 Application Security Application Challenges to Meeting User Needs

NSE 1: Application Security

Study Guide
NSE 1: Application Security Study Guide
Last Updated: 8 April 2016

Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
© 2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents

APPLICATION SECURITY ...............................................................................1

Application Challenges to Meeting User Needs .....................................................................1

Application Layers: The OSI Model ..............................................................................................................2

Application Vulnerabilities .......................................................................................................3

OWASP ........................................................................................................................................................3

Distributed Denial of Service (DDoS) .....................................................................................5

Application Security Solutions ................................................................................................8

Application Delivery Controllers (ADC).........................................................................................................8
Application Delivery Network (ADN) .............................................................................................................8

ADC: Solutions and Benefits Part I.........................................................................................9

Web Application Firewall (WAF) Characteristics ....................................................................11

Heuristics......................................................................................................................................................12
WAFs and PCI DSS Compliance .................................................................................................................13

ADC: Solutions and Benefits Part II........................................................................................14

KEY ACRONYMS ...........................................................................................16

GLOSSARY...................................................................................................18

REFERENCES ...............................................................................................21
  Application Security Application Challenges to Meeting User Needs

Application Security
Threats are constantly evolving, so network security technologies and methods must evolve too. Threats
to application security—including Bots, Ransomware, Advanced Persistent Threats (APTs), viruses, and
Spam—have a heavy content component, and are not just focused on the physical and data layers. In
this context, content refers to packet payload analysis and how they are transported—in particular, layers
3-7 of the Open Systems Interconnection (OSI) Model. Table 1 [1] shows a comparison of the models for
layers and protocols.
Table 1. Comparative models for layers and protocols.

These threats focus on the application content component and transport, rather than on the link and
physical components. Therefore, firewalls designed to protect, load balance, and accelerate content
between web servers are necessary. The Web Application Firewall (WAF) is designed to provide
protection for web applications and related database content [2]. In order to better understand the type of
threats that the WAF faces in protecting networks, we will examine the vulnerable areas that are targeted
by application threats.

Application Challenges to Meeting User Needs

Now that businesses are relying on cloud-based applications more than ever before, it is essential to
system and network security to focus on the vulnerabilities of web-based applications. Web-based
applications reside deep in layer 7 of the OSI Model, but remain vulnerable to targeted attacks. Denial
of Service (DoS) and, more importantly, Distributed Denial of Service (DDoS) attacks, have evolved
and become far more sophisticated than early hacker methods. These types of attacks are designed
to inhibit the use of web-based applications.
The mobility of modern business, combined with distributed enterprise networking, requires VPNs with
secure access to resources. Secure Socket Layer (SSL) VPNs establish connectivity at OSI layer 4
and layer 5. Information is encapsulated in layer 6 and layer 7. So, these VPNs, and other remote
sites used to access network resources, function in the top tiers of the OSI Model. These top tiers are

NSE 1: Application Security Study Guide 1

  Application Security Application Challenges to Meeting User Needs

known as the Application Layers, when translated into the broader TCP/IP Model.

Table 2. Translation of ISO/OSI layers to TCP/IP model.

SSL traffic poses a challenge because legacy servers and load balancers cannot manage the increased
loads caused by increased SSL traffic. In order to detect potential malicious code attempting to sneak into
the network in encrypted data packets, the SSL traffic must be decrypted, scanned, and then re-
encrypted.
Scalability is the concept of enabling a system, network, or application to handle a growing volume of
work in an efficient manner. Scalability may be accomplished by using hardware, software, or a
combination of both, to improve availability and reliability by:
 Managing data flow and workload across multiple servers to increase capacity
 Improving application response times by either hardware upgrades or software solutions
 Reducing costs by optimizing resources through improved allocation
 Allocating data across multiple data centers to facilitate redundancy and recovery

Application Layers: The OSI Model

The OSI model defines computer networks by functional levels. As the level increases, the complexity
and critical nature of the data contained in that level increases. A description of the OSI layers and
their functions are shown in Table 3.
Table 3. Function of network layers in OSI model.

