Daniel Estermann, M.Sc.

Size: px
Start display at page:

Download "Daniel Estermann, M.Sc."

Transcription

1 Web Applikationen: Die intelligente Kombination von Schutzmechanismen macht den Unterschied Daniel Estermann, M.Sc. Web Applikationen: Die intelligente Kombination von Schutzmechanismen macht den Unterschied Web Application Security ist heute schon hochkomplex und die Komplexität wird sich mit der weiteren Entwicklung von Online-Services noch rasant erhöhen. Selbst der beste Programmierer kann nicht jede Angriffsmöglichkeit auf Web Applikationen kennen, zudem sind sie auch nur Menschen und machen ab und zu Fehler. Gemäß Gartner weisen drei Viertel der Web Applikationen Sicherheitslücken auf. Um diese Situation zu verbessern sind neben regelmäßigen Security Audits noch weitere, vor allem proaktive Maßnahmen angebracht. Eines der effektivsten Mittel ist der Einsatz einer Web Application Firewall. Der Vortrag erklärt bewährte Architekturmuster wie - proaktiver Schutz vor unbekannten Attacken dank dynamischem Whitelisting- Single-Sign-On mit vorgelagerter Authentisierung- Hohe Verfügbarkeit und Sicherheit kombiniert in einer Web Application Firewall. Durch die intelligente Kombination von Schutzmechanismen können Entwickler sich vermehrt auf die Business Logik konzentrieren und verkürzen so die Timeto-Market. Neben Schutz und Optimierung der Webumgebung wird zudem auch die Compliance verbessert (z.b. durch Sicherstellung des PCI Data Security Standard PCI DSS). Daniel Estermann, M.Sc. Daniel Estermann besitzt einen Master Abschluss in Informatik der Eidgenössischen Technischen Hochschule (ETH Zürich) mit den Schwerpunkten Informationssicherheit und Kryptographie und studierte außerdem Betriebswirtschaft im Nebenfach. Daniel Estermann beschäftigt sich seit über zehn Jahren intensiv mit Web Applikationen: Er kennt den Spagat zwischen Einhaltung von Projektterminen und sicherer Anwendungsentwicklung aus seiner Zeit als Entwickler und Projektleiter von anspruchsvollen Enterprise-Anwendungen. Bei Visonys (jetzt phion) konnte er diese Erfahrungen in die Entwicklung und Betriebsführung der Web Application Firewall 'airlock' einbringen. Als Professional Service Leiter lernte Estermann dort insbesondere auch den Blickwinkel der IT-Betreiber kennen. Nach der Übernahme durch phion steuert er nun als Produkt Manager die strategische Weiterentwicklung der phion airlock Produktlinie.

2 1 Web Application Security Was bringt eine Web Application Firewall? Daniel Estermann Dipl. Informatik Ing. ETH Zürich Product Manager Web Application Security phion AG Imagine This is your Web application server: in the center there is your Web application the users are the audience let s have a closer look... Everything under control? Slide 2 Goals and Challenges Stadium sold out Lots of goals Good ambiance Smooth operations No riots Keep away hooligans and other troublemakers Slide 3

3 2 Exposure, Attacks, Vulnerabilities, Threats Cross Site Scripting Denial of Service Forceful Browsing Slide 4 About phion AG Founded in 2000 HQ in Innsbruck Regional offices in Vienna, Munich, Düsseldorf, Zurich, Milan, London, Amsterdam, Dubai Since July, 4th 2007 plc at Vienna Stock Exchange (mid market) Numerous international customers from the Fortune 500 public and health sectors financial services (up to 85% of Austrian and Swiss banks) Leading enterprise security from the heart of Europe: Gartner: listed in the visionaries quadrant in Gartner s Magic Quadrant for Enterprise Network Firewalls ; November Burton Group: Enterprise Firewalls and Perimeter Architecture, 3 Nov 2005 Leading Web Application Firewall vendor in central Europe Slide 5 History of airlock Swiss Startup Seclutions, later renamed to Visonys Part of phion since June 2008, 2nd phion HQ in Zurich Highly qualified development & professional services teams Clear Focus on Web Application Security since 1996 Strong historical background in finance industry Evolved into a standard product airlock in 2001 Large Customer Base & Top References About 200 productive installations in 8 countries References in government, banks, insurances, industry, portals etc. GLOBAL SECURITY ALLIANCE Slide 6

