3. Apps are usually embedded into a larger system
[Diagram: an application shown in the context of its surroundings. Entry Points: Office, Home, En Route. Devices: Workstation, Notebook, Mobile, Tablet. Applications / Services: Email, Time Schedule, Intranet. Users: Employees, Field Workers, Externals, Specialists, Guests, Threat Agents.]
4. Web Application Security Architecture Components
[Diagram: component labels: Internet, Cloud Services, Internal Network, Intranet; Web Applications (two instances), Service Provider; Employees / Customers / Partners (External), Employees (Internal); WAF, Auth, IdP, IdM Solution, Central Identity Store, 2FA Provider.]
5. United Security Providers’ Products and Services
[Diagram: product and service labels: Firewall, Wide Area Network, Remote Access, Mail Gateway, Network Access, Web Proxy, Web Application Firewall, Web Authentication.]
600 worldwide customer locations
850’000 end users
7x24h security operations
6. www.bluesec.pl
BLUEsec is a team of professionals working in the field of information security. Our goal is to provide the highest possible level of cybernetic security for organization assets. We provide a wide range of high-quality services and products to build a security model adequate to the organization’s needs. Our values are knowledge, responsibility and trust. We always seek to be the best.
We perform projects in the areas of critical infrastructure and in the field of systems and special-purpose infrastructure. We have worked for organizations from the energy, finance, public administration, government, health and construction sectors.
We are a part of BLUE energy, a Polish consulting company operating in the fields of management, organization, security, strategy and development. The mission of BLUE energy is to develop Polish entrepreneurship by providing efficient and innovative business, organizational and IT solutions and by improving the efficiency of communication between business and the public sector.
BLUE energy – Polish consulting company | BLUEsec – cybernetic security
9. Web Application Security Architecture Components
[Diagram: repeat of the component diagram from slide 4 (Internet, Cloud Services, Internal Network, Intranet; Web Applications, Service Provider; Employees / Customers / Partners (External), Employees (Internal); WAF, Auth, IdP, IdM Solution, Central Identity Store, 2FA Provider).]
10. Goals
1. You know what a (typical) Web Application Security Architecture looks like and what components it (usually) consists of.
2. You know how to integrate your applications into such an environment.
12. A Practical Example of a Web Application Security Architecture
[Diagram: labels: Internet; Public IP / Port-Forwarding (80/443); DMZ (Dual-Homed) Server Zone; Client Zone; Access WAF (active / passive) with DMZ IP (shared), Internal IP 1, Internal IP 2; OWA, Portal App, AD (LDAPS); SAML IdP; SaaS App 1, SaaS App 2, SAML SPs, Federate; SMS-Provider / YubiCloud / …; Field Workers; BYOD, in an «untrusted» IP-Subnet; Customer’s trusted devices (EMM), in a «trusted» IP-Subnet; Managed VPN Remote Access; USP, Mgmt-Access, SOC; portal.customer.com => WAF’s Public IP; portal.customer.com => WAF’s DMZ IP.]
13. A Practical Example – Network Firewalls / Network Zones
[Diagram: same architecture as slide 12, with the network firewalls and network zones highlighted: Internet, DMZ (Dual-Homed) Server Zone, Client Zone, «trusted» and «untrusted» IP-Subnets, Public IP / Port-Forwarding (80/443), DMZ IP (shared), Internal IP 1, Internal IP 2.]
14. A Practical Example – Web Applications and Services
[Diagram: same architecture as slide 12, with the web applications and services highlighted: OWA, Portal App, AD (LDAPS).]
15. A Practical Example – Web Application Firewall
[Diagram: same architecture as slide 12, with the WAF highlighted: Access WAF (active / passive), DMZ IP (shared), Internal IP 1, Internal IP 2, Public IP / Port-Forwarding (80/443); portal.customer.com => WAF’s Public IP; portal.customer.com => WAF’s DMZ IP.]
16. A Practical Example – Users and Devices
[Diagram: same architecture as slide 12, with users and devices highlighted: Field Workers; BYOD, in an «untrusted» IP-Subnet; Customer’s trusted devices (EMM), in a «trusted» IP-Subnet.]
17. A Practical Example – User Identities
[Diagram: same architecture as slide 12, with the user identity store highlighted: AD (LDAPS).]
18. A Practical Example – Authentication Systems (SSO)
[Diagram: same architecture as slide 12, with the authentication systems highlighted: SMS-Provider / YubiCloud / …, AD (LDAPS).]
19. A Practical Example – Identity Federation Components (CDSSO)
[Diagram: same architecture as slide 12, with the identity federation components highlighted: SaaS App 1, SaaS App 2, SAML SPs, SAML IdP, AD (LDAPS), Federate.]
20. A Practical Example – Managed Services and SOC
[Diagram: same architecture as slide 12, with the managed services highlighted: USP, Mgmt-Access, SOC, Managed VPN Remote Access.]
21. A Practical Example of a Web Application Security Architecture
[Diagram: repeat of the complete architecture from slide 12 (Internet; Public IP / Port-Forwarding (80/443); DMZ (Dual-Homed) Server Zone; Client Zone; Access WAF (active / passive) with DMZ IP (shared), Internal IP 1, Internal IP 2; OWA, Portal App, AD (LDAPS); SAML IdP; SaaS App 1, SaaS App 2, SAML SPs, Federate; SMS-Provider / YubiCloud / …; Field Workers; BYOD, in an «untrusted» IP-Subnet; Customer’s trusted devices (EMM), in a «trusted» IP-Subnet; Managed VPN Remote Access; USP, Mgmt-Access, SOC; portal.customer.com => WAF’s Public IP; portal.customer.com => WAF’s DMZ IP).]