
Netegrity® SiteMinder® Secure Proxy Server The Secure Gateway to Enterprise Resources

Netegrity White Paper July 2, 2003

© Copyright 2003 Netegrity, Inc.


Table of Contents

Executive Summary
Introduction
Product Overview
    Architecture
    Session Schemes
    Proxy Rules
    Secure Policy Server in Action
Two Access Control Strategies
    Agent-Based Deployment
    Proxy-Based Deployment
    Combining the Two Approaches
Summary

Netegrity® SiteMinder® Secure Proxy Server – The Secure Gateway to Enterprise Resources Netegrity, Inc. Proprietary


Executive Summary

Resources across the network are valuable for every company, and therefore have to be protected from unauthorized access. Security considerations for these resources vary based on the sensitivity of content and the intended user community. The challenge is to implement secure solutions within the context of providing an integrated and centralized access control environment, while simultaneously supporting multiple authentication mechanisms and appropriate session controls. Netegrity provides both an agent-based solution and a proxy-based solution to meet those challenges.

This paper discusses Netegrity® SiteMinder® Secure Proxy Server. The Netegrity SiteMinder Secure Proxy Server is a high-performance proxy gateway that secures a company’s backend servers. The product consists of two components – a Proxy engine, with a fully integrated SiteMinder Agent, and an Apache-based HTTP web listener. The Netegrity SiteMinder Secure Proxy product provides the following features:

• Access control for HTTP and HTTPS requests to and from backend destination servers.

• Single sign-on as a standalone proxy or in combination with SiteMinder Agent enabled servers.

• Multiple session schemes including SiteMinder cookies, mini-cookies, SSL session ID, IP address, URL rewriting, HTTP header, and custom.

• Session storage to maintain user session information in memory.

• Intelligent proxy rules for flexible routing of incoming requests to backend servers.

The SiteMinder Secure Proxy Server seamlessly integrates with your infrastructure to provide SiteMinder access control and entitlement management. It offers an alternative deployment model to Netegrity SiteMinder Agent deployment that enables central management of security policies for user access to resources. The SiteMinder Secure Proxy Server allows you to:

• Centralize Security – The SiteMinder Secure Proxy Server provides a central security management point that stops non-authenticated traffic from entering the DMZ. It supports multiple authentication schemes including passwords, tokens, X.509 certificates, custom forms, and biometrics, as well as combinations of authentication methods.

• Provide Access Management for Wireless Devices – The product architecture supports multiple session schemes including non-cookie based methods of session-tracking thereby providing a platform for building wireless solutions.

• Conceal Internal Network – The SiteMinder Secure Proxy Server never reveals the internal network topology to outsiders, including those who might attempt to attack an internal server.

• Lower Administrative Costs – The SiteMinder Secure Proxy Server is a single point of entry for all user requests. Therefore, it can be managed by a central IT organization and can enforce enterprise wide access control policy.

Netegrity offers two complementary policy enforcement strategies for a more flexible and secure web access architecture. The Netegrity SiteMinder Agent-based solution provides distributed access control with fine-grained authorization tightly linked with individual applications and servers. The Netegrity SiteMinder Secure Proxy Server provides centralized access management to control traffic entering the enterprise DMZ. Customers may choose to deploy these solutions singly or in combination to provide the most appropriate security and administration solution for any site.


Introduction

Sharing information broadly within the enterprise and creating value by making assets available to customers and partners online is crucial. Resources across the network are valuable for every company, and therefore have to be protected from unauthorized access. Enterprises employ multiple network configurations and policies to make these assets and information available to only trusted parties. Security considerations vary based on the sensitivity of content and the intended user community.

The challenge is to implement secure solutions within the context of providing an integrated access control environment, while simultaneously supporting multiple authentication mechanisms and appropriate session controls. These solutions must support heterogeneous environments, including a wide variety of platforms, servers, and end-user devices. Providing access to network resources for employees, customers, and partners presents a number of challenges, including:

• Directing requests to appropriate services

• Verifying user identities and establishing entitlements

• Maintaining sessions for authorized users

• Providing centralized access control

• Supporting multiple device types

• Employing flexible and secure architectures

The Netegrity SiteMinder Secure Proxy Server provides solutions to many of these challenges, including authentication and authorization of users, and a complex engine for evaluating user entitlements. The Netegrity Secure Proxy Server further expands the benefits of its core SiteMinder Policy Server and Agent functionality by providing a secure reverse proxy solution. The Netegrity Secure Proxy Server is a high performance, proxy gateway that secures a company’s backend servers. The SiteMinder Secure Proxy Server patent pending technology offers a turnkey reverse proxy solution built upon market-proven Java technologies and components. The SiteMinder Secure Proxy Server provides the following capabilities:

• Centralized administration with flexible, powerful proxy rules

• Cookie-less single sign-on and session storage

• Multiple options for maintaining sessions

• Multiple device support

• Interoperability with existing SiteMinder Web Agents

This paper provides an overview of Netegrity SiteMinder Secure Proxy Server, including product architecture, features, and benefits to customers. It also discusses the use of the SiteMinder Secure Proxy Server as a standalone security solution and its use with SiteMinder agent technology to achieve a complete, robust security infrastructure. For more information on the SiteMinder Secure Proxy Server or any of the Netegrity identity and access management product solutions please visit our website at www.netegrity.com.


Product Overview

The Netegrity SiteMinder Secure Proxy Server provides a reverse proxy solution for access control to a company’s backend servers. It can be used as a standalone solution or in conjunction with SiteMinder web server and application server agents. The SiteMinder Secure Proxy Server accepts HTTP and HTTP over SSL (HTTPS) requests from web clients, passes those requests to enterprise backend content servers, and then returns resources to the requesting client. Advanced proxy rules control how requests are routed to destination servers.

The SiteMinder Secure Proxy Server sits in the DMZ between firewalls separating Internet users and backend resources. It prevents non-authenticated users from entering at any point in the DMZ. Access to the entire enterprise is managed through a single enforcement point. The internal network topology is made opaque to external users.

The SiteMinder Secure Proxy Server offers the following features:

• Access Control for HTTP and HTTPS Requests - The SiteMinder Secure Proxy Server allows you to control the flow of HTTP and HTTPS requests to and from destination servers using an embedded SiteMinder Web Agent. In addition, the SiteMinder Secure Proxy Server is fully integrated with SiteMinder to securely manage e-business transactions.

• Single Sign-on - The SiteMinder Web Agent embedded in the SiteMinder Secure Proxy Server enables single sign-on (SSO) across an enterprise, including SSO with SiteMinder Web Agents that may be installed on destination servers within the enterprise.

• Multiple Session Schemes - A session scheme is a method for maintaining the identity of a user after authentication. The SiteMinder Secure Proxy Server supports multiple session schemes based on SSL ID, mini-cookies, device IDs for handheld devices, URL rewriting, IP addresses, and schemes created using the Session Scheme API.

• Session Storage - The SiteMinder Secure Proxy Server is equipped with an in-memory session store to maintain user session information. The SiteMinder Secure Proxy Server uses a token such as a mini-cookie or SSL ID to access a particular user’s session information. Cookie-less session schemes and the SiteMinder Secure Proxy Server in-memory session storage provide a solution for e-business management beyond PCs, including wireless devices, such as PDAs and cell phones.

• Intelligent Proxy Rules - Proxy rules allow you to configure different paths for fulfilling client requests from the SiteMinder Secure Proxy Server based on characteristics such as the requested virtual host or URI string. The SiteMinder Proxy Engine interprets a set of proxy rules to determine how to handle user requests.

Architecture

The SiteMinder Secure Proxy Server serves as a single gateway for access to enterprise resources, regardless of a user’s method of network access. It consists of two components – a proxy engine with a fully integrated SiteMinder Agent and an Apache-based HTTP web listener. It works with the SiteMinder Policy Server which provides authentication and authorization services. Administrators secure backend content by specifying security policies using the SiteMinder Policy Server, which are then enforced by the SiteMinder Secure Proxy Server.


A set of configurable proxy rules determines how the SiteMinder Secure Proxy Server handles a user’s request. Users may access resources through multiple session schemes based on mappings between user agent types and virtual hosts. Users can access the SiteMinder Secure Proxy Server using various devices. Requests may be routed to different destination servers based on the type of device being used to access the network. The SiteMinder Secure Proxy Server determines session schemes and forwards or redirects requests to the appropriate destination servers. The enterprise network is opaque to users, who simply access the SiteMinder Secure Proxy Server which uses its proxy engine to route requests.

The following diagram illustrates a typical process flow when the SiteMinder Secure Proxy Server receives an HTTP or HTTPS request.

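[Figure: request flow through the SiteMinder Secure Proxy Server. Labels: All HTTP/HTTPS Traffic; Firewall; DMZ; Netegrity SiteMinder Secure Proxy Server with Agent; server.conf; proxy_rules.xml; Policy Server; Firewall; Destination Server 1. The numbers 1 to 7 in the figure correspond to the steps below.]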

1. A user’s request is received by the SiteMinder Secure Proxy Server.

2. The SiteMinder Secure Proxy Server determines the session scheme to be used based on the virtual host requested and device type defined in the server.conf file.

3. The embedded SiteMinder Agent performs the necessary authentication and authorization process.

4. Proxy rules, defined in the proxy_rules.xml file, are used by the SiteMinder Secure Proxy Server to determine how to handle the incoming request.

5. Based on the applicable proxy rule, the SiteMinder Secure Proxy Server constructs a new request and forwards it to the backend server.

6. The SiteMinder Secure Proxy Server gets a response back from the backend server.

7. An appropriate response is constructed and sent back to the user.


Session Schemes

Session schemes are provided to track user sessions. The SiteMinder Secure Proxy Server supports multiple session schemes, in addition to the SiteMinder HTTP Session cookies, to manage user sessions.

A site administrator may determine that device or security requirements preclude the use of cookies or that a smaller cookie would be preferable for performance reasons. To meet these needs, alternative session schemes are available. The SiteMinder Secure Proxy Server caches these user sessions based on keys. Several schemes are supported:

• SiteMinder Cookies: This scheme uses the normal SiteMinder cookie to track the user session.

• HTTP Header: A very general and easy-to-configure Session Scheme can be derived from any HTTP header found in a client request, provided that the header value uniquely identifies a user. The header value is used as a key to a user session. An example is provided of a Session Scheme that is based on a device ID.

• SSL Session ID: In this Session Scheme, the content is served over SSL and the SSL session ID is used as a key to the user session. This scheme provides a highly secure means of holding user sessions that are resistant to spoofing. However, it is limited in scalability since all content must be served over SSL and the user must continue to access the same Secure Proxy Server for the session to persist. This scheme is used for intranet and extranet applications with very high security needs.

• Mini Cookies: This Session Scheme is designed for the clients that accept cookies, but due to size or bandwidth limitations cannot accept a standard SiteMinder cookie. A smaller cookie contains a key to the user session.

This scheme is ideal for applications where user clients accept cookies but are accessing the application over connections of limited speed and bandwidth. This would include some wireless environments and desktop users who use slow modem connections to the internet.

• IP Address: This Session Scheme is designed for environments that can uniquely identify an active user by the IP address, which is used as a key to a user session.

This scheme should only be used for applications where users are retrieving information (with HTTP GET) from protected resources. If HTTP POST or HTTP PUT is used for sending information to a secure application then applications need to keep in mind that IP addresses can be spoofed for the purposes of sending data to the server.

• URL Rewriting: This scheme uses an encrypted session key inserted into a URL to track the user’s session. The SiteMinder Secure Proxy Server finds the session key on subsequent requests, uses it to achieve single sign-on, and then strips it out of the URL before completing the request.

For example, for the request http://www.company.com/marketing/index.html, the user is redirected to http://www.company.com/smkey=123/marketing/index.html where the session key is “123”.

This scheme is ideal for environments that do not support cookies (such as some wireless environments) and for applications supporting user communities who do not want to use cookies.

• Custom: Additionally, users can create custom session schemes using the Java™-based Session Scheme API provided with the SiteMinder Secure Proxy Server.

The SiteMinder Secure Proxy Server’s configuration file contains mappings between session schemes and user agent types. A separate set of mappings may be defined in the configuration file for each virtual host.
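
The mechanics described in this section, modelled in Python as an added example (not Netegrity code, and not the product's configuration syntax): a per-virtual-host mapping from user agent type to session scheme, an in-memory store keyed by the scheme's token, and the URL-rewriting step that strips the key before forwarding. The mapping structure, the `SMMINI` cookie and `X-Device-ID` header names, the `device.` and `reports.` hosts and the random token standing in for the encrypted key are assumptions; the `smkey=` path form follows the example above.

```python
import secrets
from urllib.parse import urlsplit, urlunsplit

# Hypothetical stand-in for the per-virtual-host mappings kept in the proxy's
# configuration file: virtual host -> [(user-agent substring, scheme)].
# The first matching entry wins; "" matches any user agent.
# The device. and reports. hosts are constructed for this example.
SCHEME_MAP = {
    "www.company.com": [("", "mini_cookie")],
    "banking.company.com": [("Phone", "url_rewriting"), ("", "mini_cookie")],
    "device.company.com": [("", "http_header")],
    "reports.company.com": [("", "ip_address")],
}

SESSIONS = {}  # in-memory session store: session key -> user


def select_scheme(host, user_agent):
    """Pick the session scheme for this virtual host and device type."""
    for ua_fragment, scheme in SCHEME_MAP.get(host, []):
        if ua_fragment in user_agent:
            return scheme
    return None  # unknown virtual host: no scheme, so no session


def parse_cookie(header):
    """Parse a Cookie request header into a name -> value dict."""
    pairs = (item.split("=", 1) for item in header.split(";") if "=" in item)
    return {name.strip(): value.strip() for name, value in pairs}


def split_session_key(url):
    """Return (key, url_without_key) for a URL-rewritten request."""
    parts = urlsplit(url)
    segments = parts.path.split("/")  # "/smkey=123/a" -> ["", "smkey=123", "a"]
    if len(segments) > 1 and segments[1].startswith("smkey="):
        key = segments[1][len("smkey="):]
        clean_path = "/" + "/".join(segments[2:])
        return key, urlunsplit(parts._replace(path=clean_path))
    return None, url


def create_session(user):
    """Issue an unguessable key after authentication.

    Assumption: a random token stands in for the product's encrypted key.
    """
    key = secrets.token_urlsafe(16)
    SESSIONS[key] = user
    return key


def resolve(method, url, headers, client_ip):
    """Return (user, url_to_forward); user is None when no session matches."""
    host = urlsplit(url).hostname
    scheme = select_scheme(host, headers.get("User-Agent", ""))
    key, forward_url = None, url
    if scheme == "url_rewriting":
        key, forward_url = split_session_key(url)
    elif scheme == "mini_cookie":
        key = parse_cookie(headers.get("Cookie", "")).get("SMMINI")
    elif scheme == "http_header":
        key = headers.get("X-Device-ID")
    elif scheme == "ip_address" and method == "GET":
        # Per the caveat above: source IPs can be spoofed, so this scheme
        # is honoured for retrieval requests only.
        key = client_ip
    return SESSIONS.get(key), forward_url
```

A request carrying an unknown or guessed key resolves to no user and would be sent back through authentication; the key is removed from the forwarded URL in either case, so the backend never sees it.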


Proxy Rules

One of the most important capabilities of the SiteMinder Secure Proxy Server is the ability to route requests to the appropriate destination servers in the enterprise. The Proxy Rules for the SiteMinder Secure Proxy Server are defined in an XML file and contain the logic required by the SiteMinder Proxy Engine to process requests. The SiteMinder Proxy Engine interprets those rules and provides both a forward and a redirect service to handle the disposition of all user requests for backend resources.

The Proxy Rules have three basic constructs – conditions, cases and destinations. Conditions specify the attribute(s) of a request that must be evaluated by the SiteMinder Proxy Engine. A case specifies a value to be matched. Conditions must contain at least one case, but may contain multiple cases. Simple conditions may be combined to make complex conditions. If the incoming request has a value that matches the one specified in a case, the request is forwarded or redirected to the associated destination. Destinations represent back end resources protected by the SiteMinder Secure Proxy Server.

A condition defines the part of the incoming request that the SiteMinder Proxy Engine evaluates against defined cases. Supported conditions include:

• URI: Matches the portion of the requested URL after the host name to the URI string defined in the condition. Portions of the URI can be evaluated by the SiteMinder Proxy Engine. For example, the endswith criteria can be used to match the file extension of a requested resource.

• Query String: Matches the query string portion (all characters after the “?”) of the requested URL to the query string defined in the condition.

• Host Name: Matches the value of the HTTP HOST header variable to the value of the hostname defined in the condition. This type of condition is used when the SiteMinder Secure Proxy Server is configured to support multiple virtual hosts.

• HTTP Header: Matches any HTTP Header, including SiteMinder responses, to the value defined in the condition. For example, a user’s device type, which is part of the USER_AGENT HTTP header, can be evaluated by the SiteMinder Proxy Engine.

The SiteMinder Proxy Engine compares the attribute specified in a condition to the specific values defined in cases according to one of the following criteria: equals, beginswith, endswith, and contains. A special type of a condition is a Regular Expression. Regular expressions offer a very flexible and powerful tool that can be employed in SiteMinder Secure Proxy Server proxy rules. Regular expressions can be used to evaluate incoming URIs and query strings.

A case specifies a value of the request that is evaluated by the SiteMinder Proxy Engine. If the value matches, the request is forwarded or redirected to a destination or another condition.

• Forward: Service that forwards requests to a specific destination server. Any response from a destination server is returned to the user through the SiteMinder Secure Proxy Server.

• Redirect: Service that redirects requests to a specific destination server. Any response from a destination server is returned directly to the user, without passing through the SiteMinder Secure Proxy Server.


The SiteMinder Secure Proxy Server can also use SiteMinder responses to determine a destination for a request. A user’s entitlements, gathered during the authentication and authorization process, can be used to personalize the user’s experience.

For example, if a user directory contains information about the account type for a banking web site, the SiteMinder Secure Proxy Server can proxy users with different types of accounts to different destinations. Customers with standard accounts can be handled by one set of destination servers, while customers with premium accounts can be handled by a separate set of high performance destination servers. This enables an enterprise to provide a higher quality of service to its best customers.
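
The condition, case and destination constructs can be modelled as a small evaluator. This is an added Python example, not Netegrity code and not the proxy_rules.xml schema; the class names, the `ACCOUNT_TYPE` response header and the destination host names are assumptions. It also discards any client-sent copy of the routing header before the Policy Server's response is attached, since a rule keyed on that header would otherwise trust client input.

```python
import re
from dataclasses import dataclass
from typing import Optional, Union


@dataclass
class Destination:
    service: str  # "forward": response returns via the proxy; "redirect": direct
    server: str


@dataclass
class Case:
    criterion: str  # equals | beginswith | endswith | contains | regex
    value: str
    target: Union["Condition", Destination]


@dataclass
class Condition:
    attribute: str  # uri | query | host | header
    cases: list
    header_name: Optional[str] = None
    default: Optional[Destination] = None


CRITERIA = {
    "equals": lambda actual, value: actual == value,
    "beginswith": lambda actual, value: actual.startswith(value),
    "endswith": lambda actual, value: actual.endswith(value),
    "contains": lambda actual, value: value in actual,
    "regex": lambda actual, value: re.fullmatch(value, actual) is not None,
}

# Hypothetical header carrying a Policy Server response used for routing.
ROUTING_HEADERS = {"account_type"}


def build_request(host, uri, query, client_headers, policy_responses):
    """Merge headers, dropping client-sent copies of routing headers."""
    headers = {name: value for name, value in client_headers.items()
               if name.lower() not in ROUTING_HEADERS}
    headers.update(policy_responses)
    return {"host": host, "uri": uri, "query": query, "headers": headers}


def evaluate(condition, request):
    """Return the Destination of the first matching case, else the default."""
    if condition.attribute == "header":
        actual = request["headers"].get(condition.header_name, "")
    else:
        actual = request[condition.attribute]
    for case in condition.cases:
        if CRITERIA[case.criterion](actual, case.value):
            if isinstance(case.target, Condition):
                return evaluate(case.target, request)  # nested condition
            return case.target
    return condition.default


# Constructed rule set following the banking example above.
PREMIUM = Destination("forward", "http://premium.internal.example")
STANDARD = Destination("forward", "http://standard.internal.example")
PORTAL = Destination("forward", "http://portal.internal.example")
IMAGES = Destination("redirect", "http://images.company.example")
REPORTS = Destination("forward", "http://reports.internal.example")

RULES = Condition("host", cases=[
    Case("equals", "banking.company.com", Condition(
        "header", header_name="ACCOUNT_TYPE",
        cases=[Case("equals", "premium", PREMIUM)],
        default=STANDARD)),
    Case("equals", "www.company.com", Condition(
        "uri",
        cases=[Case("endswith", ".jpg", IMAGES),
               Case("regex", r"/reports/\d{4}/.*", REPORTS)],
        default=PORTAL)),
])  # no default: requests for unknown virtual hosts get no destination


def route(host, uri, query="", client_headers=None, policy_responses=None):
    """Build the request as the proxy would see it and apply RULES."""
    request = build_request(host, uri, query, client_headers or {},
                            policy_responses or {})
    return evaluate(RULES, request)
```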

Secure Policy Server in Action

Now let’s look at an example. This example shows how session schemes and proxy rules can be used together to provide a very flexible proxy configuration. The diagram below shows the deployment.

[Figure: example deployment. Session scheme labels: 1 - SM Cookie; 2 - Mini Cookie; 3 – URL Rewriting; 4 – SSL ID. Client labels: Web browser; Standard Card; Mobile Phone; Web browser. Virtual hosts: www.company.com; banking.company.com; bondtrading.company.com. Backend labels: Consumer Portal; Bank Application Server For wired users; Bank Application Server For wireless users; High Security Bond Trading Application Server.]

In this example an enterprise has three virtual hosts. The http://www.company.com URL is the company’s public page and points to a consumer portal that supports browser clients. The http://banking.company.com URL points the user to the banking application that supports browser and wireless phone clients. The https://bondtrading.company.com URL points the user to a high security bond trading application that supports only HTTPS clients.

The first user accesses the consumer portal and the banking application from a browser. The SiteMinder Secure Proxy Server is configured to manage the session based on the requested URL and the device type of the user. The second user accesses the banking application through a mobile device. Since that mobile device does not accept cookies, the SiteMinder Secure Proxy Server has been configured to manage that user’s session through URL rewriting. Finally, the high security bond trading application supports only HTTPS and the session scheme is configured to use SSL session ID.


Two Access Control Strategies

In general, there are two architectural approaches to managing access to web-based applications and resources. In the agent-based approach, a software filter or agent is installed on a web or application server. The agent provides high security on the local server by mediating all HTTP(s) traffic and granting access to resources on that server based on a flexible, powerful policy model. In the proxy-based approach, a server configured as a reverse proxy acts as a gateway for all user requests to various backend servers. User requests are routed to backend servers through a set of configurable proxy rules.

Agent-based and proxy-based solutions can be used singly or in combination to provide optimum security and administration flexibility. Netegrity provides both agent-based and proxy-based access control solutions.

Agent-Based Deployment

In general, agent-based deployment is used for distributed access control. The agents provide a local policy enforcement point on each server and can be tightly integrated with the applications running on that local server. This distributed model allows for fine-grained access control and personalization in the protected applications. The agent-based deployment is better suited for heterogeneous environments with multiple application platforms and/or a wide variety of user types. It is also easier to delegate policy and user administration in a large, complex enterprise with multiple applications.

SiteMinder is Netegrity’s solution for securely managing e-business. It consists of a policy server that allows you to specify policies for your enterprise, and agents that are installed on web and application servers. The SiteMinder Agents communicate with the Policy Server and provide authentication, authorization, and other functions. A wide variety of authentication mechanisms are supported including passwords, tokens, X.509 certificates, custom forms, and biometrics, as well as combinations of authentication methods.

The SiteMinder Agent is a program that acts as a filter to enforce access control on a wide variety of web and application servers. When a user requests a resource protected by SiteMinder, the Agent prompts the user for credentials based on the administrator configured authentication scheme and sends the credentials to the SiteMinder Policy Server. Based on pre-defined rules and according to the user’s credentials, the Policy Server determines whether the user can be authenticated and entitled to use the requested resource. The Policy Server then advises the Agent whether to allow or deny access to the requested resource. If access is allowed, the Policy Server may also add responses to the HTTP stream. Response headers are configured by SiteMinder administrators, and are typically profile or entitlement information which a requested application may use in its business logic. Header variables allow for fine-grained access control and personalization in the application. In an agent-based deployment, SiteMinder sessions are controlled by storing user information in an encrypted cookie.


Proxy-Based Deployment

In general, proxy-based deployment is best suited for centralized access control. It is easier to administer because it is a single control point for all backend applications. This centralized access control model is typically used in applications that have a single entry point for a relatively homogeneous user group (e.g. a consumer portal). The proxy rules provide a more coarse form of access control. Multiple session schemes provide additional flexibility including cookie-less session management for wireless devices. The proxy-based approach also obscures the internal network topology.

The SiteMinder Secure Proxy Server is Netegrity’s proxy-based solution. The SiteMinder Secure Proxy Server sits in the DMZ between firewalls separating Internet users and backend resources. It contains a fully functional SiteMinder Web Agent that can communicate with the SiteMinder Policy Server to authenticate users and verify user entitlements. Destination servers do not require SiteMinder Agents.

A virtual host configuration controls the session scheme that is used for a particular user accessing an application through a particular device. Proxy rules determine how requests are routed to the destination servers. Standard HTTP headers, SiteMinder headers and cookies are added to the incoming client request. When the response is received from the backend content server, the SiteMinder Secure Proxy Server adds session information to the response and returns the desired content to the requesting client. A common use of the SiteMinder Secure Proxy Server is as a central entry point for all destination servers within the enterprise. Any HTTP or HTTPS requests from users are first funneled through the SiteMinder Secure Proxy Server, so that only authenticated and authorized users are forwarded to the destination server. Destination servers are protected without agents and no content resides in the DMZ.

The figure below illustrates this type of deployment.

[Figure: proxy-based deployment. Labels: All HTTP/HTTPS Traffic; Firewall; DMZ; Netegrity SiteMinder Secure Proxy Server with Agent; Firewall; Policy Server; Destination Server 1; Destination Server 2.]


Combining the Two Approaches

Generally speaking, agent-based deployments are best suited for distributed access control while proxy-based deployments work best for centralized access control. Many enterprises have a mix of applications and/or user communities with differing security requirements. In such cases, a combined agent/proxy deployment may be the best choice.

Let’s look at an example. In this case, the enterprise has applications that can be accessed by outside users (Extranet) as well as users within the enterprise (Intranet). The Intranet users have direct access to the destination servers. One of the servers behind the firewall contains sensitive information that requires an additional layer of protection even for internal users.

All extranet requests are filtered through the SiteMinder Secure Proxy Server, which is located in the DMZ between the clients and backend content servers. The destination server with the higher security requirement also has a SiteMinder Agent which provides local access control to resources on that machine. Sessions established by the SiteMinder Secure Proxy Server are recognized by the SiteMinder Agent on the backend server, maintaining single sign-on whether users access the enterprise from the Extranet or the Intranet.

This model allows very flexible, but secure, access to backend resources. The enterprise can provide differing levels of security and a mixture of coarse and fine-grained access control. The SiteMinder Secure Proxy Server can be administered by corporate IT personnel according to corporate access policies while the destination server with the SiteMinder Agent can be administered by the group that is responsible for that application.

[Figure: combined agent/proxy deployment. Labels: All HTTP/HTTPS Traffic; Firewall; DMZ; Netegrity SiteMinder Secure Proxy Server with Agent; Firewall; Policy Server; Destination Server 1; Destination Server 2 with Agent; Firewall; Intranet HTTP/HTTPS Traffic.]


Summary

The SiteMinder Secure Proxy Server is a self-contained reverse proxy solution that seamlessly integrates with your infrastructure to provide SiteMinder access control and entitlement management while serving as a secure gateway to your enterprise’s backend resources. It provides a central access management point for controlling HTTP and HTTPS requests to backend content servers. The SiteMinder Secure Proxy Server provides single sign-on as a standalone component and in conjunction with SiteMinder Agents. Multiple session schemes are supported including cookies, SSL session ID, device ID, IP address, and URL re-writing. Proxy rules control the flow of requests to destination servers evaluating specific parts of the request including URI, query string, host name, and HTTP headers.

The Netegrity SiteMinder Secure Proxy Server provides a number of key benefits. By providing centralized security, non-authenticated users are prevented from entering the DMZ and the corporate network topology is hidden from external users. Cookie-less session management and an in-memory session store provide a platform for building wireless access solutions. Having a single point of entry allows access management by a central IT organization and lowers administrative costs.

Netegrity offers state of the art solutions for both agent-based and proxy-based solutions. While there is some overlap, agent-based deployments are generally best suited for distributed access control where applications require fine-grained authorization and where administration needs to be delegated to organizations within the enterprise. Proxy-based solutions are generally used when centralized security policy is required or multiple session management schemes are used. Many enterprises have a mix of applications and user communities with differing security requirements. In this case, a combined agent/proxy approach may be the best choice.

For more information on Netegrity SiteMinder and other Netegrity products and services, please visit http://www.netegrity.com.

Copyright © 2003 Netegrity, Inc. All Rights Reserved.

Trademarks

Netegrity, and SiteMinder are registered trademarks of Netegrity, Inc. All other brand or product names are service marks, trademarks or registered trademarks of their respective owners.

The statements in this white paper that relate to future plans, events or performances are forward-looking statements. Actual results, events and performances may differ.