NSE 1: Application Security Study Guide 2

  Application Security Application Vulnerabilities

Applications allow users to accomplish tasks using computer systems and networks. Common
applications include word processing, spreadsheets, graphics design programs, email applications,
games, and media. Many applications may apply across platforms, from wired desktop systems to
smartphones and others. Many of these applications are now web-based such as Infrastructure as a
Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

Application Vulnerabilities
Applications are widely used by both business users and private consumers. If application threats infect
the systems of multiple private users who interface with organizational networks, they have the potential
for repeated instances. These threats can come in through innocuous sources such as customers,
clients, or those using a BYOD model who fail to complete regular security screenings on their
equipment. These threats can also come from an outside competitor, malcontent, or hacker.

OWASP
Fortunately, there is a global project that assists application developers and system and network security
administrators in identifying and understanding prevalent and emerging application security threats. This
project is the Open Web Application Security Project (OWASP) and is supported by an OWASP
Foundation in the United States.
OWASP is an open community dedicated to enabling organizations to conceive, develop,
acquire, operate, and maintain applications that can be trusted. All of the OWASP tools,
documents, forums, and chapters are free and open to anyone interested in improving
application security… Our freedom from commercial pressures allows us to provide
unbiased, practical, cost-effective information about application security. OWASP is not
affiliated with any technology company, although we support the informed use of
commercial security technology. [3]
One of the primary studies done by OWASP is the cataloging and ranking of the most prevalent
threats in web applications. A comparison of the 2010 and 2013 findings appears in Table 4.
Table 4. OWASP top 10 2010 vs. 2013 comparison.

NSE 1: Application Security Study Guide 3

  Application Security Application Vulnerabilities

The OWASP analysis shows a consistent top four application threats to system and network security:

 SQL Injection  Cross-site Scripting (XSS)

 Broken Authentication & Session  Insecure Direct Object References

Management

The OWASP analysis also indicates which threats have increased and declined, indicating trends that
may assist security administrators in determining the most effective system and network configurations.
SQL Injection. Insertion or injection of an SQL query through data input from the client to the application.
This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void
transactions, enable complete disclosure of the system’s database—or destroy it or make it unavailable,
or even become a new database server administrator. It is common with PHP and ASP applications, less
likely with J2EE and ASP.NET applications. Severity depends on the attacker’s creativity and computer
skills, but has the potential to be devastating. SQL Injection is a high impact threat.

Cross-site Scripting (XSS). Also referred to as XSS Injection, malicious scripts are injected into
otherwise benign and trusted web sites, generally in the form of browser side scripts to be transmitted to
end users. Because the end user’s browser regards the site as trusted, it will execute the script, allowing
access to any cookies, session tokens, or other information retained by the browser and used with the
site. Some of these scripts are even capable of rewriting content on HTML pages.
Broken Authentication & Session Management. This area includes all aspects of user
authentication and active session management handling. Even robust authentication protocols may be
undermined by flawed credential management functions, such as password changing, “forgot my
password” and “remember my password” options, account update options, and other functions. The
complexity of this issue comes from the fact that many developers prefer to create their own session
tokens. These tokens may not be properly protected, or steps may not be in place to protect them
throughout the application’s life cycle. If they are not protected with SSL and against other flaws (such
as XSS) an attacker can hijack the user’s session and assume their identity.

NSE 1: Application Security Study Guide 4

  Application Security Distributed Denial of Service (DDoS)

Insecure Direct Object References. When an application provides direct access to objects because of
user-based inputs, attackers can bypass authorization and access resources in the system directly.
These resources may include valuable data such as databases and organizational files. Insecure Direct
Object References allow attackers to bypass authorization and gain access to resources by modifying the
parameter values used to point directly to objects. These resources may be any type of information stored
on the system. This method simply takes the user’s supplied input and uses it to retrieve data as though
the attacker were the authorized user.

