Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec
![Page 1: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/1.jpg)
Secure Gate
Security Team, Datelec Networks SA
Sylvain Maret, 6.1.2000
Rev: 1.0
![Page 2: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/2.jpg)
Secure Gate ?
• Access Web-based applications from the Internet with strong encryption and authentication
![Page 3: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/3.jpg)
Customers Needs
• Access internal information from everywhere
• Access information with high security
• No specific client software
• Simple to use
• No dedicated station
• Cost effective solution
![Page 4: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/4.jpg)
Solution
• Use your internet Browser (Netscape, Microsoft, etc.) to access information
![Page 5: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/5.jpg)
But what about security ?
Figure: network diagram with an Internet browser on the Internet, a firewall, a DMZ, and Web-based internal resources behind the firewall. What should I do?
![Page 6: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/6.jpg)
Direct access using HTTP
Figure: the same diagram with the Internet browser reaching the Web-based internal resources directly over the HTTP protocol, through the firewall and DMZ.
![Page 7: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/7.jpg)
Direct access using HTTP
• Security problems:
– Data transmitted in clear (easy to snoop)
– Password sniffing
– Replay attack
– IP spoofing
– Direct access to internal networks
– Direct access to content server
![Page 8: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/8.jpg)
Direct access using HTTPS (SSL)
Figure: the same diagram with the Internet browser reaching the Web-based internal resources directly over the HTTPS protocol, through the firewall and DMZ.
![Page 9: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/9.jpg)
Direct access using HTTPS (SSL)
• Security problems:
– Direct access to internal networks
– Direct access to content server
![Page 10: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/10.jpg)
Secure Gate Solution
Figure: the Internet browser talks HTTPS to Secure Gate in the DMZ; Secure Gate talks HTTP or HTTPS through the firewall to the Web-based internal resources.
![Page 11: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/11.jpg)
Secure Gate in action
![Page 12: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/12.jpg)
How does it work ?
• Based on reverse proxy technology
Figure (reverse proxy): a client computer on the Internet sends a request to the proxy server, which sits in front of the firewall with a cache. The proxy server appears to be the content server. The proxy server uses a regular mapping to forward the client request to the internal content server, a server within the firewall.
You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
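The "regular mapping" above is the whole security boundary of the reverse proxy: only paths that appear in the mapping are forwarded, and the internal host name must never leak back to the client. The following is an added example, not Datelec's Secure Gate code; the host names and path prefixes are constructed for illustration.

```python
# Added example of a reverse-proxy path mapping (not Datelec's Secure Gate code).
from posixpath import normpath
from typing import Optional

# Constructed mapping: external path prefix -> internal content server base URL.
# Only these prefixes are reachable from the Internet; everything else is refused,
# which is what blocks "direct access to internal networks / content server".
MAPPING = {
    "/mail": "http://exchange.internal.example:80",
    "/intranet": "https://intranet.internal.example:443",
    "/intranet/hr": "https://hr.internal.example:443",
}


def resolve_upstream(path: str, mapping: dict = MAPPING) -> Optional[str]:
    """Return the internal URL to forward to, or None if the request is not mapped.

    The path is normalised first, so '/mail/../admin' becomes '/admin' and is
    refused instead of escaping the '/mail' prefix into an unmapped location.
    """
    clean = normpath("/" + path.lstrip("/"))
    # Longest prefix wins, so '/intranet/hr' is matched before '/intranet'.
    for prefix in sorted(mapping, key=len, reverse=True):
        if clean == prefix or clean.startswith(prefix + "/"):
            return mapping[prefix] + clean[len(prefix):]
    return None


def rewrite_location(location: str, external_base: str,
                     mapping: dict = MAPPING) -> str:
    """Rewrite a Location header sent by the content server back to the proxy's
    external name, so the client only ever sees the proxy (the proxy "appears
    to be the content server")."""
    for prefix, upstream in mapping.items():
        if location == upstream or location.startswith(upstream + "/"):
            return external_base + prefix + location[len(upstream):]
    return location  # not one of our internal servers: pass through unchanged


if __name__ == "__main__":
    print(resolve_upstream("/mail/inbox"))
    print(resolve_upstream("/mail/../admin"))
    print(rewrite_location("http://exchange.internal.example:80/owa/",
                           "https://gate.example.com"))
```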
![Page 13: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/13.jpg)
How does it work ?
• Based on SSL, which provides:
– Authentication = makes sure that only the authorized individual is accessing information
– Data Integrity = checks that the information comes from the authorized source, and that it has not been modified
– Confidentiality = verifies that the information transmitted is kept secret
![Page 14: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/14.jpg)
What is SSL ?
• SSL = Secure Sockets Layer
• Ancestor of TLS
• What is TLS ?
– Transport Layer Security
• Protocol that sits between the TCP/IP socket and the application
• Developed by Netscape since 1994, now maintained by the IETF
![Page 15: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/15.jpg)
What can SSL do for you ?
• Secure your data transport
– secure tunnel for applications
• Provide secured access to protected content
– better authentication mechanisms
• Reduce the risk of spoofing attacks
![Page 16: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/16.jpg)
Applications that use SSL
• e-commerce - orders
– protects contents of forms sent to server
– protects sensitive personal data
• Payments
– protects credit card information
• Secure web-based intranet access
– ensures secure transmission of confidential content
– provides authentication
![Page 17: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/17.jpg)
SSL protocol
![Page 18: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/18.jpg)
Authentication Methods supported
• Basic authentication
• External authentication with firewall
– Radius, LDAP, SecurID, etc.
• SSL Client authentication (X.509)
– certificate stored on Smart Card
– certificate stored on local host
![Page 19: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/19.jpg)
Basic authentication
• Static password
• Uses SSL to transmit the password
• User database stored on Secure Gate
• Exposed to brute-force attacks and key logging
• For low security applications
![Page 20: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/20.jpg)
Basic authentication in action
![Page 21: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/21.jpg)
External authentication
• Client authentication on the firewall
• Supports RADIUS, LDAP, TACACS, etc.*
• Supports strong authentication like SecurID, ActivCard, etc.*
• User created on the firewall
• For high security requirements (with strong authentication)
* On Check Point’s FireWall-1
![Page 22: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/22.jpg)
External authentication in action
![Page 23: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/23.jpg)
X.509 authentication
• Uses SSL client X.509 certificate
• Provides strong authentication (“something you have, something you know”)
• Requires a Certificate authority (Public or Private)
• Certificate can be stored on local host or on smart card
• For high security requirements
![Page 24: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/24.jpg)
Certificate X.509 ?
• What is a certificate ?
– Same as a passport (certifies that you are who you claim you are)
– A piece of digital information linking a name (identity) with a Public/Private Key Pair
– Delivered by a CA (internal or external)
![Page 25: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/25.jpg)
Create a user certificate for Mom
We need to unambiguously identify the user.
First, we need a unique Name: Ms Mom, CEO of dummy.com.
Next, we need a Public/Private Key Pair for the user.
![Page 26: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/26.jpg)
Certify the user
Next, we need a trusted source … who can attest to Mom’s identity … to sign a “document” that contains the Name and the Public Key.
![Page 27: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/27.jpg)
What is a certificate ?
• A signed packet of identifying attributes
• Identifying Attributes:
– Subject Name (the user being identified)
– Issuer Name (trusted source identifying the user)
– Validity Period
– Signature
– Public Key
…the same as a Credit Card ...
Serial Number: 6cb0dad0137a5fa79888f
Validity: Nov.08,1997 - Nov.08,1998
Subject / Name / Organization:
Locality = Internet
Organization = VeriSign, Inc.
Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
Organizational Unit = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
Organizational Unit = Digital ID Class 2 - Netscape
Common Name = Keith H Erskine
Email Address = [email protected]
Address = 160 Boston Rd Chelmsford
Status: Valid
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5
![Page 28: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/28.jpg)
Figure: a Digital Credit Union (DCU) credit card issued to Andrew Nash, with its attributes labelled to match those of a certificate: Issuer Name (DCU), Subject Name (the cardholder name), Validity Period (“good thru last day of 06/98”), Public Key (the card number) and Signature (the authorized signature). Credit Card attributes.
![Page 29: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/29.jpg)
SSL Client authentication
Figure (Client Side Authentication): the Web Server sends its Certificate and a Client Certificate Request to the Web Client; the Web Client answers with its Client Certificate, a Certificate Verify message and Finish.
![Page 30: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/30.jpg)
X.509 authentication in action
On the browser side:
1- Choose your Certificate
2- Enter your PIN
![Page 31: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/31.jpg)
How secure is the private key ?
Where is it stored? Local browser store, or Smart Card.
How does the user get access?
![Page 32: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/32.jpg)
Smart Card
• Provides strong authentication
• Serial, PCMCIA, USB
• Requires smart card reader...
• Solution for the future
![Page 33: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/33.jpg)
Secure Gate’s key features
• Security protocols
– SSL version 2.0, 3.0
– TLS version 1.0
• Ciphers and Algorithms
– Key exchange: RSA
– Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
– Hashes: MD5, SHA-1
![Page 34: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/34.jpg)
Secure Gate’s key features
• Fully supports VeriSign Global Server IDs (128-bit encryption for every browser)
• Supports hardware cryptographic accelerators
– nCipher
![Page 35: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/35.jpg)
Secure Gate Bundle
• Reverse proxy SSL software (Stronghold)
• Sun Ultra 10 station or better
• Solaris 2.6 secured by Datelec
• SSH server and client for management
• Backup solution
• Documentation
• Options: disk mirroring
![Page 36: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/36.jpg)
Secure Gate Applications
• Consult e-mail systems like Microsoft Exchange, Lotus, Netscape, etc.
• Access the Intranet
• Access hosts (3270, 5250, VT, etc.) through Web-to-host
• etc.
![Page 37: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/37.jpg)
Availability
NOW (Q1 2000)
![Page 38: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec](https://reader036.fdocuments.us/reader036/viewer/2022081421/555a08a5d8b42aa8098b53e2/html5/thumbnails/38.jpg)
Questions ?
???