Securing Legacy Host Access with Reflection for the Web
Denis Guyonnaud
Security for Legacy Host Access
• Modern Multi-Layered Approaches to Security
• Legacy Host Applications without Security
• First-Generation Host Security: SSL Direct to Host
• Next-Generation Host Security: Layered Security for Legacy Host Applications
• Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection
• Non-Intrusive Multi-Layered Security for Legacy Host Applications
Modern Multi-Layered Approaches to Security
[Diagram: client (web browser) -> firewall -> DMZ containing a reverse proxy and a security appliance -> firewall -> internal network with web servers, an authentication server and an LDAP directory]
• Encryption: Data is encrypted while it passes through the non-secure network outside the perimeter
• Centralized identity management: An enterprise LDAP repository manages identity information for all users
• Centralized access control: Authentication and authorization policies are applied at the perimeter to all traffic between clients and servers
• Centralized auditing: Access to network resources is centrally monitored at the access control point
• Centralized threat monitoring: Incoming and outgoing traffic is scanned at the perimeter
Legacy Host Applications without Security
[Diagram: terminal emulation client -> Telnet (port 23) -> host, with authentication performed at the host]
• No confidentiality of data or passwords: Without encryption, data and passwords are exposed; Telnet carries the whole session, including the logon, in cleartext
• Weak authentication: Many hosts are limited to case-insensitive eight-character passwords
• Decentralized authentication: Host-based authentication is often difficult to tie in to LDAP
• Decentralized access control: Access control happens only at the host, so there is no centralized control over access to enterprise resources
• Decentralized auditing: Access to hosts is monitored only by the hosts themselves
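To make the first bullet concrete, here is an added example (my own illustration, not code from the presentation or from any Reflection product) that takes a hand-constructed capture of a line-mode Telnet logon, strips the RFC 854 IAC option negotiation, and recovers the user name and password from the cleartext. The host name, prompts and credentials in CAPTURED_SEGMENTS are invented for the demonstration.

```python
"""Recover a logon from a cleartext Telnet (port 23) session.

Added example, not part of the original presentation or of any Reflection
product. The segments in CAPTURED_SEGMENTS are constructed by hand to look
like the TCP payloads of a line-mode Telnet logon; no real capture was used.
"""
import re

# RFC 854 Telnet command bytes.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
OPT_ECHO, OPT_TTYPE = 0x01, 0x18


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Drop IAC command sequences and return only the user-visible bytes.

    IAC <cmd>                    two bytes for cmd 0xF0-0xF9
    IAC WILL/WONT/DO/DONT <opt>  three bytes
    IAC SB ... IAC SE            subnegotiation, variable length
    IAC IAC                      a literal 0xFF data byte
    """
    out = bytearray()
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:            # segment ends in the middle of a command
            break
        cmd = payload[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end == -1 else end + 2
        else:
            i += 2
    return bytes(out)


# Prompts a host typically sends before reading a credential.
PROMPT_RE = re.compile(rb"(login|username|user|password|passwd)\s*:$", re.IGNORECASE)


def extract_credentials(segments):
    """segments: list of (direction, payload) in capture order, direction being
    'srv' (host to client) or 'cli' (client to host).

    Returns {prompt: reply}, e.g. {'login': 'jsmith', 'password': 'Secret1'}.
    Client bytes may arrive one keystroke per segment, so replies are
    accumulated until a newline.
    """
    found = {}
    pending = None          # prompt the host just sent, awaiting a reply
    line = b""
    for direction, payload in segments:
        text = strip_telnet_negotiation(payload)
        if direction == "srv":
            m = PROMPT_RE.search(text.rstrip())
            if m:
                pending = m.group(1).lower().decode()
        else:
            line += text
            while b"\n" in line:
                reply, line = line.split(b"\n", 1)
                if pending is not None:
                    found[pending] = reply.rstrip(b"\r").decode("ascii", "replace")
                    pending = None
    return found


# Constructed capture of a Telnet logon: option negotiation, then the logon.
CAPTURED_SEGMENTS = [
    ("srv", bytes([IAC, DO, OPT_TTYPE, IAC, WILL, OPT_ECHO])),
    ("cli", bytes([IAC, WILL, OPT_TTYPE, IAC, DO, OPT_ECHO])),
    ("srv", bytes([IAC, SB, OPT_TTYPE, 0x01, IAC, SE])),            # SEND terminal type
    ("cli", bytes([IAC, SB, OPT_TTYPE, 0x00]) + b"VT220" + bytes([IAC, SE])),
    ("srv", b"\r\nhosta login: "),
    ("cli", b"jsm"),                                                  # keystrokes split across segments
    ("cli", b"ith\r\n"),
    ("srv", b"Password: "),
    ("cli", b"Secret1\r\n"),
    ("srv", b"\r\nLast login: Mon Jan  1\r\n$ "),
]

if __name__ == "__main__":
    print(extract_credentials(CAPTURED_SEGMENTS))   # {'login': 'jsmith', 'password': 'Secret1'}
```

Anyone on the path between the emulator and port 23 can do this with a packet capture. The parser handles line-mode Telnet only; a TN3270 session carries a screen-oriented data stream, so a real tool would also decode 3270 orders, but the credentials are equally exposed.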
First-Generation Host Security: SSL Direct-to-Host
[Diagram: terminal emulation client -> SSL/TLS -> firewall (open door, no authentication) -> host, with authentication still performed at the host]
• Data and passwords are encrypted
• Weak, decentralized authentication: In most SSL deployments, authentication is still handled completely by the host
• Decentralized access control: Access control happens only at the host
• Unauthenticated SSL traffic is passed straight to the host: The firewall is an open door that relays any TLS connection to the host without authenticating the user, and the encrypted SSL tunnel makes it impossible for perimeter devices to monitor the connection
• Decentralized auditing: Access to hosts is monitored only by the hosts themselves
Next-Generation Host Security: Layered Security for Legacy Host Applications
[Diagram: terminal emulation client -> firewall -> DMZ containing a security proxy (SSL/TLS), a management server (HTTPS) and a security appliance -> firewall -> host and LDAP directory]
• Centralized authentication
• Centralized access control
• Access control at the perimeter
• Encryption
• Centralized auditing
• Centralized threat monitoring at the perimeter
Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection
[Diagram: the same layered design built from Reflection components: Reflection Security Proxy (SSL/TLS) and a security appliance in the DMZ between the two firewalls, Reflection Management Server and Reflection Metering Server, host and LDAP directory]
• Reflection Management Server
• Reflection Security Proxy
• Reflection Metering Server
• Reflection thin client
Reflection Interoperates with All Common LDAP Servers
• Active Directory
• Novell
• iPlanet/Netscape/SunOne
• IBM Directory Server
• IBM RACF
• OpenLDAP
• Other RFC 2256-compliant LDAP servers
• Reflection uses non-intrusive read-only access to LDAP directories
• Access to hosts is controlled using the existing LDAP user and group structure
Reflection Interoperates with Popular Portal and Web Authentication Tools
• WebSphere portal
• BEA WebLogic portal
• Plumtree (BEA AquaLogic) portal
• SiteMinder
Unique Secure Token Authorization Mechanism
• Simple SSL gateways or redirectors do not authenticate users or require authorization before connecting them to a host
• The Reflection Security Proxy requires clients to prove that they have been both authenticated and authorized to access the host
• When a user is authenticated and authorized by the Reflection Management Server, they receive a secure token. Only users with this secure token can connect through the Security Proxy
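The two slides above (read-only, group-based authorization from the existing LDAP structure, and the token the Security Proxy demands before relaying a connection) describe one flow. The following added example is my own sketch of that flow, not Reflection's token format or code: the presentation does not say how the token is built. The HMAC construction, the claims, the constructed directory entries and the group-to-host policy are all assumptions made to show the mechanism.

```python
"""Token-gated access to a host proxy.

Added example, not Reflection's token format or code. The presentation only
says that the Management Server hands an authenticated and authorized user a
secure token and that the Security Proxy admits only holders of that token.
The HMAC construction, the claims, the directory entries and the
group-to-host policy below are assumptions made to show the mechanism.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# What a read-only LDAP lookup would return for each user (constructed data;
# only the attribute the access decision needs).
DIRECTORY = {
    "jsmith": {"memberOf": ["cn=mainframe-users,ou=groups,dc=example,dc=com"]},
    "kjones": {"memberOf": ["cn=web-users,ou=groups,dc=example,dc=com"]},
}

# Assumed policy: which existing LDAP group may reach which host:port.
HOST_POLICY = {
    "mvs1.example.com:23": "cn=mainframe-users,ou=groups,dc=example,dc=com",
}

# Assumed to be shared between the management server and the security proxy.
SIGNING_KEY = secrets.token_bytes(32)


def authorize(user: str, host: str) -> bool:
    """Authorization from the existing group structure; no directory writes."""
    entry = DIRECTORY.get(user)
    required = HOST_POLICY.get(host)
    return entry is not None and required is not None and required in entry["memberOf"]


def issue_token(user, host, key=SIGNING_KEY, ttl=300, now=None):
    """Management server side: runs after the user has authenticated (e.g.
    an LDAP bind or a portal login). Returns a token, or None if not authorized."""
    if not authorize(user, host):
        return None
    now = time.time() if now is None else now
    claims = {"sub": user, "host": host, "exp": int(now) + ttl,
              "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    b64 = base64.urlsafe_b64encode
    return b64(body).decode() + "." + b64(tag).decode()


def verify_token(token, host, key=SIGNING_KEY, now=None):
    """Security proxy side: admit the connection only if the token is genuine,
    unexpired and was issued for this host. Returns the user name or None.
    A plain SSL redirector would skip this entirely and relay any connection."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                          # wrong shape or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time; rejects forgery
        return None
    claims = json.loads(body)                   # body is authentic past this point
    now = time.time() if now is None else now
    if claims["host"] != host or claims["exp"] <= now:
        return None
    return claims["sub"]


def simulate(user, requested_host, connected_host, issued_at, checked_at):
    """Whole flow at fixed clock values: issuance, then the proxy's decision."""
    token = issue_token(user, requested_host, now=issued_at)
    return None if token is None else verify_token(token, connected_host, now=checked_at)


if __name__ == "__main__":
    host = "mvs1.example.com:23"
    token = issue_token("jsmith", host)
    print("proxy admits:", verify_token(token, host))                  # jsmith
    print("wrong host:", verify_token(token, "other.example.com:23"))  # None
    print("not in group:", issue_token("kjones", host))                # None
```

The point of the split is that the component exposed in the DMZ (the proxy) holds only a verification key and a host name; it never binds to the directory, and it refuses any TLS client that cannot present a token minted after the management server's LDAP-based decision. Binding the token to a host and an expiry is what stops a token issued for one host from being replayed against another or reused indefinitely.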
Broad Platform Compatibility
The Reflection Management and Metering servers can be deployed on any J2EE-compliant web application server, including:
• Tomcat (default shipping installation)
• IBM WebSphere
• BEA WebLogic
The Reflection Security Proxy can be installed on any platform that supports Java, including:
• Windows
• Linux
• Solaris
• HP-UX
• z/OS
Reflection for the Web thin client emulators run on any platform that supports Java, including:
• OS X
• Linux
• Windows
Reflection for the Web thin client emulators support popular web browsers, including:
• Internet Explorer
• Mozilla Firefox
• Safari
• Netscape
They run on all common Java clients:
• Sun JRE 1.6 and earlier
• Microsoft 1.1 VM
Non-Intrusive Multi-Layered Security for Legacy Host Applications
The Reflection security architecture offers the following advantages:
• Layers of security in front of your host
• Non-intrusive security
• Can be used with Reflection thin client emulators or Windows-based thick clients
• Both the Reflection Management Server and the Security Proxy server are compatible with commonly used load balancers