4 3 Target No. 1: Web Applications Network has become increasingly hardened Number of web-based applications and their complexity exploded Additional classes of web application vulnerabilities classes were discovered Attackers began targeting end users, particularly with the emergence of web 2.0 applications and user-generated content delivery How do we protect our applications and data? Slide 7 Security Instruments Compared There is no silver bullet: Web Application Security is always a combination of instruments. But not every instrument is in the magic quadrant. Effectivity =Security Code Analysis Penetration Tests Security Training for developers IPS / Deep Inspection Efficiency =Cost vs. Value Web Application Firewall Vulnerability Scanning Slide 8 Deployment example: Entry Server (Reverse Proxy) Application Server e Business, e Banking, e Government or e Learning acts as reverse proxy Application Server Web Services, B2B Application Application Server SSH-Admin, Terminal Services, Antivirus Server (ICAP) Service Directory B2B Client Web Client Remote Access Internet DMZ Secured Area Attacker Slide 9

5 4 Typical Features SSL Termination Encryption Offloading Multi-Level Filtering Black/Whitelist Protocols SOAP/XML Cookies Reverse Proxy TCP/IP term. Virtualization Flow control Rewriting Access Control Autorization Single Sign On IAM Web Application Firewall () Delivery & Availability Loadbalancing Compression Clustering Secure Session Handling Tracking Anti-Hijacking Management & Admin Secure OS Configuration Operation Deployment Monitoring & Reports Log analysis Statistics Alerting Audit Slide 10 Security for Application Servers WHOM are we dealing with? Access Control WHAT are we dealing with? Filtering Slide 11 Multi-Level Filtering Strict flow control Multiple validation processes Filtering all Requests and Data Real dynamic Whitelist Filtering Slide 12

6 5 Blacklist Filter: Negative Security Model Examples: Virus/Malware Scanner IDS/IPS Airport Security X-Ray Issues Thousands of signatures Critical timing Completely reactive, always behind Prevents only known attacks Evasion techniques possible Blacklist Filter are necessary but not sufficient against today s targeted attacks! Slide 13 Whitelist Filter: Positive Security Model Everything forbidden unless allowed explicitly Prevents unknown attacks Challenge: How to define good and easy to manage whitelist rules? Key questions: What is good (allowed) in today s dynamic application environments? Slide 14 Whitelisting Web Applications Enforcement of valid Web application usage Valid URLs Valid Parameters Length restrictions according to input fields Verification of predefined values (selections, hidden fields, radio buttons, etc) Protection against type or range violations Slide 15

7 6 whitelisting approaches Manual whitelist rules Too much work for complex applications Static ruleset Makes sense for critical hotspots (e.g. login page) Learning mode Records good traffic during learning phase Generates static whitelist ruleset Strong dependency on application content High maintenance cost Dynamic whitelisting Learning at runtime Allow only URLs generated by the application Often session-based allows to protect application flow Slide 16 Dynamic Whitelisting: URL Encryption Example requests start page: https://www.myapp.com CRM Application sends HTML containing plain URLs like ERP Any Web Application browser receives encrypted URLs: https://www.myapp.com/$xp1/gmnguyqptcsymqqnwftb Server Directory Internet Secured Area Attacker Manipulated requests are blocked: https://www.myapp.com/news.php? include=../../../../../etc/passwd Error! Slide 17 phion 17AG Live Hacking Demo HacmeBooks (Foundstone/McAfee) Bookshop Java2 Enterprise Web Application Several intentional vulnerabilities Used for training and demos Both HacmeBooks and airlock are running on VMware Slide 18