Individual, targeted attacks are often manageable and, in many cases, traceable. More and more, these
attacks are aimed at denying use of a network to outside users. These attacks are known as Denial of
Service (DoS) attacks. The prospect for coordinated networks attacks from multiple sources present an
even more critical challenge for continued secure and uninterrupted network operations. These
simultaneous coordinated attacks target a network from a number of outside systems and are referred to
as a Distributed Denial of Service (DDoS) attacks.

Distributed Denial of Service (DDoS)

A malicious act designed to deny access to a system, network, application, or information to a legitimate
user is called Denial-of-Service (DoS). In a Distributed Denial-of-Service (DDoS) attack, the malicious act
originates from a number of systems. DDoS attacks are most often launched from a single system, using
a large remote network to actually conduct the attack [4]. A basic DDoS method is called the Smurf Attack,
where the hacker sends a ping packet to a large network while spoofing the target system’s source
address to overload the target system. A more sophisticated DDoS method is the Low-Orbit Ion Cannon
(LOIC). This method allows hackers to allow others to use their own systems temporarily as a slave in a
DDoS attack.

Attacks that focus on content components of systems and networks focus on ISO/OSI Model layers 3, 4,
and 7 application services. Although layers 3, 4, and 7 are at risk from DDoS attacks, the attacks against
layer 7 are often detected through actions affecting the associated port in layer 4, as a method by which
to sneak undetected into layer 7 to accomplish its malicious task. As an analogy, one may think of it as
the attack on layer 7 riding like a signal on the carrier wave into layer 4. As a result, most recommended
parameter adjustments focus on layers 3 and 4, while events to watch include a broader range of
indicators.

NSE 1: Application Security Study Guide 5

  Application Security Distributed Denial of Service (DDoS)

Figure 1. DDoS architecture.

DDoS attacks range from simple to complex, from a single hacker using a single system to a network of
hackers coordinating multiple systems. Common types of DDoS attacks include the SYN flood, ICMP
flood, and Zombie attack. In each case, the DDoS relies on overloading the network's capability to
process seemingly valid traffic, resulting in denial of service. These attacks are referred to as volumetric
attacks because of their focus on overloading the network in order to deny service.

SYN Flood. This attack consists of an

excessive number of packets directed to a
specific TCP port. In most cases, the
source address is spoofed (Figure 2).

Figure 2. SYN Flood DDoS attack.

NSE 1: Application Security Study Guide 6

  Application Security Distributed Denial of Service (DDoS)

ICMP Flood. This attack results from

an excessive number of ICMP packets
targeting the network (Figure 3).

Figure 3. ICMP Flood DDoS attack.

Zombie Attack. This attack results when

too many legitimate IP sources send
valid TCP packets to the network (Figure
4).

Figure 4. Zombie DDoS attack.

The common thread in each of these DDoS attacks is the flooding of the network with seemingly valid
inputs in a way that slows, stalls, or shuts down the network’s ability to operate. For each of these
attacks, threshold monitoring and adjustments at layer 3 and layer 4 protocols, ports, and SYN may
allow network administrators to detect and counter DDoS efforts against layers 3, 4, and 7, and keep
the network from experiencing extended down times.

Even with the global trend toward increasing IPv6 traffic, DDoS attacks above the 50 Mbps benchmark
are rare. South Korea’s average network speed leads the world at 24.6 Mbps, with Hong Kong a
distant second at 15.7 Mbps. The US ranks 14th at 11.4 Mbps. As the shift from IPv4 to IPv6 traffic
moves forward, the incidences of DDoS attacks appear to be inversely proportional to IPv6 network
growth [5]. This may be an indicator that average network speeds available through IPv6 are making
the cost and coordination of DDoS more difficult—or prohibitively costly, in some cases.

NSE 1: Application Security Study Guide 7

  Application Security Application Security Solutions

Application Security Solutions

The Next Generation Firewall (NGFW) and Unified Threat Management (UTM) solutions brought
enhanced capabilities to network security.

