, and protection measures, making it difficult to achieve consistent security protection requirements.

Third, robot attacks and fraud are becoming increasingly difficult to prevent. Many hackers use robot attacks and artificial intelligence attacks to attack, which are difficult to prevent.

Fourth, the coexistence of traditional applications and modern applications increases the difficulty of protection.

Fifth, managing and protecting API risks has become a new challenge. Modern applications are released and called upon each other through APIs. Managing and protecting API risks is a huge challenge for enterprises.

Sixth, open source innovation is fraught with dangers. How to eliminate these dangers while enterprises are using open source software to innovate and improve agility is an urgent problem to be solved.

"Security is the lifeline of the enterprise. Whether it is the CIO or the security team, including the operation and maintenance team and the development team, they must reach a unified consensus and put security first." Chen Liang said.

Six capabilities to protect any application anytime, anywhere

IDC's report shows that from 2020 to 2025, the increase in corporate security investment has exceeded the increase in IT investment.

As a global leading manufacturer in the field of application delivery networks, F5 has been providing comprehensive security protection solutions for enterprise applications for more than 20 years. In recent years, through the acquisition of NGINX and Shape Security, F5 has continuously enriched its product line and helped customers build a system and architecture that can achieve full data path protection. Chen Liang gave a detailed introduction to this in the interview.

First, the ability to access trusted applications. Today, customer applications have changed a lot, and the environments in which applications are deployed are also diverse. It is necessary to have the ability to access trusted applications to perform human-machine identification and anti-fraud identification, as well as trusted access to achieve trusted and secure access to backend applications.

Second, enhance the ability of infrastructure security. Because the explosion of applications has brought a large number of online requests from users, higher requirements have been placed on the security processing capabilities of enterprise infrastructure. In terms of infrastructure security, F5 has DDOS cleaning and north-south/east-west traffic boundary security services. It no longer uses the data center as the boundary, but redefines new boundaries from the application perspective. It is worth noting that attacks against DNS are the second most common attack method in application layer attacks, second only to HTTP, but are often overlooked. There are few products in the industry that protect DNS. F5 has proposed a new concept for the in-depth DNS protection security architecture to help customers cope with the corresponding challenges.

Third, the ability to visualize and precisely segment traffic. Security is a complex project. In addition to application layer security, it also involves data security, application security, code security, etc. At this time, it is necessary to process the encrypted traffic through the security gateway device, link all security technologies together, and give full play to the capabilities of the security gateway through corresponding algorithms and mobilization strategies. At this time, how to solve the difficulties in deployment and expansion, as well as the problem of traffic interruption after the gateway fails, becomes a challenge faced by enterprises.

F5 has the ability to flexibly schedule SSL traffic segmentation and visual traffic, deploy all security gateways in bypass mode in the form of resource pools or security domains, and orchestrate, decrypt and visualize traffic. In this way, what kind of traffic request is assigned to which security gateway device for hierarchical processing can be allocated and diverted, greatly improving the mutual coordination and scalability of security.

Fourth, the ability to secure web applications and APIs. A large number of API requests have caused the boundaries of applications to disappear, and the security boundaries of APIs have also disappeared. Traditional WAFs are dying out. Gartner has proposed a new concept - the WAAP protection architecture, which includes the four-in-one capabilities of web applications, API protection, DDoS and Bots. Gartner pointed out that WAAP will become a key technology that will be deployed and used by a large number of subsequent customers. By 2024, 70% of organizations will tend to use WAAP technology in a multi-cloud environment.

F5 fully possesses these four capabilities, and through the unified application security of multi-cloud environments, it has achieved unified security policy deployment in different environments, thereby playing a greater role. At the same time, it can also better integrate the existing security capabilities of enterprises, coexist traditional WAF services and WAAP architectures, and enhance security capabilities. WAAP can also be made on-demand, which not only improves security but also improves access efficiency; or the capabilities of WAP can be transplanted to edge environments and cloud environments for use.

In short, no matter where users deploy applications, F5's WAAP capabilities can follow them and deliver F5's security capabilities to the location where the application is deployed.

Fifth, the ability to trust open source. F5 recently officially released NGINX Enterprise Edition (NGINX OSSub), which can help companies prevent five types of open source risks when using open source capabilities: technical route risk, intellectual property risk, information security risk, technical capability risk, and supply chain risk.

Sixth, security insight and AI intelligence capabilities. In end-to-end access requests, a large amount of usable and analyzable data will be generated. All information can be transmitted to F5's brain through telemetry, or to the big data analysis platform built by enterprise customers to implement automated policy issuance, intelligent identification of fraud prevention, and improve user access experience. End-to-end data processing, the combination of big data, artificial intelligence, machine learning and other technologies can greatly maximize the value of data.

"After all the capabilities are aggregated together, F5 can use its own capabilities to protect, deliver, and optimize any application and API anytime and anywhere," said Chen Liang.

Conclusion

The rapid development of enterprises and security protection are often contradictory. F5 continues to integrate NGINX and Shape product lines to further enhance F5's full data path protection capabilities. The concept of security left shift, API priority, visualization, and traffic precision segmentation provide enterprises with unified threat analysis services, helping enterprises cope with application risks in multi-cloud environments and providing enterprises with strong application security protection.