Securing Legacy Host Access with Reflection for the Web (Denis Guyonnaud)

Uploaded by abraham-bond, 24-Dec-2015

Pages 1-2: Securing Legacy Host Access with Reflection for the Web

Denis Guyonnaud

Page 3: Security for Legacy Host Access

• Modern Multi-Layered Approaches to Security
• Legacy Host Applications without Security
• First-Generation Host Security: SSL Direct to Host
• Next-Generation Host Security: Layered Security for Legacy Host Applications
• Next-Generation Host Security: Reflection® for the Web and Windows®-Based Reflection
• Non-Intrusive Multi-Layered Security for Legacy Host Applications

Page 4: Modern Multi-Layered Approaches to Security

[Diagram: Client (Web Browser), Firewall, DMZ, Firewall, Web Servers; LDAP, Security Appliance, Reverse Proxy, Authentication Server]

Page 5: Modern Multi-Layered Approaches to Security

• Encryption: Data is encrypted when passing through the non-secure network outside the perimeter
• Centralized identity management: An enterprise LDAP repository manages identity information for all users
• Centralized access control: Authentication and authorization policies are applied at the perimeter to all traffic between clients and servers
• Centralized auditing: Access to network resources is centrally monitored at the access control point
• Centralized threat monitoring: Incoming and outgoing traffic is scanned at the perimeter

Page 6: Legacy Host Applications without Security

[Diagram: Terminal Emulation Client, Telnet (port 23), Authentication At Host]

Page 7: Legacy Host Applications without Security

• No confidentiality of data or passwords: Without encryption, data and passwords are exposed
• Weak authentication: Many hosts are limited to case-insensitive eight-character passwords
• Decentralized authentication: Host-based authentication is often difficult to tie in to LDAP
• Decentralized access control: Access control happens only at the host, so there is no centralized control over access to enterprise resources
• Decentralized auditing: Access to hosts is monitored only by the hosts themselves
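The first bullet is easy to verify on the wire. The following Python is an added example, not code from the presentation or from Reflection: it strips Telnet option negotiation (RFC 854) from a captured stream and pairs the host's prompts with the lines the user typed. The two byte strings are a constructed logon, not a real trace; the host name, user name and password in them are invented.

```python
import re

# Telnet (RFC 854) command bytes.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def telnet_payload(stream: bytes) -> bytes:
    """Return the application bytes of one direction of a Telnet stream.

    Option negotiation (IAC DO/DONT/WILL/WONT <opt>), subnegotiations
    (IAC SB ... IAC SE) and other two-byte commands are dropped; an escaped
    data byte (IAC IAC) becomes a single 0xFF.
    """
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # stream ends mid-command: nothing more to read
            break
        cmd = stream[i + 1]
        if cmd == IAC:          # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):
            i += 3              # IAC <cmd> <option>
        elif cmd == SB:
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2              # NOP, GA, AYT and other two-byte commands
    return bytes(out)


def harvest_credentials(server_stream: bytes, client_stream: bytes) -> dict:
    """Pair the host's prompts ("login: ", "Password: ") with the lines the
    user typed. Nothing is encrypted, so a passive observer sees both."""
    prompts = re.findall(rb"([A-Za-z]+): ", telnet_payload(server_stream))
    typed = [line for line in telnet_payload(client_stream).split(b"\r\n") if line]
    return {p.decode(): a.decode("ascii", "replace") for p, a in zip(prompts, typed)}


# Constructed capture of a host logon over port 23 (not a real trace).
# Host -> client: option negotiation, a banner, then two prompts. The host
# echoes the user name but not the password, as a host usually does.
SERVER_TO_CLIENT = (
    b"\xff\xfd\x18\xff\xfb\x01"              # IAC DO TERMINAL-TYPE, IAC WILL ECHO
    b"\r\nz/OS Telnet\r\nlogin: ADMIN1\r\nPassword: \r\nREADY\r\n"
)
# Client -> host: accepts the negotiation, then types the credentials.
CLIENT_TO_SERVER = (
    b"\xff\xfb\x18\xff\xfd\x01"              # IAC WILL TERMINAL-TYPE, IAC DO ECHO
    b"\xff\xfa\x18\x00IBM-3278-2\xff\xf0"    # IAC SB TERMINAL-TYPE IS ... IAC SE
    b"ADMIN1\r\nS3cret!\r\n"
)

if __name__ == "__main__":
    print(harvest_credentials(SERVER_TO_CLIENT, CLIENT_TO_SERVER))
```

The prompt regex is deliberately loose; on a real TN3270 session the screen is sent as 3270 data stream orders rather than line-mode text, so the harvesting step would need a 3270 field parser, but the negotiation stripping is the same.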

Page 8: First-Generation Host Security: SSL Direct-to-Host

[Diagram: Terminal Emulation Client, SSL/TLS through Firewall ("Open Door/No Authentication"), Authentication At Host]

Page 9: First-Generation Host Security: SSL Direct-to-Host

• Data and passwords are encrypted
• Weak, decentralized authentication: In most SSL deployments, authentication is still handled completely by the host
• Decentralized access control: Access control happens only at the host
• Unauthenticated SSL traffic is passed straight to the host: The encrypted SSL tunnel prevents perimeter devices from inspecting the connection
• Decentralized auditing: Access to hosts is monitored only by the hosts themselves

Page 10: Next-Generation Host Security: Layered Security for Legacy Host Applications

[Diagram: Terminal Emulation Client, Firewall, DMZ, Firewall, Host; LDAP, Security Appliance, Security Proxy, Management Server; SSL/TLS and HTTPS links]

Page 11: Next-Generation Host Security: Layered Security for Legacy Host Applications

• Centralized authentication
• Centralized access control
• Access control at perimeter
• Encryption
• Centralized auditing
• Centralized threat monitoring at the perimeter

Page 12: Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection

[Diagram: Firewall, Firewall, Host; LDAP, Security Appliance, Security Proxy, Reflection Metering Server, Reflection Management Server; SSL/TLS link]

Page 13: Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection

• Reflection Management Server
• Reflection Security Proxy
• Reflection Metering Server
• Reflection thin client

Page 14: Reflection Interoperates with All Common LDAP Servers

• Active Directory
• Novell
• iPlanet/Netscape/SunOne
• IBM Directory Server
• IBM RACF
• OpenLDAP
• Other RFC 2256-compliant LDAP servers

Page 15: Reflection Interoperates with All Common LDAP Servers

• Reflection uses non-intrusive read-only access to LDAP directories
• Access to hosts is controlled using the existing LDAP user and group structure

Page 16: Reflection Interoperates with Popular Portal and Web Authentication Tools

• WebSphere portal
• BEA WebLogic portal
• Plumtree (BEA AquaLogic) portal
• SiteMinder

Page 17: Unique Secure Token Authorization Mechanism

• Simple SSL gateways or redirectors do not authenticate users or require authorization in order to connect to a host
• The Reflection Security Proxy requires clients to prove that they have been both authenticated and authorized to access the host
• When a user is authenticated and authorized by the Reflection Management Server, they receive a secure token. Only users with this secure token can connect to the Security Proxy
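The pattern on this page, on Page 15 (host access decided from existing directory groups) and on Page 9 (a redirector that forwards anyone who completes the TLS handshake) can be modelled in a few dozen lines. The Python below is an added example and is not Reflection's code: the presentation does not describe the token format, so the HMAC-signed token bound to user, host and expiry is an assumption, as are the constructed directory entries, the hypothetical group-to-host policy and the host names.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for a read-only LDAP lookup: user DN -> memberOf DNs.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": ["cn=mainframe-ops,ou=groups,dc=example,dc=com"],
    "uid=bob,ou=people,dc=example,dc=com": ["cn=helpdesk,ou=groups,dc=example,dc=com"],
}

# Hypothetical access policy keyed on the directory's existing groups:
# group DN -> host sessions ("host:port") that group may open.
HOST_ACCESS = {
    "cn=mainframe-ops,ou=groups,dc=example,dc=com": {"mvs-prod:23", "as400:23"},
    "cn=helpdesk,ou=groups,dc=example,dc=com": {"as400:23"},
}


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class ManagementServer:
    """Authorizes against directory groups and issues signed session tokens.
    (Authenticating the user, e.g. an LDAP bind, is out of scope here.)"""

    def __init__(self, key: bytes, lifetime_s: int = 300):
        self._key = key              # shared only with the security proxy
        self._lifetime = lifetime_s

    def authorized_hosts(self, user_dn: str) -> set:
        hosts = set()
        for group in DIRECTORY.get(user_dn, []):
            hosts |= HOST_ACCESS.get(group, set())
        return hosts

    def issue_token(self, user_dn: str, host: str, now=None):
        """Return an HMAC-signed token bound to user, host and expiry (assumed
        format), or None if the user's groups do not grant this host."""
        if host not in self.authorized_hosts(user_dn):
            return None
        now = time.time() if now is None else now
        claims = {"sub": user_dn, "host": host,
                  "exp": int(now) + self._lifetime, "jti": os.urandom(8).hex()}
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        return body + b"." + _b64e(hmac.new(self._key, body, hashlib.sha256).digest())


class SecurityProxy:
    """Sits in the DMZ; opens the host session only for a valid token."""

    def __init__(self, key: bytes):
        self._key = key

    def verify(self, token: bytes, host: str, now=None):
        now = time.time() if now is None else now
        try:
            body, tag = token.split(b".", 1)
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(_b64d(tag), expected):
                return False, "bad signature"
            claims = json.loads(_b64d(body))
        except (ValueError, TypeError):
            return False, "malformed token"
        if not isinstance(claims, dict):
            return False, "malformed token"
        if claims.get("host") != host:       # token for another host is useless here
            return False, "token not issued for this host"
        if claims.get("exp", 0) <= now:
            return False, "token expired"
        return True, claims.get("sub")

    def connect(self, token: bytes, host: str, now=None):
        ok, detail = self.verify(token, host, now)
        # A real proxy would open the TCP session to the host on "forward".
        return ("forward", host) if ok else ("reject", detail)


class SslRedirector:
    """First-generation pattern from Page 9: TLS terminates here and any
    client that completes the handshake is relayed to the host."""

    def connect(self, token, host, now=None):
        return ("forward", host)
```

Binding the token to the host name matters: without it, a user authorized for one session could present that token to the proxy for any host it fronts. A short lifetime and the per-issuance `jti` are what let the proxy, and a central audit log fed from it, attribute every host connection to a directory identity.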

Page 18: Broad Platform Compatibility

The Reflection Management and Metering servers can be deployed on any J2EE-compliant web application server, including:
• Tomcat (default shipping installation)
• IBM WebSphere
• BEA WebLogic

Page 19: Broad Platform Compatibility

The Reflection Security Proxy can be installed on any platform that supports Java, including:
• Windows
• Linux
• Solaris
• HP-UX
• z/OS

Page 20: Broad Platform Compatibility

Reflection for the Web thin client emulators run on any platform that supports Java, including:
• OS X
• Linux
• Windows

Page 21: Broad Platform Compatibility

Reflection for the Web thin client emulators support popular web browsers, including:
• Internet Explorer
• Mozilla Firefox
• Safari
• Netscape

Using all common Java clients:
• Sun JRE 1.6 and earlier
• Microsoft 1.1 VM

Page 22: Non-Intrusive Multi-Layered Security for Legacy Host Applications

The Reflection security architecture offers the following advantages:
• Layers of security in front of your host
• Non-intrusive security
• Can be used with Reflection thin client emulators or Windows-based thick clients
• Both the Reflection Management Server and the Security Proxy server are compatible with commonly used load balancers
