F5 Tech Brief. Authentication 101

Similar documents
APM Cookbook: Single Sign On (SSO) using Kerberos

Enhancing VMware Horizon View with F5 Solutions

Archived. For more information of IBM Maximo Asset Management system see:

Deploying the BIG-IP System with CA SiteMinder

Citrix Federated Authentication Service Integration with APM

BIG-IP APM: Access Policy Manager v11. David Perodin Field Systems Engineer

Securing the Cloud. White Paper by Peter Silva

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

Prompta volumus denique eam ei, mel autem

Deploying the BIG-IP LTM with Oracle JD Edwards EnterpriseOne

Solutions Business Manager Web Application Security Assessment

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available,

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017

Optimize and Accelerate Your Mission- Critical Applications across the WAN

Load Balancing 101: Nuts and Bolts

Deploying the BIG-IP System with Oracle Hyperion Applications

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Secure Mobile Access to Corporate Applications

Complying with PCI DSS 3.0

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

Data Center Virtualization Q&A

Improving VDI with Scalable Infrastructure

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

BIG IQ Reporting for Subscription and ELA Programs

Document version: 1.0 What's inside: Products and versions tested Important:

Deploying the BIG-IP LTM with IBM QRadar Logging

The F5 Intelligent DNS Scale Reference Architecture

Archived. Deploying the BIG-IP LTM with IBM Lotus inotes BIG-IP LTM , 10.1, 11.2, IBM Lotus inotes 8.5 (applies to 8.5.

Providing Security and Acceleration for Remote Users

Axway Validation Authority Suite

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP Access Policy Manager with IBM, Oracle, and Microsoft

Unified Application Delivery

VMware AirWatch Integration with F5 Guide Enabling secure connections between mobile applications and your backend resources

Large FSI DDoS Protection Reference Architecture

Offloading Remote Authentication for Servers. F5 s Advanced Client Authentication

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

DoD Common Access Card Authentication. Feature Description

BIG-IP Access Policy Manager : Visual Policy Editor. Version 12.1

The Programmable Network

Deploying a Next-Generation IPS Infrastructure

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Access Policy Manager v with Oracle Access Manager

Unified Secure Access Beyond VPN

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

Load Balancing 101: Nuts and Bolts

SOA Infrastructure Reference Architecture: Defining the Key Elements of a Successful SOA Infrastructure Deployment

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

Geolocation and Application Delivery

Deploying a Next-Generation IPS Infrastructure

BIG-IP Global Traffic Manager

O365 Solutions. Three Phase Approach. Page 1 34

F5 iapps: Moving Application Delivery Beyond the Network

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007

Aventail ST2 SSL VPN New Features Guide

U.S. E-Authentication Interoperability Lab Engineer

Resource Provisioning Hardware Virtualization, Your Way

Deploying the BIG-IP LTM and APM with VMware View 4.6

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Access Policy Manager with Oracle Access Manager

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

HP Instant Support Enterprise Edition (ISEE) Security overview

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

Configuring Smart Card Authentication to BIG IP Management Interface

One Time Passwords via an SMS Gateway with BIG IP Access Policy Manager

Converting a Cisco ACE configuration file to F5 BIG IP Format

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Deploying F5 with Citrix XenApp or XenDesktop

Outline Key Management CS 239 Computer Security February 9, 2004

Safeguarding Cardholder Account Data

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

5 OAuth Essentials for API Access Control

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

BIG-IP System: SSL Administration. Version

Global Distributed Service in the Cloud with F5 and VMware

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper

SAML-Based SSO Solution

APPLICATION ACCESS MANAGEMENT (AAM)

Configuring and Delivering Salesforce as a managed application to XenMobile Users with NetScaler as the SAML IDP (Identity Provider)

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Distributing Applications for Disaster Planning and Availability

Security Digital Certificate Manager

The F5 Application Services Reference Architecture

IBM. Security Digital Certificate Manager. IBM i 7.1

Prompta volumus denique eam ei, mel autem

Microsoft Unified Access Gateway 2010

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

5 OAuth EssEntiAls for APi AccEss control layer7.com

Deploying the BIG-IP System v10 with Oracle s BEA WebLogic

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Deploying F5 with Microsoft Active Directory Federation Services

Cookies, Sessions, and Persistence

Overview. SSL Cryptography Overview CHAPTER 1

Automating the Data Center

BIG-IP Access Policy Manager Authentication Configuration Guide. Version 11.3

Deploying the BIG-IP System v11 with DNS Servers

Transcription:

F5 Tech Brief Authentication is a growing requirement in this new era of heightened technology security. What is authentication and how can it be implemented in your environment to meet all of your application needs? by Kevin Stewart Systems Engineer

