170 likes | 392 Vues
WAF and Identity and Access Management Integration. The Next Step in the Evolution of Application Security Best Practices Jan Poczobutt jpoczobutt@barracuda.com. Evolution Phase 0: Control The Connection. Everything focused on controlling the connection Proxy connections are everywhere
E N D
WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan Poczobutt jpoczobutt@barracuda.com
Evolution Phase 0: Control The Connection • Everything focused on controlling the connection • Proxy connections are everywhere • No direct connections to backend servers • Multi-Zone Architecture • Defining what is allowed or not allowed in each layer • Network firewalls everywhere controlling connections between zones • Who talks to whom • Where they are allowed to come from If you can keep the “bad” connections out, put everything into zones and then control access between zones, then life will be good!
Evolution Phase 1.0:Prevent interception in route • Content can get intercepted in route and modified/compromised • Especially true as traffic gets sent out over the Internet • Proliferation of public facing applications for customers and partners • Encryption of content in route seen as solution to this problem • Use SSL on anything & everything with sensitive info or data We already control connections, now all we need to do is make sure traffic does not get hijacked in route and life will be good!
Evolution Phase 2.0:Inspection of Application Content • Rise of Application Layer attacks • Hackers shift tactics to exploit new weak link • 70-90% of attacks focused on app layer attacks • These new attacks are “invisible” to NW Firewalls • Port 80 & 443 traffic needs to be passed through • The Rise of the Web App Firewall (WAF) • Can inspect application layer content • Block malicious content • New phrase: “Do you block OWASP Top 10?” We already control connections and ensure traffic does not get hijacked in route, now all we need to do is inspect application layer content and life will be good!
So What’s Next? • The world continues to change and the bad guys continue to change what they do. • Requirements and deployments continue to evolve • No more controlled access points or access devices • BYOD for Corp B to B apps • Explosion of access devices (mobile, etc) for B to C • Separation of Identity and access management from application logic • Single Sign on systems outside traditional application logic • P.S. There is no silver bullet! Let’s try looking at the different systems and solutions we have in place to see if integration and “better together” approaches delivers any benefits to us?
Barracuda Web Application Firewalls SSL Accelerators Load Balancing Caching Access Control Security Web & XML Consolidation Drives ArchitectureEvolution Perimeter Servers
Why Integrate your WAF & IAM Systems? • Where’s the best place to verify & control user access? • When they first enter your network • WAF in Reverse Proxy at the edge of the network is perfectly positioned for this • Inspect content AND verify users before passing anything back • Proxy connection provides isolation from backends as well as better ability to manage the user connections to various apps/sites • Holistic view and reporting to easily identify issues • Simpler deployment architecture • Simpler is better • Less complexity to manage • Cost reductions from fewer agents & operational effectiveness
Barracuda Networks Confidential More Than Just A WAF Authorization Single Sign On Reporting Authentication Barracuda Web Application Firewall Intelligent Integration
Barracuda Networks Confidential Non-Integrated Approach Start Page 2. Please Supply User – ID: Password: 1. Initial Access 3. User supplies Credentials 5. Access after successful sign on Internet Barracuda Web App Firewall Business Partner 4. DB verification External Authentication System LDAP, RADIUS…
Barracuda Networks Confidential Integration between WAF & IAM Start Page 5. Access after successful sign on 1. Initial Access 3. User supplies Credentials 2. Please Supply User – ID: Password: Internet Barracuda Web App Firewall 4. DB verification Business Partner External Authentication System LDAP, RADIUS… Client Certificates Digital certificate based authentication can Also be used for additional security. Barracuda Web Application Firewall Proxies Authentication No access to back end Service until sign on is complete User DB Internal BWF Stored User Database (for Lab, etc.) Accesses Corporate Database for production: LDAP, RADIUS
Authentication • LDAP / RADIUS integration • Client Certificates • RSA SecurID® • CA SiteMinder® • Single factor or multi factor authentication • One time password Authentication / Authorization Estore application www.estore.com/purchase/ www.estore.com/admin Customers Admin Portal Local User Database Administrator LDAP / RADIUS Database 11 Barracuda Networks Confidential
Authorization • Granular control for different sections of the application • Based on roles / groups Authentication / Authorization Estore application www.estore.com/purchase/ www.estore.com/admin Customers Admin Portal Local User Database Administrator LDAP / RADIUS Database 12 Barracuda Networks Confidential
Single Sign On • Integration with SiteMinder for comprehensive solution • Single domain / Multi domain SSO Authentication / Authorization Airlines application www.airlines.com Customers www.rentals.com Rentals Portal Local User Database LDAP / RADIUS Database 13 Barracuda Networks Confidential
Reporting • Detailed Logs and reports • Integration with SIEM tools • ArcSight • Splunk • RSA enVision Barracuda Networks Confidential
What are your next evolutionary steps? Thank You!