Frequently Asked Questions (FAQ)

Airlock FAQ

The Airlock Suite is a packaged solution from Ergon Informatik (Switzerland). It deals with the issues of filtering and authentication in one complete and coordinated solution – setting standards for usability and services.

At the base of the Airlock Suite is the Airlock WAF (Web Application Firewall) for reliable protection of Internet web applications. Features include systematic control and filtering mechanisms with a variety of enhancement options.

The Airlock Suite combines Airlock WAF with Airlock Login or IAM for reliable user authentication and authorization. Airlock Login is a simplified version of IAM.

Airlock IAM is the suite’s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration.

Optimal security is not the only benefit: Using Airlock brings high usability and cost efficiency to web application security.

Airlock Suite, Ergon’s main security product, was launched on the market in 2002 and is now used by 350 customers around the globe.

Airlock Suite

This FAQ question contains copyright material from ©Ergon Informatik AG
2016/02/05, last update 2018/07/10 ©ACROSEC Inc.


The Airlock WAF (core) is the base of the Airlock Suite for providing WAF filtering functionalities. Further functionality can be added on the WAF core itself and/or with components running on different systems.

Using Airlock Login (and the Authorization Enforcement Module) turns the WAF into a web access management solution, providing central authentication and access control functionality in front of all backend applications. Deploying it in a dedicated DMZ (on premise or in the cloud) is the ideal base for creating a high-end security solution. Airlock Login is a subset of the Airlock IAM package, which is often not required.

The Airlock WAF is a reverse proxy solution. In the analogy of a building, Airlock acts like a fortified entrance door with a security guard who enforces entry procedures. Access to the building is secured; however, the setup only makes sense if the building also has solid walls and there are no other open doors or windows elsewhere that would circumvent the whole purpose of a fortified front entrance.

Airlock is very effective as an official security gate. In the above analogy of a fortified entrance, the WAF Core compares to a body and luggage checkpoint that prevents dangerous goods from entering the building. Airlock Login provides additional security capabilities, as it controls who is allowed to access the building based on an identity check and an access control list.

2016/02/05, last update 2018/07/10 ©ACROSEC Inc.


The Airlock Suite has been created by the Swiss company Ergon Informatik AG (in short Ergon), based in Zurich.

In 1997, Ergon developed Switzerland’s first eBanking system for a well-known Swiss bank. Airlock Suite was launched in 2002, pioneering the WAF and secure entry server market, and its use is now expanding around the globe.

2016/02/05 © ACROSEC Inc.


The Swiss-based Ergon Informatik AG (in short Ergon) is the company behind Airlock.

Smart people – smart software: Ergon Informatik AG

Founded in 1984, Ergon Informatik AG now has a workforce of 255 and numbers among the most long-standing and successful IT service providers in Switzerland. Over 80% of Ergon’s employees are graduate software developers, and most of them have trained as IT engineers at the Swiss Federal Institute of Technology (ETH), Zurich — one of the world’s top ten universities. Ergon Informatik AG has also won multiple awards for its sustainable personnel policy. Ergon Informatik AG is a broadly diversified company that provides services to a wide variety of sectors. Ergon has exceptional expertise in various sectors such as financial services, eBanking, telecommunications and security. In 1997, Ergon developed Switzerland’s first eBanking system for a well-known Swiss bank. Airlock Suite was launched on the market in 2002 and is now used by 350 customers around the globe.

This FAQ question contains copyright material from ©Ergon Informatik AG


This depends on scenario and use case requirements.

For the web application scenario, Airlock WAF is normally placed upstream in front of these applications – which usually are placed in an inbound DMZ dedicated for web applications.

Building such a DMZ depends on the customer preferences. However, all traffic to the web applications should be routed through the Airlock WAF.

The Airlock WAF is a hardened security device; however, it is still recommended to place it behind a network firewall and to open only the few ports required to access the WAF.

The Airlock Login can be implemented on the WAF itself (via Tomcat or by using the WAF as Docker host) or on an application server behind the WAF.

A scenario with a cloud-based Airlock would look slightly different in requirements and setup. An important consideration is the use of HTTPS or VPN tunnel solutions for securely integrating the downstream backend application servers with such a cloud-based service.

2016/02/05, last update 2018/07/10 ©ACROSEC Inc.


Yes, definitely. Airlock is already used by some security service providers in Europe to provide WAF cloud services.

Airlock can be deployed on bare metal or on virtual machines, on premise or in the cloud. Offering a WAF cloud service to third parties with Airlock WAF is possible, but requires a special contract.

2016/02/05, last update 2018/07/10 ©ACROSEC Inc.


DMZ FAQ

In IT, a DMZ (demilitarized zone) is a special network zone that is normally placed between other network zones of different trust levels. Most frequently it is used at the perimeter boundary to host external-facing servers, e.g. web servers. However, a DMZ can be used in many different ways, also within the internal network. It is basically purpose, configuration and use that define whether a DMZ is a dangerous no-go area or a trusted security zone.

Furthermore, there are multiple ways to look at such DMZ network zones. The usual and obvious way is to look at them from the technical perspective, because it is a technical subject belonging to network administration and to some security specialists. It is also a topic full of pitfalls, as many technical details on many components need to be considered from multiple angles. The sum of these details makes the difference between security failure and success of a DMZ environment.

2016/02/05 © ACROSEC Inc.


A dedicated DMZ is an implementation of a specific DMZ network scenario as a solution. Most DMZ implementations are dedicated in that sense, i.e. they serve a purpose and the people who designed them had a solution concept in mind for solving a problem.

A DMZ should not be a dumping ground for everything that cannot be placed elsewhere. Unfortunately, that happens too often. This is why it makes sense to be more specific when using the term “DMZ”. Simply attaching a label regarding its purpose helps to clarify usage and expectations.

A dedicated DMZ scenario should be aligned with the requirements of the applications and services placed within it – and vice versa. The security requirements and expectations of all stakeholders should match during the whole life-cycle of an implementation.

2016/02/05 © ACROSEC Inc.


“Many technical details” could be the short answer to this question. However, it makes sense to lift the discussion to the following level:

  • Purpose: Usually used at boundaries (network perimeter or internal network) to offer gateway connectivity services between differently trusted areas. Can also be used to build trust structures within the internal network. The purpose should be documented or defined in policies.
  • Current configuration: Degree of virtualization, number of segments, connectivity on each layer, firewall rules, direction of connection establishment, protocol capabilities, available network services within a DMZ, proxies and gateways, applications and servers.
  • Actual use: Currently involved applications, services and data (it is therefore necessary to understand the classification of the involved data and services).
  • Expectation match (or degree of mismatch): The expectations of all involved stakeholders regarding setup and actual use should match if the intention is to maintain security or another important purpose. Maintaining consistency over the life-cycle of the involved implementations requires governance oversight and thorough change management procedures across many components.

There are many ways to implement a DMZ. The following details should be considered when building one:

  • Clarify the purpose of the DMZ first before choosing a particular design
  • Choose between a dual homed or single homed DMZ design
  • The number of network segments in a DMZ, e.g. external facing network, internal facing network, additional networks for dedicated purpose
  • Design how to do systems management of DMZ infrastructure and application servers, e.g. via dedicated management interfaces
  • How many switches to use (sharing hardware like switches for external and internal segments is a security risk – thanks André for this)
  • Decide which DMZ elements to virtualize and what to have physical
  • Which network or infrastructure services to implement separately (reusing internal DNS, AD etc. is a security risk)
  • Design policies of how to use the DMZ and clarify ownership responsibilities
  • Design change management procedures and oversight responsibilities for the DMZ
  • etc.

Note: This list is not exhaustive.
Note: A dual-homed DMZ design has 2 firewalls (external and internal). Single-homed DMZ designs have only 1 firewall (quick and cheap approach, higher risk of exposure).

2016/02/05 © ACROSEC Inc.


WAF FAQ

A WAF is an application firewall dedicated to web applications. There are multiple approaches to implementing a WAF, depending on scenario and requirements.

A WAF security solution is normally used to secure web applications against attacks on the application layer. It filters malicious requests that exploit typical application programming errors, application weaknesses or other vulnerabilities on the application platform or the underlying system.

A WAF would not actually be needed in an ideal world, as secure applications would be developed in the first place. However, application security is difficult to achieve for various reasons. Furthermore, it is difficult to achieve the same security level for all external-facing web applications. A WAF is able to catch these shortcomings and lift the security level for all applications behind it.

Another important WAF business case is virtual patching: mitigating a vulnerability on the WAF instead of patching it in the application. This is especially important for large environments because it allows the application teams to buy precious time and to schedule such application changes in an orderly way within the application development cycle. Otherwise, the teams would be constantly overwhelmed with emergency changes every time a new vulnerability is discovered.

2016/02/05 © ACROSEC Inc.


A proxy is a standalone entity doing something on behalf of someone else. In the IT world it is usually an intermediary function between a client and a server communicating over the network. Thus a proxy must provide connection capabilities. Different terms are used for outbound (forward proxy) and inbound (reverse proxy) scenarios. However, such a distinction is usually only made for http and rarely for other protocol families, where the generic word “proxy” is mainly used as a catch-all.

A further distinction needs to be made regarding the degree to which the proxy is aware of both parties (client/server). The absolute minimum is to provide services on a particular connection protocol layer. Any additional functionality on a higher protocol layer also means implementing at least parts of that protocol stack.

A proxy able to fully simulate the client, the server or both would need to implement all required protocols including their behavior. Sometimes the term “full proxy” is also used. In that sense, an Airlock WAF is a full proxy regarding awareness of all involved communication and presentation layers, but with only limited business logic awareness. Such a solution can therefore be considered the infrastructure counterpart to the application.

2016/02/05 © ACROSEC Inc.


An application layer firewall is a neutral term for providing filtering capabilities on the application layer (i.e. layers 5 and 6). To do so, it must be able to understand application specialties on the session layer and content specialties on the application layer.

An application layer firewall can be implemented as a standalone entity or as built-in functionality on the application server (e.g. as a web server plugin). This functionality is also part of next-generation firewalls, sometimes under the label of deep packet inspection.

The degree of required application awareness becomes a key issue if the application layer is complex. This is the case for securing web applications. It is a lot of effort, not only because it requires a large number of protocols to be fully implemented; it might also require understanding correct application behavior workflows, and catching technology differences between implementations, e.g. web servers or browsers of different vendors.

A WAF is a special version of an application layer firewall because it would simply be too much to implement it on a standard firewall or similar generic security device. However, there is a trend to enrich generic security devices with simplified WAF functionality. Nevertheless, dedicated WAF solutions would not be so popular if web application security were easy to implement and operate.

Other reverse or forward proxies that are not http based can also be considered application layer firewalls if they provide filtering capabilities on layer 5 or 6. However, many such proxy solutions do not provide such filtering because they are merely used as connection proxies. It always makes sense to consider the filtering and connection capabilities of such proxy solutions separately.

In this sense, a networked WAF like Airlock can also be considered an http router with WAF filtering capabilities.

2016/02/05 © ACROSEC Inc.


A reverse proxy with WAF filtering capabilities and centrally managed authentication/authorization services for controlling access to web applications.

Such an access infrastructure might elsewhere be known as a WAM/WAF combination (WAM: Web Access Management) or an application access gateway server.

The term “Web Entry Server” is mainly used in the German-speaking part of Europe and signifies that it is the central entry point through which all web applications must be accessed.

Such solutions originated in Swiss banking, which additionally required an appropriately designed, hardened DMZ infrastructure capable of hosting high-security applications like Internet banking. The separate placement of public and non-public applications is an important security measure in its own right.

Public applications are exposed to the whole world, compared to applications with identified users or customers. Strict network separation prevents a compromised public application from becoming a stepping stone to other applications.

2016/02/05, 2018/07/10 ©ACROSEC Inc.


How to Buy and Install Airlock FAQ

Use the Contact Form on this website or contact Acrosec sales directly (info@acrosec.jp or by phone).

The purchase process usually involves:

  1. Presales consulting
  2. Testing Airlock with a free evaluation license (30 days or more, depending on evaluation needs)
  3. Product offering
  4. The purchase process consists of 3 parts:
    • Licenses
    • Software Subscription (SSU) contract for 1 year of basic support and updates
    • Local support contract (a local support partner is required; this contract part can be integrated into the SSU contract)
  5. License keys will be sent to the customer only after receipt of payment in the Acrosec bank account
  6. The software can be activated after importing the license key

2016/02/05 © ACROSEC Inc.


How to apply: Please use the contact form.

The following describes how to get the license and how to download and install an Airlock WAF (engineering-level details).

1. Choose a suitable test environment

Specification: 64-bit compatible x86 architecture, 2 GHz+ CPU, 2 GB+ memory, 20 GB+ HD

Attention: Airlock WAF is a security device and does not tolerate other installations on the same machine. It is bundled with its own OS, which will format all drives during the installation process. Please pay close attention to this point and install it only on suitable machines in a dedicated development or testing environment. You are not allowed to use this license in a production environment.

We suggest using a virtual machine (e.g. VirtualBox or VMware). If you plan to use the Airlock WAF as a Docker host, make sure that your environment supports nested virtualization.

2. How to get a license (which is bound to the MAC address of a network adapter)

It is advisable to start here, as the license key is important and will be required later to activate the product.

Procedure

2a) Please use the contact form or send an email with some additional background information to info@acrosec.jp to request a license key. The evaluation license will be valid for 30 days or more (e.g. 4 months), depending on your evaluation needs and background.

Please include the MAC address, as the issued license key will be bound to it. Using the MAC address of a NIC within a virtual machine is perfectly fine. In case of multiple NICs, only one MAC address is required.

2b) If your request is granted: Go to step 3 and create a user account in the Airlock Techzone in order to get access to the download file.

2c) You will receive the license key by e-mail from Acrosec. Please allow some time for this process. However, product activation is the last step, and you can already start installing once you have access to the download area.

3. Download Airlock WAF and create a bootable drive from ISO

Create a user account in the Airlock Techzone if you don’t have one yet. Register at “sign up here” by following this link: https://techzone.ergon.ch/auth/login?Location=/airlock-waf-7.0

Please also add the following context information during the registration process: “Ergon Contact: Acrosec”, “Account Reason: Free Trial Airlock WAF”.

Download

Download the installation DVD image from the Techzone page (https://techzone.ergon.ch/airlock-waf-7.0). If you see the information below, you are on the right page.

File: airlock_ISO_x64_7.0.iso
Checksum SHA256: b8e4c7db875392963a012ecaae4357d23c88e4278afb233bd5c3f8d22902ec2a
Comment: ISO image for full system installations

Please note that Airlock WAF is downloaded as an ISO file for the installation. Subsequent updates and upgrades are executables.

ISO files can usually not be executed directly and need to be written to your preferred install media (DVD, USB etc.). This requires making the media bootable before starting the installation. It is the same process as creating bootable media for installing a Linux OS.

4. Installation and activation with the license key

Start the installation process from the bootable drive. It is similar to installing a Linux OS. Make sure you choose a suitable IP address for the Admin GUI (which is accessible with your browser).

Access the Admin GUI from your browser after the installation is finished. Copy and paste the license key into the appropriate menu and activate Airlock. Then start the configuration process. Use the help button on the Airlock or the additional supporting documents on the Airlock Techzone for configuring Airlock: https://techzone.ergon.ch.
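As an added example for step 3 (not part of the Techzone or ACROSEC instructions), a POSIX shell check that compares the downloaded ISO against the SHA256 published above before the image is written to DVD or USB; the checksum and file name are the ones from the download table, the function name verify_iso is this example's own:

```shell
#!/bin/sh
# Added example: verify the downloaded Airlock WAF 7.0 ISO against the
# SHA256 published on the Techzone download page before creating boot media.
# The function name verify_iso is this example's own, not an Airlock tool.

# SHA256 from the Techzone download table quoted in the FAQ above.
AIRLOCK_ISO_SHA256="b8e4c7db875392963a012ecaae4357d23c88e4278afb233bd5c3f8d22902ec2a"

# verify_iso FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA256 equals EXPECTED_SHA256 (compared case-insensitively),
# 1 on a mismatch, 2 if FILE is missing, 3 if no SHA256 tool is available.
verify_iso() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # published hashes are lowercase hex

  if [ ! -f "$file" ]; then
    echo "MISSING: $file" >&2
    return 2
  fi

  # coreutils sha256sum on Linux; shasum -a 256 on macOS/BSD
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  elif command -v shasum >/dev/null 2>&1; then
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  else
    echo "no sha256sum or shasum found" >&2
    return 3
  fi

  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA256"
    return 0
  fi
  echo "MISMATCH: $file (do not write this image to boot media)" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Usage: sh verify_iso.sh /path/to/airlock_ISO_x64_7.0.iso
if [ $# -gt 0 ]; then
  verify_iso "$1" "$AIRLOCK_ISO_SHA256"
fi
```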

2017/1/12 © ACROSEC Inc.


The Airlock Techzone is the main hub for information and support about Airlock.

https://techzone.ergon.ch/content

Many useful documents are directly accessible; some require a user account.

The Techzone is organized by theme. However, it is more efficient to use the Techzone search function to find what you are looking for.

2017/1/28 © ACROSEC Inc.


This page collects some useful links on the Airlock Techzone for downloading, installing and configuring Airlock WAF.

Downloading Airlock WAF

Installing and configuring Airlock WAF

Configuring Airlock specialities – high security without black list or signatures

Security in Airlock

Web application delivery related (reverse proxy)

2017/1/28 © ACROSEC Inc.