Network firewalls and intrusion prevention systems by themselves do not offer sufficient protection for Web applications. However, a comprehensive application delivery infrastructure can help governments and public sector organisations address these application vulnerabilities. More than 180,000 organisations worldwide rely on Citrix to deliver any application to users anywhere with the best performance, highest security and lowest cost.
In today’s electronic era, where speed and reliability are imperative, public sector organisations, and e-Governments in particular, have turned to providing convenient and easy-to-use web applications for their citizens, partners and government employees to execute day-to-day online transactions and interactions. Using Web pages as the user interface, these programs extend the reach of public sector organisations and provide a tunnel between the Internet and organisations’ backend databases, allowing them to be accessed from any computer connected to the Internet.
However, as more applications become available over the Internet, hackers also gain greater opportunities to compromise entry points and seize control of sensitive national data sitting in backend systems. In fact, Gartner estimates that 75 percent of total attacks now occur on web applications. Due to the sensitive and confidential nature of information and data transmitted over public sector networks, securing access to web applications is becoming a high priority for government organisations today, and it is crucial that governments secure their web applications with a holistic application delivery infrastructure.
The Growing Threat Landscape in a Dynamic World
International Data Corporation (IDC) predicts that government spending on Information Communication Technology (ICT) in the Asia Pacific region (excluding Japan) is expected to grow at a five-year compound annual growth rate (CAGR) of 8.7 percent to reach US$31.7 billion by 2010, up from US$22.7 billion this year (IDC, Asia/Pacific, Excluding Japan, Public Sector IT Spending 2006-2010 Forecast, May 2006). As web vulnerabilities become easier to exploit and attacks become increasingly difficult to detect with traditional security products, we can expect a significant portion of this spending to be channelled towards security, specifically around implementing a more in-depth and sophisticated security system within public sector organisations.
The stakes are becoming higher as public sector organisations migrate to an unbounded model in which sensitive data must be delivered securely even over insecure networks and to untrusted systems; the security threats that are pervasive in such a dynamic world cannot be ignored.
Protection in Depth
The key to keeping Web applications safe from attack is close examination of their numerous moving parts. This is exactly where network firewalls and Intrusion Prevention Systems (IPSs) come up short. Network firewalls, for example, are designed and deployed to provide basic access control by inspecting IP packets. They do not understand application languages like HTML and XML—and they do not understand HTTP sessions. Consequently, they cannot validate user inputs to an HTML application, or detect maliciously modified parameters in a URL request. This leaves the application vulnerable to a range of serious exploits.
An IPS, meanwhile, can detect and block attacks within the network. However, like network firewalls, IPSs have little or no understanding of application languages—they cannot stop session-based application-layer attacks or detect the injection of malicious code. On top of that, an IPS is known for generating false positives, so aside from leaving Web applications unprotected, it can also risk wasting valuable IT resources and frustrate application users. As application firewalls understand the language Web applications speak, they generate fewer false positives.
Therein lies another important issue to keep in mind: a lot of today’s Web application traffic is encrypted for security using the Secure Sockets Layer (SSL) standard. Neither network firewalls nor most intrusion prevention systems can decrypt SSL traffic for inspection. Consequently, they are powerless to stop or even detect encrypted exploits from entering the network and striking directly at Web applications.
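As an added illustration of the application-layer inspection described above (it is not part of the original paper or of any Citrix product), the following Python validator works on the decrypted HTTP request, after SSL termination, and checks what a packet-level filter cannot: that each query parameter is expected, well-typed and within range, and that a server-issued parameter has not been altered in transit. The endpoint, parameter rules, key and sample requests are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed rules for a hypothetical e-Government "view record" endpoint:
# every parameter is named, typed and bounded, and the server-issued
# record_id travels with an HMAC tag so any alteration is detectable.
PARAM_RULES = {
    "record_id": {"type": "int", "min": 1, "max": 10_000_000},
    "lang":      {"type": "enum", "values": {"en", "zh"}},
}
SECRET = b"constructed-demo-key"  # placeholder; a real deployment uses a managed secret

def sign_record_id(record_id: str) -> str:
    """Tag the server-issued record_id so the client cannot change it unnoticed."""
    return hmac.new(SECRET, record_id.encode(), hashlib.sha256).hexdigest()

def inspect_request(request_line: str) -> tuple[bool, list[str]]:
    """Validate one decrypted HTTP request line; returns (allowed, reasons)."""
    method, target, _version = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    reasons = []
    if method not in ("GET", "POST"):
        reasons.append(f"method {method} not permitted")
    for name, values in query.items():
        if name == "sig":
            continue                      # checked separately below
        rule = PARAM_RULES.get(name)
        if rule is None:
            reasons.append(f"unexpected parameter {name}")
        elif len(values) != 1:
            reasons.append(f"parameter {name} supplied more than once")
        elif rule["type"] == "int":
            if not values[0].isdigit() or not rule["min"] <= int(values[0]) <= rule["max"]:
                reasons.append(f"parameter {name} not an integer in range")
        elif rule["type"] == "enum" and values[0] not in rule["values"]:
            reasons.append(f"parameter {name} not in allow-list")
    # Integrity check: record_id must carry a tag that matches its value.
    rid = query.get("record_id", [""])[0]
    sig = query.get("sig", [""])[0]
    if not hmac.compare_digest(sign_record_id(rid).encode(), sig.encode()):
        reasons.append("record_id signature missing or does not match")
    return (not reasons, reasons)

if __name__ == "__main__":
    good = f"GET /records?record_id=42&lang=en&sig={sign_record_id('42')} HTTP/1.1"
    tampered = f"GET /records?record_id=43&lang=en&sig={sign_record_id('42')} HTTP/1.1"
    malformed = "GET /records?record_id=42'&lang=fr HTTP/1.1"
    for line in (good, tampered, malformed):
        print(inspect_request(line))
```

A packet filter sees only the TCP/IP headers of these three requests, which are identical in every respect it can inspect; the checks above are possible only because the component parses HTTP and the application's own parameter semantics.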
In short, network firewalls and intrusion prevention systems by themselves do not offer sufficient protection for Web applications. However, a comprehensive application delivery infrastructure can help governments and public sector organisations address these application vulnerabilities.
A Strategic Starting Point for Secure Application Delivery Holds the Key
In order to effectively defend the network against external attacks and insider threats, CIOs and IT managers within public sector organisations need a solution that makes it possible to take advantage of a range of options for delivering integrated data security. This will ensure new e-Government applications and services can be launched successfully, guaranteeing information system security without delaying projects, and that the integration of security tools into the legacy infrastructure does not cause any drop in security or productivity.
With a vision of a world where anyone can work from anywhere, Citrix is committed to delivering the best access experience to public and private sector organisations, and to developing application security solutions that maximise the performance and security of web-enabled applications. This means matching any web application and user scenario by:
Keeping sensitive data confidential when serving millions of citizens online. Web applications provide direct access to some of the most sensitive and valuable data in any public sector organisation. Having an architected system that forwards valid inter-governmental or citizen requests to servers and blocks illegitimate requests via a single, unified device is crucial. This includes built-in defences against denial-of-service (DoS) attacks and prevention of the theft of sensitive information that might be exchanged via a Web portal.
Recognising that users are the weakest link. As people become more tech-savvy and the adoption and role of e-Government services in Asian countries continue to increase, the role of e-Governments will change from governments pushing services to citizens pulling services. As a result, strong authentication is essential. A centralised Enterprise Single Sign-On (ESSO) for multiple resources, such as that built into Citrix Presentation Server 4.5, reduces user exposure to multiple passwords and logins. This enhances security while reducing support costs, and also enforces password policy requirements.
This has been achieved by the Zhejiang Communications Bureau. Responsible for all aspects of transportation policy and implementation throughout the Chinese province, the Bureau implemented Citrix® Presentation Server so that its hundreds of frequently travelling officials can access and view documents from remote locations without downloading them onto their notebook PCs. As all information transmitted between server and user over the wireless network is encrypted using SSL technology, this holistic application delivery infrastructure has enabled the Bureau to address network access issues and safeguard network and data security.
The nature of attacks has migrated beyond the “spray & pray” approach of general viruses and worms to highly targeted attacks against specific organisations, applications and sensitive data. By deploying a holistic application delivery infrastructure, public sector organisations can deploy technology that specifically secures critical resources and the sensitive information behind them from attack. This enables web applications to deliver the benefits envisioned by e-Governments across the Pacific.