LBL Application Availability Infrastructure Unified Secure Reverse Proxy

Transcription

1 LBL Application Availability Infrastructure Unified Secure Reverse Proxy Valerio Mezzalira

2 TCOGROUP Company Outline Mission: Development of Software Tools Aimed at Enhancing High Availability (HA) of IT in Mission Critical and Business Critical Environments Main Focus: HA, Business Continuity, and Disaster-Recovery Target Markets: Finance, TELCO, e-commerce, Healthcare, Transportation, Energy Oil & Gas, Manufacturing, Education, Public Administrations, Service Providers

3 The Reference Scenario IT services evolution: Security, Performance, Control by design SSO Analysis & Reporting Billing Security Speed & Performance Full Availability Solution Features IaaS OpenStack SDN

4 The Reference Scenario IT services evolution: from individual application... Service Layers Network Security Application Database SAN

5 The Reference Scenario... to service... Service Layers Network Security Reverse-proxy B Application B Reverse-proxy A Application A Reverse-proxy C Application C Reverse-proxy DBMS A Reverse-proxy DBMS B Database Reverse-proxy DBMS DBMS A C Database DBMS B Database DIRSRV Reverse-proxy DIRSRV SAN Virtualization SAN Database Text Database img Database logs

6 LBL LoadBalancer Unified Reverse Proxy Service Layers Network Application A Security Application C Application B Remote Desktop Network File System Database DIRSRV Unified Reverse Proxy Database Text Exchange Database img SAN Virtualization SAN

7 LBL LoadBalancer Unified Reverse Proxy Service Layers Network Application A Security Application C Application B Remote Desktop Network File System Database DIRSRV Unified Reverse Proxy Database Text Exchange Database img SAN Virtualization SAN

8 LBL LoadBalancer Unified Reverse Proxy Service Layers Network Application B Application A Security Application C Dynamic Path Remote Desktop Network File System Database DIRSRV Unified Reverse Proxy Database Text Exchange Database img SAN Virtualization SAN

9 LBL LoadBalancer Unified Reverse Proxy Business Continuity Sites Primary building Secondary building Disaster Recovery Site

10 LBL LoadBalancer Unified Reverse Proxy Business Continuity Sites Primary building Secondary building Disaster Recovery Site

11 LBL LoadBalancer Unified Reverse Proxy ON CLOUD Border Router Protocol (Amazon Regions Compliant) DoS/DDoS resolver DoS/DDoS Resolver

12 Header rewriting GET / HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv: ) Gecko/ Firefox/3.6.2 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip,deflate Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Cookie: LBLSESSIONID= ; TCOPROJECTAUTH= ; TCOPROJECTSESSIONID= L7 HTTP/S / L4 TCP/UDP Contents rewriting Content inspection and rewriting of data streams through regular expressions or/and by easy java programming (call-back). LBL Content Rewriter allows you to perform complex operations by SSO integration and actively intervene in relation to the content or quantity of data traffic load. /* Linee di inclusione titolo e bottom della pagina */ td.encloserline { height: 2px; background-color: rgb(51, 51, 255); } /* Tabella di contenuti */ table.contenttable { text-align: left; width: 100%; } /* titolo del paragrafo */ td.paragraphtitle { text-align: left; color: black; font-weight: bold; font-style: italic; background-color: rgb(255, 143, 89); } Body rewriting /* corpo del paragrafo */ td.paragraphbody { text-align: left; }

13 TLS & Certificates management A<----SSL---->LBL<----NOSSL---->B A<----SSLa-m---->LBL<----SSLm-b---->B (1) (3) host: localhost user-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; it; rv: ) Gecko/ Firefox/3.6.3 (.NET CLR ) accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3 accept-encoding: gzip,deflate accept-charset: ISO ,utf-8;q=0.7,*;q=0.7 keep-alive: 115 connection: keep-alive referer: cookie: LBLSESSIONID= content-type: application/x-www-form-urlencoded content-length: 33 x-fwdcertserialnumber_0: x-fwdcertdatenotbefore_0: :19:17.0 UTC x-fwdcertdatenotafter_0: :19:17.0 UTC x-fwdcertsubject_0: CN=clientname, OU=clientlob, O=clientcompany, L=clientcountry, ST=clientdistrict, C=IT x-fwdcertissuer_0: CN=clientname, OU=clientlob, O=clientcompany, L=clientcountry, ST=clientdistrict, C=IT x-fwdcertencodedpem_0: -----BEGIN+CERTIFICATE---- 0AMIICdTCCAd6gAwIBAgIETHEVxTANBgkqhkiG9w0BAQUFADB2FMQswCQYDVQQGEwJJVDEXMBUGA1UECBMOY2xpZW50ZGlzdHJp0AY3QxFjAU BgNVBAcTDWNsaWVudGNvdW50cnkxFjAUBgNVBAoTDWNsaWVudGNvbXBhbnkxEjAQBgNVBAsTCWNsaWVudGxvYjET0AMBEGA1UEAxMKY2xpZW 50bmFtZTAeFw0xMDA4MjIxMjE5MTdaFw0xMTA4MjIxMjE5MTdaMH8xCzAJBgNVBAYTAklUMRcwFQYD0AVQQIEw5jbGllbnRkaXN0cmljdDEWMBQG A1UEBxMNY2xpZW50Y291bnRyeTEWMBQGA1UEChMNY2xpZW50Y29tcGFueTESMBAG0AA1UECxMJY2xpZW50bG9iMRMwEQYDVQQDEwpjbGllbnR uyw1lmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcgmdlc3mhc0arflqnppgubfg2yyvnbuejsarzn6l0cjcqxlqpfmrh0npridg2blsp98tisi2bk Mlcxbvl3Y6Dk6QTUCw1AxN7vUUapZ4tJBwzM0AUACAYp6HCr1tFTvgU8XQui74hqkcZjSPOSvoX2BuIjmSl832O6Iu0hoG0GPE2FqF3THQIDAQABMA0GCS qgsib3dqebbquaa4gb0aadumybb76yzrcgvvdjttqnltfcxrwunkj2qkbdde9esp2f9h8zqucowcig5pj0zryyapfqsowwdz18rut1scqeux2%2f7l2f 2FFyk0AEeSVL8mr9eB4mMxgACNFn6GzUTkUD2PBO5HNBc9TcKvEzTtTP35x13pNTaWvhNBL2Li09y5xUfIi%0D%0A----END+CERTIFICATE----- %0D%0A x-forwarded-for: TLS Termination & Spontaneous offloading Client Certificate forwarding (Integrating J2EE application with no change) TLS Re-encryption

