Securing Legacy Host Access with Reflection for the Web
Denis Guyonnaud

Security for Legacy Host Access
• Modern Multi-Layered Approaches to Security
• Legacy Host Applications without Security
• First-Generation Host Security: SSL Direct to Host
• Next-Generation Host Security: Layered Security for Legacy Host Applications
• Next-Generation Host Security: Reflection® for the Web and Windows®-Based Reflection
• Non-Intrusive Multi-Layered Security for Legacy Host Applications
Modern Multi-Layered Approaches to Security
[Diagram: client (web browser) → outer firewall → DMZ containing a reverse proxy and a security appliance → inner firewall → web servers and an authentication server backed by LDAP]

Modern Multi-Layered Approaches to Security
• Encryption: data is encrypted when passing through the non-secure network outside the perimeter
• Centralized identity management: an enterprise LDAP repository manages identity information for all users
• Centralized access control: authentication and authorization policies are applied at the perimeter to all traffic between clients and servers
• Centralized auditing: access to network resources is centrally monitored at the access control point
• Centralized threat monitoring: incoming and outgoing traffic is scanned at the perimeter
Legacy Host Applications without Security
[Diagram: terminal emulation client → Telnet (port 23), unencrypted → host; authentication happens at the host]

Legacy Host Applications without Security
• No confidentiality of data or passwords: without encryption, data and passwords are exposed on the wire
• Weak authentication: many hosts are limited to case-insensitive eight-character passwords
• Decentralized authentication: host-based authentication is often difficult to tie in to LDAP
• Decentralized access control: access control happens only at the host, so there is no centralized control over access to enterprise resources
• Decentralized auditing: access to hosts is monitored only by the hosts themselves
First-Generation Host Security: SSL Direct-to-Host
[Diagram: terminal emulation client → SSL/TLS tunnel → firewall (open door, no authentication) → host; authentication happens at the host]

First-Generation Host Security: SSL Direct-to-Host
• Data and passwords are encrypted in transit
• Weak, decentralized authentication: in most SSL deployments, authentication is still handled completely by the host
• Decentralized access control: access control happens only at the host
• Unauthenticated SSL traffic is passed straight to the host: the firewall forwards the encrypted tunnel without knowing who is inside it, so the perimeter cannot inspect or filter the session unless it terminates TLS itself
• Decentralized auditing: access to hosts is monitored only by the hosts themselves
Next-Generation Host Security: Layered Security for Legacy Host Applications
[Diagram: terminal emulation client → outer firewall → DMZ containing a security proxy (SSL/TLS) and a security appliance → inner firewall → host; the client also reaches a management server over HTTPS, and the management server is backed by LDAP]

Next-Generation Host Security: Layered Security for Legacy Host Applications
• Centralized authentication
• Centralized access control, enforced at the perimeter
• Encryption
• Centralized auditing
• Centralized threat monitoring at the perimeter
Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection
[Diagram: Reflection client → outer firewall → Reflection Security Proxy (SSL/TLS) and security appliance → inner firewall → host; the Reflection Management Server and Reflection Metering Server sit behind the perimeter, with the Management Server backed by LDAP]

Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection
• Reflection Management Server
• Reflection Security Proxy
• Reflection Metering Server
• Reflection thin client
Reflection Interoperates with All Common LDAP Servers
• Active Directory
• Novell
• iPlanet/Netscape/SunOne
• IBM Directory Server
• IBM RACF
• OpenLDAP
• Other RFC 2256-compliant LDAP servers

Reflection Interoperates with All Common LDAP Servers
• Reflection uses non-intrusive, read-only access to LDAP directories
• Access to hosts is controlled using the existing LDAP user and group structure
Reflection Interoperates with Popular Portal and Web Authentication Tools
• WebSphere portal
• BEA WebLogic portal
• Plumtree (BEA AquaLogic) portal
• SiteMinder

Unique Secure Token Authorization Mechanism
• Simple SSL gateways or redirectors do not authenticate users or require authorization in order to connect to a host
• The Reflection Security Proxy requires clients to prove that they have been both authenticated and authorized to access the host
• When a user is authenticated and authorized by the Reflection Management Server, the user receives a secure token. Only clients presenting this secure token can connect through the Security Proxy
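To make the two preceding points concrete (read-only LDAP group lookups driving the access decision, and a token that the proxy demands before forwarding), here is an added model of that flow. It is example code written for this page, not Reflection's own implementation; the real Reflection token format is not documented here. The directory snapshot, host policy, shared key and the function names `authorized`, `issue_token`, `verify_token` and `proxy_connect` are all constructed assumptions. The management-server side checks group membership and mints an HMAC-signed token bound to the user, the target host and an expiry; the proxy side verifies the signature, host binding and expiry before it forwards anything.

```python
"""Model of a token-gated host proxy (added example, not Reflection code).

Assumptions: DIRECTORY stands in for a read-only LDAP directory, HOST_POLICY
for the host-to-group access rules, and SECRET for a key shared out of band
between the management server and the security proxy.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed shared key between management server and security proxy.
SECRET = b"example-shared-key-rotate-in-production"

# Constructed directory snapshot: user -> group DNs (stand-in for LDAP).
DIRECTORY = {
    "alice": {"groups": ["cn=mainframe-users,ou=groups,dc=example,dc=com"]},
    "bob": {"groups": ["cn=contractors,ou=groups,dc=example,dc=com"]},
}

# Constructed policy: host -> group DNs allowed to reach it.
HOST_POLICY = {
    "mvs01.example.com:23": {"cn=mainframe-users,ou=groups,dc=example,dc=com"},
}


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authorized(user: str, host: str) -> bool:
    """Read-only directory lookup: does any of the user's groups grant the host?"""
    groups = set(DIRECTORY.get(user, {}).get("groups", []))
    return bool(groups & HOST_POLICY.get(host, set()))


def issue_token(user: str, host: str, ttl: int = 300,
                now: Optional[float] = None, key: bytes = SECRET) -> Optional[str]:
    """Management-server side: mint a token only for an authorized (user, host).

    The caller is assumed to have already authenticated `user`. The token binds
    user, host and expiry; the HMAC makes it unforgeable without `key`.
    """
    if not authorized(user, host):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "host": host, "exp": int(now) + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    sig = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, host: str, now: Optional[float] = None,
                 key: bytes = SECRET) -> Optional[str]:
    """Proxy side: return the user if the token is valid for `host`, else None."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64u(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered with
    try:
        claims = json.loads(_b64u_decode(body))
    except ValueError:
        return None  # undecodable body
    now = time.time() if now is None else now
    if claims.get("host") != host or claims.get("exp", 0) <= now:
        return None  # token is for another host, or has expired
    return claims.get("sub")


def proxy_connect(token: Optional[str], host: str,
                  now: Optional[float] = None) -> str:
    """Proxy decision on a client connect: forward only with a valid token."""
    if token is None:
        return "rejected: no token"
    user = verify_token(token, host, now=now)
    if user is None:
        return "rejected: invalid token"
    return f"forwarded {user} -> {host}"


if __name__ == "__main__":
    tok = issue_token("alice", "mvs01.example.com:23")
    print(proxy_connect(tok, "mvs01.example.com:23"))
    print(proxy_connect(tok, "other.example.com:23"))
    print(proxy_connect(issue_token("bob", "mvs01.example.com:23"),
                        "mvs01.example.com:23"))
```

The host binding is the important detail: a token that only proved "authenticated" would let a user reach any host behind the proxy, so the proxy must check that the host the client asks for is the one the management server authorized. Expiry and the constant-time HMAC comparison keep a captured token from being replayed indefinitely or forged by timing the check.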
Broad Platform Compatibility
The Reflection Management and Metering servers can be deployed on any J2EE-compliant web application server, including:
• Tomcat (default shipping installation)
• IBM WebSphere
• BEA WebLogic

Broad Platform Compatibility
The Reflection Security Proxy can be installed on any platform that supports Java, including:
• Windows
• Linux
• Solaris
• HP-UX
• z/OS

Broad Platform Compatibility
Reflection for the Web thin client emulators run on any platform that supports Java, including:
• OS X
• Linux
• Windows

Broad Platform Compatibility
Reflection for the Web thin client emulators support popular web browsers, including:
• Internet Explorer
• Mozilla Firefox
• Safari
• Netscape
Using all common Java clients:
• Sun JRE 1.6 and earlier
• Microsoft Java VM 1.1
Non-Intrusive Multi-Layered Security for Legacy Host Applications
The Reflection security architecture offers the following advantages:
• Layers of security in front of your host
• Non-intrusive security: no changes to the host application are required
• Can be used with Reflection thin client emulators or Windows-based thick clients
• Both the Reflection Management Server and the Security Proxy are compatible with commonly used load balancers