WAF and Identity and Access Management Integration

WAF and Identity and Access Management Integration. The Next Step in the Evolution of Application Security Best Practices Jan Poczobutt jpoczobutt@barracuda.com. Evolution Phase 0: Control The Connection. Everything focused on controlling the connection Proxy connections are everywhere


Presentation Transcript


  1. WAF and Identity and Access Management Integration: The Next Step in the Evolution of Application Security Best Practices. Jan Poczobutt, jpoczobutt@barracuda.com

  2. Evolution Phase 0: Control The Connection
     • Everything focused on controlling the connection
     • Proxy connections are everywhere
     • No direct connections to backend servers
     • Multi-Zone Architecture
     • Defining what is allowed or not allowed in each layer
     • Network firewalls everywhere controlling connections between zones
     • Who talks to whom
     • Where they are allowed to come from
     If you can keep the “bad” connections out, put everything into zones and then control access between zones, then life will be good!

  3. Evolution Phase 1.0: Prevent interception en route
     • Content can get intercepted en route and modified/compromised
     • Especially true as traffic gets sent out over the Internet
     • Proliferation of public-facing applications for customers and partners
     • Encryption of content en route seen as the solution to this problem
     • Use SSL on anything & everything with sensitive info or data
     We already control connections, now all we need to do is make sure traffic does not get hijacked en route and life will be good!

  4. Evolution Phase 2.0: Inspection of Application Content
     • Rise of Application Layer attacks
     • Hackers shift tactics to exploit new weak link
     • 70-90% of attacks focused on app layer attacks
     • These new attacks are “invisible” to network firewalls
     • Port 80 & 443 traffic needs to be passed through
     • The Rise of the Web App Firewall (WAF)
     • Can inspect application layer content
     • Block malicious content
     • New phrase: “Do you block OWASP Top 10?”
     We already control connections and ensure traffic does not get hijacked en route, now all we need to do is inspect application layer content and life will be good!

  5. So What’s Next?
     • The world continues to change and the bad guys continue to change what they do.
     • Requirements and deployments continue to evolve
     • No more controlled access points or access devices
     • BYOD for Corp B to B apps
     • Explosion of access devices (mobile, etc.) for B to C
     • Separation of identity and access management from application logic
     • Single sign-on systems outside traditional application logic
     • P.S. There is no silver bullet!
     Let’s try looking at the different systems and solutions we have in place to see if integration and “better together” approaches deliver any benefits to us.

  6. Consolidation Drives Architecture Evolution
     [Diagram labels: Barracuda Web Application Firewalls, SSL Accelerators, Load Balancing, Caching, Access Control, Security Web & XML, Perimeter, Servers]

  7. Why Integrate your WAF & IAM Systems?
     • Where’s the best place to verify & control user access?
     • When they first enter your network
     • WAF in Reverse Proxy at the edge of the network is perfectly positioned for this
     • Inspect content AND verify users before passing anything back
     • Proxy connection provides isolation from backends as well as better ability to manage the user connections to various apps/sites
     • Holistic view and reporting to easily identify issues
     • Simpler deployment architecture
     • Simpler is better
     • Less complexity to manage
     • Cost reductions from fewer agents & operational effectiveness

  8. More Than Just A WAF: Intelligent Integration
     [Diagram labels: Barracuda Web Application Firewall, Authentication, Authorization, Single Sign On, Reporting]
     Barracuda Networks Confidential

  9. Non-Integrated Approach
     • Step 1: Initial Access
     • Step 2: Please supply User-ID and Password
     • Step 3: User supplies credentials
     • Step 4: DB verification
     • Step 5: Access after successful sign on
     [Diagram labels: Start Page, Internet, Business Partner, Barracuda Web App Firewall, External Authentication System (LDAP, RADIUS…)]

  10. Integration between WAF & IAM
     • Step 1: Initial Access
     • Step 2: Please supply User-ID and Password
     • Step 3: User supplies credentials
     • Step 4: DB verification
     • Step 5: Access after successful sign on
     • Client Certificates: digital certificate based authentication can also be used for additional security.
     • Barracuda Web Application Firewall proxies authentication: no access to back-end service until sign on is complete.
     • User DB: internal BWF stored user database (for lab, etc.); accesses corporate database for production: LDAP, RADIUS.
     [Diagram labels: Start Page, Internet, Business Partner, Barracuda Web App Firewall, External Authentication System (LDAP, RADIUS…)]

  11. Authentication
     • LDAP / RADIUS integration
     • Client Certificates
     • RSA SecurID®
     • CA SiteMinder®
     • Single factor or multi factor authentication
     • One time password
     [Diagram labels: Authentication / Authorization, Estore application, www.estore.com/purchase/, www.estore.com/admin, Customers, Admin Portal, Administrator, Local User Database, LDAP / RADIUS Database]

  12. Authorization
     • Granular control for different sections of the application
     • Based on roles / groups
     [Diagram labels: Authentication / Authorization, Estore application, www.estore.com/purchase/, www.estore.com/admin, Customers, Admin Portal, Administrator, Local User Database, LDAP / RADIUS Database]

  13. Single Sign On
     • Integration with SiteMinder for comprehensive solution
     • Single domain / Multi domain SSO
     [Diagram labels: Authentication / Authorization, Airlines application, www.airlines.com, Customers, www.rentals.com, Rentals Portal, Local User Database, LDAP / RADIUS Database]

  14. Reporting
     • Detailed logs and reports
     • Integration with SIEM tools
     • ArcSight
     • Splunk
     • RSA enVision

  15. What are your next evolutionary steps? Thank You!
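
The sign-on gate and role-based authorization described on slides 10 to 12, as an added Python example that is not Barracuda's code or configuration. The policy table, group names, public paths and function names are assumptions; the point is that each rule is matched on one canonical form of the path, with default deny.

```python
import posixpath
from urllib.parse import unquote

# Constructed policy modelled on the estore slide. Group names are assumptions;
# in production they would come from LDAP / RADIUS group membership.
POLICY = {
    "/admin": {"administrators"},
    "/purchase": {"customers", "administrators"},
}
PUBLIC = {"/", "/login"}  # reachable before sign-on (assumed)


def canonical_path(target):
    """Reduce a request-target to the single form every rule is matched on."""
    path = unquote(target.split("?", 1)[0])
    if "\x00" in path or "%" in path:  # NUL byte, or still encoded after one decode
        raise ValueError("suspicious path")
    # Collapse '//', '.' and '..'; lower-case so /ADMIN cannot dodge the /admin rule.
    return posixpath.normpath("/" + path.lstrip("/").lower())


def decide(target, session=None):
    """Return 'forward', 'login' or 'deny'. Only 'forward' reaches the backend."""
    try:
        path = canonical_path(target)
    except ValueError:
        return "deny"
    if path in PUBLIC:
        return "forward"
    if session is None:  # sign-on not complete
        return "login"
    groups = set(session.get("groups", ()))
    # Longest prefix first, matched on a segment boundary so that
    # /administrator is not treated as part of /admin.
    for prefix in sorted(POLICY, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return "forward" if POLICY[prefix] & groups else "deny"
    return "deny"  # default deny for anything the policy does not name


if __name__ == "__main__":
    customer = {"groups": ["customers"]}  # constructed sample session
    for t in ("/purchase/cart", "/purchase/../admin/users", "/%61dmin", "//ADMIN/"):
        print(t, "->", decide(t, customer))
```

A proxy applying this kind of check should forward the canonical path rather than the raw one, so the backend cannot interpret the request differently from the rule that approved it.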