e-Xpert Gate / Reverse Proxy - First-Generation WAF

Reverse Proxy SSL and PKI

Usage Rights

© All Rights Reserved

    e-Xpert Gate / Reverse Proxy - First-Generation WAF: Presentation Transcript

    • e-Xpert Gate, e-Xpert Solutions SA [email_address], 2 March 2001
    • e-Xpert Gate? Access your applications from everywhere with strong confidentiality and authentication
    • About your need
      • Access internal information from everywhere
      • Access information with high security
      • No specific client software
      • Simple to use
      • No dedicated station
      • Cost effective solution
    • Solution? Use your favorite browser
    • Why my browser?
      • Very good "footprint"
      • Standard software client
      • Free
      • Very good level of security (with SSL)
      • PKI enabled application
    • But how to solve the security issue? What should I do? (Diagram: Browser, Firewall, DMZ, Web-based Internal Resources)
    • Direct access with HTTP or HTTPS? Why not? (Diagram: Browser, Firewall, DMZ, Web-based Internal Resources)
    • Direct access drawbacks
      • Direct access using HTTP
        • Cleartext traffic (password and content sniffing)
        • No authentication
        • No data integrity
      • Direct access to internal content servers
        • Permits attacks
        • DoS
      • Direct access to internal networks
        • Permits access to other resources if the server is compromised
    • Secure access with e-Xpert Gate (Diagram: Browser, SSL, Firewall, DMZ, e-Xpert Gate, Web-based Internal Resources)
    • Secure access through e-Xpert Gate
      • Use SSL technology (PKI)
        • Provide authentication (server and client)
        • Provide confidentiality
        • Provide data integrity
      • No direct access to internal resources
      • URL content checking and blocking
      • Permits content analysis with an IDS
    • Reverse Proxy Technology
      • Server within a firewall
      • The proxy server appears to be the content server
      • A client computer on the Internet sends a request to the proxy server
      • The proxy server uses a regular mapping to forward the client request to the internal content server
      • You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
      • (Diagram labels: Firewall, CACHE, https (SSL), http or https)
    • SSL/TLS Technology
      • Secure Sockets Layer: TCP/IP socket encryption
      • Provides end-to-end protection of communications sessions
      • Confidentiality protection via encryption
      • Integrity protection with MACs
      • Can authenticate the client (optional)
    • SSL/TLS Technology
      • The SSL protocol runs above TCP/IP
      • The SSL protocol runs below higher-level protocols such as HTTP or IMAP
    • Applications that use SSL or TLS
      • e-Commerce – orders – e-Banking
        • protects contents of forms sent to server
        • protects sensitive personal data
        • provides authentication
      • Secure web-based intranet access
        • ensures secure transmission of confidential content
        • provides authentication
      • Etc.
    • SSL/TLS history
      • SSL v1 designed by Netscape in 1994
      • SSL v2 shipped with Navigator 1.0 and 2.0
      • SSL v3 latest version
      • TLS v1 developed by IETF aka SSL v3.1
    • About authentication? Your business is on the line. But do you really know who’s on the other end?
    • Two-factor User Authentication
    • One-Factor User Authentication Drawbacks
      • Users choose weak passwords
      • Easy to guess (Brute force, dictionary)
      • Easy to use a key logger or sniffer
      • Learn password by "Social Engineering"
    • e-Xpert Gate’s Authentication method
      • Native RSA SecurID authentication
      • SSL Client authentication (PKI)
        • Certificate stored on SmartCard or iKey
        • Certificate stored in a file
      • External authentication with firewall
        • RADIUS, TACACS, LDAP
      • Basic HTTP authentication*
      * Method not recommended
    • RSA SecurID implementation (Diagram: DMZ, e-Xpert Gate, Web-based Internal Resources)
    • RSA tokens
    • How it works? (Diagram: the Token and the ACE/Server each feed Seed and Time into the same Algorithm and both obtain 482392: same seed, same time)
    • SecurID example
    • SSL client authentication implementation (Diagram: DMZ, e-Xpert Gate, Web-based Internal Resources, PKI architecture, Client X509 Certificate)
    • What is a certificate?
    • X509 Authentication
      • Uses SSL client X.509 certificate
      • Provides strong authentication (“something you have, something you know”)
      • Requires a Certificate authority (Public or Private)
      • Certificate can be stored on the local host, on a smart card or on an iKey
    • Client side authentication (Diagram: Web Client, Web Server; labels: Client Certificate Request, Challenge, Challenge answer, Client Certificate)
    • How secure is the private key? How does the user get access? Where is it stored? (Diagram labels: Smart Card, PIN, Password, Local Browser store, Private key)
    • SmartCard and iKey
      • Provides strong authentication (protect the private key)
      • Serial, PCMCIA, USB
      • Requires smart card reader...
    • e-Xpert Gate Applications
      • Consult email systems such as Microsoft Exchange, Lotus, Netscape, etc.
      • Access intranet applications
      • E-Banking solution (front-end)
      • Extranet applications with partners
      • Etc.
    • Lotus access with e-Xpert Gate
    • Outlook Web Access
    • e-Xpert Gate’s key features
      • Authentication method
        • RSA SecurID
        • SSL client authentication
        • Basic HTTP
        • External authentication with firewall
      • PKI enabled application
        • Supports revocation (CRL)
        • LDAP
    • e-Xpert Gate’s key features
      • Security protocols
        • SSL version 2.0, 3.0
        • TLS version 1.0
      • Ciphers and Algorithms
        • Key exchange: RSA
        • Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
        • Hashes: MD5, SHA-1
    • e-Xpert Gate’s key features
      • Fully supports Verisign Global Server IDs (128 bits for every browser)
      • Supports hardware cryptographic accelerators
        • Rainbow
    • e-Xpert Gate’s key features
      • Secure OS (Linux or Solaris)
        • FIA with Tripwire
        • Management with SSH server
        • Secure file transfer with SSH
        • Syslog messages
      • Appliance solution
        • IBM
        • Sun Microsystems
    • Questions?
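
The "How it works" slide (token and ACE/Server derive the same code from the same seed and the same time) can be sketched as follows. This is an added example, not code from the presentation or from RSA: the slides do not give the SecurID algorithm, so the public HOTP/TOTP construction (HMAC-SHA-1 with RFC 4226 truncation) stands in for it, and `token_code`, `Verifier`, the 60-second step and the drift window are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code; assumed value, not stated on the slides
DIGITS = 6   # the slide shows a six-digit code


def token_code(seed: bytes, now: float, step: int = STEP) -> str:
    """Code for the time step containing `now` (stand-in algorithm, see lead-in)."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Verifier:
    """Server side: same seed, its own clock, a drift window, no code reuse."""

    def __init__(self, seed: bytes, window: int = 1, step: int = STEP):
        self.seed, self.window, self.step = seed, window, step
        self.last_step = -1   # highest time step already accepted

    def check(self, code: str, server_now: float) -> bool:
        current = int(server_now // self.step)
        for s in range(current - self.window, current + self.window + 1):
            if s <= self.last_step:
                continue      # replay protection: a step is accepted once
            expected = token_code(self.seed, s * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"            # constructed sample seed
    server = Verifier(seed)
    code = token_code(seed, now=100)          # token clock reads t=100
    print(code, server.check(code, 140))      # server clock is 40 s ahead
    print("replay:", server.check(code, 140))
    print("stale:", server.check(code, 300))
```

The drift window is what lets a token whose clock is slightly off still authenticate, and tracking the last accepted step is what stops a sniffed code from being reused inside that window.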