White Paper Secure Reverse Proxy Server and Web Application Firewall



Similar documents
WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Web Application Security

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Application Firewall Overview. Published: February 2007 For the latest information, please see

Guidelines for Web applications protection with dedicated Web Application Firewall

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Where every interaction matters.

Check list for web developers

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Adobe Systems Incorporated

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Reverse Proxy for Trusted Web Environments > White Paper

Specific recommendations

The Top Web Application Attacks: Are you vulnerable?

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Recommended Practice Case Study: Cross-Site Scripting. February 2007

{ipad Security} for K-12. Understanding & Mitigating Risk. plantemoran.com

Information Technology Policy

What is Web Security? Motivation

How To Manage Web Content Management System (Wcm)

The Benefits of SSL Content Inspection ABSTRACT

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Imperva s Response to Information Supplement to PCI DSS Requirement Section 6.6

Achieving PCI Compliance Using F5 Products

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Sitefinity Security and Best Practices

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Basic & Advanced Administration for Citrix NetScaler 9.2

SiteCelerate white paper

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Application Security Testing

How To Protect A Web Application From Attack From A Trusted Environment

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Barracuda Web Site Firewall Ensures PCI DSS Compliance

PortWise Access Management Suite

Solutions for Web. Citrix NetScaler

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Hack Proof Your Webapps

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

IJMIE Volume 2, Issue 9 ISSN:

Rational AppScan & Ounce Products

NSFOCUS Web Vulnerability Scanning System

Guideline on Auditing and Log Management

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

White paper. Keys to SAP application acceleration: advances in delivery systems.

WHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6

Application Security Made in Switzerland

HTTPS Inspection with Cisco CWS

How To Secure An Rsa Authentication Agent

Data Security and Governance with Enterprise Enabler

WEB ATTACKS AND COUNTERMEASURES

Barracuda Web Application Firewall vs. Intrusion Prevention Systems (IPS) Whitepaper

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

F5 and Microsoft Exchange Security Solutions

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

Web Application Security. Radovan Gibala Senior Field Systems Engineer F5 Networks

Ovation Security Center Data Sheet

Using Palo Alto Networks to Protect the Datacenter

Web Application Security 101

OWASP Top Ten Tools and Tactics

Building A Secure Microsoft Exchange Continuity Appliance

The Key to Secure Online Financial Transactions

F5 Silverline Web Application Firewall Onboarding: Technical Note

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Inspection of Encrypted HTTPS Traffic

Cloud Security:Threats & Mitgations

Essential IT Security Testing

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Troux Hosting Options

Protect Your Business and Customers from Online Fraud

External Supplier Control Requirements

The Hillstone and Trend Micro Joint Solution

REPORT & ENFORCE POLICY

Ovation Security Center Data Sheet

Locking down a Hitachi ID Suite server

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

OWASP AND APPLICATION SECURITY

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

App-ID. PALO ALTO NETWORKS: App-ID Technology Brief

Proxies. Chapter 4. Network & Security Gildas Avoine

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

NetScaler: A comprehensive replacement for Microsoft Forefront Threat Management Gateway

BYOD Guidance: Architectural Approaches

REAL-TIME WEB APPLICATION PROTECTION. AWF SERIES DATASHEET WEB APPLICATION FIREWALL

Penetration Testing Service. By Comsec Information Security Consulting

The Application Delivery Controller Understanding Next-Generation Load Balancing Appliances

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

SANS Top 20 Critical Controls for Effective Cyber Defense

White Paper. What the ideal cloud-based web security service should provide. the tools and services to look for

SonicWALL Clean VPN. Protect applications with granular access control based on user identity and device identity/integrity

CompTIA Security+ (Exam SY0-410)

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Transcription:

White Paper Secure Reverse Proxy Server and Web Application Firewall

2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security solution Convenient, reliable configuration Ergon Informatik AG, May 2010, Revision 1.0. The information contained within this document is confidential and proprietary to Ergon Informatik AG. No portion of this document may be copied, distributed, publicised or used for other than internal documentary purposes without the written consent of an official representative of Ergon Informatik AG. All specifications are subject to change without notice. Ergon Informatik AG assumes no responsibility for any inaccuracies in this document. Ergon Informatik AG reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Airlock is a registered trademark of Ergon Informatik AG.

