e-Xpert Gate / Reverse Proxy - first-generation WAF

Posted on 18-May-2015


Description: Reverse Proxy, SSL and PKI

Transcript

e-Xpert Gate

e-Xpert Solutions SA, smaret@e-xpertsolutions.com

2 March 2001

e-Xpert Solutions SA, rte de Pré-Marais 29 CH-1223 Bernex - Genève

e-Xpert Gate?

Access your applications from everywhere with strong confidentiality and authentication


About your needs

Access internal information from everywhere

Access information with high security
No specific client software
Simple to use
No dedicated station
Cost-effective solution


Solution?

Use your favorite browser


Why my browser?

Very good "footprint"
Standard software client
Free
Very good level of security (with SSL)
PKI-enabled application


But how do we solve the security issue?

Diagram: Browser -> Firewall -> DMZ -> Web-based internal resources. What should I do?


Direct access with HTTP or HTTPS?

Diagram: Browser -> Firewall -> DMZ -> Web-based internal resources. Why not?


Direct access drawbacks

Direct access using HTTP
– Clear traffic (password and content sniffing)
– No authentication
– No data integrity

Direct access to internal content servers
– Permits attacks
– DoS

Direct access to internal networks
– Permits access to other resources if the server is compromised


Secure access with e-Xpert Gate

Diagram: Browser -> (SSL) -> e-Xpert Gate in the DMZ -> Firewall -> Web-based internal resources


Secure access through e-Xpert Gate

Uses SSL technology (PKI)
– Provides authentication (server and client)
– Provides confidentiality
– Provides data integrity

No direct access to internal resources
URL content checking and blocking
Permits content analysis with an IDS system


Reverse Proxy Technology

The proxy server sits within a firewall and appears to be the content server. A client computer on the Internet sends a request to the proxy server over https (SSL). The proxy server uses a regular mapping to forward the client request to the internal content server, over http or https.

You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.

Diagram: Client -> https (SSL) -> Firewall -> Proxy server (with CACHE) -> http or https -> Internal content server
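As an added illustration of the "regular mapping" and the URL checking and blocking the slides describe (example code written for this page, not e-Xpert Gate's own implementation), the Python below keeps a table from external URL prefixes to internal content servers and refuses any request it cannot map, any path containing traversal (also when double-encoded), control characters, or backup-file names. The host names, prefixes and blocked patterns are assumptions made up for the example.

```python
"""Reverse-proxy request mapping with URL content checking (added example).
Only paths that match a configured prefix are forwarded; everything else is
blocked, so the internal servers are never reachable directly."""
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Regular mapping: external URL prefix -> internal content server.
# Host names are constructed for this example.
MAPPINGS = {
    "/mail/": "http://mail.internal.example",
    "/intranet/": "https://intranet.internal.example",
}

# Content checks applied to the decoded path before any mapping is consulted.
BLOCKED_PATTERNS = [
    (re.compile(r"(^|/)\.\.(/|$)"), "directory traversal"),
    (re.compile(r"[\x00-\x1f\x7f]"), "control character in path"),
    (re.compile(r"\.(bak|old|orig|swp)$", re.I), "backup file requested"),
]


def decode_path(raw_path: str) -> str:
    # Decode twice so that %252e%252e (double-encoded "..") is seen as "..".
    return unquote(unquote(raw_path))


def decide(url: str):
    """Return ("forward", internal_url) or ("block", reason) for one request."""
    parts = urlsplit(url)
    path = decode_path(parts.path)
    if not path.startswith("/"):
        return ("block", "relative path")
    for pattern, reason in BLOCKED_PATTERNS:
        if pattern.search(path):
            return ("block", reason)
    # Collapse "." segments and duplicate slashes; ".." was already rejected above.
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    for prefix, backend in MAPPINGS.items():
        if norm == prefix.rstrip("/") or norm.startswith(prefix):
            target = backend + norm
            if parts.query:
                target += "?" + parts.query
            return ("forward", target)
    return ("block", "no mapping for " + norm)


if __name__ == "__main__":
    # Constructed sample requests as they would arrive at the gateway.
    for sample in (
        "https://gate.example.com/mail/inbox?folder=1",
        "https://gate.example.com/mail/%2e%2e/intranet/admin",
        "https://gate.example.com/mail/%252e%252e/",
        "https://gate.example.com/admin/",
        "https://gate.example.com/intranet/config.bak",
    ):
        print(sample, "->", decide(sample))
```

The traversal check runs on the decoded path before normalisation on purpose: normalising first would silently turn `/mail/../intranet/admin` into a valid intranet request instead of rejecting it.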


SSL/TLS Technology

Secure Sockets Layer: TCP/IP socket encryption
Provides end-to-end protection of communication sessions
Confidentiality protection via encryption
Integrity protection with MACs
Can authenticate the client (optional)


SSL/TLS Technology

The SSL protocol runs above TCP/IP and below higher-level protocols such as HTTP or IMAP.


Applications that use SSL or TLS

e-Commerce
– orders
– e-Banking
– protects the contents of forms sent to the server
– protects sensitive personal data
– provides authentication

Secure web-based intranet access
– ensures secure transmission of confidential content
– provides authentication

Etc.


SSL/TLS history

SSL v1 designed by Netscape in 1994
SSL v2 shipped with Navigator 1.0 and 2.0
SSL v3 latest version
TLS v1 developed by the IETF, aka SSL v3.1


About authentication?

Your business is on the line. But do you really know who's on the other end?


Two-factor User Authentication


One-Factor User Authentication Drawbacks

Users choose weak passwords
Easy to guess (brute force, dictionary)
Easy to capture with a key logger or sniffer
Password learned through "social engineering"


e-Xpert Gate's Authentication methods

Native RSA SecurID authentication
SSL client authentication (PKI)
– Certificate stored on a SmartCard or iKey
– Certificate stored in a file
External authentication with the firewall
– RADIUS, TACACS, LDAP
Basic HTTP authentication*

* Method not recommended


RSA SecurID implementation

Diagram: e-Xpert Gate in the DMZ in front of the web-based internal resources


RSA tokens


How does it work?

Diagram: the token and the ACE/Server each feed the same seed and the same time into the same algorithm, so both produce the same code (482392 in the example)
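The seed-plus-time principle shown in the diagram, as an added example written for this page (not e-Xpert Gate or RSA code). The real SecurID algorithm is proprietary and differs from this; the block models the same idea with HMAC-SHA1 in the way later standardised as TOTP (RFC 6238). The token and the server both hold the seed and read the same clock, so both compute the same code without the seed ever crossing the network; the server side also adds the two things a deployment needs, a PIN in front of the code (the second factor) and replay rejection. Seed, PIN, user name and time step are constructed for the example.

```python
"""SecurID-style time-based token code: token side and server side (added example)."""
import hashlib
import hmac
import struct

STEP = 60      # seconds each code stays valid (SecurID tokens also rotate every 60 s)
DIGITS = 6
DRIFT = 1      # accept one time step of clock skew either side


def token_code(seed: bytes, unix_time: int) -> str:
    """Token side: derive the current code from the shared seed and the clock."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AceServer:
    """Server side: holds each user's seed and PIN and rejects replayed codes."""

    def __init__(self, users: dict):
        self.users = users        # user -> (seed, pin)
        self.last_step = {}       # user -> last time step that was accepted

    def verify(self, user: str, passcode: str, unix_time: int) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        seed, pin = record
        # Two factors: the PIN (something you know) prefixed to the code (something you have).
        if not hmac.compare_digest(passcode[:len(pin)].encode(), pin.encode()):
            return False
        code = passcode[len(pin):].encode()
        step = unix_time // STEP
        for delta in range(-DRIFT, DRIFT + 1):
            candidate = step + delta
            if hmac.compare_digest(token_code(seed, candidate * STEP).encode(), code):
                if candidate <= self.last_step.get(user, -1):
                    return False  # this code, or a newer one, was already used
                self.last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values; a real seed is provisioned per token and kept secret.
    seed = b"constructed seed for alice"
    now = 1_000_000_000
    server = AceServer({"alice": (seed, "1234")})
    code = token_code(seed, now)
    print("token shows", code)
    print("first use  ", server.verify("alice", "1234" + code, now))
    print("replay     ", server.verify("alice", "1234" + code, now))
```

Because the comparison window is only one step either side, a stolen code is useless a couple of minutes later, and because the server remembers the last accepted step, the same code cannot be used twice within that window.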


SecurID example


SSL client authentication implementation

Diagram: client with X.509 certificate -> e-Xpert Gate in the DMZ -> web-based internal resources, backed by a PKI architecture


What is a certificate?


X.509 Authentication

Uses the SSL client X.509 certificate
Provides strong authentication ("something you have, something you know")
Requires a Certificate Authority (public or private)
Certificate can be stored on the local host or on a smart card or iKey


Client side authentication

Diagram, messages between the web client and the web server: Client Certificate Request (server to client), Client Certificate (client to server), Challenge (server to client), Challenge answer (client to server)
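The exchange in the diagram, as an added example written for this page (not e-Xpert Gate code): the gateway requests the certificate, sends a fresh challenge, and the client answers by signing the challenge with the private key belonging to its X.509 certificate. Before checking the answer, the gateway validates the certificate itself: CA signature, validity period, and the CRL revocation check that the key-features slide lists. To run with the standard library alone, signatures use toy textbook RSA on fixed Mersenne primes and the certificate is a plain dictionary rather than DER; real TLS uses padded signatures and real X.509 parsing, and the CA name, subject, serial and dates are constructed.

```python
"""SSL client-certificate authentication, modelled end to end (added example)."""
import hashlib
import json
import secrets

E = 65537  # public exponent; coprime with phi(n) for every prime pair used below


def keypair(p: int, q: int):
    """Return ((n, e), (n, d)). Toy key sizes: for illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest_int(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced mod n so it is a valid RSA message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def canonical(obj) -> bytes:
    # Deterministic serialisation of the to-be-signed part of a certificate
    return json.dumps(obj, sort_keys=True).encode()


def issue_cert(ca_priv, subject: str, subject_pub, serial: int,
               not_before: int, not_after: int) -> dict:
    """CA side: bind a subject name to a public key and sign that binding."""
    tbs = {"issuer": "Example CA", "subject": subject, "serial": serial,
           "public_key": list(subject_pub),
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "signature": sign(ca_priv, canonical(tbs))}


def validate_cert(cert: dict, ca_pub, now: int, crl: set):
    """Gateway side: CA signature, validity period, then revocation."""
    tbs = cert["tbs"]
    if not verify(ca_pub, canonical(tbs), cert["signature"]):
        return False, "certificate not signed by the trusted CA"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "certificate expired or not yet valid"
    if tbs["serial"] in crl:
        return False, "certificate revoked (listed in CRL)"
    return True, "certificate ok"


class Gateway:
    """The reverse proxy: trusts one CA and holds the current CRL."""

    def __init__(self, ca_pub, crl: set):
        self.ca_pub = ca_pub
        self.crl = crl

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh per connection, so an answer cannot be replayed

    def authenticate(self, cert: dict, nonce: bytes, answer: int, now: int):
        ok, reason = validate_cert(cert, self.ca_pub, now, self.crl)
        if not ok:
            return False, reason
        if not verify(tuple(cert["tbs"]["public_key"]), nonce, answer):
            return False, "challenge answer does not match the certificate's key"
        return True, "authenticated as " + cert["tbs"]["subject"]


class Client:
    """The browser or smart card: holds the private key and the certificate."""

    def __init__(self, cert: dict, priv):
        self.cert = cert
        self.priv = priv

    def answer(self, nonce: bytes) -> int:
        return sign(self.priv, nonce)


# Constructed key material: Mersenne primes, chosen because they are known to be prime.
CA_PUB, CA_PRIV = keypair(2**107 - 1, 2**127 - 1)
ALICE_PUB, ALICE_PRIV = keypair(2**61 - 1, 2**89 - 1)
ALICE_CERT = issue_cert(CA_PRIV, "alice", ALICE_PUB, serial=1001,
                        not_before=1000, not_after=2000)


def demo(now: int = 1500, crl=frozenset()):
    """One full exchange: request certificate, challenge, answer, verdict."""
    gw = Gateway(CA_PUB, set(crl))
    alice = Client(ALICE_CERT, ALICE_PRIV)
    nonce = gw.challenge()
    return gw.authenticate(alice.cert, nonce, alice.answer(nonce), now)


if __name__ == "__main__":
    print(demo())            # valid certificate, correct key
    print(demo(now=3000))    # certificate expired
    print(demo(crl={1001}))  # certificate revoked
```

The order of checks matters: a signature that verifies against the certificate's key proves possession of the matching private key, but that only means something once the certificate has been tied to the trusted CA and found neither expired nor revoked.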


How secure is the private key?

Where is it stored? How does the user get access?
– Smart card
– Local browser store


SmartCard and iKey

Provides strong authentication (protects the private key)
Serial, PCMCIA, USB
Requires a smart card reader...


e-Xpert Gate Applications

Consult email systems like Microsoft Exchange, Lotus, Netscape, etc.
Access Intranet applications
e-Banking solution (front-end)
Extranet applications with partners
Etc.


Lotus access with e-Xpert Gate


e-Xpert Gate's key features

Authentication methods
– RSA SecurID
– SSL client authentication
– Basic HTTP
– External authentication with the firewall

PKI-enabled application
– Supports revocation (CRL)
– LDAP


e-Xpert Gate's key features

Security protocols
– SSL version 2.0, 3.0
– TLS version 1.0

Ciphers and algorithms
– Key exchange: RSA
– Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
– Hashes: MD5, SHA-1


e-Xpert Gate's key features

Fully supports Verisign Global Server IDs (128 bits for every browser)

Supports hardware cryptographic accelerators
– Rainbow


e-Xpert Gate's key features

Secure OS (Linux or Solaris)
– FIA with Tripwire
– Management with SSH server
– Secure file transfer with SSH
– Syslog messages

Appliance solution
– IBM
– Sun Microsystems


Questions?