14 TLS-SNI (Server Name Indication) public network TLS handshake using SNI Client Hello requesting secursite2.com Server Hello secursite2.com certificate Listen on port 80 DNS: No number certificates limits per address/port More certificates container with different passwords

15 SUCCESS STORIES Microsoft TMG replacement from 2011

16 LBL Application Availability Infrastructure ALL ASL / Health for Regione Sardegna (over 7 years of uninterrupted service) +CRESSAN

17 LBL LoadBalancer Unified Reverse Proxy Service Layers Network Application A Security Application C Application B Database DBMS A Network File System Database DIRSRV Unified Reverse Proxy Database Text Exchange Database img SAN Virtualization SAN

18 LBL LoadBalancer Unified Secure Reverse Proxy Service Layers Network Application A Application C Application B Remote Desktop Network File System Database DIRSRV Unified Reverse Proxy Security Database Text Exchange Database img SAN Virtualization SAN

19 LBL LoadBalancer Unified Secure Reverse Proxy Service Layers Network Application A Application B Remote Desktop Network File System Database DIRSRV Unified Secure Reverse Proxy Application C Database Text Database img Exchange SAN Virtualization SAN

20 LBL LoadBalancer Unified Secure Reverse Proxy Run-Time security Consumers Dispatcher Producers

21 LBL LoadBalancer Unified Secure Reverse Proxy Run-Time security Consumers Dispatcher Producers 1. Session Cookie 2. Set-Cookie app server generation 3. HSTS: Redirect from http to https 4. HSTS: Strict-Transport-Security injection on response 5. Check body lenght in POST no dependent by content-type / transfer enconding 6. DoS (Unique feature in today market) 7. DDoS (Unique feature in today market) 8. DDoS iredcarpet (Application Quality of Service) (Unique feature in today market) 9. Client SSL Protocols interceptor and tracing 10. SSL ciphers suite And Protocols Global / Listeners / Backend abilitations 11. SSO e client certificate management 12. XSS mitigation 13. END POINT MASKERATION

22 LBL LoadBalancer Unified Secure Reverse Proxy Run-Time security Consumers Dispatcher Producers Least priority DoS DDoS Attack Mitigation Least priority Very Important Person Least priority Very Important Person Least priority Very Important Person Very Important Person

23 LBL LoadBalancer Unified Secure Reverse Proxy Run-Time Tracing Consumers Dispatcher Producers LBL Traffic Monetizer Transactional data aggregation engine, tens millions of hits hour

24 LBL Unified Reverse Proxy Real-Time traffic analisys Consumers Dispatcher Producers Attack Prophecy

25 LBL Unified Reverse Proxy Real-Time reaction to Run-Time filtering Consumers Dispatcher Producers Attack Prophecy SOC

26 Cyber security cycle LBL Security cycle (compliance DPCM 24 gennaio 2013) External assessment Continuous assessment Add rules WAF DoS DDoS resolver WAF Event notification for authority Real-time Interceptions Real-time analisys Real-time Reaction Data aggregation Data collection

27 LBL Traffic Monetizer The best solution is the next generation systems Attack Prophecy SOC NOC APPLICATIONS BUSINESS

28 LBL A.A.I. TARGET

29 LBL A.A.I. products map LBL Application Availability Infrastructure WAF Developer WAF ADVANCED SECURITY LoadBalancer TRAFFIC DATA SECURITY LBL A.A.I. BC/DR Commander DNS & PROXY Manager Platform Standard HA Decision Engine WorkFlow Enterprise HA Selected Capacity S1 Selected Capacity S1 HA MANAGEMENT Management Console Selected Capacity S2 Selected Capacity S3 Selected Capacity S2 HA Selected Capacity S3 HA TRACING/SECURITY PERFORMANCE Traffic Monetizer Catalog Catalog Selected Capacity DoS/DDoS attack mitigation Attack Prophecy Customer Experience DB Embedded appliance

30 LBL A.A.I. DoS Attack Prevention LBL DoS DDoS Attack Prevention VIP iredcarpet Least priority Least priority Very Important Person Least priority Very Important Person Least priority Very Important Person Very Important Person

31 Thank you for your attention TCOGROUP S.r.l. TCO Software Group Inc.

32 LBL WAF DEVELOPER (Unique feature in today market) With consumer WAF developer there are multiple implementations in the dark. Everything that is implemented can be deeply tested before entry into production. The times of implementations are reduced from 1000 to 1. LBL WAF Developer allows you to follow the evolution of enterprise security, SSO, quickly adapting policies with drastic costs reduction and GUARANTEE OF A RESULT.