LBL Application Availability Infrastructure Unified Secure Reverse Proxy


LBL Application Availability Infrastructure Unified Secure Reverse Proxy Valerio Mezzalira

TCOGROUP Company Outline
Mission: development of software tools aimed at enhancing high availability (HA) of IT in mission-critical and business-critical environments.
Main focus: HA, business continuity, and disaster recovery.
Target markets: finance, telco, e-commerce, healthcare, transportation, energy (oil & gas), manufacturing, education, public administrations, service providers.

The Reference Scenario. IT services evolution: security, performance, control by design.
(Diagram labels: solution features SSO, Analysis & Reporting, Billing, Security, Speed & Performance, Full Availability; platform IaaS, OpenStack, SDN.)

The Reference Scenario. IT services evolution: from individual application...
(Diagram: service layers Network, Security, Application, Database, SAN.)

The Reference Scenario. ...to service.
(Diagram: the same service layers Network, Security, Application, Database, SAN, now with a dedicated reverse proxy in front of each component: Reverse-proxy A/B/C for Application A/B/C, Reverse-proxy DBMS A/B for DBMS A/B, Reverse-proxy DIRSRV for the directory server; SAN virtualization underneath with text, image and log databases.)

LBL LoadBalancer Unified Reverse Proxy.
(Diagram: a single Unified Reverse Proxy in the Security layer in front of Application A, B and C, Remote Desktop, Network File System, Database, DIRSRV and Exchange; SAN virtualization underneath with text and image databases.)


LBL LoadBalancer Unified Reverse Proxy.
(Diagram: the same Unified Reverse Proxy layer, here showing a Dynamic Path between the proxy and Application A, B and C, with Remote Desktop, Network File System, Database, DIRSRV and Exchange behind it; SAN virtualization underneath.)

LBL LoadBalancer Unified Reverse Proxy. Business Continuity Sites: primary building, secondary building, disaster recovery site.


LBL LoadBalancer Unified Reverse Proxy ON CLOUD: Border Router Protocol (Amazon Regions compliant); DoS/DDoS resolver.

Header rewriting (L7 HTTP/S, L4 TCP/UDP)

    GET / HTTP/1.1
    Host: www.tcoproject.dev
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; it; rv:1.9.2.2) Gecko/20100316 Firefox/3.6.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Cookie: LBLSESSIONID=1277228676044; TCOPROJECTAUTH=1277048578420; TCOPROJECTSESSIONID=1277048578511

Contents rewriting
Content inspection and rewriting of data streams through regular expressions and/or simple Java programming (call-back). LBL Content Rewriter lets you perform complex operations for SSO integration and intervene actively according to the content or the volume of the data traffic.

Body rewriting

    /* Lines enclosing the page title and bottom */
    td.encloserline { height: 2px; background-color: rgb(51, 51, 255); }
    /* Contents table */
    table.contenttable { text-align: left; width: 100%; }
    /* Paragraph title */
    td.paragraphtitle { text-align: left; color: black; font-weight: bold; font-style: italic; background-color: rgb(255, 143, 89); }
    /* Paragraph body */
    td.paragraphbody { text-align: left; }

TLS & Certificates management

    (1)  A <----SSL----> LBL <----NOSSL----> B
    (3)  A <----SSLa-m----> LBL <----SSLm-b----> B

TLS termination & spontaneous offloading; client certificate forwarding (integrating J2EE applications with no change); TLS re-encryption.

Request as received by the back end after TLS termination, with the client certificate forwarded in x-fwdcert* headers:

    host: localhost
    user-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; it; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    accept-language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
    accept-encoding: gzip,deflate
    accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    keep-alive: 115
    connection: keep-alive
    referer: https://localhost/trainingw/
    cookie: LBLSESSIONID=1280903726322
    content-type: application/x-www-form-urlencoded
    content-length: 33
    x-fwdcertserialnumber_0: 1282479557
    x-fwdcertdatenotbefore_0: 2010-08-22 14:19:17.0 UTC
    x-fwdcertdatenotafter_0: 2011-08-22 14:19:17.0 UTC
    x-fwdcertsubject_0: CN=clientname, OU=clientlob, O=clientcompany, L=clientcountry, ST=clientdistrict, C=IT
    x-fwdcertissuer_0: CN=clientname, OU=clientlob, O=clientcompany, L=clientcountry, ST=clientdistrict, C=IT
    x-fwdcertencodedpem_0: -----BEGIN+CERTIFICATE---- 0AMIICdTCCAd6gAwIBAgIETHEVxTANBgkqhkiG9w0BAQUFADB2FMQswCQYDVQQGEwJJVDEXMBUGA1UECBMOY2xpZW50ZGlzdHJp0AY3QxFjAU BgNVBAcTDWNsaWVudGNvdW50cnkxFjAUBgNVBAoTDWNsaWVudGNvbXBhbnkxEjAQBgNVBAsTCWNsaWVudGxvYjET0AMBEGA1UEAxMKY2xpZW 50bmFtZTAeFw0xMDA4MjIxMjE5MTdaFw0xMTA4MjIxMjE5MTdaMH8xCzAJBgNVBAYTAklUMRcwFQYD0AVQQIEw5jbGllbnRkaXN0cmljdDEWMBQG A1UEBxMNY2xpZW50Y291bnRyeTEWMBQGA1UEChMNY2xpZW50Y29tcGFueTESMBAG0AA1UECxMJY2xpZW50bG9iMRMwEQYDVQQDEwpjbGllbnR uyw1lmigfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcgmdlc3mhc0arflqnppgubfg2yyvnbuejsarzn6l0cjcqxlqpfmrh0npridg2blsp98tisi2bk Mlcxbvl3Y6Dk6QTUCw1AxN7vUUapZ4tJBwzM0AUACAYp6HCr1tFTvgU8XQui74hqkcZjSPOSvoX2BuIjmSl832O6Iu0hoG0GPE2FqF3THQIDAQABMA0GCS qgsib3dqebbquaa4gb0aadumybb76yzrcgvvdjttqnltfcxrwunkj2qkbdde9esp2f9h8zqucowcig5pj0zryyapfqsowwdz18rut1scqeux2%2f7l2f 2FFyk0AEeSVL8mr9eB4mMxgACNFn6GzUTkUD2PBO5HNBc9TcKvEzTtTP35x13pNTaWvhNBL2Li09y5xUfIi%0D%0A----END+CERTIFICATE----- %0D%0A
    x-forwarded-for: 127.0.0.1
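The client-certificate forwarding shown above has a trust boundary worth making explicit: the back end must accept x-fwdcert* and x-forwarded-for only from the proxy, and the proxy must drop any such header a client sends itself. The following is an added example written for this page, not code from the original deck or from LBL; it assumes the header names exactly as they appear in the slide, the address 10.8.1.212 (borrowed from the SNI slide) as a placeholder for the proxy's address, and a constructed placeholder PEM body rather than a real certificate.

```python
"""Added example (not LBL's code): a back end consuming the client-certificate
headers that a TLS-terminating reverse proxy injects, plus the proxy-side step
that stops a client from supplying those headers itself."""
import base64
import re
from datetime import datetime, timezone
from urllib.parse import quote_plus, unquote_plus

# Assumption: the proxy's address as the back end sees it (the listener address
# from the SNI slide, reused here purely as a placeholder).
TRUSTED_PROXIES = {"10.8.1.212"}
CERT_HEADER_PREFIX = "x-fwdcert"
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f UTC"   # timestamp shape used in the slide headers


def strip_proxy_headers(headers):
    """Proxy side: drop any x-fwdcert* / x-forwarded-for header that arrived from
    the client, so the back end only ever sees values the proxy itself set."""
    return {k: v for k, v in headers.items()
            if not k.lower().startswith(CERT_HEADER_PREFIX)
            and k.lower() != "x-forwarded-for"}


def decode_forwarded_pem(value):
    """Undo the form-style URL-encoding of the forwarded PEM ('+' for space,
    %0D%0A for CRLF, %2F for '/') and return the DER bytes, or None when the
    framing or the base64 body is broken.  Structure only: signature and chain
    checks were done by the proxy when it accepted the client certificate."""
    pem = unquote_plus(value)
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        return None
    try:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return None


def parse_dn(dn):
    """Turn 'CN=clientname, OU=clientlob, ...' into a dict keyed by attribute."""
    return dict(part.strip().split("=", 1) for part in dn.split(","))


def client_identity(headers, peer_ip, now=None):
    """Back-end side: return the identity the proxy vouched for, or raise.
    The headers count only when the TCP peer is the proxy itself."""
    if peer_ip not in TRUSTED_PROXIES:
        raise PermissionError("client-certificate headers accepted only from the proxy")
    h = {k.lower(): v for k, v in headers.items()}
    subject = h.get("x-fwdcertsubject_0")
    if subject is None:
        raise ValueError("no client certificate forwarded")
    now = now or datetime.now(timezone.utc)
    not_before = datetime.strptime(h["x-fwdcertdatenotbefore_0"], TS_FORMAT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(h["x-fwdcertdatenotafter_0"], TS_FORMAT).replace(tzinfo=timezone.utc)
    if not not_before <= now <= not_after:
        raise ValueError("forwarded certificate is outside its validity period")
    if decode_forwarded_pem(h.get("x-fwdcertencodedpem_0", "")) is None:
        raise ValueError("forwarded PEM is malformed")
    return {"cn": parse_dn(subject)["CN"],
            "serial": h.get("x-fwdcertserialnumber_0"),
            "client_ip": h.get("x-forwarded-for")}


# Constructed sample, shaped like the slide's headers.  The PEM body is a
# labelled placeholder, not a real X.509 certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = quote_plus("-----BEGIN CERTIFICATE-----\r\n"
                        + base64.b64encode(PLACEHOLDER_DER).decode()
                        + "\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_HEADERS = {
    "host": "localhost",
    "x-fwdcertserialnumber_0": "1282479557",
    "x-fwdcertdatenotbefore_0": "2010-08-22 14:19:17.0 UTC",
    "x-fwdcertdatenotafter_0": "2011-08-22 14:19:17.0 UTC",
    "x-fwdcertsubject_0": "CN=clientname, OU=clientlob, O=clientcompany, "
                          "L=clientcountry, ST=clientdistrict, C=IT",
    "x-fwdcertencodedpem_0": SAMPLE_PEM,
    "x-forwarded-for": "127.0.0.1",
}
SAMPLE_NOW = datetime(2011, 1, 1, tzinfo=timezone.utc)     # inside the validity window
SAMPLE_LATER = datetime(2012, 1, 1, tzinfo=timezone.utc)   # after notAfter

if __name__ == "__main__":
    print(client_identity(SAMPLE_HEADERS, "10.8.1.212", SAMPLE_NOW))
```

The peer-address check is what makes the headers meaningful; without it (or without strip_proxy_headers on the proxy) anyone who can reach the back end directly could claim an arbitrary CN by sending the headers themselves.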

TLS-SNI (Server Name Indication)
TLS handshake using SNI over the public network: Client Hello requesting secursite2.com; Server Hello with the secursite2.com certificate.
LBL listens on 10.8.1.212 port 80 (DNS: 10.8.1.212) and serves https://www.securesite1.com, https://www.securesite2.com and https://www.securesite3.com.
No limit on the number of certificates per address/port; multiple certificate containers, each with its own password.

SUCCESS STORIES Microsoft TMG replacement from 2011

LBL Application Availability Infrastructure: all ASL / health authorities of Regione Sardegna (over 7 years of uninterrupted service); +CRESSAN.

LBL LoadBalancer Unified Reverse Proxy.
(Diagram: Unified Reverse Proxy in the Security layer in front of Application A, B and C, Database DBMS A, Network File System, DIRSRV and Exchange; SAN virtualization underneath with text and image databases.)

LBL LoadBalancer Unified Secure Reverse Proxy.
(Diagram: Unified Reverse Proxy plus Security in front of Application A, B and C, Remote Desktop, Network File System, Database, DIRSRV and Exchange; SAN virtualization underneath.)

LBL LoadBalancer Unified Secure Reverse Proxy.
(Diagram: Unified Secure Reverse Proxy in front of Application A, B and C, Remote Desktop, Network File System, Database, DIRSRV and Exchange; SAN virtualization underneath.)

LBL LoadBalancer Unified Secure Reverse Proxy. Run-Time security (diagram: Consumers, Dispatcher, Producers).

LBL LoadBalancer Unified Secure Reverse Proxy. Run-Time security (Consumers, Dispatcher, Producers):
1. Session cookie
2. Set-Cookie (app server generation)
3. HSTS: redirect from http to https
4. HSTS: Strict-Transport-Security injection on the response
5. Check of the body length in POST, independent of content-type / transfer-encoding
6. DoS (unique feature in today's market)
7. DDoS (unique feature in today's market)
8. DDoS iredcarpet (Application Quality of Service) (unique feature in today's market)
9. Client SSL protocols interceptor and tracing
10. SSL cipher suite and protocol enablement: global / listeners / backend
11. SSO and client certificate management
12. XSS mitigation
13. Endpoint masking
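Items 3, 4 and 5 of that list are the ones a proxy can implement as small, testable request and response filters. The block below is an added example written for this page, not LBL's code; it assumes a 64 KiB per-listener body cap and a one-year Strict-Transport-Security policy as placeholder values, and uses constructed sample bodies rather than captured traffic. The body check goes slightly beyond the slide in one respect: a request that carries both Content-Length and chunked Transfer-Encoding is rejected outright, because that is the framing ambiguity a proxy should never forward.

```python
"""Added example (not LBL's code): proxy-side versions of items 3, 4 and 5 of
the run-time security list (HSTS redirect, HSTS header injection, POST body
length check independent of content-type / transfer-encoding)."""
import io

MAX_BODY = 64 * 1024                                   # assumption: per-listener cap
HSTS_VALUE = "max-age=31536000; includeSubDomains"     # assumption: policy value


class BodyTooLarge(Exception):
    """Raised before more than the permitted number of body bytes is buffered."""


def redirect_if_plain_http(scheme, host, path):
    """Item 3: a request that arrived over plain HTTP is answered with a redirect
    to the same resource over HTTPS; returns the Location value, or None when
    the request is already HTTPS and may be proxied."""
    if scheme.lower() == "https":
        return None
    return f"https://{host}{path}"


def inject_hsts(response_headers):
    """Item 4: add Strict-Transport-Security to an HTTPS response on its way
    back to the client, leaving any value the application already set alone."""
    out = dict(response_headers)
    out.setdefault("Strict-Transport-Security", HSTS_VALUE)
    return out


def read_body(headers, stream, limit=MAX_BODY):
    """Item 5: read a request body while enforcing `limit` whether the body is
    framed by Content-Length or by chunked Transfer-Encoding, and without
    looking at Content-Type.  A request carrying both framings is rejected
    (a design choice made here, since that is the classic desync ambiguity)."""
    h = {k.lower(): v for k, v in headers.items()}
    chunked = "chunked" in h.get("transfer-encoding", "").lower()
    if chunked and "content-length" in h:
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length")
    if chunked:
        return _read_chunked(stream, limit)
    length = int(h.get("content-length", "0"))
    if length > limit:
        raise BodyTooLarge(f"declared Content-Length {length} exceeds {limit}")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("body shorter than Content-Length")
    return body


def _read_chunked(stream, limit):
    """Decode chunked framing, stopping as soon as the running total would pass
    the limit, so an oversized body is never buffered in full."""
    out = bytearray()
    while True:
        size_line = stream.readline()
        if not size_line:
            raise ValueError("truncated chunked body")
        size = int(size_line.split(b";")[0].strip(), 16)   # ignore chunk extensions
        if size == 0:
            while stream.readline() not in (b"\r\n", b""):  # skip trailers
                pass
            return bytes(out)
        if len(out) + size > limit:
            raise BodyTooLarge(f"chunked body exceeds {limit}")
        chunk = stream.read(size)
        if len(chunk) != size or stream.read(2) != b"\r\n":
            raise ValueError("malformed chunk")
        out += chunk


def body_from_bytes(headers, raw, limit=MAX_BODY):
    """Convenience wrapper: run read_body over an in-memory byte string."""
    return read_body(headers, io.BytesIO(raw), limit)


# Constructed sample bodies (not captured traffic).
SAMPLE_CHUNKED = b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
SAMPLE_PLAIN = b"hello"

if __name__ == "__main__":
    print(body_from_bytes({"Transfer-Encoding": "chunked"}, SAMPLE_CHUNKED))
    print(redirect_if_plain_http("http", "www.tcoproject.dev", "/"))
```

The point of checking the limit inside the chunk loop, rather than after decoding, is that the cap holds even when no Content-Length is declared at all; a declared Content-Length is rejected before a single body byte is read.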

LBL LoadBalancer Unified Secure Reverse Proxy. Run-Time security: DoS/DDoS attack mitigation (diagram: Consumers, Dispatcher, Producers; incoming requests classified as Least priority or Very Important Person).

LBL LoadBalancer Unified Secure Reverse Proxy. Run-Time tracing (Consumers, Dispatcher, Producers): LBL Traffic Monetizer, a transactional data aggregation engine handling tens of millions of hits per hour.

LBL Unified Reverse Proxy. Real-time traffic analysis (Consumers, Dispatcher, Producers): Attack Prophecy.

LBL Unified Reverse Proxy. Real-time reaction to run-time filtering (Consumers, Dispatcher, Producers): Attack Prophecy, SOC.

Cyber security cycle. LBL security cycle (compliance with DPCM 24 gennaio 2013): external assessment; continuous assessment; adding rules (WAF, DoS/DDoS resolver); WAF event notification to the authority; real-time interception; real-time analysis; real-time reaction; data aggregation; data collection.

LBL Traffic Monetizer: the best solution is the next-generation system (diagram: Attack Prophecy, SOC, NOC, Applications, Business).

LBL A.A.I. TARGET

LBL A.A.I. products map (LBL Application Availability Infrastructure):
- WAF Developer; WAF; Advanced Security
- LoadBalancer; Traffic; Data; Security
- BC/DR Commander; DNS & Proxy Manager
- Platform: Standard HA; Decision Engine; WorkFlow; Enterprise HA
- Selected Capacity S1, S2, S3 (each also in an HA edition)
- HA Management: Management Console
- Tracing/Security/Performance: Traffic Monetizer; Catalog; DoS/DDoS attack mitigation; Attack Prophecy; Customer Experience DB
- Embedded appliance

LBL A.A.I. DoS Attack Prevention. LBL DoS/DDoS Attack Prevention with VIP iredcarpet (diagram: incoming requests classified as Least priority or Very Important Person).

Thank you for your attention TCOGROUP S.r.l. TCO Software Group Inc. Info.usa@tcoproject.com

LBL WAF DEVELOPER (unique feature in today's market). With consumer WAF developers there are multiple implementations in the dark. With LBL WAF Developer, everything that is implemented can be deeply tested before it goes into production. Implementation times are reduced from 1000 to 1. LBL WAF Developer allows you to follow the evolution of enterprise security and SSO, quickly adapting policies with a drastic cost reduction and a GUARANTEE OF A RESULT.