Secure Gate
Security Team, Datelec Networks SA. Sylvain Maret, 6.1.2000, Rev. 1.0
Secure Gate?
- Access web-based applications from the Internet with strong encryption and authentication
Customer needs
- Access internal information from everywhere
- Access information with high security
- No specific client software
- Simple to use
- No dedicated station
- Cost-effective solution
Solution
- Use your Internet browser (Netscape, Microsoft, etc.) to access the information
But what about security? What should I do?
[Diagram: Internet browser - Internet - Firewall - DMZ - web-based internal resources]
Direct access using HTTP
[Diagram: the browser reaches the web-based internal resources through the firewall, with plain HTTP end to end]
Direct access using HTTP: security problems
- Data transmitted in clear (easy to snoop)
- Password sniffing
- Replay attack
- IP spoofing
- Direct access to internal networks
- Direct access to the content server
Direct access using HTTPS (SSL)
[Diagram: same path, with HTTPS end to end]
Direct access using HTTPS (SSL): remaining security problems
- Direct access to internal networks
- Direct access to the content server
(SSL protects the data in transit, not the server that the outside world can now reach directly)
Secure Gate solution
[Diagram: Internet browser - HTTPS - Internet - Firewall - Secure Gate in the DMZ - HTTP or HTTPS - web-based internal resources]
Secure Gate in action
How does it work? Based on reverse proxy technology
- The proxy server sits in the DMZ, inside the firewall
- To the client, the proxy server appears to be the content server
- A client computer on the Internet sends its request to the proxy server
- The proxy server uses a fixed mapping (public URL to internal server) to forward the client request to the internal content server, and can cache the response
- The firewall router is configured to allow one specific server on one specific port (here: the proxy on its assigned port) through to the internal content server, without allowing any other machine in or out
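The mapping rule above in working form, as an added example (not the product's own code; Secure Gate ships Stronghold, an Apache-based server): a small Python reverse proxy that forwards only the URL prefixes listed in a fixed table to the matching internal server, refuses every other path (including `..` tricks that try to jump from one prefix into another), strips hop-by-hop headers, and rewrites internal redirect targets back to the public name. The route table, the internal host names and ports, and the public origin `https://gate.example.com` are assumptions.

```python
"""Reverse proxy with a fixed URL-prefix mapping (added example, not Secure Gate code)."""
import http.client
import posixpath
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed route table: public path prefix -> (scheme, internal host, port).
# Only these prefixes are reachable; every other path is refused, so the
# proxy cannot be used as an open relay into the internal network.
ROUTES = {
    "/mail/": ("http", "exchange.internal.example", 80),
    "/intranet/": ("http", "intranet.internal.example", 8080),
}
PUBLIC_ORIGIN = "https://gate.example.com"   # assumed external name of the gateway

# Hop-by-hop headers (RFC 2616 13.5.1) belong to one connection and must not be relayed;
# Content-Length is recomputed for the response we send.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "content-length"}


def map_request(path):
    """Return (prefix, scheme, host, port, upstream_path) for a public path, or None if unmapped."""
    path_only, sep, query = path.partition("?")
    clean = posixpath.normpath(path_only)          # collapses '..' and '//' before matching
    if path_only.endswith("/") and not clean.endswith("/"):
        clean += "/"                               # normpath drops the trailing slash; keep it
    for prefix, (scheme, host, port) in ROUTES.items():
        if clean == prefix.rstrip("/"):
            clean = prefix                         # '/mail' means the application root '/mail/'
        if clean.startswith(prefix):
            return prefix, scheme, host, port, "/" + clean[len(prefix):] + sep + query
    return None


def rewrite_location(value, scheme, host, port, prefix):
    """Rewrite an internal redirect target to the public URL (what ProxyPassReverse does)."""
    for base in (f"{scheme}://{host}:{port}", f"{scheme}://{host}"):
        if value.startswith(base + "/"):
            return PUBLIC_ORIGIN + prefix + value[len(base) + 1:]
    return value


class GatewayHandler(BaseHTTPRequestHandler):
    def _forward(self):
        target = map_request(self.path)
        if target is None:
            self.send_error(404, "no such application")   # unmapped paths never reach the inside
            return
        prefix, scheme, host, port, upstream_path = target
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        headers = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        headers["Host"] = host
        headers["X-Forwarded-For"] = self.client_address[0]
        if body is not None:
            headers["Content-Length"] = str(length)
        conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(host, port, timeout=15)
        try:
            conn.request(self.command, upstream_path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() in HOP_BY_HOP:
                    continue
                if k.lower() == "location":
                    v = rewrite_location(v, scheme, host, port, prefix)
                self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        finally:
            conn.close()

    do_GET = do_POST = do_HEAD = _forward


if __name__ == "__main__":
    # In production, wrap server.socket with an ssl.SSLContext so the browser side is HTTPS;
    # the certificate files are deployment-specific and omitted here.
    ThreadingHTTPServer(("0.0.0.0", 8080), GatewayHandler).serve_forever()
```

The firewall rule the slide describes is the other half of the design: only the gateway host, on the listed internal ports, may open connections to the content servers, so a request that bypasses `map_request` has no path inward.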
How does it work? Based on SSL, which provides
- Authentication = makes sure that only the authorized individual is accessing the information, and that the browser is talking to the genuine server
- Data integrity = checks that the information comes from the authenticated source and has not been modified in transit
- Confidentiality = ensures that the information transmitted is kept secret from anyone on the path
What is SSL?
- SSL = Secure Sockets Layer, the ancestor of TLS
- TLS = Transport Layer Security (TLS 1.0 is IETF RFC 2246, January 1999)
- A protocol that sits between the TCP/IP socket and the application
- Developed by Netscape from 1994; now standardized by the IETF
What can SSL do for you?
- Secure your data transport: a secure tunnel for applications
- Provide secured access to protected content, with better authentication mechanisms (server certificates and, optionally, client certificates)
- Reduce the risk of spoofing attacks: the server proves its name with a certificate, so the browser knows which server it has reached
Applications that use SSL
- E-commerce orders: protects the contents of forms sent to the server, including sensitive personal data
- Payments: protects credit card information
- Secure web-based intranet access: ensures secure transmission of confidential content and provides authentication
SSL protocol
Authentication methods supported
- Basic authentication
- External authentication via the firewall: RADIUS, LDAP, SecurID, etc.
- SSL client authentication (X.509), with the certificate stored on a smart card or on the local host
Basic authentication
- Static password
- SSL protects the password in transit (it is still sent to the server in full)
- User database stored on Secure Gate
- Exposed to brute-force attacks and keylogging
- For low-security applications
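An added example, not from the presentation, of what a gateway's own user database can do about the weaknesses the slide names: passwords are stored as salted PBKDF2 hashes and compared in constant time (so a stolen database does not yield the passwords), and an account is locked after repeated failures (so online brute force is throttled). Keylogging on the client is out of the gateway's reach and remains a reason to prefer the stronger methods on the following slides. The iteration count, lockout thresholds and the user `mom` are assumptions.

```python
"""Basic authentication for a gateway: hashed password store plus lockout (added example)."""
import base64
import binascii
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000      # PBKDF2 work factor (assumption; tune to the hardware)
MAX_FAILURES = 5          # failed attempts before the account is locked
LOCKOUT_SECONDS = 900


def make_record(password):
    """Stored record: random salt and PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}


def parse_basic_header(value):
    """Decode 'Basic base64(user:password)'. Returns (user, password) or None if malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class UserStore:
    def __init__(self):
        self.users = {}

    def add(self, user, password):
        self.users[user] = make_record(password)

    def authenticate(self, header_value, now=None):
        """Return the user name on success; None for a bad header, unknown user, wrong password or lockout."""
        now = time.time() if now is None else now
        creds = parse_basic_header(header_value)
        if creds is None:
            return None
        user, password = creds
        rec = self.users.get(user)
        if rec is None:
            # Unknown user: burn a PBKDF2 round anyway so timing does not reveal valid user names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            return None
        if now < rec["locked_until"]:
            return None                      # locked: even the right password is refused
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return user
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["failures"] = 0
            rec["locked_until"] = now + LOCKOUT_SECONDS
        return None


def basic_header(user, password):
    """Build the header a browser sends (used here to construct requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The lockout counter lives with the record, so a distributed guesser still only gets MAX_FAILURES tries per window per account; a real deployment would also log the failures for the security team.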
Basic authentication in action
External authentication
- Client authentication is performed on the firewall
- Supports RADIUS, LDAP, TACACS, etc.*
- Supports strong authentication such as SecurID, ActivCard, etc.*
- Users are created on the firewall
- For high security requirements (with strong authentication)
* On Check Point FireWall-1
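Added example of the RADIUS exchange a firewall performs when it checks a user against a RADIUS server (RFC 2865), written here from scratch and not taken from Check Point or any RADIUS implementation: the client builds an Access-Request whose User-Password is hidden by XOR with MD5(shared secret || request authenticator), the server unhides and checks it and answers with an Access-Accept or Access-Reject, and the client verifies the Response Authenticator before trusting the answer. The shared secret, user table and NAS address are constructed test values. The hiding is only as strong as the shared secret (and MD5), so the firewall-to-RADIUS link must stay on a trusted network.

```python
"""RADIUS Access-Request / Access-Accept exchange, RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs = []
    while len(data) >= 2:
        attr_type, length = data[0], data[1]
        if length < 2:
            break                                  # malformed attribute; stop parsing
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Client (the firewall): Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)   # fresh random Request Authenticator
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(x) for x in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(packet, secret, users):
    """RADIUS server side: unhide the password, check it, sign the reply with the Response Authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(user)
    reply_code = ACCESS_ACCEPT if expected is not None and expected.encode() == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)          # no attributes in this reply
    resp_auth = hashlib.md5(header + req_auth + secret).digest()  # MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return header + resp_auth


def client_verify_response(response, request, secret):
    """Client side: a reply whose Response Authenticator does not match is a forgery or a wrong secret."""
    req_auth = request[4:20]
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username, password, secret, users, nas_ip="192.0.2.10"):
    """Whole exchange in one process (no UDP) so both sides can be followed step by step."""
    request = build_access_request(42, username, password, secret, users and nas_ip)
    response = server_handle(request, secret, users)
    if not client_verify_response(response, request, secret):
        return False
    return response[0] == ACCESS_ACCEPT
```

Over the wire the request and reply go in UDP datagrams to port 1812; the Identifier field ties a reply to its request, and the Response Authenticator is the only thing stopping a spoofed Access-Accept.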
External authentication in action
X.509 authentication
- Uses an SSL client X.509 certificate
- Provides strong authentication: something you have (the private key) plus something you know (the PIN or password that unlocks it). This is real two-factor authentication only when the key lives on a smart card; a key in the browser store can be copied along with the host
- Requires a Certificate Authority (public or private)
- Certificate and private key can be stored on the local host or on a smart card
- For high security requirements
What is an X.509 certificate?
- Like a passport: certifies that you are who you claim to be
- Digital information that binds a name (identity) to a public/private key pair
- Issued by a CA (internal or external)
Create a user certificate for Mom
- We need to unambiguously identify the user
- First, we need a unique name: Ms Mom, CEO of dummy.com
- Next, we need a public/private key pair for the user
- Next, we need a trusted source who can attest to Mom's identity, to sign a "document" that contains the name and the public key: that signed document is the certificate
What is a certificate? A signed packet of identifying attributes
Identifying attributes:
- Subject Name (the user being identified)
- Issuer Name (the trusted source identifying the user)
- Validity Period
- Public Key
- Signature (by the issuer, over all of the above)
... the same as a credit card ...
Example (VeriSign Class 2 Digital ID, as shown on the slide):
Serial Number: 6cb0dad0137a5fa79888f
Validity: Nov. 08, 1997 - Nov. 08, 1998
Subject / Name / Organization:
  Locality = Internet
  Organization = VeriSign, Inc.
  Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
  Organizational Unit = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
  Organizational Unit = Digital ID Class 2 - Netscape
  Common Name = Keith H Erskine
  Email Address = kerskine@ne.mediaone.net
  Unstructured Address = 160 Boston Rd Chelmsford
Status: Valid
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5
Credit card attributes (the analogy)
- Issuer Name: Digital Credit Union (DCU)
- Subject Name: Andrew Nash
- Validity Period: GOOD THRU LAST DAY OF 06/98
- Public Key: the card number, 5867 9506 3461 1920, plays this role
- Signature: AUTHORIZED SIGNATURE, Andrew K Nash
SSL client authentication (handshake between web client and web server)
- Server: sends its Certificate, then a Certificate Request
- Client: sends its Client Certificate, then Certificate Verify (a signature made with the client's private key, proving possession of it), then Finished
- Server: verifies the client certificate against its trusted CA before granting access
X.509 authentication in action, on the browser side:
1. Choose your certificate
2. Enter your PIN
How secure is the private key?
- Where is it stored? Local browser store or smart card
- How does the user get access to it? Password (browser store) or PIN (smart card)
Smart card
- Provides strong authentication: the private key stays on the card and the signature is computed there
- Reader interfaces: serial, PCMCIA, USB
- Requires a smart card reader...
- Solution for the future
Secure Gate's key features
- Security protocols: SSL version 2.0 and 3.0, TLS version 1.0
- Key exchange: RSA
- Symmetric ciphers: DES (56-bit), 3DES (168-bit), RC4, RC2, IDEA (128-bit)
- Hashes: MD5, SHA-1
Note, from today's perspective: SSL 2.0 and 3.0 are prohibited (RFC 6176, RFC 7568), 56-bit DES is brute-forceable, RC4 is prohibited in TLS (RFC 7465) and MD5 is broken; a current deployment would allow TLS 1.2 or later only, with AEAD ciphers
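An added example, not the product's code, that covers both the client-certificate flow on the preceding slides (the server requests and verifies the user's certificate) and the cipher list above in current terms: a Python `ssl` server context that refuses SSL 2.0/3.0 and the weak ciphers and requires a client certificate chaining to one private CA, plus a policy check on the certificate the `ssl` module has already signature-verified, using the fields named earlier (subject, issuer, validity). The CA and key file paths, the issuer organization `dummy.com` and the two certificate dictionaries (one modelled on the expired VeriSign example from the slides, one for Mom) are constructed assumptions.

```python
"""TLS termination with mandatory X.509 client authentication (added example, not Secure Gate code)."""
import ssl
import time

# Assumed file locations and CA identity for the deployment (not from the presentation).
CA_FILE = "/etc/securegate/user-ca.pem"            # private CA that issues user certificates
SERVER_CERT = "/etc/securegate/gate.pem"
SERVER_KEY = "/etc/securegate/gate.key"
EXPECTED_ISSUER_O = "dummy.com"                    # organizationName of that CA


def build_gateway_context(ca_file=None, cert_file=None, key_file=None):
    """Server context: TLS 1.2+ only, AEAD ciphers only, client certificate mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # SSL 2.0/3.0 and TLS 1.0/1.1 refused
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")      # excludes DES, 3DES, RC4, RC2, IDEA, MD5
    ctx.verify_mode = ssl.CERT_REQUIRED                  # handshake fails if no client cert is sent
    if ca_file:
        ctx.load_verify_locations(ca_file)               # only certificates chaining to our CA pass
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def context_summary(ctx):
    """Inspect the resulting policy (useful as a deployment check)."""
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def attribute(cert, field, key):
    """Read one attribute (e.g. 'commonName') from the subject/issuer tuples of getpeercert()."""
    for rdn in cert.get(field, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def validity(cert):
    """(notBefore, notAfter) as Unix seconds."""
    return ssl.cert_time_to_seconds(cert["notBefore"]), ssl.cert_time_to_seconds(cert["notAfter"])


def peer_identity(cert, now=None):
    """Policy on a certificate whose signature chain the ssl module has already checked.
    Returns the user name (subject commonName) or raises PermissionError with the reason.
    The validity check repeats what OpenSSL did during the handshake; it is cheap and explicit."""
    if not cert:
        raise PermissionError("no client certificate presented")
    now = time.time() if now is None else now
    not_before, not_after = validity(cert)
    if not not_before <= now <= not_after:
        raise PermissionError("certificate outside its validity period")
    if attribute(cert, "issuer", "organizationName") != EXPECTED_ISSUER_O:
        raise PermissionError("certificate not issued by the user CA")
    user = attribute(cert, "subject", "commonName")
    if not user:
        raise PermissionError("certificate has no commonName")
    return user


def accept_user(tls_sock):
    """After ctx.wrap_socket(listener, server_side=True).accept(): map the certificate to a user."""
    return peer_identity(tls_sock.getpeercert())


# Constructed certificate dictionaries in the exact shape getpeercert() returns.
MOM_CERT = {
    "subject": ((("organizationName", "dummy.com"),), (("commonName", "Mom"),)),
    "issuer": ((("organizationName", "dummy.com"),), (("commonName", "dummy.com user CA"),)),
    "notBefore": "Jan 01 00:00:00 2000 GMT",
    "notAfter": "Dec 31 23:59:59 2000 GMT",
    "serialNumber": "0A",
}
# Modelled on the 1997 VeriSign example from the slides: wrong issuer for this gateway, and expired.
ERSKINE_CERT = {
    "subject": ((("organizationName", "VeriSign, Inc."),), (("commonName", "Keith H Erskine"),)),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "notBefore": "Nov 08 00:00:00 1997 GMT",
    "notAfter": "Nov 08 23:59:59 1998 GMT",
    "serialNumber": "6CB0DAD0137A5FA79888F",
}
```

Revocation is the one check missing here: a lost smart card or a departed employee needs the CA's CRL (or OCSP) loaded into the context with `load_verify_locations` and `verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF`, otherwise the certificate keeps working until it expires.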
Secure Gate's key features
- Fully supports VeriSign Global Server IDs (Server Gated Cryptography: 128-bit encryption even for export-restricted browsers that would otherwise negotiate 40- or 56-bit keys)
- Supports hardware cryptographic accelerators (nCipher)
Secure Gate bundle
- Reverse proxy SSL software (Stronghold)
- Sun Ultra 10 workstation or better
- Solaris 2.6, hardened by Datelec
- SSH server and client for management
- Backup solution
- Documentation
- Option: disk mirroring
Secure Gate applications
- Consult e-mail systems such as Microsoft Exchange, Lotus, Netscape, etc. through their web interfaces
- Access the intranet
- Access hosts (3270, 5250, VT, etc.) through web-to-host gateways
- etc.
Availability: NOW (Q1 2000)
Questions?

Secure Gate / Reverse Proxy - WAF 1st generation / Datelec