What is a “Swiss Style Web Entry Server”?

A WAF acting as a secure reverse proxy is the ideal place to offer value-added security services to all applications behind it. Typical examples of such services are identity management, user authentication, access control, handling of security sessions, and content filtering, e.g. for virus infections or data leakage.

The Web Entry scenario is very flexible and supports a vast range of enterprise solutions:

  1. Secure web application portals for e-commerce
  2. Secure Internet banking web applications
  3. Secure web application portals
  4. SSO user authentication by simply bundling applications and services to SSO trust level domains
  5. Integrating with external trust domains with cross-domain SSO technologies
  6. VPN based portal to the enterprise Intranet for employees
  7. VPN based business partner portals to enterprise Intranet services
  8. Cloud based Web Entry security as a service

Creating such business scenarios requires an underlying central security infrastructure. Products like the Airlock Suite support the setup and operation of such scenarios. Not doing this at enterprise level leaves only an application-centric approach: IT security then becomes a struggle in a large and heterogeneous enterprise IT landscape, and it is difficult to implement correctly for the many developers who are not security specialists.

Security framework at the boundary for creating added value

Leveraging the security infrastructure of a WAF-based secure reverse proxy creates a unique kind of security framework that can be reused by all applications behind the WAF, effectively reducing development cost and time to market while at the same time raising the security level. This is known as the Swiss style Web Entry Server approach; it started in 1997 with the first Internet banking application in Switzerland, from Credit-Suisse (Crealogix & Ergon).

This security approach has been refined over the years by a couple of Web Entry Server vendors that emerged in Switzerland around the year 2000, well before the term WAF became mainstream some years later. The Airlock Suite from Ergon builds on this heritage as a frontrunner.

Many firms with sensitive applications, such as Swiss banks, combine a secure reverse proxy like a WAF with an appropriately designed DMZ network and identity management solutions. Such a design bundle is not only focused on security, but also on fostering reuse and integration.

Figure: Web Entry Server, WAF based security infrastructure

The cornerstones of a typical Web Entry infrastructure scenario might look like this:

  1. Centrally managed authentication services by the Web Entry login
  2. Web Entry server as a hardened security device that enables trust zones to be defined behind it
  3. Dedicated DMZ network zones as trust implementation on network layer
  4. All access to applications has to pass through the Web Entry server as security gateway – no exception
  5. Applications and services are grouped (i.e. data content, capabilities, trust level) and placed in a corresponding network zone
  6. Public applications are completely separated from authenticated applications
  7. Non-public applications use SSO trust level domains on the Web Entry infrastructure
  8. Application access decision happens by the login authentication service
  9. Access control enforcement to all URL resources is controlled centrally by the Web Entry Server
  10. All security relevant cookies are created, managed and protected by the Web Entry, application layer cookies are not used for security purposes
  11. Session Hijacking attacks are detected and existing sessions are shutdown
  12. Application layer attacks are prevented with advanced WAF filtering functionalities
  13. Applications and services in the DMZ do not connect back to the internal enterprise network – except for well-defined cases for trusted applications
  14. Databases in the DMZ are copies only and do not contain sensitive customer data
  15. High availability failover scenarios are realized with a Web Entry server farm and load balancers
  16. DoS/DDoS protection is handled through contracts with external service providers
  17. IDS/IPS sensors are placed on the inner side of the DMZ so that the security operations center is not overwhelmed with noise and can focus on the relevant alarms
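To make the gateway-side cornerstones above concrete (central login minting the security cookie, longest-prefix access control on URL resources, SSO trust level domains, and session shutdown on suspected hijacking), here is an added, constructed model of the Web Entry access decision. It is not Airlock's code or policy format; the zone names, trust levels and the `client_binding` fingerprint are assumptions.

```python
import posixpath
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy (not Airlock's format): URL prefix -> (DMZ zone hosting the
# application, SSO trust level required: 0 = public, 1 = password, 2 = strong auth).
POLICY: Dict[str, Tuple[str, int]] = {
    "/public": ("dmz-public", 0),
    "/portal": ("dmz-auth", 1),
    "/ebanking": ("dmz-auth", 2),
}


@dataclass
class Session:
    user: str
    trust_level: int
    client_binding: str  # assumed fingerprint of the client, recorded at login


SESSIONS: Dict[str, Session] = {}  # gateway-owned session store, keyed by cookie value


def login(user: str, trust_level: int, client_binding: str) -> str:
    """Central login service: the gateway, not the application, mints the cookie."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, trust_level, client_binding)
    return cookie


def decide(path: str, cookie: Optional[str], client_binding: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, detail) for one request arriving at the Web Entry gateway."""
    path = posixpath.normpath(path)  # collapse ../ before matching, never after
    matches = [p for p in POLICY if path == p or path.startswith(p + "/")]
    if not matches:
        return ("deny", None)  # unmapped URL: default deny, nothing passes through
    zone, required = POLICY[max(matches, key=len)]  # longest prefix wins
    if required == 0:
        return ("allow", zone)  # public zone, no session needed
    session = SESSIONS.get(cookie) if cookie else None
    if session is None:
        return ("login", None)  # redirect to the central login service
    if session.client_binding != client_binding:
        SESSIONS.pop(cookie)  # cookie presented from another client: shut it down
        return ("terminate", None)
    if session.trust_level < required:
        return ("step-up", str(required))  # SSO trust level too low for this domain
    return ("allow", zone)
```

Note that the decision is taken entirely from gateway-owned state; the backend application never sees an unauthenticated request for a protected prefix.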

Such a blueprint-like security design is likely to be fully implemented only in large companies. However, it is perfectly possible to implement only parts of it and treat the rest as a roadmap for the future. The key element is always the secure reverse proxy, which is an excellent starting point even in small companies. The first step can be as simple as placing a sufficiently versatile WAF in front of the applications and then gradually building up Web Entry Server functionality by moving authentication and other security features out of the application layer.

The centrally managed authentication services of the Web Entry infrastructure create a domain-based SSO experience for all users. Cross-domain SSO technologies such as SAML or OAuth 2.0 are not required for this integration approach; they are nevertheless available on Airlock to extend the range of business use cases. The Airlock approach, together with identity management and support for authentication standards, is a solid enabler for integrating enterprise IT.

The separation between public and non-public applications is an important security measure in its own right. Public applications are exposed to the whole world, unlike applications whose users or customers are identified. The strict network separation prevents a compromised public application from becoming a stepping stone to other applications.

A secure reverse proxy setup based on the Airlock Suite covers all these inbound scenarios. However, there is also a WAF outbound story (forward proxy) that is worth telling.

2016/02/05 © ACROSEC Inc.