WAF and Identity and Access Management Integration


Page 1: WAF and Identity and Access Management Integration

CONFIDENTIAL & PROPRIETARY 1

WAF and Identity and Access Management Integration

The Next Step in the Evolution of Application Security Best Practices

Jan Poczobutt [email protected]

Page 2: WAF and Identity and Access Management Integration


Evolution Phase 0: Control The Connection

• Everything focused on controlling the connection
• Proxy connections are everywhere
  • No direct connections to backend servers
• Multi-Zone Architecture
  • Defining what is allowed or not allowed in each layer
  • Network firewalls everywhere controlling connections between zones
    • Who talks to whom
    • Where they are allowed to come from

If you can keep the “bad” connections out, put everything into zones and then control access between zones, then life will be good!

Page 3: WAF and Identity and Access Management Integration


Evolution Phase 1.0: Prevent Interception en Route

• Content can get intercepted en route and modified/compromised
  • Especially true as traffic gets sent out over the Internet
  • Proliferation of public-facing applications for customers and partners
• Encryption of content en route seen as the solution to this problem
  • Use SSL on anything & everything with sensitive info or data

We already control connections; now all we need to do is make sure traffic does not get hijacked en route and life will be good!

Page 4: WAF and Identity and Access Management Integration


Evolution Phase 2.0: Inspection of Application Content

• Rise of application-layer attacks
  • Hackers shift tactics to exploit the new weak link
  • 70-90% of attacks focused on the application layer
• These new attacks are “invisible” to network firewalls
  • Port 80 & 443 traffic needs to be passed through
• The rise of the Web Application Firewall (WAF)
  • Can inspect application-layer content
  • Block malicious content
• New phrase: “Do you block the OWASP Top 10?”

We already control connections and ensure traffic does not get hijacked en route; now all we need to do is inspect application-layer content and life will be good!

Page 5: WAF and Identity and Access Management Integration


So What’s Next?

• The world continues to change and the bad guys continue to change what they do.
• Requirements and deployments continue to evolve
  • No more controlled access points or access devices
    • BYOD for corporate B2B apps
    • Explosion of access devices (mobile, etc.) for B2C
  • Separation of identity and access management from application logic
    • Single sign-on systems outside traditional application logic
• P.S. There is no silver bullet!

Let’s look at the different systems and solutions we have in place to see if integration and “better together” approaches deliver any benefits to us.

Page 6: WAF and Identity and Access Management Integration


Consolidation Drives Architecture Evolution

[Diagram: between the perimeter and the servers, functions that were once separate devices (SSL accelerators, Web & XML security, caching, load balancing, access control) consolidate onto Barracuda Web Application Firewalls]

Page 7: WAF and Identity and Access Management Integration


Why Integrate your WAF & IAM Systems?

• Where’s the best place to verify & control user access?
  • When they first enter your network
  • A WAF in reverse proxy at the edge of the network is perfectly positioned for this
  • Inspect content AND verify users before passing anything back
  • Proxy connection provides isolation from backends as well as better ability to manage the user connections to various apps/sites
• Holistic view and reporting to easily identify issues
• Simpler deployment architecture
  • Simpler is better
  • Less complexity to manage
  • Cost reductions from fewer agents & operational effectiveness

Page 8: WAF and Identity and Access Management Integration


More Than Just A WAF

Barracuda Networks Confidential

[Diagram: Barracuda Web Application Firewall at the centre, labelled “Intelligent Integration”, surrounded by Single Sign On, Authorization, Authentication and Reporting]

Page 9: WAF and Identity and Access Management Integration


Non-Integrated Approach

[Diagram: Business Partner on the Internet, Barracuda Web App Firewall, Start Page, External Authentication System (LDAP, RADIUS…)]

1. Initial access
2. Please supply User ID / Password
3. User supplies credentials
4. DB verification
5. Access after successful sign-on

Page 10: WAF and Identity and Access Management Integration


Integration between WAF & IAM

[Diagram: Business Partner on the Internet, Barracuda Web App Firewall, Start Page, External Authentication System (LDAP, RADIUS…)]

1. Initial access
2. Please supply User ID / Password
3. User supplies credentials
4. DB verification
5. Access after successful sign-on

• Barracuda Web Application Firewall proxies authentication: no access to the back-end service until sign-on is complete
• User DB: internal BWF-stored user database (for lab, etc.); accesses the corporate database for production: LDAP, RADIUS
• Client certificates: digital-certificate-based authentication can also be used for additional security

Page 11: WAF and Identity and Access Management Integration

Authentication

[Diagram: Administrator and Customers authenticate against a Local User Database or LDAP / RADIUS Database; Authentication / Authorization sits in front of the Estore application (www.estore.com/purchase/) and the Admin Portal (www.estore.com/admin)]

• Single-factor or multi-factor authentication
• One-time password
• LDAP / RADIUS integration
• Client certificates
• RSA SecurID®
• CA SiteMinder®

Page 12: WAF and Identity and Access Management Integration

Authorization

[Diagram: same topology as the Authentication slide: Administrator and Customers, Local User Database, LDAP / RADIUS Database, Authentication / Authorization in front of www.estore.com/purchase/ and www.estore.com/admin]

• Based on roles / groups
• Granular control for different sections of the application
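The two slides above describe the integrated flow (the WAF proxies sign-on and nothing reaches the back end until it completes) and role/group-based authorization per application section. The following is an added example, not Barracuda code and not the product's configuration: a small Python policy gate that models that front-door behaviour. The user store, group names, password hashing scheme, path rules (/admin for administrators, /purchase/ for customers) and audit-record format are all assumptions constructed for the example; a real deployment would back the store with LDAP/RADIUS as the slides say.

```python
"""Toy reverse-proxy policy gate (added example, not Barracuda code).

Models the slide flow: request -> no session -> sign-on required;
credentials verified against a user store; then per-path authorization
by group before anything is forwarded to the backend.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the store keeps only salt + hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    groups: frozenset


class UserStore:
    """Stands in for the slides' Local User Database / LDAP (constructed, in-memory)."""

    def __init__(self) -> None:
        self._users: dict[str, User] = {}

    def add(self, name: str, password: str, groups) -> None:
        salt = secrets.token_bytes(16)
        self._users[name] = User(name, salt, _hash_password(password, salt), frozenset(groups))

    def verify(self, name: str, password: str) -> Optional[User]:
        user = self._users.get(name)
        if user is None:
            _hash_password(password, b"\0" * 16)  # same work for unknown names (timing)
            return None
        if hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return user
        return None


# Authorization rules (assumed): longest matching path prefix wins, no match = deny.
ACCESS_RULES = [
    ("/admin", frozenset({"administrators"})),
    ("/purchase/", frozenset({"customers", "administrators"})),
    ("/", frozenset({"customers", "administrators"})),
]


def groups_for_path(path: str) -> Optional[frozenset]:
    matches = [(p, g) for p, g in ACCESS_RULES if path.startswith(p)]
    if not matches:
        return None  # default deny
    return max(matches, key=lambda m: len(m[0]))[1]


@dataclass
class Decision:
    action: str  # "forward" | "login_required" | "forbidden"
    user: Optional[str]
    reason: str


class ProxyGate:
    """Front door: the backend is reached only through a "forward" decision."""

    def __init__(self, store: UserStore) -> None:
        self.store = store
        self.sessions: dict[str, User] = {}
        self.audit: list[dict] = []  # decision records, what a SIEM would ingest

    def _log(self, event: str, user: Optional[str], path: str = "") -> None:
        self.audit.append({"event": event, "user": user, "path": path})

    def login(self, username: str, password: str) -> Optional[str]:
        """Steps 3-4: the gate verifies credentials; backend is not involved."""
        user = self.store.verify(username, password)
        if user is None:
            self._log("login_failed", username)
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        self._log("login_ok", username)
        return token

    def request(self, path: str, session_token: Optional[str] = None) -> Decision:
        """Steps 1, 2 and 5: unauthenticated requests never reach the backend."""
        user = self.sessions.get(session_token) if session_token else None
        if user is None:
            decision = Decision("login_required", None, "no valid session; show sign-on page")
        else:
            allowed = groups_for_path(path)
            if allowed is None or not (user.groups & allowed):
                decision = Decision("forbidden", user.name, f"groups {sorted(user.groups)} not allowed for {path}")
            else:
                decision = Decision("forward", user.name, "authenticated and authorized; proxy to backend")
        self._log(decision.action, decision.user, path)
        return decision


def build_demo() -> ProxyGate:
    """Constructed users: one administrator, one customer."""
    store = UserStore()
    store.add("alice", "correct horse battery staple", ["administrators"])
    store.add("bob", "bob-customer-pw", ["customers"])
    return ProxyGate(store)


if __name__ == "__main__":
    gate = build_demo()
    print(gate.request("/purchase/cart").action)      # login_required
    bob = gate.login("bob", "bob-customer-pw")
    print(gate.request("/purchase/cart", bob).action)  # forward
    print(gate.request("/admin", bob).action)          # forbidden
    for record in gate.audit:
        print(record)
```

The point the slides make is visible in `request`: authorization is evaluated only after a valid session exists, and a "forward" decision is the only path to the backend, so an unauthenticated client never touches application code. Every decision lands in `audit`, which is the material the Reporting slide's SIEM integration would consume.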

Page 13: WAF and Identity and Access Management Integration

Single Sign On

[Diagram: Customers, Local User Database, LDAP / RADIUS Database, Authentication / Authorization in front of the Airlines application (www.airlines.com) and the Rentals Portal (www.rentals.com)]

• Single-domain / multi-domain SSO
• Integration with SiteMinder for a comprehensive solution

Page 14: WAF and Identity and Access Management Integration

Reporting

• Detailed logs and reports
• Integration with SIEM tools
  • ArcSight
  • Splunk
  • RSA enVision

Page 15: WAF and Identity and Access Management Integration


What are your next evolutionary steps?

Thank You!