Secure Gate / Reverse Proxy - first-generation WAF / Datelec
- 2. Secure Gate? Access web-based applications from the Internet with strong encryption and authentication
- 3. Customer needs
  - Access internal information from everywhere
  - Access information with high security
  - No specific client software
  - Simple to use
  - No dedicated station
  - Cost-effective solution
- 4. Solution: use your Internet browser (Netscape, Microsoft, etc.) to access information
- 5. But what about security? What should I do? [Diagram: Internet Browser, Internet, Firewall, DMZ, Web-based Internal Resources]
- 6. Direct access using HTTP [Diagram: Internet Browser, Internet, Firewall, DMZ, Web-based Internal Resources, with the HTTP protocol used end to end]
- 7. Direct access using HTTP: security problems
  - Data transmitted in clear (easy to snoop)
  - Password sniffing
  - Replay attack
  - IP spoofing
  - Direct access to internal networks
  - Direct access to the content server
- 8. Direct access using HTTPS (SSL) [Diagram: Internet Browser, Internet, Firewall, DMZ, Web-based Internal Resources, with the HTTPS protocol used end to end]
- 9. Direct access using HTTPS (SSL): security problems
  - Direct access to internal networks
  - Direct access to the content server
- 10. Secure Gate solution [Diagram: Internet Browser, Internet, HTTPS to Secure Gate in the DMZ behind the Firewall, then HTTP or HTTPS to the Web-based Internal Resources]
- 12. How does it work? Based on reverse proxy technology [Diagram: Firewall, Cache]
  - Server within a firewall
  - The proxy server appears to be the content server
  - A client computer on the Internet sends a request to the proxy server
  - The proxy server uses a regular mapping to forward the client request to the internal content server
  - You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
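As an added example (not Secure Gate's or Stronghold's own code; the hostnames and the mapping table are constructed placeholders), the mapping step in Python: the proxy forwards only request paths that match a configured mapping and refuses everything else, which is what keeps the internal content server from being reachable directly.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed mapping table (placeholder hostnames, not real Secure Gate
# configuration): public path pattern -> internal content server.
# Group 1 captures the remainder of the path that is forwarded.
MAPPINGS = [
    (re.compile(r"^/mail(/.*)?$"), "http://mail.internal.example"),
    (re.compile(r"^/intranet(/.*)?$"), "http://intranet.internal.example"),
]


def normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments so the mapping is applied to the
    path the backend would actually see, not to a disguised one."""
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def forward_target(request_target: str) -> Optional[str]:
    """Return the internal URL the proxy forwards to, or None when the
    request matches no mapping: unmapped resources, and absolute-form
    requests that name an internal host, are refused at the proxy."""
    parts = urlsplit(request_target)
    if not request_target.startswith("/") or parts.scheme or parts.netloc:
        return None  # origin-form only; the client never picks the host
    path = normalize_path(parts.path)
    for pattern, backend in MAPPINGS:
        m = pattern.match(path)
        if m:
            remainder = m.group(1) or "/"
            query = "?" + parts.query if parts.query else ""
            return backend + remainder + query
    return None
```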
- 13. How does it work? Based on SSL, which provides
  - Authentication = makes sure that only the authorized individual is accessing information
  - Data integrity = checks that the information comes from the authorized source and that it has not been modified
  - Confidentiality = verifies that the information transmitted is kept secret
- 14. What is SSL? SSL = Secure Sockets Layer, the ancestor of TLS. What is TLS? Transport Layer Security, a protocol that sits between the TCP/IP socket and the application; developed since 1994 by Netscape and now by the IETF.
- 15. What can SSL do for you?
  - Secure your data transport: a secure tunnel for applications
  - Provide secured access to protected content: better authentication mechanisms
  - Reduce the risk of spoofing attacks
- 16. Applications that use SSL
  - E-commerce orders: protects the contents of forms sent to the server; protects sensitive personal data
  - Payments: protects credit card information
  - Secure web-based intranet access: ensures secure transmission of confidential content; provides authentication
- 18. Authentication methods supported
  - Basic authentication
  - External authentication with the firewall (Radius, LDAP, SecurID, etc.)
  - SSL client authentication (X.509): certificate stored on a smart card or on the local host
- 19. Basic authentication
  - Static password
  - Uses SSL to transmit the password
  - User database stored on Secure Gate
  - Exposed to brute-force attacks or key logging
  - For low-security applications
- 21. External authentication
  - Client authentication on the firewall
  - Supports Radius, LDAP, TACACS, etc.*
  - Supports strong authentication like SecurID, ActivCard, etc.*
  - Users created on the firewall
  - For high security requirements (with strong authentication)
  - * On Check Point's FireWall-1
- 23. X.509 authentication
  - Uses an SSL client X.509 certificate
  - Provides strong authentication ("something you have, something you know")
  - Requires a certificate authority (public or private)
  - Certificate can be stored on the local host or on a smart card
  - For high security requirements
- 24. X.509 certificate? What is a certificate?
  - The same as a passport (certifies that you are who you claim you are)
  - Digital information linking a name (identity) with a public/private key pair
  - Delivered by a CA (internal or external)
- 25. Create a user certificate for Mom. We need to unambiguously identify the user: first, we need a unique name; next, we need a public/private key pair for the user, Ms Mom, CEO of dummy.com.
- 26. Certify the user. Next, we need a trusted source, one who can attest to Mom's identity, to sign a "document" that contains the name and the public key.
- 27. What is a certificate? A signed packet of identifying attributes. Identifying attributes: Subject Name (the user being identified), Issuer Name (the trusted source identifying the user), Validity Period, Signature, Public Key: the same as a credit card. Example certificate:
  - Serial Number: 6cb0dad0137a5fa79888f
  - Validity: Nov 08, 1997 - Nov 08, 1998
  - Subject / Name / Organization:
    - Locality = Internet
    - Organization = VeriSign, Inc.
    - Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
    - Organizational Unit = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
    - Organizational Unit = Digital ID Class 2 - Netscape
    - Common Name = Keith H Erskine
    - Email Address = kerskine@ne.mediaone.net
    - Unstructured Address = 160 Boston Rd Chelmsford
  - Status: Valid
  - Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
  - Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5
- 28. Credit card attributes [Figure: a credit card with the corresponding certificate attributes labelled: Validity Period, Signature, Issuer Name, Subject Name, Public Key. Card text: Digital Credit Union DCU, Andrew Nash, GOOD THRU LAST DAY OF 06/98, 5867 9506 3461 1920, AUTHORIZED SIGNATURE Andrew K Nash]
- 29. SSL client authentication [Sequence diagram between Web Client and Web Server, client-side authentication; message labels: Certificate, Request Certificate, Client Certificate, Verify Client Certificate, Finish]
- 31. How secure is the private key? How does the user get access? PIN or password. Where is it stored? Local browser store or smart card.
- 32. Smart card
  - Provides strong authentication
  - Serial, PCMCIA, USB
  - Requires a smart card reader...
  - Solution for the future
- 33. Secure Gate's key features
  - Security protocols: SSL version 2.0 and 3.0, TLS version 1.0
  - Ciphers and algorithms: key exchange RSA; symmetric ciphers DES 56, 3DES 168, RC4, RC2, IDEA 128; hashes MD5, SHA-1
- 34. Secure Gate's key features: fully supports VeriSign Global Server IDs (128 bits for every browser); supports hardware cryptographic accelerators (nCipher)
- 35. Secure Gate bundle
  - Reverse proxy SSL software (Stronghold)
  - Sun Ultra 10 station or better
  - Solaris 2.6 secured by Datelec
  - SSH server and client for management
  - Backup solution
  - Documentation
  - Options: disk mirroring
- 36. Secure Gate applications
  - Consult email systems like Microsoft Exchange, Lotus, Netscape, etc.
  - Access the intranet
  - Access hosts (3270, 5250, VT, etc.) via web-to-host
  - etc.