8 7 Dynamic Whitelisting: Benefits URL Encryption Effective protection against forceful browsing URLs and parameters 100% protected Topology and technology hiding Dynamic, no static configuration Smart Form Protection Cryptographic protection of HTML forms Only valid inputs allowed Automatic protection of hidden fields, selection lists, etc Dynamic, no static configuration Application dynamically defines valid URLs, parameters and values. enforces valid usage! Slide 19 phion 19AG Access Control WHOM are we dealing with? Access Control WHAT are we dealing with? Filtering Slide 20 Access Control (Theory) Service Identity Propagation Directory Fine-Autorization (who can access what data?) Identity Management Web Application Slide 21

9 8 Access Control (Real Life) may depend on user type, role and origin Anonymous user Customer Partner Employee Employee* (Intranet) Service CA Cert. Partner Portal CRM Public Web Site Customers Partners Employees Web Shop ERP CMS Admin * ACE/Radius Server Slide 22 Identity Propagation (1) 1. Authenticate user (once) userid: sample password: ********* Service Directory Slide 23 Identity Propagation (2) 1. Authenticate user (once) 2. Fetch identity information from directory (once) Authenticatio CMS: id=sample n Service ERP: roles=employee, userid=s.user sales userid: sample role: employee, sales erp-userid: s.user first name: sample Directory last name: user Slide 24

10 9 Identity Propagation (3) 1. Authenticate user (once) 2. Fetch identity information from directory (once) 3. Propagate user identity to each web application (with each request) Single sign-on Access web applications without logging in again CMS: id=sample airlock ERP: userid=s.user roles=employee, sales CMS ERP Slide 25 Identitiy Propagation Techniques Basic-Auth header Add a basic-authentication header to each request Example: Authorization: Basic c2ftcgxlonbhc3n3b3jk [ =base64( sample:password ) ] Cookie/Header Add a cookie or arbitrary http header containing any user details, e.g. userid + roles Example: SAP_USER_ID: sample Example: Cookie: USER_INFO=sample;sales,employee Example: Cookie: ASSERTION=********************** (encrypted/signed) SAML Assertion Kerberos Ticket In the name of the user, get a Kerberos ticket for the desired server and add it to each request. The user does not even have to provide his password! Slide 26 Kerberos Identity Propagation (Front-end) Service Kerberos Agent Windows Server Ticket Active Directory KDC Kerberos v5 https + Control API (SSL Client Cert. Auth.) Windows Web Server IIS, ISA, Exchange, Sharepoint etc. http(s) + SPNEGO/Kerberos Windows/Kerberos Domain Slide 27

11 10 Access Control: Typical Features of a Simply connect existing user directories (LDAP, AD, SQL/DB) and authentication servers (RADIUS, RSA/ACE) Authorization based on group membership or any other directory information Single Sign-on Secure session handling Multiple authentication levels depending on application Change authentication scheme without touching the applications Auditing, monitoring and usage analysis (optional user id in logs) Slide 28 Preceding : Benefits Developers can focus on business logic Ease of use (e.g. Single Sign-On) Maximum security Flexibility and speed by separating application and authentication: Change the authentication scheme without touching the applications Add new applications to a SSO domain quickly Cost and time savings in application development Slide 29 Cookie Protection Pass-through conventional, may be read and manipulated in the browser Encrypt or sign encrypts/signs cookie before sending it to the browser Cookie not forgeable because a valid signature/encryption is required Store cookies are not sent to the browser but held in the user session on the Slide 30

12 11 Protecting Web Services SOAP/XML Filter Built-in or add-on module Typical Features: Well formatted validation Schema/WSDL validation Methods selection Blacklists for typical attacks Backend parser protection Full request logging Slide 31 Why a Web Application Firewall? Typical Drivers are... mostly security (prevent attacks) compliance (e.g. PCI DSS) sometimes also application delivery (high availability, load balancing etc.) puzzle piece in a Identity Management/SSO project Slide 32 Recommendations Make part of an overall application security strategy. Consider layering of functionality to minimize risk and maximize flexibility. Involve enterprise architects, application delivery, and developers in order to maximize benefit and comfort with security controls. Strongly consider non core- functionality during evaluation and ensure these are in line with evolving delivery and development models. Use out-of-the box black list rules for basic security, but prepare to spend time and effort to customize in order to achieve proper efficacy. Exercise application change process during evaluation to guess maintenance costs Slide 33