3 Losing control The Internet allows sensitive data and transactions to be accessed directly using electronic means. Web applications are vulnerable at many different levels, even when priority has been given to addressing security at the development stage. The complexity of the attack scenarios and the increasing number of vulnerabilities in Web applications is leading to loss of control and extremely high levels of risk. Internet attackers have both commercial and criminal motivation. Systems that fall victim to a successful attack can deliver valuable data and make it possible to manipulate transactions, as well as providing the ideal platform for distributing malicious software (malware, viruses, Trojans) to unsuspecting users. The consequences of an attack may include identity theft, access to confidential data, falsified transactions, poor availability and serious damage to an organisation s reputation. The challenge facing companies today is how to get a handle on the security measures necessary to meet with compliance requirements and to guarantee the security of applications and data, with an acceptable expenditure of time, effort and money. Online accessibility means vulnerability When Web applications are developed, the primary focus is on business processes, not protection against attacks. In the best-case scenario, developers can take some action to mitigate against known modes of attack. As soon as the application is up and running in a live environment and new, previously unknown types of attack are deployed, it becomes necessary to apply security patches and updates to every application. An equally big challenge is faced by staff tasked with maintaining security: Web applications constantly reveal different weaknesses and are continuously bombarded with new attacks. Cross-site request forgery Session hijacking Forceful browsing Cross-site scripting Cookie tampering Communication interception Path traversal Unauthorized access Injections Identity theft

4 Regain control with a central access point Because it acts as a central access point, Airlock gives staff responsible for security an important tool for maintaining control over their systems. Web applications and Web services are protected proactively. All requests and data are monitored at all times. Where necessary, specific URLs can be blocked. Operating as both a secure reverse proxy server and Web application firewall, Airlock offers a unique combination of protection mechanisms. All access attempts are systematically controlled and filtered at every layer. Moreover, Airlock can also force user authentication while allowing single sign-on and offering SSL VPN access. All important information is available through a range of monitoring and reporting functions. As the only Web application security solution on the market, Airlock covers every aspect of protecting and optimizing the complete Web environment. Strategic security solution A successful attack requires just a single vulnerability, which could be in any layer. Therefore, to be effective a Web applications security solution must provide simultaneous coverage in every relevant layer. TCP/IP termination Virtualisation Flow control / rewriting Reverse proxy Load balancing Compression / clustering availability Encryption Offloading Black-/whitelist Protocols / SOAP XML cookies SSL termination Multi-level filtering Application security Access control Authentication Management Secure session handling Delivery & reports Adminitsration Monitoring & Tracking Anti-Hijacking Log analysis Statistics - alerting / audit Secure OS / configuration Operation / deployment Authentication / authorisation Single sign-on / IAM

5 Secure communication Operating as a reverse proxy server, Airlock actively ensures that all data connections that need protecting are encrypted and integrity-protected. By taking over this function, Airlock removes a heavy load from the Web and application servers. This results in increased application availability and performance and ensures that communications channels remain consistently secure. Authentication and user sessions When it comes to applications that require authentication of users, from a security perspective the issues of authentication and secure session control are much more important than any filter. Airlock therefore provides the ability to authenticate users upstream and conduct user sessions in a secure manner. This prevents anonymous connections to the application servers per se, thereby drastically reducing the scope of potential attacks. From a security point of view, decoupling authentication from the application logic is an important consideration. Airlock achieves this neatly, while still allowing the flexibility to choose an authentication method. B2B client (Web services) Internet Firewall ICAP e.g. malware scanner Airlock e-business, e-government e.g. SAP, Oracle Web services e.g. SharePoint Remote access e.g. SSH, RDT Authentication Service User Directories