An important tool in protecting the network is Intrusion Prevention System (IPS), which looks beyond port
and protocol to examine the signature—or actual content—of network traffic to identify and stop threats.
FortiGate NGFW and UTM appliances, using enhanced capabilities such as Advanced Threat Protection
(ATP), protect the layer 3 and layer 4 regions of the network against DDoS attacks by combining
hardware and programmable software solutions. In addition to protection against layer 3 and layer 4
threats, the enhanced NGFW and UTM capabilities also include layer 4 routing and load balancing to
increase efficiency and availability of application traffic in the network.

Using NGFW and UTM in concert with other network security capabilities presents additional end-to-end
protection that is both scalable and future ready. The capabilities discussed in the following sections add
critical security solutions to protect against DDoS attacks and protect layer 3, 4, and 7 functions.

Application Delivery Controllers (ADC)

Application Delivery Controllers (ADCs) are network devices that manage client interfaces to complex
Web and enterprise applications, beyond the scope of SMB and home office applications. An ADC
functions primarily as a server load balancer, resulting in optimized end-user system performance and
reliability by increased Gbps of layer 4 throughput, accessibility to data center resources, and enterprise
application security. ADC controllers are deployed in data centers, strategically placed behind the firewall
and in front of application server(s). They act as the point of control for application security and provide
authentication, authorization, and accounting (AAA) [6].

Figure 5. Application Delivery Controller (ADC).

The ADC is part of a larger process that makes applications available, responsive, and secure for
users. This end-to-end model is called the Application Delivery Network (ADN). It consists of an
application delivery controller, firewall, and link load balancer. Figure 6 illustrates a typical ADN
infrastructure.

Application Delivery Network (ADN)

The ADN is divided into three elements: a server side, security, and an outer perimeter. Each of these

NSE 1: Application Security Study Guide 8

  Application Security ADC: Solutions and Benefits Part I

elements performs functions that enable user access to applications (Figure 6).

Figure 6. Typical Application Delivery Network (ADN) infrastructure.

Server Side. When applications outgrow a single server, an ADC manages multiple servers to enable
applications beyond a single server. This essentially creates a single virtual server. Once the ADC selects
the best server for the application, the ADC uses Connection Persistence to maintain a connection back
to the server where the transaction began. The ADC routes traffic to the best available server based on
configurable rules, as well as providing options to offload encrypted traffic and conduct HTTP
compression for bandwidth reduction. SSL offloading does not protect against DDoS attacks; however,
the ADC may reduce the need for additional servers by as much as 25%.
Security Core. The security core is where the tools and services that defend applications from threats
reside. Capabilities include a strong firewall, VPN, antivirus and antimalware scanning, and other security
features. Other security features may include NGFW with IPS and deep packet scanning, application
control, and user access policies to enhance protection.
Outer Perimeter. Basic Link Load Balancing (LLB) manages bandwidth and redundancy using multiple
WAN links. If application use includes multiple data center access for operations such as disaster
recovery, Global Server Load Balancing (GSLB) uses a DNS-based resolution platform to route traffic
between multiple data centers. This allows either automatic or programmable data center routing based
on infrastructure performance needs.

ADC: Solutions and Benefits Part I

An advanced, modern ADC provides enhanced capabilities that bring both security and efficiency to
networks. Let's take a look the capabilities brought by ADCs to the server side of the ADN.

Server Load Balancing. The ADC allows the use of software-based intelligent load balancing to
enhance performance over hardware-based simple load balancing. This not only provides a path-to-
open server capability, but also matches the best server for the incoming traffic based on programmed

NSE 1: Application Security Study Guide 9

  Application Security ADC: Solutions and Benefits Part I

policies and application-layer knowledge that supports business requirements (Figure 7).

Benefits. Because the ADC conducts continuous health checks of network servers, only routes
traffic to online devices, and routes to the best performing devices using intelligent load balancing
capability, server load balancing provides a 25% increase in capacity and reduces server
hardware requirements by 25% over traditional DNS round-robin configurations.

