A WAF acting as a secure reverse proxy is the perfect place for offering value-added security services to all applications behind it. Typical examples of such value-added services are identity management, user authentication, access control, handling of security sessions, and content filtering of data, e.g. for virus infections or data leakage.
The Web Entry scenario is very flexible and supports a vast range of enterprise solutions:
[Figure: Web Entry scenario overview]
Creating such business scenarios requires an underlying central security infrastructure. Products like the Airlock Suite support the setup and operation of such scenarios. Without doing this at enterprise level, only an application-centric approach remains: IT security then becomes a struggle in a large and heterogeneous enterprise IT landscape, and is furthermore difficult to implement for the many developers who are not security specialists.
Security framework at the boundary for creating added value
Leveraging the security infrastructure of a WAF-based secure reverse proxy creates a unique breed of security framework that can be reused by all applications behind the WAF, effectively reducing development cost and time to market while at the same time raising the security level. This is known as the Swiss-style Web Entry Server approach, which started in 1997 with the first Internet banking application in Switzerland, from Credit Suisse (Crealogix & Ergon).
This security approach has been refined over the years by a couple of Web Entry Server vendors that emerged in Switzerland around the year 2000, well before the term WAF became mainstream some years later. The Airlock Suite from Ergon builds on this heritage as a frontrunner.
Many firms with sensitive applications, such as Swiss banks, combine a secure reverse proxy such as a WAF with an appropriately designed DMZ network and identity management solutions. Such a design bundle focuses not only on security but also on fostering reuse and integration.
The cornerstones of a typical Web Entry infrastructure scenario might look like this:
[Figure: cornerstones of a typical Web Entry infrastructure scenario]
Such a blueprint-like security design is likely to be fully implemented only in large companies. However, it is perfectly possible to implement only parts of it and treat the rest as potential for future roadmaps. The key element is always the secure reverse proxy, which is an excellent starting point even in small companies. The first step can be as simple as placing a sufficiently versatile WAF in front of the applications and then gradually building up Web Entry Server functionality by moving authentication or other security features out of the application layer.
The centrally managed authentication services of the Web Entry infrastructure create a domain-based SSO experience for all users. Cross-domain SSO technologies, e.g. SAML or OAuth 2.0, are not required for this integration approach; however, they are also available on Airlock to extend the range of business use cases. The Airlock approach, identity management and support for authentication standards are a solid enabler for the integration of enterprise IT.
The separation between public and non-public applications is an important security measure in its own right. Public applications are exposed to the whole world, whereas the other applications are reached only by identified users or customers. Strict network separation prevents a compromised public application from becoming a stepping stone to other applications.
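The three ideas above (authentication moved from the applications to the boundary, one edge-issued session giving domain-based SSO across all protected applications, and a public zone kept apart from the non-public one) can be modelled in a few dozen lines. The following is an added example, not code from Airlock, Ergon or ACROSEC: the routing table, the zone names, the user directory and the session format are all constructed for illustration, and the password and session handling stands in for what a real identity management system and WAF would do.

```python
# Added example (not Airlock/Ergon/ACROSEC code): a minimal model of a Web Entry
# style secure reverse proxy. Authentication happens once at the edge, the
# resulting session is valid for every protected application in the domain
# (domain-based SSO), and public applications live in a separate zone that
# never receives identity data. All names, paths and users are constructed.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed key material; in a real deployment these come from the WAF / IdM.
SESSION_KEY = secrets.token_bytes(32)
PW_SALT = b"constructed-demo-salt"


@dataclass(frozen=True)
class Backend:
    name: str
    zone: str  # "public" (anonymous DMZ zone) or "protected" (identified users only)


# Constructed routing table: URL prefix -> backend behind the proxy.
ROUTES = {
    "/www/": Backend("marketing-site", "public"),
    "/ebanking/": Backend("ebanking", "protected"),
    "/portal/": Backend("customer-portal", "protected"),
}


def pw_hash(password: str) -> bytes:
    """Stand-in for the central identity store's password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 100_000)


# Constructed user directory standing in for central identity management.
USERS = {"alice": pw_hash("correct horse battery staple")}


def _sign(payload: str) -> str:
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user: str, now: Optional[float] = None, ttl: int = 900) -> str:
    """Create an edge-issued session token of the form user|expiry|HMAC."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = f"{user}|{exp}"
    return f"{payload}|{_sign(payload)}"


def validate_session(token, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is intact and unexpired, else None."""
    if not isinstance(token, str):
        return None
    parts = token.split("|")
    if len(parts) != 3:
        return None
    user, exp, mac = parts
    if not hmac.compare_digest(mac, _sign(f"{user}|{exp}")):
        return None  # tampered, or signed with a different key
    if not exp.isdigit() or int(exp) < (time.time() if now is None else now):
        return None  # expired
    return user


def login(user: str, password: str) -> Optional[str]:
    """Central login at the edge; returns a session token or None."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, pw_hash(password)):
        return None
    return issue_session(user)


def handle(path: str, session=None, now: Optional[float] = None):
    """Edge routing decision: (status, backend or action, user forwarded)."""
    backend = next((b for prefix, b in ROUTES.items() if path.startswith(prefix)), None)
    if backend is None:
        return (404, None, None)
    if backend.zone == "public":
        # Anonymous zone: served without any identity; the session is never forwarded.
        return (200, backend.name, None)
    user = validate_session(session, now)
    if user is None:
        # Unauthenticated request stops at the boundary; the application never sees it.
        return (302, "central-login", None)
    # Identity established once by the edge is reused by every protected
    # application; each of them accepts it only from the proxy, not from clients.
    return (200, backend.name, user)
```

The point to notice is that neither `ebanking` nor `customer-portal` contains any login logic: a request reaches them only after `handle` has validated the edge session, and the same token opens both of them, which is the domain-based SSO described above. A compromise of `marketing-site` yields no session material, because the public zone is served without identity.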
A secure reverse proxy setup based on the Airlock Suite covers all these inbound scenarios. However, there is also a WAF outbound story (forward proxy) that is worth telling.
2016/02/05 © ACROSEC Inc.