13 12 Looking from the right angle Looking at network packets is sometimes a too narrow view... Slide 34 Looking from the right angle Only a has the full picture because it works on the application level Slide 35 Thank you! Slide 36

Web Application Security

Web Application Security Web Application Security Erwin Huber Head of Research & Development Web Application Security Web Application Security Unit Strong Focus on Web Application Security since 1996 Protection of Web Applications

More information

White Paper Secure Reverse Proxy Server and Web Application Firewall

White Paper Secure Reverse Proxy Server and Web Application Firewall White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Basic & Advanced Administration for Citrix NetScaler 9.2

Basic & Advanced Administration for Citrix NetScaler 9.2 Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network 70 299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network Course Number: 70 299 Length: 1 Day(s) Course Overview This course is part of the MCSA training.. Prerequisites

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Application Security Made in Switzerland

Application Security Made in Switzerland Application Security Made in Switzerland Overview The problem of internet security is almost as old as the internet itself. But there is a reliable solution: Airlock Suite from Ergon. Airlock Suite is

More information

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services DEPLOYMENT GUIDE Version 1.0 Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services Table of Contents Table of Contents Using the BIG-IP Edge Gateway for layered security and

More information

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0 Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual Document Version 1.0 Table of Contents 1 SWAF... 4 1.1 SWAF Features... 4 2 Operations and User Manual... 7 2.1 SWAF Administrator

More information

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Advanced Administration for Citrix NetScaler 9.0 Platinum Edition Course Length: 5 Days Course Code: CNS-300 Course Description This course provides the foundation to manage, configure and monitor advanced

More information

quick documentation Die Parameter der Installation sind in diesem Artikel zu finden:

quick documentation Die Parameter der Installation sind in diesem Artikel zu finden: quick documentation TO: FROM: SUBJECT: ARND.SPIERING@AS-INFORMATIK.NET ASTARO FIREWALL SCAN MIT NESSUS AUS BACKTRACK 5 R1 DATE: 24.11.2011 Inhalt Dieses Dokument beschreibt einen Nessus Scan einer Astaro

More information

Implementation of Web Application Firewall

Implementation of Web Application Firewall Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway

Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration

More information

Move over, TMG! Replacing TMG with Sophos UTM

Move over, TMG! Replacing TMG with Sophos UTM Move over, TMG! Replacing TMG with Sophos UTM Christoph Litzbach, Pre-Sales Engineer NSG 39 Key Features of TMG HTTP Antivirus/spyware URL Filtering HTTPS forward inspection Web Caching Role based access

More information

WatchGuard SSL 2.0 New Features

WatchGuard SSL 2.0 New Features WatchGuard SSL 2.0 New Features For Secure Remote Access, Identity Management, and Network Access Control Introduction WatchGuard SSL 2.0 unifies identity and access management capabilities, with features

More information

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG) A RSACCESS WHITE PAPER 1 Microsoft Forefront Unified Access Gateway Overview 2 Safe-T RSAccess Secure Front-end Overview

More information

Barracuda Web Application Firewall

Barracuda Web Application Firewall Barracuda Networks Technical Documentation Barracuda Web Application Firewall Administrator s Guide Version 7.6 RECLAIM YOUR NETWORK Copyright Notice Copyright (c) 2004-2011, Barracuda Networks, Inc.,

More information

Cyan Networks Secure Web vs. Websense Security Gateway Battle card

Cyan Networks Secure Web vs. Websense Security Gateway Battle card URL Filtering CYAN Secure Web Database - over 30 million web sites organized into 31 categories updated daily, periodically refreshing the data and removing expired domains Updates of the URL database

More information

Guidelines for Web applications protection with dedicated Web Application Firewall

Guidelines for Web applications protection with dedicated Web Application Firewall Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security

More information

Oracle Web Cache 11g Overview

<Insert Picture Here> Oracle Web Cache 11g Overview Oracle Web Cache 11g Overview Oracle Web Cache Oracle Web Cache is a secure reverse proxy cache and a compression engine deployed between Browser and HTTP server Browser and Content

More information

Citrix NetScaler Best Practices. Claudio Mascaro Senior Systems Engineer BCD-Sintrag AG

Citrix NetScaler Best Practices. Claudio Mascaro Senior Systems Engineer BCD-Sintrag AG Citrix NetScaler Best Practices Claudio Mascaro Senior Systems Engineer BCD-Sintrag AG Agenda Deployment Initial Konfiguration Load Balancing NS Wizards, Unified GW, AAA Feature SSL 2 FTP SQL NetScaler

More information

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams.