Figure 7. Intelligent Load Balancing.

L7 Content Routing. By designating different servers for different types of data functions, the ADC may
be configured to route traffic to the server(s) that are best configured to process applications based on
their specific needs (Figure 7).
Benefits. By using L7 content routing, the ADC can optimize data center resources while
protecting the network and applications from security threats.

Connection Persistence. This capability is critical to transaction-based applications. For example, if you
begin a transaction, add an item to your virtual shopping cart, and are then load balanced to a different
server for checkout without a persistent connection back to the original server, your cart will be empty at
checkout. The ADC uses session state with HTTP headers and cookies to ensure that users and servers
remain persistent throughout the transaction.

Benefits. By maintaining a persistent connection to the original server that started the
transaction, the transaction may be completed without loss of data or loss of connection.

SSL Offloading/Acceleration. SSL traffic may result in overloading servers, reducing capacity to a
range in the 100’s TPS. By offloading and accelerating SSL encryption, decryption, and certificate
management from servers, the ADC enables web and application servers to focus CPU and memory
resources to deliver application content, responding more quickly to user requests. This offloading
boosts capacity up to 10’s of 1,000’s TPS, pushes HTTPS to servers, and HTTPS to users (Figure 8).

NSE 1: Application Security Study Guide 10

  Application Security Web Application Firewall (WAF) Characteristics

Benefits. SSL offloading and acceleration provides a 100X increase in traffic flow, reducing the
need for additional servers in order to accommodate data volume.

Figure 8. SSL offloading and HTTP compression.

HTTP Compression. One of the challenges, as the number of network users grow, is that application
programming becomes more complex, and data sets become larger, is bandwidth limitations. One way
that an ADC reduces bandwidth constraints is by using HTTP compression to prevent non-essential data
from traversing network links from servers to web browsers (Figure 8).

Benefits. By reducing bandwidth demands, HTTP compression creates increased throughput

capability, which increases data flow efficiency to the user.

In addition to the ADC, the ADN includes a firewall component that provides security for traffic flowing
between the server side and outer perimeter. To accomplish this function in a content-focused,
application-level environment, the WAF is used.

Web Application Firewall (WAF) Characteristics

Essential for businesses that host web-based applications, WAFs deployed in the data center provide
protection, load balancing, and content acceleration to and from web servers. The primary use of
WAFs is to protect web-based applications from attacks. They protect web applications and
associated database content by WAF Vulnerability Scanning, mitigating prevalent threats such as
cross-site scripting (XSS), buffer overflows, DoS, SQL injection, and cookie poisoning. WAFs also

NSE 1: Application Security Study Guide 11

  Application Security Web Application Firewall (WAF) Characteristics

focus on the OWASP top 10 web application vulnerabilities [2].

Figure 9. Web Application Firewall (WAF).

The question may be asked why the NGFW or IPS cannot mitigate these threats. This is because IPS
signatures only detect known problems, may produce false positives, do not protect against threats
embedded in SSL traffic, and have no application or user awareness. Basic firewalls look for network-
based attacks, not at application-based attacks. For these reasons, the WAF provides critical protection
capabilities to the network security arsenal (Table 5).
Table 5. Web Application Firewall (WAF) application-level security measures.

Heuristics
One of the key features that enables WAFs to counter DDoS threats is heuristic—or behavior-based—
analysis. Behavior-based DDoS protection measures require different mitigating parameters than

NSE 1: Application Security Study Guide 12

  Application Security Web Application Firewall (WAF) Characteristics

content-based protections. Some of these protection measures include configuring systems to identify
potential threats based on source volume (intent vs. content), ping rates (hardcoded vs. custom), packet
dimensions (coarse vs. granular), and trend-matching (fixed vs. adaptive). When using these behavior-
based DDoS protection measures—focusing on traffic characteristics rather than content—policies do not
require threat signature updates like content-based measures do.

