Managing external partners' remote access with APM
F5 Agility, 15th August 2018
Nicolas Destor
IAM Security Consultant - 3A Protect
Who am I?
Dev, Sys and Net Ops backgrounds:
• 2 years as software developer
• 4 years as application leader
• 4 years as Network Security engineer
Nicolas Destor
IAM Security Consultant & Founder at 3AProtect
Certified F5 LTM & APM
ndestor@3aprotect.com
Agenda
• Context of the project
• Description of the solution based on F5
• Conclusion
• Demonstration
• Q&A
Context of the Project
• Large local government agency
• 100 on-premise applications
• Lots of heterogeneous partners
Flexible, fast and scalable solution for secure
external access administration.
Why F5 APM?
• BIGIP already in place in the infrastructure
• Rich AAA features
• High-degree of programmability with VPE
• Dynamic access management capabilities
• Open and scalable ADC platform
Solution Developed
• Unified web access portal for external users
• Implementing the 3 fundamental security bricks
• User-centered design
Architecture diagram: the three bricks (Authentication, Authorization, Accounting) are implemented by APM, LTM and iRules on the BIG-IP platform, with NetOps, the LDAP directory and the partners around it.
F5 Technologies Involved
Session variables:
• TCL code inside VPE
• iRules
APM & LTM features:
• WebSSO and Per-request policy for Sparkview integration
• AD, LDAP, DNS, SMTP, Radius (FortiAuthenticator) protocols
• HSL protocol for JSON log export to SPLUNK
Session Variables for a Declarative Process
• Full Identity Based Access Control (IBAC) Model
• Flexible configuration of AAA using attributes
• Context-based security for each partner
• Human-readable and intuitive policy language
Provisioning workflow: Step 1, the Helpdesk qualifies the request; Step 2, NetOps creates the user and its attributes.
Implemented Solution (1)
Dynamic Authentication
Multi-factor Authentication
4 technologies available:
• Password
• One Time Password by mail
• Physical or Mobile Token
• Device authentication
Vertical Brute-Force protection
AUTH_<1stFactor>-<2ndFactor>
Ex:
AUTH_PWD
AUTH_PWD-OTPM
Implemented Solution (2)
Fine-Grained Authorization
• NAC assessment pipeline
• Least privilege model with dynamic ACL assignment
NAC checks: Time, Date, AV, GeoIP, IP, OS
NAC_<NAME>_<dataToCheck>
Ex:
NAC_IP_1.2.3.4
NAC_OS_WIN10
HOST/NET_<resource>_<protocols>
Ex:
HOST_hostname1_RDP
NET_192.168.0.0/24_ICMP-UDP161
Implemented Solution (3)
Configurable Network Access
3 network access modes available:
• Full Web with HTML5
• Tunnel App
• VPN-SSL
With self-service mode for one-off access (VNC, RDP and SSH):
Self-service workflow: Step 1, the partner fills the form; Step 2, the employee validates the information; Step 3, the partner enters the validation code.
MODE_<name>
Ex:
MODE_WEB, MODE_TUNNEL,
MODE_VPN
Implemented Solution (4)
Personalized Accounting
• Notification to internal employees
• User session management in F5
• Logging and reporting (not yet implemented) in Splunk
NOTIF_<email@MXdomain>
Ex:
NOTIF_employee1@localdomain
Conclusion
• Fit to business, at low expense
• Scalable and open solution
• Accepted by management to replace previous solution
• Positive feedback from partners and employees
Attribute Reference

ACCESS MODE Attributes (multivalued)
• MODE_WEB: browser-only access
• MODE_TUNNEL: application tunnel access
• MODE_VPN: VPN-SSL access

AUTHENTICATION Attributes (unique)
• AUTH_<1stFactor>: AUTH_PWD
• AUTH_<1stFactor>-<2ndFactor>: AUTH_PWD-OTPM, AUTH_PWD-TOKEN, AUTH_PWD-DEVICE

AUTHENTICATION Specific Attributes (multivalued)
• OTPM: OTPM_DOMAIN_<MX-Domain>
• DEVICE: TERMINAL_MAC_<MAC-Addr>, TERMINAL_BIOS_<SerialNumber>

Network Access Control Attributes (multivalued)
• NAC_DATE: NAC_DATE_<endDate>, NAC_DATE_<startDate>-<endDate>
• NAC_TIME: NAC_TIME_HOUR_<startTime>-<endTime>, NAC_TIME_DAY_<startTime>-<endTime>
• NAC_GEOIP: NAC_GEO_<continent>, NAC_GEO_<continent>_<country>
• NAC_IP: NAC_IP_<CIDR>, NAC_IP_<FQDN>
• NAC_OS: NAC_OS_<platform>
• NAC_AV: NAC_AV_<name>

NOTIFICATION Attributes (multivalued)
• NOTIF_: NOTIF_<Predefined_MX>_username>

Resources Attributes (multivalued)
• HOST: HOST_<IpAddr>_<Protocols**>, HOST_<Hostname>_<Protocols**>
• NET*: NET_<CIDR>_<Protocols**>
• APP: APP_<AppName>

Link Attributes (multivalued)
• LINK_EDGECLIENT
• LINK_OESISDEBUG

* Only in VPN mode. ** HTTP/HTTPS(<port>)-RDP-VNC-SSH-TCP(PORT)-UDP(PORT)-ICMP
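The attribute language of the "Fine-Grained Authorization" slide and the reference above, evaluated offline as an added example (not the project's code, which runs as TCL inside the VPE): it parses NAC_*, HOST_* and NET_* values, runs the NAC pipeline against a session context and derives the dynamic ACL. The YYYYMMDD date and HHMM time formats, the "any value per kind, all kinds must pass" multivalue semantics, the protocol-to-port mapping and the context key names are assumptions.

```python
"""Offline model of the declarative attribute language (added example; the
real logic runs as TCL inside the APM VPE). Assumptions: NAC_DATE values are
YYYYMMDD[-YYYYMMDD], NAC_TIME_HOUR values are HHMM-HHMM, every NAC kind present
must be satisfied by at least one of its entries, unknown kinds fail closed."""
import ipaddress
from datetime import date, datetime, time

# Assumed mapping of the protocol tokens from footnote ** to (transport, port).
FIXED_PORTS = {"RDP": ("tcp", 3389), "VNC": ("tcp", 5900), "SSH": ("tcp", 22),
               "HTTP": ("tcp", 80), "HTTPS": ("tcp", 443), "ICMP": ("icmp", None)}


def parse_protocol(token):
    """'RDP' -> ('tcp', 3389); 'UDP161' -> ('udp', 161); 'HTTPS(8443)' -> ('tcp', 8443)."""
    token = token.upper()
    for name in ("TCP", "UDP"):                       # TCP(PORT) / UDP(PORT) / UDP161
        if token.startswith(name):
            return (name.lower(), int(token[len(name):].strip("()")))
    for name in ("HTTPS", "HTTP"):                    # HTTP/HTTPS(<port>), default if absent
        if token.startswith(name):
            port = token[len(name):].strip("()")
            return ("tcp", int(port) if port else FIXED_PORTS[name][1])
    return FIXED_PORTS[token]


def nac_check(attr, ctx):
    """Evaluate one NAC_<KIND>_<data> attribute against the session context.
    ctx keys (assumed names): ip, fqdn, os, av, geo=(continent, country), now."""
    kind, _, data = attr[len("NAC_"):].partition("_")
    if kind == "IP":
        try:                                          # NAC_IP_<CIDR>; a bare address is a /32
            return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(data, strict=False)
        except ValueError:                            # not an address or prefix: NAC_IP_<FQDN>
            return ctx.get("fqdn") == data
    if kind == "OS":
        return ctx["os"].upper() == data.upper()
    if kind == "AV":
        return ctx.get("av", "").upper() == data.upper()
    if kind == "GEO":                                 # NAC_GEO_<continent>[_<country>]
        parts = tuple(data.split("_"))
        return tuple(ctx["geo"][:len(parts)]) == parts
    if kind == "DATE":                                # NAC_DATE_<endDate> or <start>-<end>
        start, _, end = data.partition("-")
        today = ctx["now"].date()
        lo = datetime.strptime(start, "%Y%m%d").date() if end else date.min
        hi = datetime.strptime(end or start, "%Y%m%d").date()
        return lo <= today <= hi
    if kind == "TIME":                                # only NAC_TIME_HOUR_<start>-<end> modelled
        sub, _, rng = data.partition("_")
        if sub != "HOUR":
            return False                              # DAY ranges not modelled: fail closed
        start, _, end = rng.partition("-")
        now = ctx["now"].time()
        return time(int(start[:2]), int(start[2:])) <= now <= time(int(end[:2]), int(end[2:]))
    return False                                      # unknown check: deny


def authorize(attrs, ctx):
    """Run the NAC assessment pipeline. Returns (allowed, first_failed_kind)."""
    by_kind = {}
    for a in attrs:
        if a.startswith("NAC_"):
            by_kind.setdefault(a[len("NAC_"):].split("_", 1)[0], []).append(a)
    for kind, values in by_kind.items():
        if not any(nac_check(v, ctx) for v in values):
            return False, kind
    return True, None


def acl_entries(attrs, mode):
    """Turn HOST_*/NET_* attributes into (destination, transport, port) allow entries.
    NET_* is honoured only in VPN mode (footnote * on the reference slide)."""
    entries = []
    for a in attrs:
        if a.startswith("HOST_") or (a.startswith("NET_") and mode == "MODE_VPN"):
            _, dst, protos = a.split("_", 2)
            entries.extend((dst,) + parse_protocol(p) for p in protos.split("-"))
    return entries


# Constructed sample: the LDAP attribute values of one partner account.
PARTNER_ATTRS = [
    "AUTH_PWD-OTPM", "MODE_WEB", "MODE_VPN",
    "NAC_IP_203.0.113.0/24", "NAC_OS_WIN10", "NAC_GEO_EU_FR",
    "NAC_DATE_20180101-20181231", "NAC_TIME_HOUR_0800-1800",
    "HOST_hostname1_RDP", "NET_192.168.0.0/24_ICMP-UDP161",
    "NOTIF_employee1@localdomain",
]
# Constructed session contexts as the VPE would collect them at login.
CTX_OK = {"ip": "203.0.113.7", "os": "win10", "geo": ("EU", "FR"),
          "now": datetime(2018, 8, 15, 10, 30)}
CTX_OFF_HOURS = dict(CTX_OK, now=datetime(2018, 8, 15, 22, 0))
CTX_EXPIRED = dict(CTX_OK, now=datetime(2019, 1, 2, 10, 0))

if __name__ == "__main__":
    print(authorize(PARTNER_ATTRS, CTX_OK))           # (True, None)
    print(authorize(PARTNER_ATTRS, CTX_OFF_HOURS))    # (False, 'TIME')
    print(acl_entries(PARTNER_ATTRS, "MODE_VPN"))
```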
Thanks!
Get in touch: ndestor@3aprotect.com, @nicolasdestor