Cisco ACE Application Control Engine Module White Paper
© 2006 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 4 of 8
Whereas intrusion prevention and intrusion detection systems protect Web servers, the Cisco ACE and AVS solution protects against vulnerabilities
in Web-based applications. What firewalls accomplish at the network level, denying all activity unless it is explicitly allowed, Cisco ACE and AVS
accomplish at the application level. A rules-based, policy-directed approach ensures that requests to and responses from the application
comply with policy and do not, for example, carry a request to shut the application down.
In a typical threat scenario, an attacker runs a Web proxy on a legitimate user's desktop and uses it to intercept requests after the browser has
sent them. The attacker can tamper with message headers, protocols, or payloads, for example by inserting malicious code into different parts of the
application's input. Because any checks done in the browser have already run by the time the proxy alters the request, only validation on the server
side, or in a filter in front of it, can catch this, and developers often do not protect their code from these types of attacks.
A Cisco AVS solution filters out malicious inputs using a variety of methods:
• Normalization—The Cisco AVS 3120 first normalizes HTTP and HTTPS traffic, decrypting HTTPS and canonicalizing the HTTP request, so that the
payload itself can be examined, not just the TCP header.
• Bidirectional, deep-packet inspection—The Cisco AVS 3120 examines messages in both directions, at the protocol and message payload levels.
It identifies malicious traffic by applying policy, such as whitelists and blacklists.
• Blocking—The Cisco AVS 3120 blocks protocol and message payloads that do not comply with policy, using a combination of whitelists
(permitted) and blacklists (prohibited). Application behavior is analyzed to ensure that policies appropriately match major application protocol
behavior and payload characteristics.
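The three steps above (normalize, inspect against whitelist and blacklist policy in both directions, block) are worked through below in an added example. This is not Cisco code and does not reproduce the AVS 3120's rule language; the policy table, the blacklist patterns, the response-leak patterns, the toy HTTP parser and the sample requests are all constructed for illustration.

```python
"""Added example (not Cisco code): a positive-security HTTP filter of the kind the page
describes. Policy, patterns, parser and sample traffic are constructed for illustration."""
import re
from urllib.parse import unquote_plus, urlsplit

# Whitelist: per path, the permitted methods and a regex each parameter value must fully
# match. Paths, methods and parameters not listed here are denied by default.
POLICY = {
    "/login": {"methods": {"POST"},
               "params": {"user": r"[A-Za-z0-9_.@-]{1,64}", "pass": r".{8,128}"}},
    "/search": {"methods": {"GET"},
                "params": {"q": r"[\w ]{1,100}", "page": r"\d{1,3}"}},
}
# Blacklist: fragments never acceptable in any request, checked after normalization.
REQUEST_BLACKLIST = [re.compile(p, re.I) for p in
                     (r"<\s*script", r"union\s+select", r"\bor\b\s+1\s*=\s*1")]
# Response-side blacklist: server-side error detail that must not reach the client.
RESPONSE_BLACKLIST = [re.compile(p) for p in
                      (r"Traceback \(most recent call last\)", r"ORA-\d{5}",
                       r"at [\w.$]+\(\w+\.java:\d+\)")]
MAX_DECODE_PASSES = 2


def normalize(value: str) -> str:
    """Percent/plus-decode until stable so nested encodings are compared in canonical form.
    A value still changing after MAX_DECODE_PASSES is treated as an evasion attempt."""
    for _ in range(MAX_DECODE_PASSES + 1):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("nested encoding deeper than %d passes" % MAX_DECODE_PASSES)


def parse_message(raw: bytes) -> tuple[str, dict, str]:
    """Split an HTTP/1.1 message into start line, lower-cased headers and body (toy parser)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers, body.decode("latin-1")


def inspect_request(raw: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one client-to-server message."""
    start, headers, body = parse_message(raw)
    method, target = start.split(" ")[:2]
    method = method.upper()
    try:
        path = normalize(urlsplit(target).path)
        query = urlsplit(target).query
        if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            query = "&".join(filter(None, (query, body)))
        params = []
        for pair in filter(None, query.split("&")):
            name, _, val = pair.partition("=")
            params.append((normalize(name), normalize(val)))
    except ValueError as exc:
        return "block", str(exc)
    if ".." in path.split("/"):
        return "block", "path traversal in %s" % path
    rule = POLICY.get(path)
    if rule is None:
        return "block", "path not in whitelist: %s" % path
    if method not in rule["methods"]:
        return "block", "method %s not allowed on %s" % (method, path)
    for name, val in params:
        if any(p.search(name + "=" + val) for p in REQUEST_BLACKLIST):
            return "block", "blacklist match in parameter %s" % name
        pattern = rule["params"].get(name)
        if pattern is None:
            return "block", "unexpected parameter %s" % name
        if not re.fullmatch(pattern, val):
            return "block", "parameter %s fails whitelist pattern" % name
    return "allow", "ok"


def inspect_response(raw: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason) for one server-to-client message."""
    _start, _headers, body = parse_message(raw)
    if any(p.search(body) for p in RESPONSE_BLACKLIST):
        return "block", "response leaks server-side error detail"
    return "allow", "ok"


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "benign search": b"GET /search?q=cisco+ace&page=2 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "double-encoded script": b"GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "sqli in login": b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=admin%27+or+1%3D1--&pass=whatever1",
    "shutdown request": b"GET /admin/shutdown HTTP/1.1\r\nHost: app.example\r\n\r\n",
    "unexpected param": b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=correct-horse1&debug=1",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-22s -> %s (%s)" % ((label,) + inspect_request(raw)))
    leak = b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\nTraceback (most recent call last):\n"
    print("%-22s -> %s (%s)" % (("leaky response",) + inspect_response(leak)))
```

The order of the steps is the point: decoding before matching is what lets the double-encoded `<script>` sample be caught, since a filter matching on the raw query string would see only `%253C`. The default-deny whitelist is what stops the constructed `/admin/shutdown` request, the "request to turn off the application" from the text, without needing a signature for it; a request that is merely unexpected (an extra `debug` parameter) is rejected the same way. The response check is the second direction of the bidirectional inspection: a stack trace or database error text leaving the server is blocked before it reaches the client.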
These features combine such that a Cisco AVS solution provides protection against entire classes of attacks. Unlike signature-based protection,
which handles only specific known threats, or learned-rules-based protection, which requires an extensive training phase, the Cisco AVS security
solution protects applications from both known and unknown threats. The AppScope graphical tool on the Cisco AVS 3180 also provides a view
of activity between the data center and any remote location, facilitating the isolation and resolution of any problems.
Optimization
Cisco ACE and AVS improve application response times and increase business transaction throughput using a combination of:
• Bandwidth reduction features and minimized application latencies
• Offloading server processing cycles for optimizing applications
• Content switching techniques, which optimize resource usage and help ensure application availability
With this comprehensive solution, applications deployed across the WAN can now have response times previously experienced only in LAN
environments. Cisco AVS also provides the ability to graphically view application performance metrics, including end-user response times,
helping users quickly identify and troubleshoot application bottlenecks.
Often the challenge of application delivery is not just about overcoming network latency. Organizations also want to minimize their use of
bandwidth for cost, availability, or performance reasons. A Cisco AVS solution can achieve a 70- to 90-percent reduction in bandwidth usage, while
maintaining high performance, by applying the following techniques:
• Delta encoding—Webpage caching is successful because many pages are static; subsequent requests can be satisfied from the cache instead of the
server. However, dynamic resources and content force subsequent server requests for the original page. But when one can encode and deliver to
the client just the differences between the cached original page and the updated new page, many cases can be handled by sending just a few bytes.
This approach, called delta encoding, is a core technology of the Cisco AVS 3120. It helps the client system dynamically construct new pages
from cached pages by applying small deltas. This process is both automatic and transparent—no changes to browser clients, application servers,
or content are required.
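The delta-encoding step described above, worked end to end as an added example that is not Cisco code: the server computes only the bytes that differ from the page the client already holds, and the client rebuilds the new page from its cached copy plus that delta. The wire format (COPY and INSERT ops behind a hash tag of the base page), the toy order page and the page sizes are constructed for illustration; the AVS 3120's own delta format is not described on this page and is not reproduced here.

```python
"""Added example (not Cisco code): delta encoding of a dynamic page against a cached copy.
Wire format, base-page check and sample pages are constructed for illustration."""
import difflib
import hashlib
import struct

COPY_COST = 1 + 8  # opcode byte + uint32 offset + uint32 length; shorter copies are cheaper sent inline
BASE_TAG = 8       # leading bytes of SHA-256 over the cached page: a delta only applies to the base it was built for


def encode_delta(cached: bytes, new: bytes) -> bytes:
    """Server side: op stream that rebuilds `new` from `cached` (C = copy from base, I = insert literal)."""
    sm = difflib.SequenceMatcher(a=cached, b=new, autojunk=False)
    out = bytearray(hashlib.sha256(cached).digest()[:BASE_TAG])
    pending = bytearray()  # literal bytes waiting to be flushed as one INSERT op

    def flush() -> None:
        if pending:
            out.extend(b"I" + struct.pack(">I", len(pending)) + pending)
            pending.clear()

    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal" and i2 - i1 > COPY_COST:
            flush()
            out.extend(b"C" + struct.pack(">II", i1, i2 - i1))
        else:
            # replace/insert ship the new bytes, delete ships nothing, and a run of
            # matching bytes shorter than a copy header is cheaper sent inline
            pending.extend(new[j1:j2])
    flush()
    return bytes(out)


def apply_delta(cached: bytes, delta: bytes) -> bytes:
    """Client side: rebuild the page; refuses a delta built against a different base page."""
    if delta[:BASE_TAG] != hashlib.sha256(cached).digest()[:BASE_TAG]:
        raise ValueError("delta was not built against this cached page")
    out = bytearray()
    pos = BASE_TAG
    while pos < len(delta):
        op = delta[pos:pos + 1]
        pos += 1
        if op == b"C":
            off, n = struct.unpack(">II", delta[pos:pos + 8])
            pos += 8
            if off + n > len(cached):
                raise ValueError("copy beyond end of cached page")
            out.extend(cached[off:off + n])
        elif op == b"I":
            (n,) = struct.unpack(">I", delta[pos:pos + 4])
            pos += 4
            out.extend(delta[pos:pos + n])
            pos += n
        else:
            raise ValueError("unknown opcode %r" % op)
    return bytes(out)


# Constructed sample: a mostly static order page whose few dynamic fields change between requests.
STATIC_CSS = "<style>" + "".join(f".c{i}{{margin:{i}px;padding:2px;color:#333}}" for i in range(30)) + "</style>"
STATIC_NAV = "<ul>" + "".join(f"<li><a href='/catalog/{i}'>Category {i}</a></li>" for i in range(25)) + "</ul>"


def render(status: str, updated: str, items: int) -> bytes:
    return (f"<html><head><title>Order status</title>{STATIC_CSS}</head><body>{STATIC_NAV}"
            f"<h1>Order 1042</h1><p>Status: <b>{status}</b></p><p>Items: {items}</p>"
            f"<p>Updated {updated}</p><footer>Example Corp</footer></body></html>").encode()


CACHED_PAGE = render("PENDING", "10:00:00", 3)
NEW_PAGE = render("SHIPPED", "10:05:13", 4)


def savings(cached: bytes, new: bytes) -> tuple[int, int]:
    """(bytes on the wire with delta encoding, bytes without) for one page update."""
    return len(encode_delta(cached, new)), len(new)


if __name__ == "__main__":
    delta = encode_delta(CACHED_PAGE, NEW_PAGE)
    assert apply_delta(CACHED_PAGE, delta) == NEW_PAGE
    print("full page %d bytes, delta %d bytes" % savings(CACHED_PAGE, NEW_PAGE)[::-1])
```

The base-page tag is the check a practitioner wants here: if the client's cached copy is not the one the server assumed (evicted and refetched, partially updated, or a different user's variant of a personalized page), applying the delta would silently produce a corrupted page, so the decoder refuses it and the client should fall back to a full fetch. The `COPY_COST` threshold is a small practical detail of the same kind: a copy op that references fewer bytes than its own header costs more than sending the bytes inline.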
• Dynamic browser caching—Many enterprise applications for customer relationship management (CRM) and for portals often mark some
objects, such as images, JavaScript files, ActiveX control files, or binary files, as noncacheable. This practice can result in slow download
performance, especially for remote users with limited bandwidth. Cisco Just-in-Time Object Evaluation technology on the Cisco AVS 3120