Application routing and security
LBL ADC is the solution created to meet the needs of application visibility and security.
Thanks to its high performance and advanced balancing and security features, it optimizes the reliability of applications and improves the user experience.
LBL ADC is the Application Delivery Control platform created to operate in modern virtualized environments, both on premise and in the Cloud, exploiting the enormous computing power available today and allowing applications to be used natively in these environments.
LBL ADC offers application-level traffic balancing and routing at Layer 4 (TCP, UDP) and Layer 7 (HTTP / S, DNS) with session affinity, ensuring high scalability on modern multiprocessor / multithreaded systems with on-chip encryption (AES-NI or on-board / on-chip encryption functionality).
In a modern high-reliability information system, the ADC component thus becomes the fulcrum from which operators' service requests are dispatched to the delivery points.
Architecturally, LBL ADC is positioned as a full reverse proxy: it inserts an Application Delivery Control layer to manage the many applications that make up a service and offers an L4 / L7 data analysis engine.
With LBL ADC, various types of static and dynamic L4-L7 balancing can be used. LBL ADC is designed for high-reliability environments and preserves session routing data even if one of the two nodes fails.
The balancing functions are provided by adaptive (adaptive-active) algorithms able to route requests to backend services in weighted mode. By detecting application stress, the algorithm dynamically assigns new requests to the least loaded services, ensuring maximum delivery efficiency. Routing rules that verify the geographic origin of the request in real time are an integral part of the solution.
Acting as a full reverse proxy, the LBL ADC solution can inspect, analyze and react to abnormal use of resources. All connections that cross the ADC layer are terminated, constantly analyzed and cataloged, identifying anomalous events and implementing actions that guarantee continuity of service.
Within the LBL S.A.A.I. product suite, in addition to the ADC component, additional functionalities are available that can be enabled through an appropriate licensing model.
LBL ADC can terminate SSL / TLS connections. Through its advanced end-to-end tunneling and encryption capabilities, LBL ADC natively guarantees secure access to services from a single point of control and security.
LBL ADC offloading acceleration uses the latest on-chip encryption technologies (AES-NI or on-chip encryption functionality), even in virtual and Cloud environments.
These parallel encryption technologies drastically accelerate work that was once delegated to external ASIC chips, which in multi-core environments formed bottlenecks and introduced latency because they sat outside the processor, and which were also problematic to use in heterogeneous virtualized or Cloud environments.
Digital certificate support is guaranteed by the powerful offloading system, which allows terminating SSL connections, requiring strong client authentication, forwarding client certificates to services and performing re-encryption at different security levels toward the backend.
With LBL ADC it is possible to differentiate the SSL / TLS features of the front-end (client connections) from those of the back-end (connections to the end-points / services), both in SSL / TLS protocol version and in cipher-suite.
The SSL / TLS encryption system keeps SSL / TLS sessions dynamic to increase the security of the protocol in line with the latest specifications (Perfect Forward Secrecy). SSL re-encryption technology provides encrypted transmission both on the front-end, from the clients requesting services from LBL ADC, and on the back-end, allowing different SSL / TLS protocol versions and cipher-suites to be used while maintaining efficient routing based on the information transiting within LBL ADC.
This allows a very high and always up-to-date level of protection to be maintained centrally, significantly reducing interventions on the multiple application-server platforms used to deliver applications, which can then be updated at different times.
Encryption and digital certificate processing can use TLS-SNI (Server Name Indication) to concentrate multiple digital certificates on a single address-port pair, drastically reducing the number of exposed IP addresses. This feature drastically simplifies networking and firewall rules.
This technology is very useful when dealing with high volumes of confidential or sensitive information, since it allows the service to be delivered with the maximum available security together with the application routing functionality that a modern ADC must make available.
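To make the SNI mechanism concrete, here is an added example (not LBL ADC code) of what a TLS-terminating reverse proxy does on a single IP:port: read the server_name extension of the ClientHello and pick the matching certificate, falling back to a default when the client sends no SNI. The hostnames and certificate labels are constructed.

```python
import struct
from typing import Optional

SNI_EXT_TYPE = 0      # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0    # name_type for host_name

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI entry (constructed test input)."""
    name = hostname.encode("idna")
    sni_entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extension = struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"            # client_version TLS 1.2
        + bytes(32)            # random (zeros are fine for a parser test)
        + b"\x00"              # empty session_id
        + b"\x00\x02\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # one compression method: null
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello
            return None
        pos = 9 + 2 + 32                                # skip headers, version, random
        pos += 1 + record[pos]                          # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                          # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT_TYPE:
                p = pos + 2                             # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type, name_len = struct.unpack("!BH", record[p:p + 3])
                    if name_type == HOST_NAME_TYPE:
                        return record[p + 3:p + 3 + name_len].decode("idna")
                    p += 3 + name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeError):
        return None
    return None

def select_certificate(record: bytes, certs: dict, default: str) -> str:
    """Choose the certificate for the SNI host; clients without SNI get the default."""
    host = extract_sni(record)
    return certs.get(host, default) if host else default
```

A malformed or truncated ClientHello yields no host name rather than an exception, so the proxy can fall back to its default certificate or close the connection.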
Centralized digital certificate management
The extended use of digital certificates must be supported by appropriate tools that make management easy.
Through the web interface it is possible to create, update, import, export and destroy digital certificates, covering the whole life cycle.
The ACME protocol (Automatic Certificate Management Environment) automates the interactions between Certification Authorities and user web servers, allowing digital certificates to be generated and deployed simply and economically.
ACME is maintained by the IETF and promoted by the Internet Security Research Group, which provides a free Certification Authority service for issuing Domain Validation digital certificates. This service, called Let's Encrypt, is generally associated with the ACME protocol.
With LBL ADC, Let's Encrypt certificates can be created and renewed with a single click, directly from a browser or a smartphone.
The data traffic balancing and routing system integrates an application firewall with advanced security features for preventing Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, able to control and catalog the dynamics of service requests and their evolution in real time.
The system also incorporates signature-based Web Application Firewall (WAF) functionality that protects web applications and mitigates OWASP threats. The WAF features are integrated with the machine-learning Attack Prophecy system (powered by PluribusONE), which can detect and remedy application vulnerabilities that would otherwise be impossible to detect.
The Virtual Appliance distribution retains all the features of the Enterprise Datacenter appliances while minimizing the initial acquisition cost.
Its functional characteristics allow scaling up to higher configurations without changing the platform or the know-how acquired.
DoS / DDoS VIP iRedCarpet
LBL DDoS Attack Mitigation leverages the advanced features of the forwarding engine to mitigate and resolve DoS / DDoS attacks or click-day events. The DDoS Attack Mitigation solution is based on application stress (with a reaction time within 50 milliseconds) and is able to control traffic flows, discriminating them at the application level by type of user, service, IP, subnet and geographical region.
LBL DDoS Attack Mitigation detects application stress without agents (agentless) by checking connections from Layer 4 to Layer 7, and can intervene by dropping / limiting the requests that are causing the suffering.
LBL DDoS Attack Mitigation also allows attacks from individual IP addresses / subnets to be temporarily confined.
The algorithm has been designed to identify dynamic IPs and temporarily place them in a condition where they cannot do harm, without any human intervention.
The innovative algorithm (VIP iRedCarpet ©) allows, in moments of "application stress", the "useful" traffic to be filtered from the "less useful" traffic at Layer 7, reacting differently depending on the stress conditions and on the single function or application transaction. Through simple rules, the system privileges access for connections based on the type of application service requested: for example, giving preference to connections / users who are making payments, to those who have already authenticated to the portal or, in the transactional field, to those who have already started a transaction and have an associated session, over those who are merely browsing.
The technology makes it possible to set up application “privileges” in the event of an attack or overload of the entire infrastructure, ensuring unprecedented operational continuity.
DDoS Address in Quarantine is a function able to identify sophisticated attempts by a few subjects to monopolize resources. These are automatically recognized and excluded by placing the source addresses of the disservice in "quarantine" for a fixed period of time. Normally these attacks come from dynamic addresses and therefore cannot be listed on public "black lists". Once the "quarantine" time has expired, access to the services is made available again.
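The two behaviours just described, privilege-based admission under application stress and fixed-time quarantine of addresses that monopolize resources, as one added illustration that is not LBL ADC's own algorithm. The request classes, thresholds, window sizes and the injected clock are assumptions chosen for the example; the addresses are constructed.

```python
from collections import defaultdict, deque

# Assumed application classes, ordered by privilege (higher wins under stress).
PRIORITY = {"payment": 3, "transaction": 3, "authenticated": 2, "browsing": 1}

class StressAdmission:
    def __init__(self, max_requests_per_window=20, window_seconds=10.0,
                 quarantine_seconds=300.0, stress_threshold=0.8):
        self.max_req = max_requests_per_window   # per-address budget inside the window
        self.window = window_seconds
        self.quarantine_for = quarantine_seconds # fixed quarantine period
        self.stress_threshold = stress_threshold # backend load above which we shed
        self.history = defaultdict(deque)        # ip -> timestamps of recent requests
        self.quarantined = {}                    # ip -> time when quarantine expires

    def _record(self, ip, now):
        """Add one request for ip and return how many fell inside the sliding window."""
        q = self.history[ip]
        q.append(now)
        while q and now - q[0] > self.window:    # forget requests outside the window
            q.popleft()
        return len(q)

    def admit(self, ip, req_class, backend_load, now):
        """Return (decision, reason) for one request; backend_load is 0.0..1.0, now is seconds."""
        expires = self.quarantined.get(ip)
        if expires is not None:
            if now < expires:
                return "reject", "quarantined"
            del self.quarantined[ip]             # quarantine expired: re-admit the address
            self.history[ip].clear()
        if self._record(ip, now) > self.max_req:
            # A single address using far more than its share is confined for a fixed time,
            # without any human intervention and regardless of public block lists.
            self.quarantined[ip] = now + self.quarantine_for
            return "reject", "quarantine-start"
        if backend_load >= self.stress_threshold and PRIORITY.get(req_class, 1) < 2:
            # Under stress, plain browsing yields to payments, transactions and sessions.
            return "defer", "stress-low-priority"
        return "accept", "ok"
```

In a real deployment the load signal would come from the ADC's own Layer 4 to Layer 7 measurements and the quarantine map would need to be shared between the two nodes so that a failover does not release confined addresses early.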
All features described are included in the single DDoS Mitigation license.