SAP Certified Technology Professional - Security with SAP NetWeaver 7.0. Title : Version : Demo. The safer, easier way to help you pass any IT exams. Exam : P_ADM_SEC_70 Title : SAP Certified Technology Professional - Security with SAP NetWeaver 7.0 Version : Demo 1 / 5 1.Which of the following statements regarding SSO and SAP Logon Tickets are true?

More information

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall

More information

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar January 2010 web security data security email security

More information

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007 DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007 With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper Securing Web Applications As hackers moved from attacking the network to attacking the deployed applications, a category

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Ensuring the Security of Your Company s Data & Identities. a best practices guide

Ensuring the Security of Your Company s Data & Identities. a best practices guide a best practices guide Ensuring the Security of Your Company s Data & Identities Symplified 1600 Pearl Street, Suite 200» Boulder, CO, 80302» www.symplified.com» @Symplified Safe and Secure Identity Management

More information

Reverse Proxy for Trusted Web Environments > White Paper

Reverse Proxy for Trusted Web Environments > White Paper > White Paper ProxySG for Reverse Proxy Web-based solutions are being implemented for nearly every aspect of business operations, and increasingly for trusted environments with mission-critical business

More information

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS INCONVENIENT STATISTICS 70% of ALL threats are at the Web application layer. Gartner 73% of organizations have been hacked in the past two

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Benutzerfreundlich, tiefe Betriebskosten und hohe Sicherheit. Warum sich diese Ziele nicht widersprechen müssen

Benutzerfreundlich, tiefe Betriebskosten und hohe Sicherheit. Warum sich diese Ziele nicht widersprechen müssen Benutzerfreundlich, tiefe Betriebskosten und hohe Sicherheit. Warum sich diese Ziele nicht widersprechen müssen Jean Paul Kölbl CEO IT-Secure.com AG Total access security Heutige Situation Kostendruck

More information

SiteCelerate white paper

SiteCelerate white paper SiteCelerate white paper Arahe Solutions SITECELERATE OVERVIEW As enterprises increases their investment in Web applications, Portal and websites and as usage of these applications increase, performance

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF

A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF A viable alternative to TMG / UAG Web Application security, acceleration and authentication with DenyAll s DA-WAF Whitepaper 08/17/2015 Summary 1. Introductio... 3 1.1 What is TMG / UAG?... 3 2. How can

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems Core Feature Comparison between XML / SOA Gateways and Web Application Firewalls Jason Macy jmacy@forumsys.com CTO, Forum Systems XML Gateway vs Competitive XML Gateways or Complementary? and s are Complementary

More information

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting? Executive Summary As the leader in Wide Area Application Delivery, Blue Coat products accelerate and secure applications within your WAN and across the Internet. Blue Coat provides a robust and flexible

More information

THE OPEN UNIVERSITY OF TANZANIA

THE OPEN UNIVERSITY OF TANZANIA THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather

More information

Moderne Sicherheit. Fokussiert auf Business Continuity, Mobilität & Application Control. Marc Mathys Country Manager Switzerland

Moderne Sicherheit. Fokussiert auf Business Continuity, Mobilität & Application Control. Marc Mathys Country Manager Switzerland Moderne Sicherheit Fokussiert auf Business Continuity, Mobilität & Application Control Marc Mathys Country Manager Switzerland Network Security History in a Nutshell 1990s The Internet is bad if we do

More information

NETASQ ACTIVE DIRECTORY INTEGRATION

NETASQ ACTIVE DIRECTORY INTEGRATION NETASQ ACTIVE DIRECTORY INTEGRATION NETASQ ACTIVE DIRECTORY INTEGRATION RUNNING THE DIRECTORY CONFIGURATION WIZARD 2 VALIDATING LDAP CONNECTION 5 AUTHENTICATION SETTINGS 6 User authentication 6 Kerberos