WAFs and PCI DSS Compliance

The ability to provide secure data transactions is not limited to considerations of data and program
corruption, throughput limitations, or network operational parameters in the strict sense of providing digital
pathways and storage. Additional considerations regarding personally identifiable information (PII), credit
security, and other personal account and data safety are regulated from outside the technology sector.
Payment Card Industry Data Security Standards (PCI DSS) set requirements for security practices that
apply to any vendors or organizations that process, store, or transmit cardholder data. Regulated also by
government agencies and addressable by fines of up to $10,000 per breach, the PCI DSS program is a
necessary consideration for most of the technology industry.
PCI DSS consists of 12 requirements covering six common sense goals that reflect security best
practices. Table 6 depicts the current standards for PCI DSS compliance [7]. Of the six goals listed, goal
number three most closely influences the ability of the network to maintain secure operations and
effective monitoring against DDoS and other threats to network security. Of course, all appliances,
software, policies, and processes within control of the network administrator should be regularly
monitored and updated against modern, advanced, and emerging complex threats.

Table 6: Payment Card Industry Data Security Standards (PCI DSS).

NSE 1: Application Security Study Guide 13

  Application Security ADC: Solutions and Benefits Part II

ADC: Solutions and Benefits Part II

While the modern ADC provides enhanced capabilities to the server side of the ADN, an ADC also
provides capabilities to the outer perimeter function of the ADN, which include:
Disaster Recovery. This capability of the ADC provides redundancy while scaling applications across
multiple data centers. This DNS-based function uses Global Server Load Balancing (GSLB) smart routing
between data centers using configurable business rules, with automatic response that switches between
data centers for disaster recovery contingency when a data center or connectivity link becomes
unavailable (Figure 10).
Benefits. The disaster recovery and GSLB features provide important network security
capabilities. The automatic switching feature provides the ability to survive data center or
transmission link outages while ensuring data is automatically recovered. Because of intelligent
switching, users are rerouted to the next best data center for their needs, making the process
seamless to the end user.

Figure 10. Global Server Load Balancing (GSLB).

Mask Server IPs. A challenge to keeping individual servers secure from threats is to segregate them
from access by unauthorized users. One way of accomplishing this is to mask the individual server ID by
rewriting content—such as headers and other identifying information—to a single IP address when data is
transmitted outside the internal network (Figure 11).
Benefits. By masking individual server IDs behind the ID of the ADC routing data to individual
servers, all data flows through the ADC, reducing chances for external threats to gain access
to individual servers without passing through network security inspections.

NSE 1: Application Security Study Guide 14

  Application Security ADC: Solutions and Benefits Part II

Figure 11. Server ID masking with ADC.

Quality of Service (QoS). One of the challenges posed by the seemingly constant increase in data traffic
is identifying and prioritizing important traffic over routine or less important traffic. QoS is managed by
configuring rules and policies for traffic policing, traffic shaping, and queuing that ensure the most
important traffic for the organization is prioritized above other data.
Benefits. QoS results in higher quality data flow for the most critical traffic based on organization
priorities, whether it be VoIP for sales and customer support, eCommerce transactions, or
corporate file transfers. By setting the appropriate rules and policies in the ADC, organization and
user quality of service—and efficiency and satisfaction—may be enhanced.
Link Load Balancing (LLB). LLB addresses the issues of bandwidth and redundancy by using multiple
WAN links. A link load balancer connects many WAN links to the network, and routes inbound and
outbound traffic based on criteria like availability, performance, or business rules to use lowest-cost links.
If a link should fail, traffic is routed to others to ensure your application remains available to users.
Benefits. LLB provides redundancy to maintain application availability by rerouting traffic to users
through another available link. By selectively routing traffic over the most available and
appropriate links based on programmed rules and policies, LLB optimizes bandwidth use,
reducing bandwidth needs. These two features both improve application response times to users.

