1. CONFIDENTIAL & PROPRIETARY 1 WAF and Identity and Access Management Integration The Next Step in the Evolution of Application Security Best Practices Jan Poczobutt jpoczobutt@barracuda.com

2. CONFIDENTIAL & PROPRIETARY 2 Evolution Phase 0: Control The Connection Everything focused on controlling the connection Proxy connections are everywhere No direct connections to backend servers Multi-Zone Architecture Defining what is allowed or not allowed in each layer Network firewalls everywhere controlling connections between zones Who talks to whom Where they are allowed to come from If you can keep the “bad” connections out, put everything into zones and then control access between zones, then life will be good!

3. CONFIDENTIAL & PROPRIETARY 3 Evolution Phase 1.0: Prevent interception in route Content can get intercepted in route and modified/compromised Especially true as traffic gets sent out over the Internet Proliferation of public facing applications for customers and partners Encryption of content in route seen as solution to this problem Use SSL on anything & everything with sensitive info or data We already control connections, now all we need to do is make sure traffic does not get hijacked in route and life will be good!

4. CONFIDENTIAL & PROPRIETARY 4 Evolution Phase 2.0: Inspection of Application Content Rise of Application Layer attacks Hackers shift tactics to exploit new weak link 70-90% of attacks focused on app layer attacks These new attacks are “invisible” to NW Firewalls Port 80 & 443 traffic needs to be passed through The Rise of the Web App Firewall (WAF) Can inspect application layer content Block malicious content New phrase: “Do you block OWASP Top 10?” We already control connections and ensure traffic does not get hijacked in route, now all we need to do is inspect application layer content and life will be good!

5. CONFIDENTIAL & PROPRIETARY 5 So What’s Next? The world continues to change and the bad guys continue to change what they do. Requirements and deployments continue to evolve No more controlled access points or access devices BYOD for Corp B to B apps Explosion of access devices (mobile, etc) for B to C Separation of Identity and access management from application logic Single Sign on systems outside traditional application logic P.S. There is no silver bullet! Let’s try looking at the different systems and solutions we have in place to see if integration and “better together” approaches delivers any benefits to us?

6. CONFIDENTIAL & PROPRIETARY 6 Servers Perimeter SSL Accelerators Security Web & XML Caching Barracuda Web Application Firewalls Load Balancing Access Control Consolidation Drives ArchitectureEvolution

7. CONFIDENTIAL & PROPRIETARY 7 Why Integrate your WAF & IAM Systems? Where’s the best place to verify & control user access? When they first enter your network WAF in Reverse Proxy at the edge of the network is perfectly positioned for this Inspect content AND verify users before passing anything back Proxy connection provides isolation from backends as well as better ability to manage the user connections to various apps/sites Holistic view and reporting to easily identify issues Simpler deployment architecture Simpler is better Less complexity to manage Cost reductions from fewer agents & operational effectiveness

8. CONFIDENTIAL & PROPRIETARY 8 More Than Just A WAF Barracuda Networks Confidential 8 Single Sign OnAuthorization Authentication Reporting Barracuda Web Application Firewall Intelligent Integration

9. CONFIDENTIAL & PROPRIETARY 9 Non-Integrated Approach Barracuda Networks Confidential 9 Start Page Internet Business Partner Barracuda Web App Firewall External Authentication System LDAP, RADIUS… 1. Initial Access 2. Please Supply User – ID: Password: 3. User supplies Credentials 5. Access after successful sign on 4. DB verification

10. CONFIDENTIAL & PROPRIETARY 10 Integration between WAF & IAM Barracuda Networks Confidential 10 Start Page Internet Business Partner Barracuda Web App Firewall External Authentication System LDAP, RADIUS… 1. Initial Access 2. Please Supply User – ID: Password: 3. User supplies Credentials 5. Access after successful sign on 4. DB verification Barracuda Web Application Firewall Proxies Authentication No access to back end Service until sign on is complete User DB Internal BWF Stored User Database (for Lab, etc.) Accesses Corporate Database for production: LDAP, RADIUS Client Certificates Digital certificate based authentication can Also be used for additional security.

11. CONFIDENTIAL & PROPRIETARY 11 Authentication Local User Database Estore application Admin Portal www.estore.com/purchase/ www.estore.com/admin Authentication / Authorization Administrator Customers LDAP / RADIUS Database Barracuda Networks Confidential Single factor or multi factor authentication One time password LDAP / RADIUS integration Client Certificates RSA SecurID® CA SiteMinder®

12. CONFIDENTIAL & PROPRIETARY 12 Local User Database Estore application Admin Portal www.estore.com/purchase/ www.estore.com/admin Authentication / Authorization Administrator Customers LDAP / RADIUS Database Barracuda Networks Confidential Based on roles / groups Granular control for different sections of the application Authorization

13. CONFIDENTIAL & PROPRIETARY 13 Local User Database Airlines application Rentals Portal www.airlines.com www.rentals.com Authentication / Authorization Customers LDAP / RADIUS Database Barracuda Networks Confidential Single domain / Multi domain SSO Integration with SiteMinder for comprehensive solution Single Sign On

14. CONFIDENTIAL & PROPRIETARY 14 Barracuda Networks Confidential 14 Reporting Detailed Logs and reports Integration with SIEM tools ArcSight Splunk RSA enVision

15. CONFIDENTIAL & PROPRIETARY 15 What are your next evolutionary steps? Thank You!