Web Security Infrastructure Study
Topics
Current State
Concerns
Recommendations
Presentation by Kankan Roy
For a Multinational Life Insurance Company
Present Web Security Infrastructure
The security is built on the following components and their replication for hi-availability:
– Cisco 11503 LB load balancer
– AmberPoint plug-in (for transparent re-direction)
– ISA 2004 for NAT, firewall, and isolation of the internal network
– XML firewall (XS40), Web Service Gateway (XI50)
– External Active Directory with a trust relationship to the internal AD, granting security principals from the external domain access to resources in the internal Windows forest.
Present Web related Infrastructure
• IIS 6, Windows 2003
• ASP.Net
• Windows and Web Services
• Datapower used as XML gateway for web services
• Oracle and Oracle RAC Databases
• Web Applications with individual Security Deployment
• Data warehouse and Data mart: SQL Server 2000
• Services from 3rd parties are provided through web redirection to external web sites; these access data stores and files via adapters and hold a "Foreign Security Principal" trust to access the internal Windows servers
Web Services Environment Diagram: Production
Prepared By: Bovee, McMahon, Kankan. Last Edited: Friday, October 22, 2010
[Diagram; the transcript carries only its labels, which are condensed here.]
Zones: Internet, B2C DMZ, B2C Secure Zone, Internal Zone. Inbound traffic on :443 https (Contract Holder Site) and :85 http.
CSS Content Switch CISCO 11503 (pair): SSL termination; round robin load balancing with a virtual IP mapped to 6 content rules (public IPs P01 and P02 to web servers P20, P21, P24, P25, P26, P27).
Web Reverse Proxy: AWISAP01, AWISAP02 (Windows 2003, ISA 2004 Standalone Edition).
Web Server Farm (IIG, QuestarCapital.com, Allianzlife.com, Allianzlifeadmin.com; Securities, Public, Admin): AWIISP20, AWIISP21, AWIISP24, AWIISP25, AWIISP26, AWIISP27, each Windows 2003, IIS 6.0 ASP.NET, Open Deploy Receiver v5.6; AWIISP20 also hosts OLR Invite Services, OLR Registration Server, OLR Registration Adapter and OLR Delivery Adapter.
Web Service Farm: AWIISP01, AWIISP02, AWIISP03, AWIISP07 (IIS 6.0, Windows 2003, AmberPoint Plug-In Agent); OnBase Web Service Farm: AWIISP22, AWIISP23 (IIS 6.0, Windows 2003). XS40s AADXSP01 & 02 front the web services; XI50s AADXP01 & 02 act as the AIG Services XML Firewall.
Services exposed (names run together on the diagram): Contract Management, IDM, Online Supplies, Online Registration Web Services, Point Web Services, Policy Values, Producer, Image Display, ODS Update, Agency Web, BPM Big Easy, AIG, Transfer Exchange, Operational Data Store, Party Search, Notification, Holding Search. WS Invocation (CMS; variable - Portfolio Management, Regis. Attendance Updates, ...) reaches Windows Services and DB via adapters.
Active Directory: Ext.AllianzLife.com (AWADCP14, AWADCP15 EXT Domain Controllers) and AZLIFEM.AllianzLife.com (AWADCP16, AWADCP17 AZLIFEM Domain Controllers), all Windows 2003 Active Directory Services; intersite replication every 5 minutes (AD 2003 mode); AD account data synchronization by nightly feed.
Data stores: SQL Cluster DSQWEBP01/DSQWEBP02 with AWSQLP61VS01 Data Warehouse (DB: LifeUSAWeb, DataWareHouse, Allianz_Web) and AWSQLP60VS01 Data Mart (DB: RTC_DM, LiquidOffice), SQL Server 2000 on Windows 2000; DB: USALLIANZ_DM and USALLIANZ_CMS; DSQGOLDMINEP01/AWSQLP41VS01 Transfer&Exchange (SQL Server 2000, DB: IIG_Texchange, GOLDMINE); AXORCP01 TeamPoint (Oracle 9i, DB: CRMLPRD, Windows 2000 Server); AWORCP10&11 Acord and AXORCP10 & 11 TrueComp/TrueProducer on Oracle 9i RAC (host platforms marked with question marks on the diagram); AWSQLP13VS01 ODS (SQL Server, Win2003); PRDAUSRVS01 Guido ISAM (Windows 2000); IBM AS/400 A41D3P01 ID3 (Lib: ID3LTPDTA) and A4VSTP01 VersatUL (Lib: USLDATA, LUPDATA); VS10 Environment (Open VMS, ACCENT/r); ODBC links.
Other servers: AWLNSP01 smtp.AllianzLife.com SMTP Email Service (IIS 5.0, Windows 2000); AWSDCP01 DNS Name Server / WebTrends SSDC; AWWTRP02 Web Trends 7.0 Server (Web Trends for IIG, USA Client, Public, USA Securities); AWWFCP01 Web Focus Production Server; AWAPPP27 iBonus Web and Application Server (redirect to iBonus Web Server from Securities); AWCTMP02 Content Management System (Interwoven TeamSite 6.5, Tomcat/IIS, JSP, Open Deploy / Data Deploy 6.0.2, Web Deploy 6.0.2, SecurityProfileSynchronizer); AWCVSP01 CVS Repository (CVSNT Service, CVSNT Lock Service); AWBATP01 Batch Server (ER_Agent); AWCCWP02 and AWUSRP01 Distribution points (Windows 2000).
Adapters: GoldmineInAdapter, GoldmineOutAdapter, TeamPointAdapter. TeamPoint and GoldMine hold registrations, attendance and events; Goldmine In/Out updates are triggered by event registrations and event creations.
3rd Party Vendors: Ilinc (IIG), iBonus (IIG), MotivAction (IIG), PinPoint (IIG), K/P Corporation, SciCom (IIG), Akamai (IIG, Sec), Cathedral (USA), ITECH (USA Sec, IIG), Investigo (Sec), RegEd (Sec), Foresight (USA), Prospect Digital (Sec), WebWinder (IIG, USA), UPS Discount, Articulate, ForeField (IIG), Morningstar, Jobs.Allianz, Gage, Responsys, Omniture, Google Analytics, Broker/Dealer.
Flows labelled on the diagram: OLR Event Invite / Registration Emails via SFTP (XML files); OLR Event Reminder Emails (currently disabled / turned off); Registration & Attendance Updates (fixed and variable); Create Events & Reg. (fixed and variable); Open Deploy & DataDeploy Content; Web baselines and baseline deployments; Web Focus Report Data and Web Focus Production Report Requests; iBonus Data; Warehouse Data and Data Mart Data; Datastaging Dataflow and Staging Flow; Nightly / half-hourly Batch Process; Log files shipped via nightly batch job; WebTrends Site Reporting via Admin site; Email Repository Sync.
Legend (service type by color): File Server, IIS 5.0, IIS 6.0, SQL Server, BizTalk Server, MSMQ 2.0, ISA Server 2004, CMS - Interwoven, Active Directory, AS/400, 3rd Party Vendor.
Diagram notes:
• CSS will provide SSL termination, round robin load balancing and maintain session affinity.
• ISA 2004 is implemented in stand-alone mode - no directory integration.
• Session state management will move from the CSS (ArrowPoint cookie) to IIS via out-of-process session state maintenance on SQL Server in the Secure Zone.
• Out of Process Session State Management: maintained for USAllianz & Securities only. In Process Session State Management: IIG only.
Security Concerns
• Possible indirect access to internal Windows resources
• Possible indirect access by 3rd Party Partners to internal resources
• Possible direct access to secured web sites and databases by authenticated but unauthorized users
• No auditing or access logging of end user access or of the information accessed
• Security is not decoupled from business logic
• Protected object space is not defined, nor centrally managed
• Access control is not dynamically enforced
• It is possible to bypass authorization since it is implemented in a deployment script, and there is no security governance policy
• Authentication is implemented, authorization and access control are partially implemented, and auditing is not implemented at all
• There is no governance policy to create or modify objects that need protection
• Lack of documentation of the Access Control Policy (ACLP) for objects
• No explicit SSO implementation
DIRECT ACCESS TO SECURITY ZONE BY BUSINESS SERVICE PROVIDERS
[Diagram: the production environment diagram repeated (Internet, B2C DMZ, B2C Secure Zone; web server farm, SQL cluster, SMTP email service, iBonus web and application server, OLR email flows, registration and attendance update flows, 3rd party vendor sites and Broker/Dealer), with the same labels as the diagram above.]
External AD based Security implementation
External AD is used for authentication, implemented in the security configuration layer (the web applications' web.config file). Given below is a snippet from a web application site:
Snippets from ADC
Future Web Security Roadmap
• Web must be an active vehicle for business expansion
• Focus of web applications shall no longer be policy centered (type, line of business, or policy administration)
• Future web shall have a user (type, role and self-service) focus where policy operations are intuitive, implicit and automated
• User operations shall be serviced by Business Services, Management Services, Administration Services and Request Services
• Implementation shall require security guidelines for information access control to private user information
• Security policy must be explicit and decoupled from service code
• Security assertion should be made before service invocation
• Service level audit and access records should be available to pinpoint responsibility in the event of a security breach
• Users should be able to manage their own profile, access, account, associates and policies without customer service assistance; self enrollment for new users
• Business should be decoupled from infrastructure
• Infrastructure should be interoperable and distributed, open and accommodative of emerging technology
• Centralized Policy Administration System to manage all lines of business
• User access device can be any: desktop/laptop browser, mobile, hand-held, voice activated or cellular devices
• Sarbanes-Oxley Act 2002 - http://www.soxlaw.com/index.htm
Abstract Model For Role Based Access Control (RBAC)
Current AD based RBAC identifies web directories as the only target, using Web.Config
Protected Objects Space Needing Access Permission
• Web Sites
• Web Services
• Partners Services
• Providers Services or Web Sites
• Applications
• Programs
• Policies
• Users
• Consumers
• Producers
• Transactions
• Statements
• Queues
• Infrastructure
• Hierarchy of Objects based on Ownership relation
• Private Information encapsulated in Objects
Access Control Enforcement Point
• Reverse Proxy Single Sign On
• Federated SSO for 3rd party service providers
• Single Point Authentication and Authorization system for all User Devices – Mobile, Handheld, Phone, Desktop, Messaging Device
• B2B Service
• Messaging Service
• Proxy Services to Business Service
• Web Service Security
• Enterprise Service Bus
• Gateway ESB
• Application Invocation
• Information Security for View generation service
• Information security for Data Object Access Service
Recommended Security Zone
Access Control system
Protected Object Space is a Centrally Managed Database
• Object Definitions
• Access Control List Policies for Objects
• Associated Object Policies – Privacy, Auditing, Access Time/Accessor Log etc.
• Associated Authorization Rule (for External/Internal Rules Engine to Access Manager) that asserts access to protected object
• Pre or Post Processing/Filtration/transformation Requirement for inbound/outbound Message
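The centrally managed protected object space proposed here, set beside the directory-only authorization criticised on the Security Concerns slide, as an added example (not code from the presentation or the company's systems; the directory rules, objects, roles and subjects P100/P200 are constructed for illustration):

```python
from dataclasses import dataclass, field
from typing import Optional

# Current state (constructed): authorization keyed on the web directory only,
# the way a web.config <location> rule grants a role a whole folder.
DIRECTORY_RULES = {"/securities/": {"producer"}, "/admin/": {"admin"}}

def directory_authorized(roles: set, url: str) -> bool:
    """Longest-prefix directory rule; it cannot tell WHOSE policy is requested."""
    for prefix in sorted(DIRECTORY_RULES, key=len, reverse=True):
        if url.startswith(prefix):
            return bool(roles & DIRECTORY_RULES[prefix])
    return False

# Recommended state (constructed): protected objects kept in one central
# store, ACLs inherited along the ownership hierarchy, every decision audited.
@dataclass
class ProtectedObject:
    owner: str                      # subject that owns the object
    parent: Optional[str] = None    # ownership hierarchy (policy -> producer)
    acl: dict = field(default_factory=dict)  # role -> set of allowed actions

OBJECTS = {
    "producer:P100": ProtectedObject("P100", acl={"admin": {"read", "update"}}),
    "policy:A-1": ProtectedObject("P100", "producer:P100", {"auditor": {"read"}}),
}
AUDIT: list = []   # access record: who did what to which object, and the decision

def authorize(user: str, roles: set, action: str, obj_name: str) -> bool:
    """Assert access before service invocation, walking the ownership chain."""
    allowed, name = False, obj_name
    while name is not None and not allowed:
        obj = OBJECTS.get(name)
        if obj is None:
            break                    # unknown object: deny, but still log it
        if obj.owner == user:
            allowed = True           # owners may act on their own objects
        else:
            allowed = any(action in obj.acl.get(r, set()) for r in roles)
        name = obj.parent            # inherit ACLs from the owning object
    AUDIT.append({"user": user, "roles": sorted(roles), "action": action,
                  "object": obj_name, "allowed": allowed})
    return allowed

if __name__ == "__main__":
    # Producer P200 passes the directory rule for P100's policy page ...
    print(directory_authorized({"producer"}, "/securities/policy?id=A-1"))  # True
    # ... but the object-level check denies it and records the attempt.
    print(authorize("P200", {"producer"}, "read", "policy:A-1"))            # False
    print(AUDIT[-1])
```

The audit list is the access record the current deployment lacks; in a real system it would be a write-once store rather than an in-memory list.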
Access Authorization Database
Authentication Mechanism
Web Security Server uses Access Manager User Registry to Create Access Manager User Credential used for the duration of the session
Device Interface for Authentication Mechanism can be any as per the user device interface (Form, Inter-active Voice/Phone, text Message)
Adapting/Migrating (Multiple) ADS User Registry
For Access management
Authentication and Federation
• Authorization Manager should be able to authenticate user from any kind of user Communication device and create a Session for a User irrespective of users’ device
• External Authentication Manager should be able to recognize User Credential when redirected to the external site and should be able to create a session and vice versa
• External User/application may not be granted Trust to access internal Resources such as DB using any kind of Adapter or web service.
ESB Functionalities
• Routing
• Mediation
• Confidentiality
• Protocol Transformation
• Logging, Auditing, Authorization
• Enforce Access Control
• Flow Management
• Throttling – Queue length – number of simultaneous flows
• Correlation of in-bound flows to out-bound flows
• Proxy for virtualization and versioning
• Notification
• Alert
• Activity monitoring and Aggregate Reporting via Dashboard
Enterprise Integration
Transitioning: Present To Future [Concern: Data Synchronization During Transition]
• The Reverse Proxy server should act as a gateway to the old and new implementations, transparently to any user.
• The Operational Data Store must remain in sync during the transition; an active-active data sharing/replication bridge should be in place.
• All DB access for the new implementation may be channeled through the ESB so that data replication from new to old can be incorporated easily and securely
High Availability Zero Downtime
• Physical Replication of total infrastructure (Active Passive fail over)
• RAID – replication of Storage
• Cloud space and Grid Storage – virtual storage – Internet hosted application
• RAC DBMS
• Web Clusters
• Replication of Critical databases and Directories/Registers
• Queue Clusters
• End Point Virtualization, Versioning and Governance using Registry and repository
QUESTIONS?