Application Security Made in Switzerland

Transcription

1 Application Security Made in Switzerland

2 Overview The problem of internet security is almost as old as the internet itself. But there is a reliable solution: Airlock Suite from Ergon. Airlock Suite is underpinned by superb Swiss engineering expertise, many years of experience and well thought-out concepts that master the most complex challenges. Airlock Suite deals with the issues of filtering and authentication in one complete and coordinated solution setting new standards for usability and services. WAF Login IAM Online banking, ecommerce, mobile access: the Airlock Web Application Firewall will reliably protect your internet applications thanks to systematic control and filtering mechanisms backed up by a diverse range of enhancement options. When combined with Airlock WAF, Airlock Login ensures reliable user authentication and authorization. But that s not all: as well as superlative security, Airlock Login delivers high usability and cost-efficiency. Airlock IAM is the suite s central authen tication platform, including enter prise functions. With this pro duct, customers, partners or employ ees log in just once for secure access to data and applications. Airlock IAM also automates user administration. Security at bank level Airlock is now the established Swiss standard for ebanking and that s a fact. Our lengthy experience of wor king in the international financial sector means that you benefit from the best possible online security reliable, efficient and process-optimized. Cutting cost Intelligent software architecture, central authentication functionalities and cutting-edge user self-services: these are the assets that make the Airlock solution so outstandingly attractive in terms of cost a solution that will permanently reduce your IT expenditure. Integrated solutions, one single source Individual components, perfectly coordinated in one complete package that s Airlock. No matter how varied your requirements are, Airlock Suite is your guarantee of well thought-out solutions from one single sourcescalable and flexible. Flexibility The Airlock Suite is just as flexible as your requirements. That s because Airlock can adapt to existing environments, new challenges and individual needs. The result: your investment is excellently protected, and you benefit from customized solutions. User self services Forgotten passwords, lost logins, new user accounts customer support has to deal with a host of routine tasks. That s why we opt for well-designed user self-services. Thanks to this approach, Airlock can cut costs while boosting your customer and employee satisfaction level. Swiss made No doubt about it: the highest qual ity that s what Airlock offers you, because our security applications are developed exclusively in Switzerland: your guarantee of maximum reliability, precision and perfection.

3 Product information WAF The Airlock Web Application Firewall offers a unique combination of protective mechanisms for web applications. Whether your objective is legal compliance, security for your applications or protection for ecommerce: Airlock WAF will upgrade security for your internet applications a permanent solution with a host of well thought-out functionalities. Thanks to Airlock WAF, businesses can exploit the potential of the internet without jeopardizing the security and availability of their web applications and services. Each access is systematically monitored and filtered at every level. Used in conjunction with an authentication solution such as Airlock Login or IAM, Airlock WAF can force upstream user authentication and authorization. This allows a uni - form, central single sign-on infrastructure. All information is also made available via monitoring and reporting functions. Airlock WAF is one of a few web application security solution on the market that provides superlative end-to-end protection for complex web environments. Reverse Proxy and Web Application Firewall Airlock WAF offers a unique protection mechanism by operating as a combined secure reverse proxy server and web application firewall. All access attempts are systematically controlled and filtered. Control via a central access point Airlock WAF is a central point of control for web access, avoiding anonymous interactions with applications that have user authentication. Airlock covers every layer reducing costs and dependencies. Shorter time to market thanks to virtual patching Secure now, fix later that s virtual patching in a nutshell. Airlock WAF s reverse proxy approach makes it very easy for you to virtualize servers and services. Virtual import of patches is also possible. The benefit: security-relevant weaknesses are quickly remedied at a central point over all applications. Improved availability and performance Web applications and web services deal only with authorised users and valid data traffic. High availability is guaranteed through load balancing and failover functions. SIEM integration The Airlock Operations app for Splunk Enterprise makes aggregated management reports available on security issues and application usage. Network administrators can use various dashboards to investigate security-critical events so application and performance problems are rapidly resolved. Simple operation Airlock is a linux-based software appliance with a hardened operating system. It runs on the common hardware platforms, in virtual machines and in the cloud. Airlock offers a fast and easy installation and allows cost efficient operation. Airlock system overview SAML Assertion Flickering Mobile TAN Client Certificate Cross Domain SSO with SAML or OAuth 2.0 Corporate Network Kerberos/ Smart Card Password Management/ Transaction Signing RADIUS Client A B C D Mobile TAN Mobile OTP Database/ Directory PKI Applications Application in other Domain

4 Product information Login Practical, lean and secure: Airlock Login is the ideal complement to Airlock WAF for reliable user authentication and authorization. Airlock Login offers efficient solutions and easy handling at an attractive price. Airlock Login features convincingly high usability and straightforward configuration. Solid basis for more Because it is directly integrated with Airlock WAF, Airlock Login allows fast and convenient implementation of strong upstream user authentications with in-company single sign-on. There may be a need for extensive additional functions such as web service interfaces, step-up authentication workflows, support for cross-domain SSO or user self services. In these cases, an upgrade from Airlock Login to Airlock IAM could not be easier: simply import a new license, and the Airlock IAM functions will be activated. Secure and strong access control Virtually every modern web application requires user identification to allow certain types and levels of access. Airlock Login provides upstream authentication and allows access control for customers and employees to be centralised and run independently of the business logic. Single sign-on (SSO) Airlock Login ensures that even legacy web applications with own user master records can be easily integrated in the standardised web single sign-on infrastructure. Easy configuration also in regard to running time Configurations can be efficiently processed using the graphic editor. Airlock Login has a flexible architecture that permits configuration changes at run-time without any session loss or operational disruption. Airlock Login and Airlock IAM compaired Components Web-based login application Web-based administration interface Integrated database for user profiles Service containers for batch jobs and letter generation Technical interfaces Authentication 1 and 2-factor authentication Password verification against directory (LDAP, MSAD), OTP token server via RADIUS, RSA SecurID, MTAN (SMS), client certificates Role-based access control (RBAC) Complex authentication workflows (e.g. step-up, step-down) Support for a wide range of additional authentication methods Dynamic access control (based on environment attributes) Login application Change and reset password via Portal funktion User self-services Various other functions (representation, GTCs, maintenance reports /notifications, etc.) Single Sign-on (SSO) and identity federation Simple SSO (using cookies, HTTP headers, on-behalf form login, back-side Kerberos, etc.) Cross-domain SSO and identity federation Identity Management Find and show users Manage, aggregate and provision identity and role information Deployment Integration in Airlock WAF Deployment is possible outside of Airlock WAF Client capability

