WAF and Identity and Access Management Integration

WAF and Identity and Access
Management Integration
The Next Step in the Evolution of
Application Security Best Practices
Jan Poczobutt
jpoczobutt@barracuda.com
CONFIDENTIAL & PROPRIETARY
1
Evolution Phase 0:
Control The Connection
• Everything focused on controlling the connection
• Proxy connections are everywhere
• No direct connections to backend servers
• Multi-Zone Architecture
• Defining what is allowed or not allowed in each layer
• Network firewalls everywhere controlling connections
between zones
• Who talks to whom
• Where they are allowed to come from
If you can keep the “bad” connections out, put everything
into zones and then control access between zones, then
life will be good!
Evolution Phase 1.0:
Prevent interception en route
• Content can get intercepted en route and modified/compromised
• Especially true as traffic gets sent out over the Internet
• Proliferation of public facing applications for customers and partners
• Encryption of content en route seen as the solution to this problem
• Use SSL on anything & everything carrying sensitive information or data (today that means TLS; SSL 2.0 and 3.0 are deprecated protocols)
We already control connections, now all we need to do is make sure traffic does not get hijacked en route and life will be good!
Evolution Phase 2.0:
Inspection of Application Content
• Rise of Application Layer attacks
• Hackers shift tactics to exploit the new weak link
• 70-90% of attacks focused on the application layer
• These new attacks are “invisible” to network firewalls
• Port 80 & 443 traffic has to be let through, and the attack rides inside it
• The Rise of the Web App Firewall (WAF)
• Can inspect application layer content
• Block malicious content
• New phrase: “Do you block the OWASP Top 10?”
We already control connections and ensure traffic does not get hijacked en route, now all we need to do is inspect application layer content and life will be good!
So What’s Next?
• The world continues to change and the bad guys continue to change what they do
• Requirements and deployments continue to evolve
• No more controlled access points or access devices
• BYOD for corporate B2B apps
• Explosion of access devices (mobile, etc.) for B2C
• Separation of identity and access management from application logic
• Single sign on systems outside traditional application logic
• P.S. There is no silver bullet!
Let’s look at the different systems and solutions we have in place and see whether integration and “better together” approaches deliver any benefits.
Consolidation Drives Architecture Evolution
[Diagram: functions that have consolidated into the Barracuda Web Application Firewall sitting between the perimeter and the servers: Load Balancing, SSL Accelerators, Caching, Access Control, Web & XML Security]
Why Integrate your WAF & IAM
Systems?
• Where’s the best place to verify & control user access?
• When they first enter your network
• A WAF in reverse proxy mode at the edge of the network is perfectly positioned for this
• Inspect content AND verify users before passing anything to the backend
• The proxy connection provides isolation from backends as well as better ability to manage user connections to the various apps/sites
• Holistic view and reporting to easily identify issues
• Simpler deployment architecture
• Simpler is better
• Less complexity to manage
• Cost reductions from fewer agents & operational effectiveness
More Than Just A WAF
[Diagram: Barracuda Web Application Firewall at the centre, with Authentication, Authorization, Single Sign On and Reporting around it: “Intelligent Integration”]
Barracuda Networks Confidential
Non-Integrated Approach
[Diagram: Business Partner → Internet → Barracuda Web App Firewall → application Start Page, with the External Authentication System (LDAP, RADIUS…) behind the application]
1. Initial access: the request is proxied through the WAF to the application’s start page
2. The start page asks the user to supply User-ID and Password
3. User supplies credentials
4. DB verification against the External Authentication System (LDAP, RADIUS…)
5. Access after successful sign on
Integration between WAF & IAM
[Diagram: Business Partner → Internet → Barracuda Web App Firewall, which itself prompts for User-ID and Password and checks them against the External Authentication System (LDAP, RADIUS…) before the Start Page is reached]
1. Initial access
2. The WAF asks the user to supply User-ID and Password
3. User supplies credentials
4. DB verification against the External Authentication System (LDAP, RADIUS…)
5. Access after successful sign on
Barracuda Web Application Firewall proxies authentication: no access to the back end service until sign on is complete
User DB: internal BWF stored user database (for lab, etc.); for production it accesses the corporate database: LDAP, RADIUS
Client Certificates: digital certificate based authentication can also be used for additional security
Authentication
• Single factor or multi factor authentication
• One time password
• LDAP / RADIUS integration
• Client Certificates
• RSA SecurID®
• CA SiteMinder®
[Diagram, Authentication / Authorization: Estore application with www.estore.com/purchase/ for Customers and www.estore.com/admin (Admin Portal) for the Administrator; user stores: Local User Database, LDAP / RADIUS Database]
Authorization
• Based on roles / groups
• Granular control for different sections of the application
[Diagram, Authentication / Authorization: the same Estore application, Customers → www.estore.com/purchase/, Administrator → www.estore.com/admin (Admin Portal); user stores: Local User Database, LDAP / RADIUS Database]
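The pipeline the preceding slides describe (inspect content first, prompt for credentials at the proxy, verify them against the user store, then enforce role-based access to /purchase/ and /admin, with the backend unreachable until all of that passes) as an added worked example. This is illustrative Python written for this page, not Barracuda code; the sample users, the PBKDF2 password store, the session cookie, the prefix policy table and the traversal/size checks in inspect() are assumptions standing in for the local DB / LDAP / RADIUS back end and for the WAF rule set.

```python
"""Reverse proxy that inspects each request, then authenticates and
authorizes the user, and only then forwards to the backend.
Illustrative code for this page, not product code; user store, session
handling and policy format are assumptions made for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Stand-in for the user store (local DB in the lab, LDAP/RADIUS in production).
# Constructed sample users; passwords are kept only as PBKDF2 hashes.
_SALT = b"demo-salt-only"  # assumption: a fixed salt is fine for a two-user demo

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {
    "alice": {"hash": _pbkdf2("customer-pw"), "roles": {"customer"}},
    "root": {"hash": _pbkdf2("admin-pw"), "roles": {"administrator"}},
}

# URL prefix -> roles allowed; first match wins, no match means deny.
POLICY = [
    ("/admin", {"administrator"}),
    ("/purchase/", {"customer", "administrator"}),
]

SESSIONS: dict = {}  # session token -> username (in-memory for the example)

@dataclass
class Request:
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)

def authenticate(user: str, password: str) -> Optional[str]:
    """Check credentials against the store; return a fresh session token or None."""
    record = USERS.get(user)
    # Always hash and compare in constant time so an unknown user costs the
    # same as a wrong password (no username enumeration by timing).
    expected = record["hash"] if record else _pbkdf2("")
    if not (hmac.compare_digest(_pbkdf2(password), expected) and record):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def authorize(user: str, path: str) -> bool:
    """Role check against POLICY; any path without a rule is denied."""
    for prefix, roles in POLICY:
        if path.startswith(prefix):
            return bool(USERS[user]["roles"] & roles)
    return False

def inspect(req: Request) -> Optional[str]:
    """Minimal content inspection standing in for the WAF rule set.
    Returns a block reason, or None when the request may proceed."""
    if ".." in req.path or "\x00" in req.path:
        return "path traversal"
    if any(len(v) > 4096 for v in req.form.values()):
        return "oversized parameter"
    return None

def backend(req: Request, user: str) -> Response:
    """Stand-in for the protected application; reachable only via handle()."""
    return Response(200, f"{user} served {req.path}")

def handle(req: Request) -> Response:
    """Inspect, authenticate, authorize, forward: the backend never sees
    a malicious or unauthenticated request."""
    reason = inspect(req)
    if reason:
        return Response(403, f"blocked: {reason}")
    if req.path == "/login":
        token = authenticate(req.form.get("user", ""), req.form.get("password", ""))
        if token is None:
            return Response(401, "bad credentials")
        return Response(302, headers={"Set-Cookie": f"sid={token}; HttpOnly; Secure",
                                      "Location": "/purchase/"})
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return Response(302, headers={"Location": "/login"})  # prompt at the proxy
    if not authorize(user, req.path):
        return Response(403, "forbidden")
    return backend(req, user)
```

handle() answers 302 to /login for anyone without a session, 401 for bad credentials, 403 for a blocked request or a role mismatch, and only on success calls backend(). The policy is default deny: a path with no POLICY entry is refused even for the administrator, and the inspection step runs before authentication so a malicious request is dropped without ever touching the user store.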
Single Sign On
• Single domain / Multi domain SSO
• Integration with SiteMinder for a comprehensive solution
[Diagram, Authentication / Authorization: Customers sign on once and reach both the Airlines application (www.airlines.com) and the Rentals Portal (www.rentals.com); user stores: Local User Database, LDAP / RADIUS Database]
Reporting
• Detailed logs and reports
• Integration with SIEM tools
• ArcSight
• Splunk
• RSA enVision
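One way to feed the SIEM integration the slide lists, as an added example: a formatter that emits the proxy’s access decisions in ArcSight’s Common Event Format (CEF), a line format that other SIEMs can also accept. This is illustrative Python written for this page, not product code; the vendor/product strings, signature IDs and severity numbers are placeholders, while the header layout, the extension field names (suser, src, request, act, msg) and the escaping rules follow the CEF specification.

```python
"""Emit proxy access decisions as CEF lines for a SIEM.
Illustrative code for this page, not product code; vendor, product,
signature IDs and severities are placeholders chosen for the example."""

def _esc_header(value: str) -> str:
    # CEF header fields: backslash and pipe are the reserved characters.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value: str) -> str:
    # CEF extension values: backslash and '=' are reserved; line breaks
    # become literal \r and \n so one event stays on one line.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def cef_event(vendor: str, product: str, version: str, sig_id: str,
              name: str, severity: int, **ext) -> str:
    """Build one CEF:0 line; keyword arguments must be CEF extension field names."""
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity is an integer 0-10")
    header = "|".join(_esc_header(str(f))
                      for f in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

# Placeholder severities per decision type (assumption for the example).
_SEVERITY = {"allowed": 2, "forbidden": 6, "blocked": 8}

def access_decision_event(user: str, src_ip: str, path: str,
                          decision: str, reason: str = "") -> str:
    """Map a proxy authn/authz decision to a CEF line; decision is a _SEVERITY key."""
    return cef_event("ExampleWAF", "Reverse Proxy", "1.0",
                     f"access-{decision}", f"Access {decision}",
                     _SEVERITY[decision],
                     suser=user, src=src_ip, request=path,
                     act=decision, msg=reason)
```

The escaping is the part worth getting right: a pipe in the name field or an equals sign in a user-controlled value such as the request path would otherwise shift columns and let an attacker forge fields in the event the SIEM stores.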
What are your next evolutionary steps?
Thank You!