Secure Gate / Reverse Proxy - WAF 1st generation / Datelec

Post on 18-May-2015


DESCRIPTION

Beta Version Reverse Proxy SSL and Strong Authentication, Datelec 2000

TRANSCRIPT

Secure Gate

Security Team, Datelec Networks SA

Sylvain Maret, 6.1.2000

Rev: 1.0

Secure Gate ?

• Access Web-based applications from the Internet with strong encryption and authentication

Customer Needs

• Access internal information from everywhere

• Access information with high security

• No specific client software

• Simple to use

• No dedicated station

• Cost effective solution

Solution

• Use your Internet browser (Netscape, Microsoft, etc.) to access information

But what about security ?

[Diagram: Internet browser, Internet, firewall with DMZ, web-based internal resources]

What should I do?

Direct access using HTTP

[Diagram: the Internet browser reaches the web-based internal resources directly, through the firewall and DMZ, using the HTTP protocol]

Direct access using HTTP

• Security problems:

– Data transmitted in clear (easy to snoop)

– Password sniffing

– Replay attack

– IP spoofing

– Direct access to internal networks

– Direct access to content server

Direct access using HTTPS (SSL)

[Diagram: the Internet browser reaches the web-based internal resources directly, through the firewall and DMZ, using the HTTPS protocol]

Direct access using HTTPS (SSL)

• Security problems:

– Direct access to internal networks

– Direct access to content server

Secure Gate Solution

[Diagram: Internet browser -> HTTPS -> Secure Gate in the DMZ -> HTTP or HTTPS through the firewall -> web-based internal resources]

Secure Gate in action

How does it work ?

• Based on reverse proxy technology

[Diagram: a client computer on the Internet sends a request to the proxy server; the proxy server appears to be the content server; the proxy server (with a cache) uses a regular mapping to forward the client request to the internal content server within the firewall.]

You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machine in or out.
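The regular mapping described above, as an added Go example that is not Datelec or Stronghold code: a small gateway built on the standard library reverse proxy, with a prefix table mapping public paths to internal content servers and a handler that refuses anything outside the table. Internal host names, paths and the certificate file names are placeholders.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// The "regular mapping": public path prefix on the gateway -> internal content
// server it is forwarded to. Host names are constructed for this example.
var routes = []struct{ prefix, target string }{
	{"/mail/", "http://exchange.internal:80"},
	{"/intranet/", "https://intranet.internal:443"},
}

// lookup returns the internal server for a public path, or false when the path
// is not in the mapping: the gateway forwards mapped prefixes and nothing else.
func lookup(path string) (*url.URL, bool) {
	for _, r := range routes {
		if strings.HasPrefix(path, r.prefix) {
			u, err := url.Parse(r.target)
			return u, err == nil
		}
	}
	return nil, false
}

// gateway is the reverse proxy: to the browser it looks like the content server,
// while the internal server only ever sees connections coming from the gateway.
func gateway() http.Handler {
	proxy := &httputil.ReverseProxy{Director: func(req *http.Request) {
		t, _ := lookup(req.URL.Path) // unmapped paths were already refused below
		req.URL.Scheme, req.URL.Host, req.Host = t.Scheme, t.Host, t.Host
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if _, ok := lookup(req.URL.Path); !ok {
			http.Error(w, "not found", http.StatusNotFound) // refuse, never relay
			return
		}
		proxy.ServeHTTP(w, req)
	})
}

func main() {
	// The firewall opens only this port, only to the gateway host; the certificate and key file names are placeholders.
	log.Fatal(http.ListenAndServeTLS(":443", "gateway.crt", "gateway.key", gateway()))
}
```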

How does it work ?

• Based on SSL, which provides:

– Authentication = makes sure that only the authorized individual is accessing information

– Data Integrity = checks that the information comes from the authorized source and that it has not been modified

– Confidentiality = ensures that the information transmitted is kept secret

What is SSL ?

• SSL = Secure Sockets Layer

• Ancestor of TLS

• What is TLS ?

– Transport Layer Security

• Protocol that sits between the TCP/IP socket and the application

• Developed since 1994 by Netscape and now by the IETF

What can SSL do for you ?

• Secure your data transport

– secure tunnel for applications

• Provide secured access to protected content

– better authentication mechanisms

• Reduce the risk of spoofing attacks

Applications that use SSL

• e-commerce - orders

– protects contents of forms sent to server

– protects sensitive personal data

• Payments

– protects credit card information

• Secure web-based intranet access

– ensures secure transmission of confidential content

– provides authentication

SSL protocol

Authentication Methods supported

• Basic authentication

• External authentication with firewall

– RADIUS, LDAP, SecurID, etc.

• SSL Client authentication (X.509)

– certificate stored on Smart Card

– certificate stored on local host

Basic authentication

• Static password

• Uses SSL to transmit the password

• User database stored on Secure Gate

• Exposed to brute-force attacks or key logging

• For low security applications

Basic authentication in action

External authentication

• Client authentication on the firewall

• Supports RADIUS, LDAP, TACACS, etc.*

• Supports strong authentication such as SecurID, Active Card, etc.*

• Users are created on the firewall

• For high security requirements (with strong authentication)

* On Check Point’s FireWall-1

External authentication in action

X.509 authentication

• Uses SSL client X.509 certificate

• Provides strong authentication (“something you have, something you know”)

• Requires a Certificate authority (Public or Private)

• Certificate can be stored on local host or on smart card

• For high security requirements

Certificate X.509 ?

• What is a certificate ?

– Same as a passport (certifies that you are who you claim you are)

– Digital information linking a name (identity) with a Public/Private Key Pair

– Delivered by a CA (internal or external)

Create a user certificate for Mom

We need to unambiguously identify the user.

First, we need a unique Name: Ms Mom, CEO of dummy.com

Next, we need a Public/Private Key Pair for the user.

Next, we need a trusted source … who can attest to Mom’s identity … to sign a “document” that contains the Name and the Public Key: certify the user.

What is a certificate ?

• A signed packet of identifying attributes

• Identifying Attributes:

– Subject Name (the user being identified)

– Issuer Name (trusted source identifying the user)

– Validity Period

– Signature

– Public Key

…the same as a Credit Card ...

Sample certificate:

Serial Number: 6cb0dad0137a5fa79888f
Validity: Nov.08,1997 - Nov.08,1998
Subject / Name / Organization:
  Locality = Internet
  Organization = VeriSign, Inc.
  Organizational Unit = VeriSign Class 2 CA - Individual Subscriber
  Organizational Unit = www.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)96
  Organizational Unit = Digital ID Class 2 - Netscape
  Common Name = Keith H Erskine
  Email Address = kerskine@ne.mediaone.net
  Unstructured Address = 160 Boston Rd Chelmsford
Status: Valid
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.: kdiowurei495729hshsg0925h309afhwe09721h481903207akndnxnzkjoaioeru10591328y5

[Credit card image: Digital Credit Union (DCU), cardholder Andrew Nash, card number 5867 9506 3461 1920, good thru last day of 06/98, authorized signature Andrew K Nash]

Credit Card attributes mapped to certificate attributes: Validity Period, Signature, Issuer Name, Subject Name, Public Key

SSL Client authentication

[Diagram: Client Side Authentication between Web Client and Web Server. The server sends its Certificate and a Client Certificate Request; the client answers with its Client Certificate, a Certificate Verify and Finish.]
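The certificate steps for Mom (unique name, key pair, CA signature over name and public key) and the gateway's side of SSL client authentication, as an added Go example using the standard library crypto/x509 rather than any Datelec or Stronghold code: a self-signed CA issues Mom a client certificate, and verify chains it back to the CA and checks the validity period. The CA name is constructed, and Ed25519 keys are used for brevity.

```go
package main

import "crypto/ed25519"
import "crypto/rand"
import "crypto/x509"
import "crypto/x509/pkix"
import "math/big"
import "time"

// issue generates a key pair for the subject in tmpl and has signer sign name + public key (nil signer = self-signed).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newCA is the trusted source: issuer == subject, and its key may sign certificates.
func newCA(name string, now time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, nil)
}

// momCert: unique name + key pair for the user, certified by the CA for one year; Mom keeps the private key.
func momCert(ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "Ms Mom", Organization: []string{"dummy.com"}},
		NotBefore:   now, NotAfter: now.AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert, err
}

// verify is the gateway's SSL client authentication check: chain to a trusted CA and be valid at time "at".
func verify(cert, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```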

X.509 authentication in action

On the browser side:

1- Choose your Certificate

2- Enter your PIN

How secure is the private key ?

[Diagram: Where is it stored? Local browser store, or Smart Card. How does the user get access?]

Smart Card

• Provides strong authentication

• Serial, PCMCIA, USB

• Requires smart card reader...

• Solution for the future

Secure Gate’s key features

• Security protocols

– SSL version 2.0, 3.0

– TLS version 1.0

• Ciphers and Algorithms

– Key exchange: RSA

– Symmetric ciphers: DES 56, 3DES 168, RC4, RC2, IDEA 128

– Hashes: MD5, SHA-1

Secure Gate’s key features

• Fully supports Verisign Global Server IDs (128 bits for every browser)

• Supports hardware cryptographic accelerators

– nCipher

Secure Gate Bundle

• Reverse proxy SSL software (Stronghold)

• Sun Ultra 10 station or better

• Solaris 2.6 secured by Datelec

• SSH server and client for management

• Backup solution

• Documentation

• Options: disk mirroring

Secure Gate Applications

• Consult e-mail systems such as Microsoft Exchange, Lotus, Netscape, etc.

• Access the Intranet

• Access hosts (3270, 5250, VT, etc.) through Web-to-host

• etc.

Availability

Now (Q1 2000)

Questions ?
