e-Xpert Gate e-Xpert Solutions SA [email protected] 2 March 2001

e-Xpert Gate / Reverse Proxy - first-generation WAF


DESCRIPTION

Reverse Proxy SSL and PKI


Page 1

e-Xpert Gate

e-Xpert Solutions [email protected]

2 March 2001

Page 2

e-Xpert Solutions SA, rte de Pré-Marais 29 CH-1223 Bernex - Genève

e-Xpert Gate?

Access your applications from everywhere with strong confidentiality and authentication

Page 3

About your need

Access internal information from everywhere
Access information with high security
No specific client software
Simple to use
No dedicated station
Cost-effective solution

Page 4

Solution?

Use your favorite browser

Page 5

Why my browser?

Very good « footprint »
Standard software client
Free
Very good level of security (with SSL)
PKI-enabled application

Page 6

But how to solve the security issue?

(Diagram: a Browser on the Internet, a Firewall with a DMZ, and the Web-based Internal Resources behind it. Caption: What should I do?)

Page 7

Direct access with http or https?

(Diagram: the Browser connects through the Firewall and DMZ straight to the Web-based Internal Resources. Caption: Why not?)

Page 8

Direct access drawbacks

Direct access using HTTP
– Clear traffic (password and content sniffing)
– No authentication
– No data integrity

Direct access to internal content servers
– Permits attacks
– DoS

Direct access to internal networks
– Permits access to other resources if the server is compromised

Page 9

Secure access with e-Xpert Gate

(Diagram: the Browser connects over SSL to the e-Xpert Gate in the DMZ behind the Firewall; the e-Xpert Gate then reaches the Web-based Internal Resources.)

Page 10

Secure access through e-Xpert Gate

Use SSL technology (PKI)
– Provides authentication (server and client)
– Provides confidentiality
– Provides data integrity

No direct access to internal resources
URL content checking and blocking
Permits content analysis with an IDS system

Page 11

Reverse Proxy Technology

(Diagram: a client computer on the Internet sends a request over https (SSL) to the proxy server, which appears to be the content server. The proxy server, with its cache, uses a regular mapping to forward the client request over http or https to the internal content server within the firewall.)

You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
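How the regular mapping of page 11 and the URL checking and blocking of page 10 fit together is shown by this added Python example; it is not e-Xpert Gate's own code, and the mapping table, the internal host names and the blocking rules are constructed assumptions.

```python
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed example mapping: external URL prefix -> internal content server.
# Host names are hypothetical; browsers only ever talk to the proxy itself.
MAPPINGS = {
    "/mail": "http://mail.internal.example",
    "/intranet": "https://intranet.internal.example",
}

# Constructed URL-content rules: a matching request is blocked, never forwarded.
BLOCKED_PATTERNS = ("..", "\x00", "/cgi-bin/", "<", ">")
MAX_URL_LEN = 2048


def map_request(url: str):
    """Decide what the proxy does with one client URL.

    Returns ("forward", internal_url) or ("block", reason).
    """
    if len(url) > MAX_URL_LEN:
        return ("block", "url too long")
    parts = urlsplit(url)
    # Decode first, so "%2e%2e" is caught by the same rule as ".."
    path = unquote(parts.path or "/")
    lowered = path.lower()
    for pat in BLOCKED_PATTERNS:
        if pat in lowered:
            return ("block", f"forbidden pattern {pat!r}")
    # Collapse "." and "//" so the prefix test below sees the real path.
    norm = normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    for prefix, target in MAPPINGS.items():
        if norm == prefix or norm.startswith(prefix + "/"):
            rest = norm[len(prefix):] or "/"
            query = "?" + parts.query if parts.query else ""
            return ("forward", target + rest + query)
    # Anything not explicitly mapped never reaches the internal network.
    return ("block", "no mapping for path")
```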

Page 12

SSL/TLS Technology

Secure Sockets Layer: TCP/IP socket encryption
Provides end-to-end protection of communication sessions
Confidentiality protection via encryption
Integrity protection with MACs
Can authenticate the client (option)

Page 13

SSL/TLS Technology

The SSL protocol runs above TCP/IP
The SSL protocol runs below higher-level protocols such as HTTP or IMAP

Page 14

Applications that use SSL or TLS

e-Commerce
– orders
– e-Banking
– protects contents of forms sent to server
– protects sensitive personal data
– provides authentication

Secure web-based intranet access
– ensures secure transmission of confidential content
– provides authentication

Etc.

Page 15

SSL/TLS history

SSL v1 designed by Netscape in 1994
SSL v2 shipped with Navigator 1.0 and 2.0
SSL v3 latest version
TLS v1 developed by IETF, aka SSL v3.1

Page 16

About authentication?

Your business is on the line. But do you really know who’s on the other end?

Page 17

Two-factor User Authentication

Page 18

One-Factor User Authentication Drawbacks

Users choose weak passwords
Easy to guess (brute force, dictionary)
Easy to use a key logger or sniffer
Password learned by « Social Engineering »

Page 19

e-Xpert Gate’s Authentication methods

Native RSA SecurID authentication
SSL client authentication (PKI)
– Certificate stored on SmartCard or iKey
– Certificate stored in a file
External authentication with firewall
– Radius, Tacacs, Ldap
Basic HTTP authentication*

* Method not recommended

Page 20

RSA SecurID implementation

(Diagram: the e-Xpert Gate in the DMZ in front of the Web-based Internal Resources.)

Page 21

RSA tokens

Page 22

How does it work?

(Diagram: the Token and the ACE/Server each feed the same Seed and the same Time into the same Algorithm, so both produce the same code, 482392.)
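The principle on this slide, same seed plus same time through the same algorithm, as an added Python illustration; it is neither RSA's proprietary SecurID algorithm nor the product's code. HMAC-SHA256 as the function, a 60-second step, a one-step drift window and PIN-prefixed passcodes are assumptions; the server side also refuses a code it has already accepted.

```python
import hashlib
import hmac

STEP = 60      # assumption: the displayed code changes once a minute
DIGITS = 6
DRIFT = 1      # assumption: server tolerates one step of clock drift each way


def token_code(seed: bytes, unix_time: int) -> str:
    """What the token displays for the time slot containing unix_time.

    HMAC-SHA256 is a stand-in for the proprietary algorithm; the point is only
    that both sides run the same function on the same seed and the same time.
    """
    slot = (unix_time // STEP).to_bytes(8, "big")
    digest = hmac.new(seed, slot, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10 ** DIGITS:0{DIGITS}d}"


class AceServer:
    """Server side: holds each user's seed and PIN, verifies PIN + code."""

    def __init__(self):
        self.users = {}      # username -> (seed, pin)
        self.used = set()    # (username, slot) already accepted: blocks replay

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, pin)

    def verify(self, user: str, passcode: str, unix_time: int) -> bool:
        """passcode is the PIN followed by the token code, as the user types it."""
        if user not in self.users:
            return False
        seed, pin = self.users[user]
        if not passcode.startswith(pin):
            return False                      # "something you know" failed
        code = passcode[len(pin):]
        if not (code.isascii() and code.isdigit()):
            return False
        base = unix_time // STEP
        for slot in range(base - DRIFT, base + DRIFT + 1):
            expected = token_code(seed, slot * STEP)
            if hmac.compare_digest(code, expected) and (user, slot) not in self.used:
                self.used.add((user, slot))   # a code is good once only
                return True                   # "something you have" matched
        return False
```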

Page 23

SecurID example

Page 24

SSL client authentication implementation

(Diagram: a Client holding an X509 Certificate connects to the e-Xpert Gate in the DMZ, which fronts the Web-based Internal Resources and relies on a PKI architecture.)

Page 25

What is a certificate?

Page 26

X509 Authentication

Uses SSL client X.509 certificate
Provides strong authentication (“something you have, something you know”)
Requires a Certificate Authority (public or private)
Certificate can be stored on local host or on smart card or iKey

Page 27

Client side authentication

(Diagram: the Web Server sends a Client Certificate Request and a Challenge to the Web Client; the Web Client answers with its Client Certificate and the Challenge answer.)
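After the exchange above, the TLS layer has proved that the client holds the private key; what the gateway still has to decide is whether that certificate is acceptable. This added Python example (not the product's code) applies that policy to the dict shape Python's ssl module returns from getpeercert(): issued by the expected CA, inside its validity period, not revoked, and carrying a commonName to map to a user. The certificate, the CA name and the revoked serial numbers are constructed; revocation is checked against a CRL list, the mechanism named in the key features slides.

```python
import ssl
import time

# Constructed getpeercert()-style dict, the shape Python's ssl module returns
# after a handshake that required a client certificate. All values are made up.
SAMPLE_CERT = {
    "subject": ((("countryName", "CH"),), (("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp CA"),)),
    "serialNumber": "1A2B3C",
    "notBefore": "Jan 5 09:30:00 2001 GMT",
    "notAfter": "Jan 5 09:30:00 2003 GMT",
}

# Constructed CRL: serial numbers the CA has revoked (hypothetical values).
REVOKED_SERIALS = {"0FFEE", "DEADBEEF"}
TRUSTED_ISSUER_CN = "Example Corp CA"


def _field(name_tuple, key):
    """Pull one attribute (e.g. commonName) out of a subject/issuer tuple."""
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return None


def accept_client_cert(cert, now=None, revoked=REVOKED_SERIALS):
    """Return (user, None) if the certificate is acceptable, else (None, reason)."""
    now = time.time() if now is None else now
    if _field(cert.get("issuer", ()), "commonName") != TRUSTED_ISSUER_CN:
        return (None, "not issued by our CA")
    # cert_time_to_seconds parses the GMT timestamps the ssl module hands back.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return (None, "certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return (None, "certificate expired")
    if cert.get("serialNumber", "").upper() in revoked:
        return (None, "certificate revoked (CRL)")
    user = _field(cert.get("subject", ()), "commonName")
    if not user:
        return (None, "no commonName to map to a user")
    return (user, None)
```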

Page 28

How secure is the private key?

(Diagram: the Private key. Where is it stored? On a SmartCard, or in the local browser store. How does the user get access?)

Page 29

SmartCard and iKey

Provides strong authentication (protects the private key)
Serial, PCMCIA, USB
Requires smart card reader...

Page 30

e-Xpert Gate Applications

Consult e-mail systems like Microsoft Exchange, Lotus, Netscape, etc.
Access Intranet applications
E-Banking solution (front-end)
Extranet applications with partners
Etc.

Page 31

Lotus access with e-Xpert Gate

Page 32

e-Xpert Gate’s key features

Authentication method
– RSA SecurID
– SSL client authentication
– Basic HTTP
– External authentication with firewall

PKI enabled application
– Supports revocation (CRL)
– Ldap

Page 33

e-Xpert Gate’s key features

Security protocols
– SSL version 2.0, 3.0
– TLS version 1.0

Ciphers and Algorithms
– Key exchange: RSA
– Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
– Hashes: MD5, SHA-1

Page 34

e-Xpert Gate’s key features

Fully supports Verisign Global Server IDs (128 bits for every browser)
Supports hardware cryptographic accelerators
– Rainbow

Page 35

e-Xpert Gate’s key features

Secure OS (Linux or Solaris)
– FIA with Tripwire
– Management with SSH server
– Secure file transfer with SSH
– Syslog messages

Appliance solution
– IBM
– Sun Microsystems

Page 36

Questions?