NSE 1: Application Security Study Guide 15

  Key Acronyms

Key Acronyms
AAA Authentication, Authorization, and ICMP Internet Control Message Protocol
Accounting ICSA International Computer Security
AD Active Directory Association
ADC Application Delivery Controller ID Identification
ADN Application Delivery Network IDC International Data Corporation
ADOM Administrative Domain IDS Intrusion Detection System
AM Antimalware IM Instant Messaging
API Application Programming Interface IMAP Internet Message Access Protocol
APT Advanced Persistent Threat IMAPS Internet Message Access Protocol
ASIC Application-Specific Integrated Circuit Secure
ASP Analog Signal Processing IoT Internet of Things
ATP Advanced Threat Protection IP Internet Protocol
AV Antivirus IPS Intrusion Prevention System
AV/AM Antivirus/Antimalware IPSec Internet Protocol Security
BYOD Bring Your Own Device IPTV Internet Protocol Television
CPU Central Processing Unit IT Information Technology
DDoS Distributed Denial of Service J2EE Java Platform Enterprise Edition
DLP Data Leak Prevention LAN Local Area Network
DNS Domain Name System LDAP Lightweight Directory Access Protocol
DoS Denial of Service LLB Link Load Balancing
DPI Deep Packet Inspection LOIC Low Orbit Ion Cannon
DSL Digital Subscriber Line MSP Managed Service Provider
FTP File Transfer Protocol MSSP Managed Security Service Provider
FW Firewall NGFW Next Generation Firewall
Gb Gigabyte NSS NSS Labs
GbE Gigabit Ethernet OSI Open Systems Infrastructure
Gbps Gigabits per second OTS Off the Shelf
GSLB Global Server Load Balancing PaaS Platform as a Service
GUI Graphical User Interface PC Personal Computer
HTML Hypertext Markup Language PCI DSS Payment Card Industry Data
Security
HTTP Hypertext Transfer Protocol
Standard
HTTPS Hypertext Transfer Protocol Secure
PHP PHP Hypertext Protocol
IaaS Infrastructure as a Service

NSE 1: Application Security Study Guide 16

  Key Acronyms

POE Power over Ethernet SWG Secure Web Gateway

POP3 Post Office Protocol (v3) SYN Synchronization packet in TCP
POP3S Post Office Protocol (v3) Secure Syslog Standard acronym for Computer
QoS Quality of Service Message Logging
Radius Protocol server for UNIX systems TCP Transmission Control Protocol
RDP Remote Desktop Protocol TCP/IP Transmission Control Protocol/Internet
SaaS Software as a Service Protocol (Basic Internet Protocol)
SDN Software-Defined Network TLS Transport Layer Security
SEG Secure Email Gateway TLS/SSL Transport Layer Security/Secure
Socket
SFP Small Form-Factor Pluggable
Layer Authentication
SFTP Secure File Transfer Protocol
UDP User Datagram Protocol
SIEM Security Information and Event
URL Uniform Resource Locator
Management
USB Universal Serial Bus
SLA Service Level Agreement
UTM Unified Threat Management
SM Security Management
VDOM Virtual Domain
SMB Small & Medium Business
VM Virtual Machine
SMS Simple Messaging System
VoIP Voice over Internet Protocol
SMTP Simple Mail Transfer Protocol
VPN Virtual Private Network
SMTPS Simple Mail Transfer Protocol Secure
WAF Web Application Firewall
SNMP Simple Network Management Protocol
WANOpt Wide Area Network Optimization
SPoF Single Point of Failure
WLAN Wireless Local Area Network
SQL Structured Query Language
WAN Wide Area Network
SSL Secure Socket Layer
XSS Cross-site Scripting