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE Legal Marks No portion of this document may be reproduced or copied in any form, or by

More information

Enabling SSL and Client Certificates on the SAP J2EE Engine

Enabling SSL and Client Certificates on the SAP J2EE Engine Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine

More information

TIBCO Spotfire Platform IT Brief

TIBCO Spotfire Platform IT Brief Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Pass Through Proxy. How-to. Overview:..1 Why PTP?...1

Pass Through Proxy. How-to. Overview:..1 Why PTP?...1 Pass Through Proxy How-to Overview:..1 Why PTP?...1 Via an SA port...1 Via external DNS resolution...1 Examples of Using Passthrough Proxy...2 Example configuration using virtual host name:...3 Example

More information

Vidder PrecisionAccess

Vidder PrecisionAccess Vidder PrecisionAccess Security Architecture February 2016 910 E HAMILTON AVENUE. SUITE 410 CAMPBELL, CA 95008 P: 408.418.0440 F: 408.706.5590 WWW.VIDDER.COM Table of Contents I. Overview... 3 II. Components...

More information

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses Professional Integrated Appliance for Small and Medium-sized businesses Benefits Clientless Secure Remote Access Seamless Integration behind the Existing Firewall Infrastructure UTM Security Integration

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

DV4 - Citrix CloudGateway: Access and control Windows, SaaS and web applications. Systems Engineer, Citrix Systems GmbH

DV4 - Citrix CloudGateway: Access and control Windows, SaaS and web applications. Systems Engineer, Citrix Systems GmbH DV4 - Citrix CloudGateway: Access and control Windows, SaaS and web applications Rob Sanders Oliver Lomberg Systems Engineer, Citrix Systems Systems Engineer, Citrix Systems GmbH Corporate PC Corporate

More information

Single Sign-on (SSO) technologies for the Domino Web Server

Single Sign-on (SSO) technologies for the Domino Web Server Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145

More information

ADMINISTRATOR S GUIDE

ADMINISTRATOR S GUIDE STONEGATE SSL VPN 1.4.3 ADMINISTRATOR S GUIDE V IRTUAL PRIVATE NETWORKS Legal Information End-User License Agreement The use of the products described in these materials is subject to the then current

More information

Durée 4 jours. Pré-requis

Durée 4 jours. Pré-requis F5 - BIG-IP Application Security Manager V11.0 Présentation du cours Ce cours traite des attaques applicatives orientées Web et de la façon d utiliser Application Security Manager (ASM) pour s en protéger.

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Secure remote access to your applications and data. Secure Application Access

Secure remote access to your applications and data. Secure Application Access Secure Application Access Secure remote access to your applications and data Accops HySecure is an application access gateway that enables secure access to corporate applications, desktops and network

More information

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity SSL-VPN Combined With Network Security Introducing A popular feature of the SonicWALL Aventail SSL VPN appliances is called End Point Control (EPC). This allows the administrator to define specific criteria

More information

Deploying RSA ClearTrust with the FirePass controller

Deploying RSA ClearTrust with the FirePass controller Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you

More information

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT

SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT SAP SECURITY AND AUTHORIZATIONS - RISK MANAGEMENT AND COMPLIANCE WITH LEGAL REGULATIONS IN THE SAP ENVIRONMENT Foreword by Prof. Wolfgang Lassmann... 15 Foreword by Dr. Sachar Paulus... 17 1 Introduction...

