WAF and Identity and Access Management Integration
Transcript of WAF and Identity and Access Management Integration
CONFIDENTIAL & PROPRIETARY 1
WAF and Identity and Access Management Integration
The Next Step in the Evolution of Application Security Best Practices
Evolution Phase 0: Control The Connection
• Everything focused on controlling the connection
• Proxy connections are everywhere
• No direct connections to backend servers
• Multi-zone architecture
  • Defining what is allowed or not allowed in each layer
  • Network firewalls everywhere controlling connections between zones
  • Who talks to whom
  • Where they are allowed to come from
If you can keep the “bad” connections out, put everything into zones and control access between zones, life will be good!
Evolution Phase 1.0: Prevent Interception En Route
• Content can get intercepted en route and modified/compromised
  • Especially true as traffic gets sent out over the Internet
  • Proliferation of public-facing applications for customers and partners
• Encryption of content en route seen as the solution to this problem
  • Use SSL (today TLS) on anything & everything with sensitive info or data
We already control connections; now all we need to do is make sure traffic does not get hijacked en route and life will be good!
Evolution Phase 2.0: Inspection of Application Content
• Rise of application-layer attacks
  • Hackers shift tactics to exploit the new weak link
  • 70-90% of attacks focused on the application layer
• These new attacks are “invisible” to network firewalls
  • Port 80 & 443 traffic needs to be passed through
• The rise of the Web Application Firewall (WAF)
  • Can inspect application-layer content
  • Block malicious content
• New phrase: “Do you block the OWASP Top 10?”
We already control connections and ensure traffic does not get hijacked en route; now all we need to do is inspect application-layer content and life will be good!
So What’s Next?
• The world continues to change, and the bad guys continue to change what they do.
• Requirements and deployments continue to evolve
  • No more controlled access points or access devices
  • BYOD for corporate B2B apps
  • Explosion of access devices (mobile, etc.) for B2C
• Separation of identity and access management from application logic
  • Single sign-on systems outside traditional application logic
• P.S. There is no silver bullet!
Let’s look at the different systems and solutions we already have in place and see whether integration and “better together” approaches deliver any benefits.
Consolidation Drives Architecture Evolution
[Diagram: functions that used to be separate boxes consolidating at the perimeter in front of the servers: SSL accelerators, web & XML security, caching, load balancing and access control, all folded into the Barracuda Web Application Firewalls]
Why Integrate your WAF & IAM Systems?
• Where’s the best place to verify & control user access?
  • When they first enter your network
  • A WAF deployed as a reverse proxy at the edge of the network is perfectly positioned for this
  • Inspect content AND verify users before passing anything back
  • The proxy connection provides isolation from the backends as well as a better ability to manage user connections to the various apps/sites
• Holistic view and reporting to easily identify issues
• Simpler deployment architecture
  • Simpler is better
  • Less complexity to manage
  • Cost reductions from fewer agents & operational effectiveness
This only holds if the backends accept connections from the proxy alone (the Phase 0 point above): a backend that is reachable directly bypasses both the content inspection and the sign-on check.
More Than Just A WAF
[Diagram: the Barracuda Web Application Firewall at the centre, with Authentication, Authorization, Single Sign-On and Reporting arranged around it under the heading “Intelligent Integration”]
Barracuda Networks Confidential 8
Non-Integrated Approach
[Diagram: a business partner on the Internet reaches the start page through the Barracuda Web App Firewall; the application behind it performs the sign-on against an external authentication system (LDAP, RADIUS, …)]
1. Initial access
2. Application prompts: “Please supply User ID / Password”
3. User supplies credentials
4. DB verification against the external authentication system
5. Access after successful sign-on
Integration between WAF & IAM
[Diagram: the same flow, a business partner on the Internet reaching the start page, but here the Barracuda Web App Firewall itself runs the sign-on against the external authentication system (LDAP, RADIUS, …)]
1. Initial access
2. WAF prompts: “Please supply User ID / Password”
3. User supplies credentials
4. DB verification
5. Access after successful sign-on
• The Barracuda Web Application Firewall proxies authentication: no access to the back-end service until sign-on is complete
• User DB: internal BWF stored user database (for lab use, etc.)
• Accesses the corporate database for production: LDAP, RADIUS
• Client certificates: digital-certificate-based authentication can also be used for additional security
Authentication
[Diagram: customers reach the Estore application at www.estore.com/purchase/ and the administrator reaches the Admin Portal at www.estore.com/admin; the WAF performs authentication/authorization in front of both against a local user database or an LDAP/RADIUS database]
• Single-factor or multi-factor authentication
• One-time password
• LDAP / RADIUS integration
• Client certificates
• RSA SecurID®
• CA SiteMinder®
Authorization
[Diagram: the same Estore / Admin Portal deployment as on the previous slide, with customers mapped to www.estore.com/purchase/ and the administrator to www.estore.com/admin]
• Based on roles / groups
• Granular control for different sections of the application (in the diagram, customers may reach /purchase/ while only the administrator may reach /admin)
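As an added example (not Barracuda's code and not the product's configuration), here is the gating logic the integrated approach and the authorization slide describe, written in Python: a reverse-proxy decision function that refuses to forward anything to the back end until the user has signed on, then applies a group-based policy per section of the site. The user store, password hashes, group names, cookie name and path policy are constructed for the Estore / Admin Portal scenario; a production deployment would query LDAP or RADIUS instead of the in-memory table.

```python
"""Added example of edge sign-on gating plus role-based section policy,
in the spirit of the deck's integrated WAF/IAM flow. Not Barracuda code;
the user store, groups and path policy are constructed for illustration."""
from __future__ import annotations

import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed user store standing in for the "internal stored user database"
# (or LDAP/RADIUS in production). Passwords are kept as salted PBKDF2 hashes.
_SALT = b"constructed-demo-salt"          # use one random salt per user in real deployments

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USER_DB = {
    "alice": {"hash": _pbkdf2("customer-pass"), "groups": {"customers"}},
    "bob":   {"hash": _pbkdf2("admin-pass"),    "groups": {"administrators"}},
}

# Section policy modelled on the Estore diagram: most specific prefix first.
POLICY = [
    ("/admin",    {"administrators"}),
    ("/purchase", {"customers", "administrators"}),
    ("/",         {"customers", "administrators"}),   # anything else: any signed-on user
]
PUBLIC_PATHS = {"/login"}   # the only thing an anonymous client may reach

@dataclass
class Decision:
    action: str                      # "forward", "login" or "deny"
    user: Optional[str] = None
    reason: str = ""

def _normalize(path: str) -> str:
    # Collapse "..", "." and "//" so "/purchase/../admin" is judged as "/admin";
    # matching the raw path would let a customer walk into the admin section.
    return "/" + posixpath.normpath(path).lstrip("/")

def _matches(path: str, prefix: str) -> bool:
    # Segment-aware prefix match: "/purchaser" must not match the "/purchase" rule.
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")

class Gate:
    """The WAF-side state: live sessions. Nothing reaches the back end
    until decide() returns "forward"."""

    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}   # session id -> username

    def authenticate(self, username: str, password: str) -> Optional[str]:
        rec = USER_DB.get(username)
        # Always hash, and compare in constant time, so an unknown user costs
        # the same as a wrong password.
        candidate = _pbkdf2(password)
        if rec is None or not hmac.compare_digest(rec["hash"], candidate):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def decide(self, raw_path: str, cookies: dict[str, str]) -> Decision:
        path = _normalize(raw_path)
        if path in PUBLIC_PATHS:
            return Decision("forward", reason="public path")
        user = self.sessions.get(cookies.get("waf_session", ""))
        if user is None:
            return Decision("login", reason="no valid session; back end not contacted")
        groups = USER_DB[user]["groups"]
        for prefix, allowed in POLICY:
            if _matches(path, prefix):
                if groups & allowed:
                    return Decision("forward", user, f"{path} allowed by rule {prefix}")
                return Decision("deny", user, f"{prefix} requires {sorted(allowed)}")
        return Decision("deny", user, "no matching rule")
```

The two details worth copying are in `_normalize` and `_matches`: a section policy that compares the raw request path lets `/purchase/../admin` or `//admin` slip past the `/admin` rule, and a plain `startswith` lets a sibling path such as `/purchaser` inherit a rule meant for `/purchase`.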
Single Sign On
[Diagram: customers sign on once and reach both the Airlines application at www.airlines.com and the Rentals Portal at www.rentals.com; the WAF authenticates them against a local user database or an LDAP/RADIUS database]
• Single-domain / multi-domain SSO
• Integration with SiteMinder for a comprehensive solution
A session cookie set for www.airlines.com is never sent to www.rentals.com, so multi-domain SSO needs a cross-domain handoff (for example a redirect carrying a short-lived token) rather than a shared cookie.
Reporting
• Detailed logs and reports
• Integration with SIEM tools
  • ArcSight
  • Splunk
  • RSA enVision
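As an added example (not Barracuda's log format or SIEM connector), the following Python shows what SIEM integration involves on the wire: WAF sign-on and authorization decisions serialised as ArcSight CEF lines with the format's escaping rules applied, parsed back the way a collector would, and a simple correlation over a constructed batch that surfaces a source with repeated sign-on failures. The vendor, product and signature identifiers, the decision names and the sample events are made up for the example.

```python
"""Added example (not Barracuda's log schema): WAF decisions as CEF lines
for a SIEM such as ArcSight, a collector-side parser, and a small
correlation over a constructed batch of events."""
import re
from collections import Counter

# signature id, name and severity (0-10) per decision; constructed values
EVENTS = {
    "forward":     ("100", "Request forwarded",    1),
    "login":       ("101", "Sign-on required",     2),
    "auth_failed": ("102", "Sign-on failed",       5),
    "deny":        ("103", "Authorization denied", 7),
}

def _esc_header(v: str) -> str:
    # Header fields are pipe-delimited: escape backslash and pipe.
    return v.replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(v: str) -> str:
    # Extension values: escape backslash, '=' and line breaks (pipes are fine here).
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(action: str, src_ip: str, path: str, user: str = None, reason: str = "") -> str:
    sig, name, sev = EVENTS[action]
    header = "|".join(["CEF:0", _esc_header("ExampleVendor"), _esc_header("EdgeAuthGate"),
                       "1.0", sig, _esc_header(name), str(sev)])
    ext = {"src": src_ip, "request": path, "act": action}
    if user:
        ext["suser"] = user
    if reason:
        ext["reason"] = reason
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())

def _unescape(v: str) -> str:
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append({"n": "\n", "r": "\r"}.get(v[i + 1], v[i + 1]))
            i += 2
        else:
            out.append(v[i])
            i += 1
    return "".join(out)

# key=value pairs; a value runs until the next " key=" token, honouring escapes
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s\w+=|$)")

def parse_cef(line: str) -> dict:
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:      # seven header fields
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped pipe or backslash
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    ext = {k: _unescape(v) for k, v in _EXT_RE.findall(line[i:])}
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "sig": fields[4], "name": fields[5], "severity": int(fields[6]), **ext}

def repeated_failures(lines, threshold: int = 3) -> dict:
    """Sources with at least `threshold` sign-on failures in the batch."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        if ev["sig"] == EVENTS["auth_failed"][0]:
            counts[ev["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed batch: one source failing sign-on against three accounts, one
# legitimate customer who then strays into the admin section.
SAMPLE = [
    to_cef("auth_failed", "203.0.113.9", "/login", user="alice", reason="bad password"),
    to_cef("auth_failed", "203.0.113.9", "/login", user="bob", reason="bad password"),
    to_cef("auth_failed", "203.0.113.9", "/login", user="carol", reason="bad password"),
    to_cef("forward", "198.51.100.7", "/purchase/cart", user="alice"),
    to_cef("deny", "198.51.100.7", "/admin", user="alice", reason="/admin requires group=administrators"),
]
```

Splunk and RSA enVision would receive the same lines over syslog. The escaping is the part that matters for correlation: a request path or user name containing `=` or a backslash must not be able to split or merge the key/value fields the SIEM keys on, and a `|` in a header field must not shift the signature and severity columns.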
What are your next evolutionary steps?
Thank You!