6 Access Control Users should not necessarily be permitted to do everything, even after they have been authenticated. In combination with the preceding authentication, Airlock ensures at all times that users are only able to use those applications and functions for which they have authorisation. Working in conjunction with various different applications, single sign-on scenarios can be implemented that are highly attractive to users but do not compromise on the necessary security. Filtering and acceleration Web applications and Web services are nothing more than electronic interfaces to data and transactions. Because the browser displays the actual user application, attackers are able to communicate far too freely with the application server, allowing them to exploit vulnerabilities. Airlock functions as a central access point and performs strict filtering on all requests and data. Only requests that the system determines to be valid are passed to the application server. To determine the validity of requests, Airlock employs a range of techniques, including highly dynamic security functions: Whitelist filter Blacklist filter Character ncoding and Unicode verification Cookie protection Protocol validation and rebuilding URL encrypting SSL termination Smart form protection Network filter level Response content filter Content rewriting

7 Dynamic filter mechanisms, such as URL encryption, HTML form signatures and dynamic whitelists, offer the advantage that the Airlock filter configuration is automatically adapted to the application. Even if URLs change or parameters are renamed, the security checks will remain valid without the need to reconfigure any filters. Statically generated filter rules cannot respond to the dynamic behaviour of modern Web applications, even when they are generated using a so-called «learning mode». Special techniques for network connection handling and support for real-time compression over HTTP/S deliver an additional level of acceleration that is noticeable to the user. The bandwidth requirement for the use of Web applications is also similarly reduced. Virtualization of the Web presence The internal architecture of a DMZ and the Web environment is often visible from the outside due to a lack of suitable precautions. This offers a potential attacker avoidable opportunities to easily obtain information. Thanks to the comprehensive reverse proxy functionality provided by Airlock, which also supports full rewriting of HTML and any other content, the Web environment that is presented to the outside world is fully virtualized. This makes the system extremely user-friendly, while at the same time reducing the size of the target exposed to attack. Load-balancing and failover Additional security features for Web applications only really make sense when the availability of services can also be increased. Instead of having solutions for handling requests and sessions distributed across different application serves, Airlock offers this functionality directly. Indeed, functionality to ensure high availability of Airlock itself is also integrated into the system (failover cluster). «By using dynamic filter mechanisms, the Airlock filter configuration automatically adapts itself to the application. Even if URLs change or parameters are renamed, the security checks will remain valid without any need to reconfigure filters.»

8 Monitoring and reporting Eliminating the need to fly blind is one of the greatest challenges that must be overcome when implementing security solutions. Because Airlock addresses every relevant layer of the system, it offers an unrivalled quality of data for use in reports and interactive monitoring. Whenever Airlock detects a security breach, all relevant data is immediately made available in the graphical reporting and monitoring tool. This information includes, for example, which user caused the breach during which session and what other actions that user carried out before and after the breach. Flexible integration with associated systems A central security solution does not operate as an isolated system, but rather interacts with numerous associated systems such as monitoring systems and user directories. In order to ensure that it integrates seamlessly with these other systems, Airlock operates at the protocol level and offers standardised interfaces The Airlock authentication service incorporates the most up-to-date authentication techniques and, whenever necessary, can easily be linked to any other authentication services that may be required.

Convenient, reliable configuration Security solutions are often difficult to administer. The Web administration interface for Airlock was developed from the ground up to ensure that the system configuration process was convenient and reliable. Virtual hosts are linked graphically with mappings and back-end hosts. This means that it is always easy to get a good overview of the Web environment as it is presented to the outside user. A variety of administrator roles means that access powers can be separated. The system maintains a configuration version history, allowing rollback to a previous state to be carried out whenever needed. Various assistance features, such as the real-time regular expression tester and integrated comment fields, help simplify the configuration process and reduce overheads.

Leading international security solution Airlock protects Web applications and Web services against attacks and provides sustainable, centrally monitored security. 200 customers in 8 countries already protect over 5000 applications with Airlock. Ergon delivers specialist IT excellence with a clear focus on customer advantage. The company leads the field in the implementation of customised applications and is an established producer of software products. Ergon Informatik AG Kleinstrasse 15 CH-8008 Zurich Tel.: +41 44 268 89 00 Fax: +41 44 261 27 50 www.ergon.ch

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information