More information

Citrix NetScaler 10 Essentials and Networking

Citrix NetScaler 10 Essentials and Networking Citrix NetScaler 10 Essentials and Networking CNS205 Rev 04.13 5 days Description The objective of the Citrix NetScaler 10 Essentials and Networking course is to provide the foundational concepts and advanced

More information

FileCloud Security FAQ

FileCloud Security FAQ is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file

More information

HP WebInspect Tutorial

HP WebInspect Tutorial HP WebInspect Tutorial Introduction: With the exponential increase in internet usage, companies around the world are now obsessed about having a web application of their own which would provide all the

More information

How Reflection Software Facilitates PCI DSS Compliance

How Reflection Software Facilitates PCI DSS Compliance Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit

More information

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN INTEGRATION GUIDE IDENTIKEY Federation Server for Juniper SSL-VPN Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

enterprise^ IBM WebSphere Application Server v7.0 Security "publishing Secure your WebSphere applications with Java EE and JAAS security standards

enterprise^ IBM WebSphere Application Server v7.0 Security publishing Secure your WebSphere applications with Java EE and JAAS security standards IBM WebSphere Application Server v7.0 Security Secure your WebSphere applications with Java EE and JAAS security standards Omar Siliceo "publishing enterprise^ birmingham - mumbai Preface 1 Chapter 1:

More information

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Securely Yours LLC IT Hot Topics Sajay Rai, CPA, CISSP, CISM sajayrai@securelyyoursllc.com Contents Background Top Security Topics What auditors must know? What auditors must do? Next Steps [Image Info]

More information

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

More information

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12 DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Oracle E-Business Suite 12 Table of Contents Table of Contents Introducing the BIG-IP LTM Oracle E-Business Suite 12 configuration Prerequisites and configuration

More information

IONA Security Platform

IONA Security Platform IONA Security Platform February 22, 2002 Igor Balabine, PhD IONA Security Architect Copyright IONA Technologies 2001 End 2 Anywhere Agenda IONA Security Platform (isp) architecture Integrating with Enterprise

More information

Last Updated: July 2011. STATISTICA Enterprise Server Security

Last Updated: July 2011. STATISTICA Enterprise Server Security Last Updated: July 2011 STATISTICA Enterprise Server Security STATISTICA Enterprise Server Security Page 2 of 10 Table of Contents Executive Summary... 3 Introduction to STATISTICA Enterprise Server...

More information

Barracuda Web Application Firewall Best Practices Guide

Barracuda Web Application Firewall Best Practices Guide Barracuda Web Application Firewall Best Practices Guide US 1.0 Copyright 2011 Barracuda Networks Inc. 3175 S. Winchester Blvd., Campbell, CA 95008 1-888-268-4772 www.barracuda.com Table of Contents Introduction.................................................................................................................

More information

CNS-200-1I Basic Administration for Citrix NetScaler 9.0

CNS-200-1I Basic Administration for Citrix NetScaler 9.0 CNS-200-1I Basic Administration for Citrix NetScaler 9.0 This course covers the initial configuration and administration of Citrix NetScaler 9.0. Learners gain an understanding of NetScaler features such

More information

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led

Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led Citrix NetScaler 10.5 Essentials for ACE Migration CNS208; 5 Days, Instructor-led Course Description The objective of the Citrix NetScaler 10.5 Essentials for ACE Migration course is to provide the foundational

More information

Web Application Proxy

Web Application Proxy Application Proxy Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security CEH: Certified Ethical Hacker CHFI: Computer Hacking Forensic Investigator ondrej@sevecek.com

More information

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6 Imperva Technical Brief Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6 The PCI Security Standards Council s (PCI SSC) recent issuance of an Information Supplement piece

More information

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Load Balancing. Outlook Web Access. Web Mail Using Equalizer Load Balancing Outlook Web Access Web Mail Using Equalizer Copyright 2009 Coyote Point Systems, Inc. Printed in the USA. Publication Date: January 2009 Equalizer is a trademark of Coyote Point Systems

More information

Exchange Synchronization AX 2012

Exchange Synchronization AX 2012 Exchange Synchronization AX 2012 Autor... Pascal Gubler Dokument... Exchange Synchronization 2012 (EN) Erstellungsdatum... 25. September 2012 Version... 2 / 17.06.2013 Content 1 PRODUKTBESCHREIBUNG...

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Designing and Implementing a Server Infrastructure MOC 20413

Designing and Implementing a Server Infrastructure MOC 20413 Designing and Implementing a Server Infrastructure MOC 20413 In dieser 5-tägigen Schulung erhalten Sie die Kenntnisse, welche benötigt werden, um eine physische und logische Windows Server 2012 Active

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information