2. Who am I?
Dev, Sys and Net Ops backgrounds:
• 2 years as software developer
• 4 years as application leader
• 4 years as Network Security engineer
Nicolas Destor
IAM Security Consultant & Founder at 3AProtect
Certified F5 LTM & APM
ndestor@3aprotect.com
3. Agenda
• Context of the project
• Description of the solution based on F5
• Conclusion
• Demonstration
• Q&A
4. Context of the Project
• Large local government agency
• 100 on-premise applications
• Lots of heterogeneous partners
Flexible, fast and scalable solution for secure external access administration.
5. Why F5 APM?
• BIGIP already in place in the infrastructure
• Rich AAA features
• High degree of programmability with the VPE (Visual Policy Editor)
• Dynamic access management capabilities
• Open and scalable ADC platform
6. Solution Developed
• Unified web access portal for external users
• Implementing the 3 fundamental security bricks
• User-centered design
Authentication, Authorization, Accounting
10. Session Variables for a Declarative Process
• Full Identity Based Access Control (IBAC) Model
• Flexible configuration of AAA using attributes
• Context-based security for each partner
• Human-readable and intuitive policy language
Step 1 (Helpdesk): Qualify request
Step 2 (NetOps): Create user and attributes
11. Implemented Solution (1)
Dynamic Authentication
Multi-factor Authentication
4 technologies available:
• Password
• One Time Password by mail
• Physical or Mobile Token
• Device authentication
Vertical Brute-Force protection
AUTH_<1stFactor>-<2ndFactor>
Ex:
AUTH_PWD
AUTH_PWD-OTPM
12. Implemented Solution (2)
Fine-Grained Authorization
• NAC assessment pipeline
• Least privilege model with dynamic ACL assignment
Data checked: Time, Date, AV, GeoIP, IP, OS
NAC_<NAME>_<dataToCheck>
Ex:
NAC_IP_1.2.3.4
NAC_OS_WIN10
HOST/NET_<resource>_<protocols>
Ex:
HOST_hostname1_RDP
NET_192.168.0.0/24_ICMP-UDP161
13. Implemented Solution (3)
Configurable Network Access
3 network access modes available:
• Full Web with HTML5
• Tunnel App
• VPN-SSL
With self-service mode for one-off access (VNC, RDP and SSH):
Step 1 (Partner): Fill form
Step 2 (Employee): Validate information
Step 3 (Partner): Enter validation code
MODE_<name>
Ex:
MODE_WEB, MODE_TUNNEL, MODE_VPN
14. Implemented Solution (4)
Personalized Accounting
• Notification to internal employees
• User session management in F5
• Logging and reporting (not yet implemented) in Splunk
NOTIF_<email@MXdomain>
Ex:
NOTIF_employee1@localdomain
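The attribute families above (AUTH_, NAC_, HOST_/NET_, MODE_, NOTIF_) form a small declarative policy language that the access policy reads from session variables. The following is an added example, not code from the slides or from 3AProtect, that parses such an attribute list into a policy object, runs the NAC assessment against a session context and answers default-deny ACL lookups. The regexes, the factor codes TOKEN and DEVICE, the AccessPolicy structure and the constructed sample attributes are assumptions; the slides only give the naming pattern and the examples shown.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Attribute families mirror the slides; the exact regexes are assumptions.
AUTH_RE = re.compile(r"^AUTH_([A-Z0-9]+)(?:-([A-Z0-9]+))?$")
NAC_RE = re.compile(r"^NAC_([A-Z]+)_([^_]+)$")
ACL_RE = re.compile(r"^(HOST|NET)_([^_]+)_([A-Z0-9]+(?:-[A-Z0-9]+)*)$")
MODE_RE = re.compile(r"^MODE_(WEB|TUNNEL|VPN)$")
NOTIF_RE = re.compile(r"^NOTIF_([^@\s]+@[^@\s]+)$")

# PWD and OTPM appear on the slides; TOKEN and DEVICE are assumed codes.
KNOWN_FACTORS = {"PWD", "OTPM", "TOKEN", "DEVICE"}


@dataclass
class AccessPolicy:
    factors: list = field(default_factory=list)     # ordered auth factors
    nac_checks: dict = field(default_factory=dict)  # e.g. {"IP": "1.2.3.4"}
    acl: list = field(default_factory=list)         # (kind, resource, {protocols})
    modes: set = field(default_factory=set)
    notify: list = field(default_factory=list)
    errors: list = field(default_factory=list)      # malformed or unknown attributes


def parse_attributes(attrs):
    """Build an AccessPolicy from a user's attribute list. Anything that does not
    match a known family is recorded in errors so the policy can fail closed."""
    p = AccessPolicy()
    for a in attrs:
        if m := AUTH_RE.match(a):
            factors = [f for f in m.groups() if f]
            if set(factors) <= KNOWN_FACTORS:
                p.factors = factors
            else:
                p.errors.append(a)
        elif m := NAC_RE.match(a):
            p.nac_checks[m.group(1)] = m.group(2)
        elif m := ACL_RE.match(a):
            kind, resource, protos = m.groups()
            if kind == "NET":
                try:
                    ipaddress.ip_network(resource, strict=False)
                except ValueError:
                    p.errors.append(a)
                    continue
            p.acl.append((kind, resource, set(protos.split("-"))))
        elif m := MODE_RE.match(a):
            p.modes.add(m.group(1))
        elif m := NOTIF_RE.match(a):
            p.notify.append(m.group(1))
        else:
            p.errors.append(a)
    return p


def _ip_in(actual, expected):
    """True if the client address lies in the declared address or CIDR."""
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    except ValueError:
        return False


def evaluate_nac(policy, context):
    """Run the NAC assessment: every declared check must pass (fail closed).
    context is a dict such as {"IP": "1.2.3.4", "OS": "WIN10"}.
    Returns (allowed, names_of_failed_checks)."""
    failed = []
    for name, expected in policy.nac_checks.items():
        actual = context.get(name)
        if actual is None:
            ok = False
        elif name == "IP":
            ok = _ip_in(actual, expected)
        else:
            ok = actual.upper() == expected.upper()
        if not ok:
            failed.append(name)
    return (not failed, failed)


def acl_permits(policy, target, protocol):
    """Default-deny lookup: True only if an explicit HOST/NET entry covers the
    target (hostname or IP) and lists the requested protocol."""
    for kind, resource, protos in policy.acl:
        if protocol not in protos:
            continue
        if kind == "HOST" and target.lower() == resource.lower():
            return True
        if kind == "NET" and _ip_in(target, resource):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample: the attribute values shown on the slides for one partner.
    sample = ["AUTH_PWD-OTPM", "NAC_IP_1.2.3.4", "NAC_OS_WIN10", "HOST_hostname1_RDP",
              "NET_192.168.0.0/24_ICMP-UDP161", "MODE_WEB", "NOTIF_employee1@localdomain"]
    pol = parse_attributes(sample)
    print(pol.factors, evaluate_nac(pol, {"IP": "1.2.3.4", "OS": "win10"}))
    print(acl_permits(pol, "192.168.0.7", "UDP161"), acl_permits(pol, "192.168.0.7", "RDP"))
```

Two design choices matter for a least-privilege model: unknown or malformed attributes are collected rather than skipped, so a deployment can refuse the session when `errors` is non-empty, and the ACL lookup only ever returns True on an explicit match, so a user with no HOST_/NET_ attributes gets no network access at all.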
15. Conclusion
• Fits business needs, at low expense
• Scalable and open solution
• Accepted by management to replace previous solution
• Positive feedback from partners and employees