Frequently Asked Questions (FAQ)

Airlock FAQ

The Airlock Suite deals with the issues of filtering and authentication in one complete and coordinated solution – setting standards for usability and services. Internet applications enjoy reliable protection with the Airlock Web Application Firewall (WAF). Features include systematic control and filtering mechanisms with a variety of enhancement options.

The Airlock Suite combines Airlock WAF with Airlock Login or IAM for reliable user authentication and authorization. Airlock Login is a simplified version of IAM. Optimal security is not the only benefit: Using Airlock Login delivers high usability and cost efficiency.

Airlock IAM is the suite’s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration.

Airlock Suite, Ergon’s main security product, was launched on the market in 2002 and is now used by 350 customers around the globe.

Airlock Suite

This FAQ question contains copyright material from ©Ergon Informatik AG


The Airlock WAF (core) is the base of the Airlock Suite for providing WAF filtering functionalities. Further functionality can be added on the WAF core itself and/or with components running on different systems.

Using the Airlock Login (and Authorization Enforcement Module) turns it into a Web Entry Server, providing central authentication and access control functionalities. Using it in a dedicated DMZ setup is the ideal base for a high end security solution.

The Airlock WAF is a reverse proxy solution. In the analogy of a building, Airlock acts like a fortified entrance door with a security guard who enforces the entry procedures. Access to the building is secured; however, the setup only makes sense if the building also has solid walls and there are no other open doors or windows elsewhere that would circumvent the whole purpose of having a fortified front entrance.

Airlock is very effective as the official security gate. In the above analogy of a fortified entrance, the WAF Core corresponds to a body and luggage checkpoint that prevents dangerous goods from entering the building. Airlock Login adds further security capabilities, since it controls who is allowed to access the building based on an identity check and an access control list.

2016/02/05 © ACROSEC Inc.


The Airlock Suite has been created by the Swiss company Ergon Informatik AG (in short Ergon), based in Zurich.

In 1997, Ergon developed Switzerland’s first eBanking system for a well-known Swiss bank. Airlock Suite was launched in 2002, pioneering the WAF and secure entry server market, and its use is now expanding around the globe.



The Swiss based Ergon Informatik AG (in short Ergon) is the company behind the Airlock.

Smart people – smart software: Ergon Informatik AG

Founded in 1984, Ergon Informatik AG now has a workforce of 255 and numbers among the most long-standing and successful IT service providers in Switzerland. Over 80% of Ergon’s employees are graduate software developers, and most of them have trained as IT engineers at the Swiss Federal Institute of Technology (ETH), Zurich — one of the world’s top ten universities. Ergon Informatik AG has also won multiple awards for its sustainable personnel policy. Ergon Informatik AG is a broadly diversified company that provides services to a wide variety of sectors. Ergon has exceptional expertise in various sectors such as financial services, eBanking, telecommunications and security. In 1997, Ergon developed Switzerland’s first eBanking system for a well-known Swiss bank. Airlock Suite was launched on the market in 2002 and is now used by 350 customers around the globe.



That depends on scenario and use case details.

For the web application scenario, Airlock WAF is normally placed in front of these applications, which are usually located in an inbound DMZ dedicated to web applications. How the DMZ is built depends on customer preferences. However, all traffic to the web applications should be routed through the Airlock WAF. The Airlock WAF is a hardened security device, but it is still recommended to place it behind a firewall. Airlock Login can be deployed on the WAF itself or on an application server behind the WAF.

A scenario with a cloud based Airlock would look slightly different in requirements and setup.



Yes, definitely, as Airlock can be deployed on virtual machines and provide WAF as a cloud security service. This scenario requires HTTPS or another encrypted transport such as a VPN for integrating the remote backend application servers.



DMZ FAQ

In IT, a DMZ (demilitarized zone) is a special network zone which is normally placed between other network zones of different trust levels. Most frequently it is used at the perimeter boundary to host external-facing servers, e.g. web servers. However, a DMZ can be used in many different ways, also within the internal network. It is basically its purpose, configuration and use that define whether a DMZ is a dangerous no-go area or a trusted security zone.

Furthermore, there are multiple ways to look at such DMZ network zones. The usual and obvious way is the technical perspective, because it is a technical subject belonging to network administration and to some security specialists. It is also a topic full of pitfalls, as many technical details on many components need to be considered from multiple angles. The sum of these details makes the difference between security failure and success of a DMZ environment.



A dedicated DMZ is an implementation of a specific DMZ network scenario as a solution. Most DMZ implementations are dedicated in that sense, i.e. they serve a purpose, and the people who designed them had a solution concept in mind for solving a problem.

A DMZ should not be a dumping ground for everything that cannot be placed elsewhere. Unfortunately, that happens too often. This is why it makes sense to be more specific when using the term “DMZ”. The simple fact of attaching a label regarding its purpose helps to clarify usage and expectations.

A dedicated DMZ scenario should be aligned with the requirements of the applications and services placed within it, and vice versa. Security requirements and expectations of all stakeholders should match during the whole life-cycle of an implementation.



“Many technical details” could be the short answer to this question. However, it makes sense to lift the discussion to the following level:

  • Purpose: Usually used at boundaries (network perimeter or internal network) in order to offer gateway connectivity services between differently trusted areas. Can also be used to build trust structures within the internal network. The purpose should be documented or defined in policies.
  • Current configuration: Degree of virtualization, number of segments, connectivity on each layer, firewall rules, direction of connection establishment, protocol capabilities, available network services within the DMZ, proxies and gateways, applications and servers.
  • Actual use: Currently involved applications, services and data (therefore the classification of the involved data and services needs to be understood).
  • Expectation match (or degree of mismatch): The expectations of all involved stakeholders regarding setup and actual use should match if the intention is to maintain security or another important purpose. Maintaining consistency over the life-cycle of the involved implementations requires governance oversight and thorough change management procedures across many involved components.

There are many ways to implement a DMZ. The following details should be considered when building one:

  • Clarify the purpose of the DMZ first before choosing a particular design
  • Choose between a dual homed or single homed DMZ design
  • The number of network segments in a DMZ, e.g. external facing network, internal facing network, additional networks for dedicated purpose
  • Design how to do systems management of DMZ infrastructure and application servers, e.g. via dedicated management interfaces
  • How many switches to use (sharing hardware like switches for external and internal segments is a security risk – thanks André for this)
  • Decide which DMZ elements to virtualize and what to have physical
  • Which network or infrastructure services to implement separately (reusing internal DNS, AD etc. is a security risk)
  • Design policies of how to use the DMZ and clarify ownership responsibilities
  • Design change management procedures and oversight responsibilities for the DMZ
  • etc.

Note: This list is not exhaustive.
Note: A dual homed DMZ design has 2 firewalls (external and internal). Single homed DMZ designs have only 1 firewall (quick and cheap approach, higher risk of exposure).



Entry Server FAQ

A WAF is an application firewall dedicated to web applications.

There are several approaches to implementing a WAF. A WAF security solution is normally used to secure web applications against attacks on the application layer. It filters requests that exploit typical application programming errors, application weaknesses, or other vulnerabilities on the application platform or the underlying system.

In an ideal world a WAF would not be needed. However, application security is difficult to achieve for various reasons. Furthermore, it is difficult to achieve the same security level for all external-facing web applications. A WAF is able to catch these shortcomings and lift the security level for all applications behind it.



A proxy is a standalone entity doing something on behalf of someone else. In the IT world it usually is an intermediary function between a client and a server communicating over the network. Thus a proxy must provide connection capabilities. Different terms are used for the outbound (forward proxy) and inbound (reverse proxy) scenarios. However, such a distinction is usually only made for HTTP and rarely for other protocol families, where the generic word “proxy” is mainly used as a catch-all.

A further distinction needs to be made regarding the degree to which the proxy is aware of both parties (client/server). The absolute minimum is to provide services on a particular connection protocol layer. Any additional functionality on a higher protocol layer also means implementing at least parts of that protocol stack.

A proxy able to fully simulate the client, the server or both would need to implement all required protocols including their behavior. The term “full proxy” is sometimes used for this. In that sense, an Airlock WAF is a full proxy regarding awareness of all involved communication and presentation layers, but with only limited business logic awareness. Such a solution can therefore be considered the infrastructure counterpart to the application.



An application layer firewall is a neutral term for a device providing filtering capabilities on the application layer (i.e. layers 5 and 6). In order to do so it must be able to understand application specialties on the session layer and content specialties on the application layer.

An application layer firewall can be implemented as a standalone entity, or as built-in functionality on the application server (e.g. as a web server plugin). This functionality is also part of next generation firewalls, sometimes under the label of deep packet inspection.

The degree of required application awareness becomes a key issue if the application layer is complex. This is the case for securing web applications. It is a lot of effort, not only because it requires a large number of protocols to be fully implemented; it might also require understanding correct application behavior workflows, and handling technology differences between implementations, e.g. web servers or browsers of different vendors.

A WAF is a special version of an application layer firewall, because it would simply be too much to implement it on a standard firewall or a similar generic security device. However, there is a trend to enrich generic security devices with simplified WAF functionality. Nevertheless, dedicated WAF solutions would not be so popular if web application security were easy to implement and to operate.

Other reverse or forward proxies which are not HTTP based can also be considered application layer firewalls if they provide filtering capabilities on layer 5 or 6. However, many such proxy solutions do not provide such filtering because they are merely used as connection proxies. It always makes sense to consider the filtering and connection capabilities of such proxy solutions separately.

In this sense, a networked WAF like the Airlock can also be considered an HTTP router with WAF filtering capabilities.



A reverse proxy with WAF filtering capabilities and centrally managed authentication/authorization services for controlling access to web applications.



The use of a Web Entry Server in an appropriately designed DMZ infrastructure, capable of supporting high-requirement applications like Internet banking for Swiss banks. The separated placement of public and non-public applications is an important security measure on its own. Public applications are exposed to the whole world, in contrast to applications with identified users or customers. Strict network separation prevents a compromised public application from becoming a stepping stone to other applications.



How to Buy and Install Airlock FAQ

Use the Contact Form on this website or contact Acrosec sales directly (info@acrosec.jp or phone)

The purchase process usually involves:

  1. Presales consulting
  2. Testing Airlock with a free evaluation license (30 days or more, depending on evaluation needs)
  3. Product offering
  4. Purchase process consists of 3 parts:
    • Licenses
    • Software Subscription SSU contract for 1 year basic support and update
    • Local support contract (a local support partner is required, this contract part can be integrated to the SSU contract)
  5. License keys will be sent to the customer only after receipt of the amount to the Acrosec banking account
  6. Software can be activated after importing the license key



Ergon and Acrosec are offering free Airlock WAF development and integration licenses to Japanese companies and organizations. We are also extending this offer to system integrators (SIer) and IT service providers, as well as technical schools and universities which are interested in integrating IT security already during application development in order to support the DevSecOps mindset.

This campaign started in February 2017. A free license can be renewed with the same conditions. The campaign has no end date (open ended). However, we reserve the right to change or terminate this campaign or conditions at any time. Licenses always remain valid until expiration.

How to apply: Please use the campaign application form. The terms of use and license conditions are also available on the application page.

The following describes the details of how to get the license and how to download and install an Airlock WAF (engineering level details).

1. Choose a suitable development or testing environment

Specification: 64 bit compatible x86 architecture, 2GHz+ CPU, 2GB+ Memory, 20GB+ HD

Attention: Airlock WAF is a security device and does not tolerate other installations on the same machine. It is bundled with its own OS which will format all drives during the installation process. Please pay attention to this point and install it only on suitable machines in a dedicated development or testing environment. You are not allowed to use this license in a production environment.

We suggest using a virtual machine (e.g. VirtualBox or VMware).

2. How to get a license (which is bound to the MAC address of a network adapter)

Start with this step as the license key is important and will be required later in order to activate the product.

License procedure

2a) Apply for a license key: Click here to open the application form

  • Add contact information and your affiliation to an organization and what Airlock WAF functionality you would like to use.
  • Add the MAC address as the issued license key will be bound to this MAC address. Using the MAC address of a NIC within a virtual machine is perfectly fine. In case of multiple NICs, only one MAC address is required.
  • Submit the application form and you will receive an automatic reply mail. Do not reply to this mail.

2b) If your request is granted:

  • You will receive a confirmation email from Acrosec if your request is granted.
  • Go to step 3 and create a user account in the Airlock Techzone in order to get access to the download file. You do not have to wait for the license key in 2c) as you can start installing and configuring immediately after getting access to the download area.

2c) You will receive the license key by e-mail from Acrosec in order to activate Airlock. Please allow some time for this process.

3. Download Airlock WAF and create a bootable drive from ISO

Create user account on Techzone

Create a user account in the Airlock Techzone if you don’t have one yet. Register at “sign up here” by following this link https://techzone.ergon.ch/auth/login?Location=/airlock-6.1

Please add also following context information during the registration process: “Ergon Contact: Acrosec”, “Account Reason: Free Airlock WAF Development and Integration license”.

Note that you first need to go through steps 2a) and 2b) above, otherwise the account will not be created.

Download

Download the relevant file (https://techzone.ergon.ch/airlock-6.1)

File: airlock_ISO_x64_6.1.iso
SHA256 checksum: c7d1aff34766aec86a4d61ea50bd6c0f807fbf9d3cbdc20dad4ee90a9f4cce06
Comment: ISO image for full system installations

Please note that Airlock WAF is downloaded as ISO file for the installation. Subsequent updates and upgrades are executables.

ISO files cannot be executed directly and need to be prepared on your preferred install media (DVD, USB etc.). This requires making the media bootable before starting the installation. This is the same process as creating bootable media for installing a Linux OS or similar.

4. Installation and activation with the license key

Installation

Start the installation process from the bootable drive of your choice. It is similar to installing a Linux OS.

Make sure you choose an interface with a suitable IP address which is reachable from your browser afterwards, and that you define a user account and password which you can remember. You will need the IP address and user account afterwards to log on to the Airlock Admin GUI (Configuration Center).

Activation

Access the Admin GUI from your browser (after finishing the installation) by typing in the IP address for the Admin GUI, and log in to the Configuration Center with the user name and password you created during the installation process.

Go to “Setup Setup” > “License” and copy-paste the license key into the appropriate form and activate the Airlock.

Start configuring; Airlock will tell you if you make a mistake. Use the context help button on the Airlock for configuration hints or go to Airlock Techzone for additional documents with more configuration details: https://techzone.ergon.ch

Some useful configuration links can be found on the Acrosec FAQ page.

2017/2/9 © ACROSEC Inc.


How to apply: Please use the contact form.

The following describes the details of how to get the license and how to download and install an Airlock WAF (engineering level details).

1. Choose a suitable test environment

Specification: 64 bit compatible x86 architecture, 2GHz+ CPU, 2GB+ Memory, 20GB+ HD

Attention: Airlock WAF is a security device and does not tolerate other installations on the same machine. It is bundled with its own OS which will format all drives during the installation process. Please pay close attention to this point and install it only on suitable machines in a dedicated development or testing environment. You are not allowed to use this license in a production environment.

We suggest using a virtual machine (e.g. VirtualBox or VMware).

2. How to get a license (which is bound to the MAC address of a network adapter)

It is advisable to start here as the license key is important and will be required later in order to activate the product.

Procedure

2a) Please use the contact form or send an email with some additional background information to info@acrosec.jp in order to request a license key. The evaluation license will be valid for 30 days or more (e.g. 4 months), which depends on your evaluation needs and background.

Please add the MAC address as the issued license key will be bound to it. Using the MAC address of a NIC within a virtual machine is perfectly fine. In case of multiple NICs, only one MAC address is required.

2b) If your request is granted: Go to step 3 and create a user account in the Airlock Techzone in order to get access to the download file.

2c) You will receive the license key by e-mail from Acrosec. Please allow some time for this process. However, product activation is the last step, and you can already start installing once you have access to the download area.

3. Download Airlock WAF and create a bootable drive from ISO

First create a user account in the Airlock Techzone. Register at “sign up here” by following this link: https://techzone.ergon.ch/auth/login?Location=/airlock-6.1

Please add also following context information during the registration process: “Ergon Contact: Acrosec”, “Account Reason: Free Trial Airlock WAF”.

Download the relevant file (https://techzone.ergon.ch/airlock-6.1)

Download content

File: airlock_ISO_x64_6.1.iso
SHA256 checksum: c7d1aff34766aec86a4d61ea50bd6c0f807fbf9d3cbdc20dad4ee90a9f4cce06
Comment: ISO image for full system installations

Please note that Airlock WAF is downloaded as ISO file.

ISO files usually cannot be executed directly and need to be prepared on your preferred install media (DVD, USB etc.). This requires making the media bootable before starting the installation. This is the same process as creating bootable media for installing a Linux OS etc.

4. Installation and activation with the license key

Start the installation process from the bootable drive. It is similar to installing a Linux OS. Make sure you choose a suitable IP address for the Admin GUI (which must be reachable from your browser).

Access the Admin GUI from your browser after the installation is finished. Copy-paste the license key in the appropriate menu and activate the Airlock. Start the configuration process. Use the help button on the Airlock or additional supporting documents on the Airlock Techzone for configuring Airlock: https://techzone.ergon.ch.
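The download and bootable-media steps (3. and 4.) of both license procedures above, as an added shell example that is not Ergon's or Acrosec's own tooling: it checks the downloaded ISO against the SHA256 published in the download table before writing it to a USB device, and refuses to write on a mismatch. The device path, the output file name handling and the use of GNU dd are assumptions; confirm the device with lsblk first, because the write is destructive.

```shell
#!/bin/sh
# Added example (not part of the Airlock product or the Acrosec FAQ):
# verify the Airlock ISO before creating bootable install media.

ISO_FILE="${ISO_FILE:-airlock_ISO_x64_6.1.iso}"
# SHA256 published on the Techzone download page (copied from the table above)
ISO_SHA256="c7d1aff34766aec86a4d61ea50bd6c0f807fbf9d3cbdc20dad4ee90a9f4cce06"

# Print the SHA256 of a file; works with GNU coreutils (sha256sum) or BSD/macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_iso FILE EXPECTED_HASH
# Returns 0 if the file's SHA256 equals EXPECTED_HASH, 1 otherwise.
# The expected value is normalised first (whitespace and line breaks removed,
# lower-cased), so a hash pasted from a wrapped web table still compares correctly.
verify_iso() {
    _file="$1"
    _expected=$(printf '%s' "$2" | tr -d ' \n\r\t' | tr 'A-F' 'a-f')
    [ -f "$_file" ] || { echo "verify_iso: no such file: $_file" >&2; return 1; }
    _actual=$(file_sha256 "$_file" | tr 'A-F' 'a-f')
    if [ "$_actual" = "$_expected" ]; then
        return 0
    fi
    echo "verify_iso: SHA256 mismatch for $_file" >&2
    echo "  expected: $_expected" >&2
    echo "  actual:   $_actual" >&2
    return 1
}

# write_media ISO DEVICE
# Writes the ISO to the whole block device (assumed, e.g. /dev/sdX) only after
# verification succeeds; requires GNU dd for status=progress.
write_media() {
    _iso="$1"; _dev="$2"
    verify_iso "$_iso" "$ISO_SHA256" || return 1
    [ -b "$_dev" ] || { echo "write_media: $_dev is not a block device" >&2; return 1; }
    dd if="$_iso" of="$_dev" bs=4M conv=fsync status=progress
}

# Stand-alone use: sh make_media.sh /dev/sdX
# Does nothing unless the ISO is present and a device was given.
if [ -f "$ISO_FILE" ] && [ -n "${1:-}" ]; then
    write_media "$ISO_FILE" "$1"
fi
```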

2017/1/12 © ACROSEC Inc.


This page collects some useful links on the Airlock Techzone for downloading, installing and configuring Airlock WAF.

Downloading Airlock WAF

Installing and configuring Airlock WAF

Configuring Airlock specialities – high security without black list or signatures

Security in Airlock

Web application delivery related (reverse proxy)

2017/1/28 © ACROSEC Inc.


The Airlock Techzone is the main hub for information and support about Airlock.

https://techzone.ergon.ch/content

Many useful documents are directly accessible; some will require a user account.

The Techzone is organized in themes. However, it is more efficient to use the Techzone search function to find and retrieve what you are looking for.

2017/1/28 © ACROSEC Inc.