NSE 1: Application Security Study Guide 17

  Glossary

Glossary
ADC. An Application Delivery Controller (ADC) is a network device that manages client connections to
complex Web and enterprise applications. An ADC essentially functions as a load balancer, optimizing
end-user performance, reliability, data center resource use and security for enterprise applications. An
ADC can be physical (hardware appliance) or virtual (software program).
ADN. An Application Delivery Network (ADN) is a suite of technologies that together provide application
availability, security, visibility, and acceleration. Gartner defines Application Delivery Networking as the
combination of WAN Optimization Controllers (WOCs) and Application Delivery Controllers (ADCs) [8]. At
the data center end of an ADN is the Application Delivery Controller (ADC). In the branch office portion of
an ADN is the WAN optimization controller (WOC), which shapes TCP traffic using prioritization and other
optimization techniques.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access
to a network and stays there undetected for a long period of time. The intention of an APT attack is to
steal data rather than to cause damage to the network or organization. APT attacks target organizations
in sectors with high-value information, such as national defense, manufacturing and the financial industry.
Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that
runs automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally
repetitive, at a much higher rate than would be possible for a human alone. The largest use of bots is
in web spidering, in which an automated script fetches, analyses, and files information from web servers
at many times the speed of a human.
DoS. Denial of Service (DoS) attacks aim increasingly at denying use of a network to outside users by
flooding it with useless traffic, often exploiting limitations in the TCP/IP protocols. For all known DoS
attacks, there are software fixes that system administrators can install to limit the damage caused by the
attacks; however, like viruses new DoS attacks are constantly being developed.
DDoS. Distributed Denial of Serivce (DDoS) attacks are a type of DoS attack where multiple
compromised systems, which are often infected with a Trojan, are used to target a single system causing
a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end targeted system and all
systems maliciously used and controlled by the hacker in the distributed attack.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:

 Intrusion Prevention (IPS)  Deep Packet Inspection  Network App ID & Control
(DPI)

 Access Enforcement  Distributed Enterprise  “Extra Firewall” Intelligence

Capability

NSE 1: Application Security Study Guide 18

  Glossary

 Third Party Management  VPN  Application Awareness

Compatibility

OWASP. The Open Web Application Security Project (OWASP) is an open community dedicated to
enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be
trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone
interested in improving application security.
Ransomware. Ransomware is a form of malware in which rogue software code effectively holds a user's
computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm or
Trojan that takes advantage of open security vulnerabilities. Upon compromising a computer,
ransomware will typically either lock a user's system or encrypt files on the computer and then demand
payment before the system or files will be restored.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.
Virus. A computer virus is a program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are
man-made. A simple virus that can make a copy of itself over and over again is relatively easy to
produce. Even such a simple virus is dangerous because it will quickly use all available memory and
bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself
across networks and bypassing security systems.
VPN. Virtual Private Network (VPN) is a network that is constructed by using public wires — usually the
Internet — to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
Web Application Firewall (WAF). A WAF is designed to provide protection for web applications and
related database content.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as either
cloud services or network appliances, integrating:

 Intrusion Prevention (IPS)  Content Filtering  Quality of Service (QoS)

 Anti-Malware  VPN Capabilities  SSL/SSH Inspection

 Anti-Spam  Load Balancing  Application Awareness

NSE 1: Application Security Study Guide 19

  Glossary

 Identity-based Application
Control

NSE 1: Application Security Study Guide 20

  References

References
1. Rischbeck, T. XML Appliances for Service-Oriented Architectures. SOA Magazine, 2010.

2. Tam, K., et al., UTM Security with Fortinet: Mastering FortiOS. 2013, Waltham, MA: Elsevier.

3. OWASP. About the Open Web Application Security Project. 2014 [cited 2014 October 31];
Available from: https://www.owasp.org/index.php/About_OWASP.

4. Maiwald, E., Network Security: A Beginner's Guide. 3rd ed. 2013, New York, NY: McGraw-Hill.

5. Nichols, S. Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register,
2014.

6. Rouse, M. Application Delivery Controller. Essential Guide 2013 [cited 2014 October 15];
Available from: http://searchnetworking.techtarget.com/definition/Application-delivery-controller.

7. Council, P.S.S., PCI Quick Reference Guide. 2008.

8. Gartner, Gartner Says Worldwide Application Acceleration Market Will Reach $3.7 Billion in 2008.
2006, Gartner: Stamford, CT.

NSE 1: Application Security Study Guide 21