sylvain-maret
Reverse Proxy SSL and PKI
e-Xpert Solutions SA, rte de Pré-Marais 29 CH-1223 Bernex - Genève
e-Xpert Gate ?
Access your applications from everywhere with
strong confidentiality and authentication
About your need
Access internal information from everywhere
Access information with high security
No specific client software
Simple to use
No dedicated station
Cost-effective solution
Solution ?
Use your favorite browser
Why my browser ?
Very good « footprint »
Standard software client
Free
Very good level of security (with SSL)
PKI-enabled application
But how to solve security issue ?
[Diagram: Browser -> Firewall -> DMZ -> Web-based Internal Resources]
What should I do?
Direct access with http or https ?
[Diagram: Browser -> Firewall -> DMZ -> Web-based Internal Resources, reached directly]
Why not?
Direct access drawback
Direct access using HTTP
– Clear traffic (password and content sniffing)
– No authentication
– No data integrity
Direct access to internal content servers
– Permits attacks
– DoS
Direct access to internal networks
– Allows access to other resources if a server is compromised
Secure access with e-Xpert Gate
[Diagram: Browser -> Firewall -> DMZ with e-Xpert Gate -> Web-based Internal Resources; the browser-to-gate link is SSL]
Secure access through e-Xpert Gate
Use SSL technology (PKI)
– Provides authentication (server and client)
– Provides confidentiality
– Provides data integrity
No direct access to internal resources
URL content checking and blocking
Permits content analysis with an IDS system
Reverse Proxy Technology
[Diagram: a client computer on the Internet sends an https (SSL) request to the proxy server; the proxy server sits within a firewall (with a cache) and appears to be the content server; it uses a regular mapping to forward the client request over http or https to the internal content server]
You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
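As an added illustration (not part of the original slides and not the e-Xpert Gate product's own code), the Python sketch below shows the "regular mapping" described on the slide together with the URL checking and blocking mentioned earlier in the deck: a request path is percent-decoded and normalised before the mapping decision is taken, and a path that does not match a published prefix is never forwarded to the internal network. The route table and the internal host names are constructed assumptions.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit

# Constructed mapping table (assumption for this example):
# public path prefix on the gateway -> internal content server.
ROUTES = {
    "/mail": "http://mail.internal.example:80",
    "/intranet": "https://intranet.internal.example:443",
}


def normalize_path(raw_path):
    """Decode percent-escapes and collapse '.' / '..' segments.

    The mapping decision must see the path the content server would
    actually resolve, otherwise '/mail/%2e%2e/admin' could pass a naive
    prefix check while targeting something that was never published.
    """
    path = unquote(raw_path) or "/"
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def route(request_url):
    """Return the internal URL to forward to, or None if the request is blocked.

    Only requests under a published prefix reach an internal server; the
    whole normalised path is kept so the internal server sees the same
    path the browser asked for.
    """
    parts = urlsplit(request_url)
    path = normalize_path(parts.path)
    for prefix, target in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            query = "?" + parts.query if parts.query else ""
            return target + quote(path) + query
    return None  # unmapped: blocked at the gate, never seen internally


if __name__ == "__main__":
    for url in ("https://gate.example/mail/inbox?folder=1",
                "https://gate.example/mail/%2e%2e/admin/",
                "https://gate.example/mailbox",
                "https://gate.example/admin/"):
        print(url, "->", route(url) or "BLOCKED")
```

Prefix matching is done on segment boundaries (`/mail` or `/mail/...`), so `/mailbox` is not treated as part of the mail application; the normalised path is re-quoted before being handed to the internal server.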
SSL/TLS Technology
Secure Sockets Layer: TCP/IP socket encryption
Provides end-to-end protection of communication sessions
Confidentiality protection via encryption
Integrity protection with MACs
Can authenticate the client (optional)
SSL/TLS Technology
The SSL protocol runs above TCP/IP
The SSL protocol runs below higher-level protocols such as HTTP or IMAP
Applications that use SSL or TLS
e-Commerce – orders – e-Banking
– protects contents of forms sent to the server
– protects sensitive personal data
– provides authentication
Secure web-based intranet access
– ensures secure transmission of confidential content
– provides authentication
Etc.
SSL/TLS history
SSL v1 designed by Netscape in 1994
SSL v2 shipped with Navigator 1.0 and 2.0
SSL v3 latest version
TLS v1 developed by IETF, aka SSL v3.1
About authentication ?
Your business is on the line.
But do you really know
who’s on the other end?
Two-factor User Authentication
One-Factor User Authentication Drawback
Users choose weak passwords
Easy to guess (brute force, dictionary)
Easy to capture with a key logger or sniffer
Password learned by « social engineering »
e-Xpert Gate’s Authentication method
Native RSA SecurID authentication
SSL client authentication (PKI)
– Certificate stored on SmartCard or iKey
– Certificate stored in a file
External authentication with firewall
– Radius, Tacacs, Ldap
Basic HTTP authentication*
* Method not recommended
RSA SecurID implementation
[Diagram: DMZ with e-Xpert Gate in front of Web-based Internal Resources]
RSA tokens
How it works ?
[Diagram: the Token and the ACE/Server each feed the same Seed and the same Time into the Algorithm, so both compute the same code, 482392]
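The principle on the slide, the same seed and the same time on both sides producing the same code, illustrated with an added Python example that is not from the slides and does not implement RSA's proprietary SecurID algorithm: it uses the HMAC-based time-step scheme of RFC 6238 (TOTP) with a 60-second window as a stand-in. The server side also shows the two things a verification server has to add on top of the raw algorithm: tolerating a small clock drift between token and server, and refusing a code once it has been accepted. The seed is a constructed demo value.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (an assumption for this example, not a real token seed).
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60   # SecurID codes change once a minute; RFC 6238's default step is 30 s
DIGITS = 6


def time_counter(unix_time, step=STEP_SECONDS):
    """Quantise wall-clock time into the window number both sides agree on."""
    return int(unix_time) // step


def hotp(seed, counter, digits=DIGITS):
    """RFC 4226 dynamic truncation of HMAC-SHA1(seed, counter) to a fixed-length code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def token_code(seed, unix_time, step=STEP_SECONDS):
    """What the token displays: seed + current time window -> code."""
    return hotp(seed, time_counter(unix_time, step))


class AuthServer:
    """Server-side check holding the same seed: tolerates drift, refuses replay."""

    def __init__(self, seed, drift_windows=1, step=STEP_SECONDS):
        self.seed = seed
        self.drift_windows = drift_windows
        self.step = step
        self.last_counter = -1          # highest window that already logged someone in

    def verify(self, presented, unix_time):
        presented = str(presented)
        now = time_counter(unix_time, self.step)
        # Accept the current window plus +/- drift_windows neighbours.
        for counter in range(now - self.drift_windows, now + self.drift_windows + 1):
            if counter <= self.last_counter:
                continue                # a window that already authenticated is dead
            if hmac.compare_digest(hotp(self.seed, counter), presented):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 1_700_000_040
    code = token_code(DEMO_SEED, t)
    srv = AuthServer(DEMO_SEED)
    print(code, srv.verify(code, t), srv.verify(code, t))   # code, True, False (replay)
```

The comparison uses `hmac.compare_digest` so that a guess cannot be refined from timing, and `last_counter` only ever moves forward, so a code captured by a key logger or sniffer is worthless after the legitimate login that used it.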
SecurID example
SSL client authentication implementation
[Diagram: client with X.509 certificate -> DMZ with e-Xpert Gate -> Web-based Internal Resources; the gate is tied to the PKI architecture]
What is a certificate
X509 Authentication
Uses SSL client X.509 certificate
Provides strong authentication (“something you have, something you know”)
Requires a Certificate Authority (public or private)
Certificate can be stored on the local host or on a smart card or iKey
Client side authentication
[Diagram: Web Client and Web Server exchange: the server sends a Challenge and a Client Certificate Request; the client returns the Challenge answer and its Client Certificate]
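An added example of how a gateway would configure the handshake shown on the slide with Python's standard `ssl` module; this is not the e-Xpert Gate's own configuration. The server context requires a client certificate, checks the presented leaf certificate against a loaded CRL (the deck lists CRL revocation support among the key features), and a helper reads the authenticated identity out of the peer certificate once the handshake has succeeded. The file paths passed to `load_gateway_identity` are placeholders the caller supplies; the certificate dict used to exercise `client_identity` is constructed. The TLS 1.2 floor is a present-day choice rather than the SSL 2.0/3.0 the deck lists.

```python
import ssl


def make_client_auth_context():
    """Server-side TLS context that authenticates clients by X.509 certificate.

    Hypothetical gateway configuration built with the standard library.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # The client certificate is mandatory: the handshake fails without a
    # certificate that chains to a trusted CA.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Reject a presented leaf certificate that appears on a loaded CRL.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    # SSL 2.0/3.0 and TLS 1.0/1.1 are never negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def load_gateway_identity(ctx, certfile, keyfile, ca_file, crl_file=None):
    """Load the gateway's own certificate/key and the CA (plus CRL) used to validate clients.

    All paths are placeholders supplied by the deployment.
    """
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    ctx.load_verify_locations(cafile=ca_file)
    if crl_file:
        # PEM-encoded CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    return ctx


def context_policy(ctx):
    """Summarise the security-relevant settings so they can be asserted or logged."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_check_leaf": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "minimum_version": ctx.minimum_version.name,
    }


def client_identity(peer_cert):
    """Return the subject commonName from the dict SSLSocket.getpeercert() yields.

    After a successful handshake this is the identity the gateway authorises;
    returns None when no commonName is present.
    """
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


if __name__ == "__main__":
    policy = context_policy(make_client_auth_context())
    print(policy)
    # Constructed peer certificate dict in getpeercert() shape.
    demo_cert = {"subject": ((("countryName", "CH"),), (("commonName", "alice"),))}
    print(client_identity(demo_cert))
```

With this context wrapped around a listening socket, a browser that cannot answer the certificate request never reaches the application behind the gate, and the identity from `client_identity` is what the gateway maps to a user rather than anything the client puts in an HTTP header.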
How secure is the private key ?
[Diagram: Private key – where is it stored? how does the user get access? Options: Smart Card, or local browser store]
SmartCard and iKey
Provide strong authentication (protect the private key)
Serial, PCMCIA, USB
Require a smart card reader...
e-Xpert Gate Applications
Consult e-mail systems like Microsoft Exchange, Lotus, Netscape, etc.
Access Intranet applications
E-Banking solution (front-end)
Extranet applications with partners
Etc.
Lotus access with e-Xpert Gate
e-Xpert Gate’s key features
Authentication methods
– RSA SecurID
– SSL client authentication
– Basic HTTP
– External authentication with firewall
PKI-enabled application
– Supports revocation (CRL)
– Ldap
e-Xpert Gate’s key features
Security protocols
– SSL version 2.0, 3.0
– TLS version 1.0
Ciphers and algorithms
– Key exchange: RSA
– Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128
– Hashes: MD5, SHA-1
e-Xpert Gate’s key features
Fully supports Verisign Global Server IDs (128 bits for every browser)
Supports hardware cryptographic accelerators
– Rainbow
e-Xpert Gate’s key features
Secure OS (Linux or Solaris)
– FIA with Tripwire
– Management with SSH server
– Secure file transfer with SSH
– Syslog messages
Appliance solution
– IBM
– Sun Microsystems
Questions ?