Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec

Secure Gate, Security Team, Datelec Networks SA. Sylvain Maret, 6.1.2000, Rev: 1.0

Description: Beta Version Reverse Proxy SSL and Strong Authentication, Datelec 2000

Transcript of Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec

Page 1: Secure Gate / Reverse Proxy - WAF 1ere génération / Datelec

Secure Gate

Security Team, Datelec Networks SA

Sylvain Maret, 6.1.2000

Rev: 1.0

Page 2

Secure Gate?

• Access Web Based Applications from Internet with strong encryption and authentication

Page 3

Customer Needs

• Access internal information from everywhere

• Access information with high security

• No specific client software

• Simple to use

• No dedicated station

• Cost effective solution

Page 4

Solution

• Use your internet Browser (Netscape, Microsoft, etc.) to access information

Page 5

But what about security?

[Diagram: Internet browser -> Internet -> Firewall / DMZ -> Web-based internal resources]

What should I do?

Page 6

Direct access using HTTP

[Diagram: Internet browser -> Internet -> Firewall / DMZ -> Web-based internal resources, with the HTTP protocol used end to end]

Page 7

Direct access using HTTP

• Security problems:
– Data transmitted in clear (easy to snoop)
– Password sniffing
– Replay attack
– IP spoofing
– Direct access to internal networks
– Direct access to content server

Page 8

Direct access using HTTPS (SSL)

[Diagram: Internet browser -> Internet -> Firewall / DMZ -> Web-based internal resources, with the HTTPS protocol used end to end]

Page 9

Direct access using HTTPS (SSL)

• Security problems:
– Direct access to internal networks
– Direct access to content server

Page 10

Secure Gate Solution

[Diagram: Internet browser -> HTTPS -> Secure Gate in the DMZ, behind the firewall -> HTTP or HTTPS -> Web-based internal resources]

Page 11

Secure Gate in action

Page 12

How does it work?

• Based on reverse proxy technology

[Diagram: a client computer on the Internet sends a request to the proxy server (with cache) in front of the firewall; the proxy server appears to be the content server and uses a regular mapping to forward the client request to the internal content server within the firewall.]

You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
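An added example (not Datelec's Secure Gate code) of the mapping step in Go: the handler forwards only URL prefixes present in its table to the internal server they are mapped to and refuses everything else, which is what keeps the proxy from becoming a general tunnel into the internal network; the prefixes and internal host names are constructed for the example.

```go
package main

import (
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// route: one line of the slide's "regular mapping", external prefix to internal server.
type route struct{ prefix string; upstream url.URL }

// Constructed for this example; the internal host names are placeholders.
// Prefixes are tried in order, so put the more specific ones first.
var routes = []route{
	{"/mail/", url.URL{Scheme: "http", Host: "mail.internal.example"}},
	{"/intranet/", url.URL{Scheme: "http", Host: "intranet.internal.example:8080"}},
}

// resolveUpstream maps a request path to its internal URL. Unmapped paths are
// refused, so the gate exposes the mapped applications and not the network.
func resolveUpstream(path string) (*url.URL, bool) {
	// Refuse dot segments up front so "/mail/../x" cannot escape a prefix.
	if !strings.HasPrefix(path, "/") || strings.Contains(path, "..") {
		return nil, false
	}
	for _, r := range routes {
		if strings.HasPrefix(path, r.prefix) {
			u := r.upstream // copy: the shared table is never mutated
			u.Path = path
			return &u, true
		}
	}
	return nil, false
}

// secureGate is the proxy handler: the browser only ever reaches this process,
// which then speaks HTTP (or HTTPS) to the content server on its behalf.
func secureGate(w http.ResponseWriter, r *http.Request) {
	target, ok := resolveUpstream(r.URL.Path)
	if !ok {
		http.Error(w, "no mapping for this URL", http.StatusNotFound)
		return
	}
	target.RawQuery = r.URL.RawQuery
	proxy := &httputil.ReverseProxy{Director: func(req *http.Request) {
		req.URL, req.Host = target, target.Host
	}}
	proxy.ServeHTTP(w, r)
}
```

Serve it with `http.ListenAndServeTLS` and the gate's server certificate so the browser side is HTTPS as in the slide.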

Page 13

How does it work?

• Based on SSL, which provides

– Authentication = makes sure that only the authorized individual is accessing information

– Data Integrity = checks that the information comes from the authorized source and that it has not been modified

– Confidentiality = ensures that the information transmitted is kept secret

Page 14

What is SSL?

• SSL = Secure Sockets Layer

• Ancestor of TLS

• What is TLS? – Transport Layer Security

• Protocol that sits between the TCP/IP socket and the application

• Developed by Netscape since 1994, now maintained by the IETF

Page 15

What can SSL do for you?

• Secure your data transport
– secure tunnel for applications

• Provide secured access to protected content
– better authentication mechanisms

• Reduce the risk of spoofing attacks

Page 16

Applications that use SSL

• e-commerce - orders
– protects contents of forms sent to server
– protects sensitive personal data

• Payments
– protects credit card information

• Secure web-based intranet access
– ensures secure transmission of confidential content
– provides authentication

Page 17

SSL protocol

Page 18

Authentication Methods supported

• Basic authentication

• External authentication with firewall
– RADIUS, LDAP, SecurID, etc.

• SSL Client authentication (X.509)
– certificate stored on Smart Card
– certificate stored on local host

Page 19

Basic authentication

• Static password

• Uses SSL to transmit the password

• User database stored on Secure Gate

• Exposed to brute-force attacks or key logging

• For low security applications

Page 20

Basic authentication in action

Page 21

External authentication

• Client authentication on the firewall

• Supports RADIUS, LDAP, TACACS, etc.*

• Supports strong authentication such as SecurID, ActivCard, etc.*

• Users are created on the firewall

• For high security requirements (with strong authentication)

* On Check Point's FireWall-1

Page 22

External authentication in action

Page 23

X.509 authentication

• Uses an SSL client X.509 certificate

• Provides strong authentication (“something you have, something you know”)

• Requires a Certificate Authority (public or private)

• Certificate can be stored on the local host or on a smart card

• For high security requirements

Page 24

Certificate X.509?

• What is a certificate?
– Same as a passport (certifies that you are who you claim you are)
– Digital information linking a name (identity) with a Public/Private Key Pair
– Delivered by a CA (internal or external)

Page 25

Create a user certificate for Mom

We need to unambiguously identify the user.

First, we need a unique Name.

Next, we need a Public/Private Key Pair for the user.

[Illustration: Ms Mom, CEO of dummy.com]

Page 26

Certify the user

Next, we need a trusted source … who can attest to Mom’s identity … to sign a “document” that contains the Name and the Public Key.

Page 27

What is a certificate?

• A signed packet of identifying attributes

• Identifying Attributes:
– Subject Name (the user being identified)
– Issuer Name (trusted source identifying the user)
– Validity Period
– Signature
– Public Key

…the same as a Credit Card ...

Example certificate shown on the slide:

Serial Number: 6cb0dad0137a5fa79888f
Validity: Nov. 08, 1997 - Nov. 08, 1998
Subject / Name / Organization:
Locality = Internet
Organization = VeriSign, Inc.
Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
Organizational Unit = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
Organizational Unit = Digital ID Class 2 - Netscape
Common Name = Keith H Erskine
Email Address = [email protected]
Address = 160 Boston Rd Chelmsford
Status: Valid
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5

Page 28

[Figure: a Digital Credit Union (DCU) credit card for Andrew Nash, good thru the last day of 06/98, number 5867 9506 3461 1920, with the authorized signature “Andrew K Nash”. The card’s attributes are labelled with the matching certificate fields: Validity Period, Signature, Issuer Name, Subject Name, Public Key.]

Credit Card attributes

Page 29

SSL Client authentication

[Diagram: Client Side Authentication between Web client and Web server]

Web server -> Web client: Certificate, Client Certificate Request

Web client -> Web server: Client Certificate, Certificate Verify, Finish
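The three steps of pages 25 to 27 (unique Name, key pair, trusted source signing the Name and Public Key) and the gate's side of the handshake above, as an added example in Go (not Datelec's software): a constructed private CA issues a certificate for Ms Mom, and the gate verifies a presented certificate against the CA it trusts; the CA name and all keys are generated for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a template (Subject Name, Validity Period, Public Key) with the signer's key.
func issue(tmpl, parent *x509.Certificate, pub, signer any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parsed form also carries Issuer Name and Signature
}

// buildMomChain walks the slides: a unique Name, a key pair for the user, and a
// trusted source (a private CA, constructed here) signing the Name and Public Key.
func buildMomChain() (ca, user *x509.Certificate, err error) {
	now := time.Now()
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "dummy.com Private CA"},
		NotBefore:    now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	if ca, err = issue(caTmpl, caTmpl, caPub, caPriv); err != nil { // self-signed root
		return
	}
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the private half stays with Mom
	user, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Ms Mom", Organization: []string{"dummy.com"}},
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, userPub, caPriv)
	return
}

// verifyClientCert is the gate's handshake check: trusted CA, validity period, client-auth usage.
func verifyClientCert(user, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A certificate carrying the same names but signed by a CA the gate does not trust fails `verifyClientCert`, which is the check that makes the "something you have" part of X.509 authentication meaningful.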

Page 30

X.509 authentication in action

On the browser side:

1- Choose your Certificate

2- Enter your PIN

Page 31

How secure is the private key?

Where is it stored? Local browser store or Smart Card.

How does the user get access?

Page 32

Smart Card

• Provides strong authentication

• Serial, PCMCIA, USB

• Requires smart card reader...

• Solution for the future

Page 33

Secure Gate’s key features

• Security protocols
– SSL version 2.0, 3.0
– TLS version 1.0

• Ciphers and Algorithms
– Key exchange: RSA
– Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
– Hashes: MD5, SHA-1

Page 34

Secure Gate’s key features

• Fully supports VeriSign Global Server IDs (128-bit sessions for every browser)

• Supports hardware cryptographic accelerators
– nCipher

Page 35

Secure Gate Bundle

• Reverse proxy SSL software (Stronghold)

• Sun Ultra 10 station or better

• Solaris 2.6 secured by Datelec

• SSH server and client for management

• Backup solution

• Documentation

• Options: disk mirroring

Page 36

Secure Gate Applications

• Consult email systems such as Microsoft Exchange, Lotus, Netscape, etc.

• Access the intranet

• Access hosts (3270, 5250, VT, etc.) through web-to-host

• etc.

Page 37

Availability

Now (Q1 2000)

Page 38

Questions?