e-Xpert Gate / Reverse Proxy - first-generation WAF

Reverse Proxy SSL and PKI

  1. e-Xpert Gate. e-Xpert Solutions SA, [email_address], 2 March 2001
  2. e-Xpert Gate? Access your applications from everywhere with strong confidentiality and authentication
  3. About your need
     - Access internal information from everywhere
     - Access information with high security
     - No specific client software
     - Simple to use
     - No dedicated station
     - Cost-effective solution
  4. Solution? Use your favorite browser
  5. Why my browser?
     - Very good "footprint"
     - Standard software client
     - Free
     - Very good level of security (with SSL)
     - PKI-enabled application
  6. But how to solve the security issue? (diagram: Browser, Firewall, DMZ, Web-based Internal Resources; "What should I do?")
  7. Direct access with http or https? (diagram: Browser, Firewall, DMZ, Web-based Internal Resources; "Why not?")
  8. Direct access drawbacks
     - Direct access using HTTP
        - Clear traffic (password and content sniffing)
        - No authentication
        - No data integrity
     - Direct access to internal content servers
        - Permits attacks
        - DoS
     - Direct access to internal networks
        - Permits access to other resources if the server is compromised
  9. Secure access with e-Xpert Gate (diagram: Browser, Firewall, e-Xpert Gate in the DMZ, Web-based Internal Resources; the browser talks to the gate over SSL)
  10. Secure access through e-Xpert Gate
     - Uses SSL technology (PKI)
        - Provides authentication (server and client)
        - Provides confidentiality
        - Provides data integrity
     - No direct access to internal resources
     - URL content checking and blocking
     - Permits content analysis with an IDS system
  11. Reverse Proxy Technology (diagram: proxy server with CACHE sitting within a firewall). The proxy server appears to be the content server. A client computer on the Internet sends a request to the proxy server over https (SSL). The proxy server uses a regular mapping to forward the client request to the internal content server over http or https. You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
  12. SSL/TLS Technology
     - Secure Sockets Layer: TCP/IP socket encryption
     - Provides end-to-end protection of communication sessions
     - Confidentiality protection via encryption
     - Integrity protection with MACs
     - Can authenticate the client (optional)
  13. SSL/TLS Technology
     - The SSL protocol runs above TCP/IP
     - The SSL protocol runs below higher-level protocols such as HTTP or IMAP
  14. Applications that use SSL or TLS
     - e-Commerce, orders, e-Banking
        - protects contents of forms sent to the server
        - protects sensitive personal data
        - provides authentication
     - Secure web-based intranet access
        - ensures secure transmission of confidential content
        - provides authentication
     - Etc.
  15. SSL/TLS history
     - SSL v1 designed by Netscape in 1994
     - SSL v2 shipped with Navigator 1.0 and 2.0
     - SSL v3 latest version
     - TLS v1 developed by IETF, aka SSL v3.1
  16. About authentication? Your business is on the line. But do you really know who's on the other end?
  17. Two-factor User Authentication
  18. One-Factor User Authentication Drawbacks
     - Users choose weak passwords
     - Easy to guess (brute force, dictionary)
     - Easy to capture with a key logger or sniffer
     - Password learned by "social engineering"
  19. e-Xpert Gate's authentication methods
     - Native RSA SecurID authentication
     - SSL client authentication (PKI)
        - Certificate stored on a SmartCard or iKey
        - Certificate stored in a file
     - External authentication with the firewall
        - RADIUS, TACACS, LDAP
     - Basic HTTP authentication*
     * Method not recommended
  20. RSA SecurID implementation (diagram: e-Xpert Gate in the DMZ in front of the Web-based Internal Resources)
  21. RSA tokens
  22. How does it work? (diagram: Token: Seed + Time → Algorithm → 482392; ACE/Server: Seed + Time → Algorithm → 482392. Same seed, same time.)
  23. SecurID example
  24. SSL client authentication implementation (diagram: client with an X.509 certificate, e-Xpert Gate in the DMZ, PKI architecture, Web-based Internal Resources)
  25. What is a certificate
  26. X.509 Authentication
     - Uses SSL client X.509 certificate
     - Provides strong authentication ("something you have, something you know")
     - Requires a Certificate Authority (public or private)
     - Certificate can be stored on the local host or on a smart card or iKey
  27. Client side authentication (diagram: the Web Server sends a Challenge and a Client Certificate Request; the Web Client returns the Challenge answer and its Client Certificate)
  28. How secure is the private key? How does the user get access? Where is it stored? (diagram: private key in the local browser store, protected by a password, or on a smart card, protected by a PIN)
  29. SmartCard and iKey
     - Provides strong authentication (protects the private key)
     - Serial, PCMCIA, USB
     - Requires a smart card reader...
  30. e-Xpert Gate Applications
     - Consult e-mail systems such as Microsoft Exchange, Lotus, Netscape, etc.
     - Access Intranet applications
     - e-Banking solution (front-end)
     - Extranet applications with partners
     - Etc.
  31. Lotus access with e-Xpert Gate
  32. Outlook Web Access
  33. e-Xpert Gate's key features
     - Authentication methods
        - RSA SecurID
        - SSL client authentication
        - Basic HTTP
        - External authentication with the firewall
     - PKI-enabled application
        - Supports revocation (CRL)
        - LDAP
  34. e-Xpert Gate's key features
     - Security protocols
        - SSL version 2.0, 3.0
        - TLS version 1.0
     - Ciphers and algorithms
        - Key exchange: RSA
        - Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
        - Hashes: MD5, SHA-1
  35. e-Xpert Gate's key features
     - Fully supports VeriSign Global Server IDs (128 bits for every browser)
     - Supports hardware cryptographic accelerators
        - Rainbow
  36. e-Xpert Gate's key features
     - Secure OS (Linux or Solaris)
        - FIA with Tripwire
        - Management with SSH server
        - Secure file transfer with SSH
        - Syslog messages
     - Appliance solution
        - IBM
        - Sun Microsystems
  37. Questions?
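Slides 10 and 11 describe the two jobs of the gate: a regular mapping that forwards browser requests to the internal content server, and URL checking that blocks requests before they reach it. The following is an added example in Go (not e-Xpert Solutions' code) of that combination using the standard library's reverse proxy. The published prefixes `/mail/` and `/intranet/`, the internal echo server and the request paths are all constructed for the demo; the check refuses non-canonical paths (dot segments, doubled slashes) as well as anything outside the published prefixes, so the mapping cannot be steered at unpublished content.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"path"
	"strings"
)

// allowedPrefixes are the only external paths the gate publishes (an
// assumption for this example); everything else is refused at the gate.
var allowedPrefixes = []string{"/mail/", "/intranet/"}

var errForbidden = errors.New("path not published by the gate")

// CheckPath is the gate's URL check: it refuses non-canonical paths
// (dot segments, doubled slashes) and anything outside the published prefixes.
func CheckPath(p string) error {
	if p == "" || p[0] != '/' {
		return errForbidden
	}
	clean := path.Clean(p)
	if clean != p && clean+"/" != p { // allow a single trailing slash only
		return errForbidden
	}
	for _, prefix := range allowedPrefixes {
		if strings.HasPrefix(p, prefix) {
			return nil
		}
	}
	return errForbidden
}

// NewGate builds the reverse proxy: every request is checked, then mapped
// unchanged onto the internal content server.
func NewGate(internal *url.URL) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(internal)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := CheckPath(r.URL.Path); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

// RunGateDemo stands up a constructed internal server with the gate in front
// of it and reports the status the browser sees for each request path.
func RunGateDemo() (map[string]int, error) {
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "internal server saw %s", r.URL.Path)
	}))
	defer internal.Close()
	target, err := url.Parse(internal.URL)
	if err != nil {
		return nil, err
	}
	gate := httptest.NewServer(NewGate(target))
	defer gate.Close()

	results := map[string]int{}
	for _, p := range []string{"/mail/inbox", "/intranet/", "/admin/", "/mail/../admin/"} {
		resp, err := http.Get(gate.URL + p)
		if err != nil {
			return nil, err
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		results[p] = resp.StatusCode
	}
	return results, nil
}

func main() {
	results, err := RunGateDemo()
	if err != nil {
		panic(err)
	}
	for p, code := range results {
		fmt.Printf("%-18s -> %d\n", p, code)
	}
}
```

The internal server only ever sees paths that passed `CheckPath`, which is the "no direct access to internal resources" property of slide 10 expressed as code; the firewall rule of slide 11 (only the gate's port may cross) is what makes that check the sole way in.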
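Slide 22 shows the SecurID principle: token and ACE/Server hold the same seed, feed it and the current time through the same algorithm, and therefore display the same code. RSA's algorithm itself is proprietary, so the added example below (not RSA's or e-Xpert Solutions' code) demonstrates the same seed-plus-time construction with the public HMAC-based one of RFC 4226 / RFC 6238. The 30-second step and 6-digit length are assumptions; the seed used in the usage is the RFC test key. The server-side check accepts one step either side to absorb clock drift and compares in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// TimeStep is how long one code stays valid; Digits is the displayed length.
// Both are assumptions for this example, not SecurID parameters.
const (
	TimeStep = 30 * time.Second
	Digits   = 6
)

// counterFor turns the clock into the moving factor: both sides divide the
// same Unix time by the same step, so "same seed, same time" gives the same counter.
func counterFor(t time.Time) int64 {
	return t.Unix() / int64(TimeStep/time.Second)
}

// Code derives the one-time value from the shared seed and the counter
// (HMAC-SHA1, dynamic truncation, decimal reduction, as in RFC 4226).
func Code(seed []byte, counter int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(counter))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, truncated%mod)
}

// CodeAt is what the token displays at time t.
func CodeAt(seed []byte, t time.Time) string {
	return Code(seed, counterFor(t))
}

// Verify is the server side: it accepts the code for the current step and one
// step either side (clock drift between token and server), comparing in
// constant time so a near miss is indistinguishable from a far one.
func Verify(seed []byte, code string, now time.Time) bool {
	c := counterFor(now)
	for _, candidate := range []int64{c - 1, c, c + 1} {
		if hmac.Equal([]byte(Code(seed, candidate)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226/6238 test key
	now := time.Now()
	code := CodeAt(seed, now)
	fmt.Printf("token shows %s; server accepts it: %v\n", code, Verify(seed, code, now))
}
```

Verifying in the server with a small window rather than an exact match is what makes token clock drift survivable; widening the window trades that for more guessable codes, which is why the window stays at a step or so and why failed attempts should still be rate-limited on the authentication server.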
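Slides 26 to 28 describe SSL client authentication: the server requests a certificate and issues a challenge, the client answers with its certificate and a signature made with the private key the user unlocked. In SSL/TLS that exchange is the handshake itself (the client's CertificateVerify message signs the handshake transcript). The added example below, in Go and not the product's code, builds a private CA, a gate certificate and a user certificate in memory, then runs the exchange: the client holding a certificate that chains to the CA is authenticated by name, and a client without one is refused. The names "Private CA", "gate" and "alice", the loopback address and the validity period are all constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

var serial int64 // constructed serial numbers for the demo certificates

// issue creates an ECDSA key and an X.509 certificate for cn; with isCA the
// certificate is self-signed (the private CA), otherwise parent signs it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the gate's address in this demo
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pair packs a certificate and its private key for a tls.Config.
func pair(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// browser is a client that trusts the private CA and presents certs, if any.
func browser(pool *x509.CertPool, certs ...tls.Certificate) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs}}}
}

// RunMutualTLSDemo returns the name the gate authenticated from the user's
// certificate and whether a client without a certificate was refused.
func RunMutualTLSDemo() (authenticatedAs string, rejectedNoCert bool, err error) {
	caCert, caKey, err := issue("Private CA", true, nil, nil)
	if err != nil {
		return "", false, err
	}
	gateCert, gateKey, err := issue("gate", false, caCert, caKey)
	if err != nil {
		return "", false, err
	}
	userCert, userKey, err := issue("alice", false, caCert, caKey)
	if err != nil {
		return "", false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// The gate requires a client certificate chaining to the private CA before
	// any request is served; PeerCertificates is populated only after that check.
	gate := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	gate.TLS = &tls.Config{Certificates: []tls.Certificate{pair(gateCert, gateKey)}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	gate.StartTLS()
	defer gate.Close()
	// With the user's certificate the handshake authenticates both ends.
	resp, err := browser(pool, pair(userCert, userKey)).Get(gate.URL)
	if err != nil {
		return "", false, err
	}
	body, _ := io.ReadAll(resp.Body)
	resp.Body.Close()
	// Without a certificate the gate refuses the connection.
	_, err = browser(pool).Get(gate.URL)
	return string(body), err != nil, nil
}

func main() { fmt.Println(RunMutualTLSDemo()) }
```

Two points for deployment follow from the demo: `ClientCAs` pins which issuers are acceptable, so a certificate from any other authority fails the handshake even if it is otherwise valid, and the name the application trusts is read from the verified chain, never from a header the client could set. Revocation (the CRL support in slide 33) sits on top of this check: `VerifyPeerCertificate` on the same `tls.Config` is where a CRL or LDAP lookup against the presented certificate's serial would go.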