5 Product information IAM Airlock IAM is the suite s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration and provides user self-services. SSO for heterogeneous application environments In addition to a large number of supported SSO mechanisms (e. g. SAML, OpenID Connect), Airlock IAM also accepts authentication tickets issued by other entities. Cross-domain single sign-on Airlock IAM supports Federated Identity Management (FIdM) and therefore facilitates cross-domain SSO. Acting as a central identity provider (IDP) in this case, Airlock IAM registers, reports and manages user data. User data are automatically synchronised with third-party systems via the standardised interface. This always ensures a consistent status of user data for all parties. Another advantage is maximum usability. The specific services (service providers) come from other domains and use identities transmitted via SAML, OAuth or OpenID Connect. Authentication services Airlock IAM has its own integrated authentication services for matrix cards, mobile TAN via SMS and mobile OTP. All these variants are very cheap since there is no need to purchase any tokens or any special operating hardware. Their administration is fully integrated in the product. In addition other authentication services as well as many different hardware or software tokens are supported. Centralisation of user data Airlock IAM is the central point of control for the administration of authentication data. For other applications or com - ponents in SOA environments Airlock IAM provides a web service interface (SOAP or REST) which offers actions related to authentication: for example, Airlock IAM can enforce complex password policies while password changes are still made remotely in a business application. User self-services In addition to user administration, there are a number of user self-services which cover the entire lifecycle of a user account for single sign-on. The workflows for self-administration of user data cover self-registration, self-migration, self-provisioning of external logins, password changes and user profile data editing. Features Airlock WAF Secure Reverse Proxy Termination of TCP / IP SSL, SSL VPN, HTTP / S, AMF, JSON and SOAP / XML filter Multi-level filtering Dynamic whitelisting URL encryption Smart form protection Cookie protection Load balancing ICAP content filtering Content rewriter (Raw, HTML) Access control, authentication & SSO HSM support Airlock Operations App for Splunk Airlock Login Supported tokens OTP token via Radius (RSA SecurID, Kobil SecOVID, VASCO Digipass, etc.), Client certificates (X.509, SuisseID, etc.) Integrated tokens Password, Mobile TAN, -OTP Single sign-on Kerberos, HTTP Cookies, HTTP Headers, URL-Tickets, Basic Auth, Form Post on behalf User directories JDBC databases, LDAP directories / MS ActiveDirectory User self-services automatic password reset, portal function Operational features failover, audit log, log viewer, web-based administration console, hot deployment without restart Operatingsystems Java-based: Linux, Windows, VMWare Airlock IAM additional to Airlock Login Supported tokens CrontoSign, Kobil AST, Swisscom MobileID, OATH -Tokens Integrated tokens Mobile OTP, matrix card Identity Federation SAML 2.0 IDP / SP, OAuth 2.0, OpenID Connect Single sign-on NTLM Integrated database for user extension User administration / IAM User, token and role administration, report engine, password policy enforcement User self-services Self-registration, self-migration, self-administration, kiosk and portal function for own user data Interfaces Webapplication, RADIUS, SOAP, REST, EAP / TLS 802.1X Operational features Multitenancy, statistical evaluations

6 Ergon Informatik AG Merkurstrasse 43 CH 8032 Zurich twitter.com/ergonairlock Copyright Notice Copyright 2015 Ergon Informatik AG. All Rights Reserved. All technical documentation that is made available by Ergon Informatik AG is the copyrighted work of Ergon Informatik AG and is owned by Ergon Informatik AG. Ergon, the Ergon logo, smart people smart software and Airlock are registered trademarks of Ergon Informatik AG. Microsoft and ActiveDirectory are registered trademarks or trademarks of Microsoft Corporation in the United States and / or other countries. Other products or trademarks mentioned are the property of their respective owners. smart people smart software Founded in 1984, Ergon Informatik AG now has workforce of 235 and numbers among the most long-standing and successful IT service providers in Switzerland. Over 80 % of our employees are graduate software developers, and most of them have trained as IT engineers at the Swiss Federal Institute of Technology (ETH), Zurich one of the world s top ten universities. Ergon Informatik AG has also won multiple awards for its sustainable personnel policy. Ergon Informatik AG is a broadly diversified company that provides services to a wide variety of sectors. Ergon has exceptional expertise in sectors such as financial services, ebanking, telecommunications and security. In 1997, Ergon developed Switzerland s first ebanking system for a well-known Swiss bank. Airlock Suite, our security product, was launched on the market in 2002 and is now used by 300 customers around the globe. For more information visit