Slide 1: WAF and Identity and Access Management Integration
The Next Step in the Evolution of Application Security Best Practices
Jan Poczobutt, Barracuda Networks
CONFIDENTIAL & PROPRIETARY

Slide 2: Evolution Phase 0: Control the Connection
- Everything focused on controlling the connection:
  - Proxy connections everywhere; no direct connections to backend servers
  - Multi-zone architecture, defining what is and is not allowed in each layer
  - Network firewalls everywhere, controlling connections between zones: who talks to whom, and where they are allowed to come from
- The assumption: if you can keep the "bad" connections out, put everything into zones and control access between zones, then life will be good.

Slide 3: Evolution Phase 1.0: Prevent Interception in Transit
- Content can be intercepted in transit and read, modified or compromised, especially once traffic is sent over the Internet
- Proliferation of public-facing applications for customers and partners
- Encryption of content in transit seen as the solution to this problem: use SSL (today TLS) on anything and everything carrying sensitive information or data
- The assumption: we already control connections; now all we need to do is make sure traffic is not hijacked in transit, and life will be good.

Slide 4: Evolution Phase 2.0: Inspection of Application Content
- Rise of application-layer attacks: attackers shift tactics to exploit the new weak link; an estimated 70-90% of attacks target the application layer
- These attacks are "invisible" to network firewalls, which must let port 80 and 443 traffic through
- The rise of the Web Application Firewall (WAF): inspects application-layer content and blocks malicious requests
- New question: "Do you block the OWASP Top 10?"
- The assumption: we already control connections and ensure traffic is not hijacked in transit; now all we need to do is inspect application-layer content, and life will be good.

Slide 5: So What's Next?
- The world continues to change, and the bad guys continue to change what they do
- Requirements and deployments continue to evolve:
  - No more controlled access points or access devices: BYOD for corporate and B2B applications
  - Explosion of access devices (mobile, etc.) for B2C
  - Separation of identity and access management from application logic: single sign-on systems outside the traditional application code
- P.S. There is no silver bullet!
- Let's look at the different systems and solutions we already have in place and see whether integration, a "better together" approach, delivers any benefits.

Slide 6: Consolidation Drives Architecture Evolution
[Diagram: functions once spread across separate perimeter devices (SSL accelerators, security, web and XML caching, load balancing, access control) consolidated into the Barracuda Web Application Firewall in front of the servers]

Slide 7: Why Integrate Your WAF and IAM Systems?
- Where is the best place to verify and control user access? When users first enter your network
- A WAF deployed as a reverse proxy at the edge of the network is positioned exactly there: inspect content AND verify users before passing anything to the backend
- The proxied connection isolates the backends and gives better control over user connections to the various applications and sites
- Holistic view and reporting make it easier to identify issues
- Simpler deployment architecture: simpler is better, with less complexity to manage
- Cost reductions from fewer agents and greater operational effectiveness

Slide 8: More Than Just a WAF
[Diagram: the Barracuda Web Application Firewall at the centre, with Authentication, Authorization, Single Sign-On and Reporting around it, labelled "Intelligent Integration"]

Slide 9: Non-Integrated Approach
[Diagram: a business partner on the Internet, the Barracuda Web App Firewall, the application's start page, and an external authentication system (LDAP, RADIUS, ...)]
1. Initial access
2. The application prompts: please supply user ID and password
3. User supplies credentials
4. Database verification
5. Access after successful sign-on
The WAF only forwards traffic here; the application behind it prompts for credentials and verifies them against the external system, so unauthenticated requests already reach the backend.

Slide 10: Integration between WAF and IAM
[Same diagram, with the Barracuda Web Application Firewall performing steps 2 through 4]
1. Initial access
2. The WAF prompts: please supply user ID and password
3. User supplies credentials
4. Database verification
5. Access after successful sign-on
- The Barracuda Web Application Firewall proxies authentication: no access to the backend service until sign-on is complete
- User database: an internal, BWF-stored user database (for lab use, etc.), or the corporate directory for production (LDAP, RADIUS)
- Client certificates: digital-certificate-based authentication can also be used for additional security

Slide 11: Authentication
[Diagram: an administrator and customers reaching the admin portal and an e-store application through the WAF's authentication/authorization layer, backed by a local user database or an LDAP/RADIUS database]
- Single-factor or multi-factor authentication
- One-time passwords
- LDAP / RADIUS integration
- Client certificates
- RSA SecurID®
- CA SiteMinder®

Slide 12: Authorization
[Same diagram as slide 11]
- Based on roles / groups
- Granular control for different sections of the application

Slide 13: Single Sign-On
[Diagram: customers reaching an airlines application and a rentals portal through one authentication/authorization layer, backed by a local user database or an LDAP/RADIUS database]
- Single-domain or multi-domain SSO
- Integration with SiteMinder for a comprehensive solution
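The proxied authentication of slide 10, the group-based, per-section authorization of slide 12, the one session that serves several applications in slide 13 and the audit events of slide 14, modelled together as an added example. This is illustrative code written for this page, not Barracuda's implementation or configuration. It assumes a hypothetical session cookie named WAFSESSION, a constructed local user store standing in for the LDAP/RADIUS directory, a 15-minute idle timeout and a path-prefix policy table; the backend itself, client certificates and the SiteMinder integration are out of scope.

```python
"""Model of a reverse-proxy WAF that authenticates and authorizes users before any request
reaches a backend. Added illustration, not Barracuda's code. The local user store, the cookie
name, the timeout and the policy table are constructed assumptions."""
import hashlib
import hmac
import posixpath
import secrets
import time
from urllib.parse import quote, unquote

COOKIE = "WAFSESSION"   # hypothetical name of the session cookie the proxy sets
SESSION_TTL = 900       # idle seconds before a session is dropped (assumption)
AUDIT_LOG = []          # events a SIEM (ArcSight, Splunk, ...) would ingest


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(password, groups):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pw_hash(password, salt), "groups": frozenset(groups)}


# Constructed stand-in for the "local user database"; production would query LDAP/RADIUS.
USERS = {
    "alice": _make_user("correct horse", ["customers"]),
    "bob": _make_user("battery staple", ["administrators"]),
}

# Authorization policy: the first matching entry wins, so specific sections come before "/".
POLICY = [
    ("/admin", {"administrators"}),
    ("/airlines", {"customers", "administrators"}),
    ("/rentals", {"customers", "administrators"}),
    ("/", {"customers", "administrators"}),
]


def audit(event, **fields):
    AUDIT_LOG.append({"ts": time.time(), "event": event, **fields})


def authenticate(username, password):
    """Verify a credential pair; returns the user's groups, or None on failure."""
    user = USERS.get(username)
    # Always run the hash so unknown and known usernames take the same time.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _pw_hash(password, salt)
    if user and hmac.compare_digest(candidate, user["hash"]):
        audit("login_success", user=username)
        return user["groups"]
    audit("login_failure", user=username)
    return None


def login(sessions, username, password, now=None):
    """Steps 3 and 4 of slide 10: verify credentials and mint a fresh, random session id."""
    groups = authenticate(username, password)
    if groups is None:
        return None
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": username, "groups": groups,
                     "last_seen": time.time() if now is None else now}
    return sid


def _session_for(sessions, request, now):
    sid = request.get("cookies", {}).get(COOKIE)
    sess = sessions.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL:
        del sessions[sid]
        audit("session_expired", user=sess["user"])
        return None
    sess["last_seen"] = now
    return sess


def _matches(path, prefix):
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def gate(sessions, request, now=None):
    """Decide for one request: redirect to login, deny (403), or forward to the backend."""
    now = time.time() if now is None else now
    # Decode and normalize before matching so "/airlines/%2e%2e/admin" is judged as "/admin".
    path = posixpath.normpath(unquote(request["path"]))
    sess = _session_for(sessions, request, now)
    if sess is None:
        audit("unauthenticated", path=path)
        return {"action": "redirect", "status": 302,
                "location": "/login?next=" + quote(path, safe="")}
    for prefix, allowed in POLICY:
        if _matches(path, prefix):
            if sess["groups"] & allowed:
                audit("forward", user=sess["user"], path=path)
                return {"action": "forward", "status": 200, "path": path,
                        "headers": {"X-Remote-User": sess["user"],
                                    "X-Remote-Groups": ",".join(sorted(sess["groups"]))}}
            break
    audit("denied", user=sess["user"], path=path)
    return {"action": "deny", "status": 403}
```

The backend must accept X-Remote-User only from the proxy, and the proxy must strip any copy a client sends, otherwise the identity header becomes an injection point. Decoding and normalizing the path before the policy lookup is what keeps the per-section rules of slide 12 from being bypassed with encoded dot-segments, and minting a new random session id at login (never reusing a client-supplied one) is what prevents session fixation at the proxy.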

Slide 14: Reporting
- Detailed logs and reports
- Integration with SIEM tools: ArcSight, Splunk, RSA enVision

Slide 15: What Are Your Next Evolutionary Steps?
Thank You!