Contents What is Authentication? 3 Certificate Revocation: Online Certificate Status Protocol 4 The Mighty HTTP Header 5 Kerberos: The Microsoft Link 6 Ultimate Power and Flexibility with irules 7 Secure Connections with BIG IP Access Policy Manager 8 Conclusion 2

What Is Authentication? Authentication is the process of proving that you are who you say you are, usually for the purposes of gaining access to something. In the real world, this is a relatively easy task, even with a really bad driver s license photo; but in cyberspace, nothing is ever that simple. As a business owner, how do you know that the person accessing your ecommerce website is, in fact, the same person allowed to transfer funds on the site? From organized crime, to foreign governments, to pale-skinned teenagers in their parent s basement, there is great financial (and often personal) gain in defrauding businesses. The Internet provides a perfect haven for would-be thieves and mercenaries. It s big, distributed, uncensored, unmanaged, and very often anonymous. And your website, residing on the edge of that wild frontier, is a sitting duck. If you do any business online (or anywhere for that matter) that requires validation of the user s identity, then you need authentication. Authentication demands that the client prove that they are who they say they are, often in a variety of different ways: usernames and passwords, certificates, tickets, tokens, cookies, smart cards, biometrics, and so on. Authentication providers often use the word factor to classify each form of identity assertion. The more (different) factors used, the more secure the authentication. Also keep in mind that authentication is the who you are in access control, not the what you can do. The latter is a concern of authorization, and authentication and authorization are not the same. Authentication is complex. It s simply not good enough to check for the correct username and password in a database. In fact, many of the OWASP Top 10 web vulnerabilities relate to insecure authentication practices. Authentication methods are standardized but heavily interpreted. There are community standards for Kerberos, smart cards, biometrics, cookies, tokens, certificates, and many others, but every vendor implements them differently. If you ve been in the IT business long enough, you ve no doubt run across a few dozen different ways to authenticate to applications, and worse, have to remember a dozen or more complex passwords. As a result of the complexity required, authentication mechanisms tend to exert a big need for resources, resources that would otherwise be used by the applications requiring protection. Authentication is only as strong as its weakest link. It doesn t matter how cool your 4-factor biometric-token-smart card-password-based authentication solution is, if you re running it on Microsoft Windows 98 you might as well turn off the lights and go home. So what s the answer to complex, semi-proprietary, resource heavy authentication mechanisms running on vulnerable software platforms? In a word: hardware. You need hardware-based SSL on a fast platform running a hardened OS, with the 3

flexibility to do just about anything you want to do with authentication. The F5 BIG IP Local Traffic Manager (LTM) gives you just that. In the following sections, you ll get an idea of just some of the ways BIG IP LTM can offload and improve on your complex authentication processes. Certificate Revocation: Online Certificate Status Protocol From basic server-side SSL (the S in HTTPS), to full-blown smart card deployments, Public Key Infrastructure (PKI) has become a cornerstone in authentication methodologies, especially in the government, financial, and medical sectors. PKI is based on a chain of trust from certificate issuer to certificate holder. In server-side PKI, the client must rely on the server by trusting its certificate and the issuer(s) of its certificate. In client-side PKI, the server trusts the client by validating the trust chain, and optionally the revocation status of that certificate. A certificate authority (CA) must publish a certificate revocation list (CRL) so that it can indicate revocation status of certificates it has issued. A CRL is a binary file a list of revoked certificate serial numbers and in some cases, depending on the level of activity of a particular CA, can get to be rather large. In order for a web server to validate the revocation status of a client certificate with a CRL, it must first download it, in whole. CRLs can be cached locally, but a potentially large binary file must still be parsed for each and every client certificate access request. Enter Online Certificate Status Protocol (OCSP). OCSP is a service that caches CRLs and responds to revocation status requests for single certificates. The server need only ask for the status of the current certificate. Not every application supports OCSP natively, however, so applications rely on thirdparty utilities installed locally to handle the requests. In any case, it s another layer of complexity that runs alongside your application, consuming valuable resources. F5 BIG IP LTM offloads OCSP, and the burden of software SSL encryption completely from the application server (in exchange for faster hardware SSL). By offloading this task, you can reclaim precious resources and know that BIG IP LTM acts as an impenetrable fortress for all of your client certificate-based applications. Additionally, the typical configuration for an OCSP client, be it the application or third-party tool, is to simply list all of the OCSP services available to service status requests. If the selected OCSP server is incapable of servicing a request, the OCSP client must re-select another OCSP server and try again. With BIG IP LTM you can create a pool of intelligently load balanced OCSP services and apply health monitors to ensure that your requests don t get sent to crippled servers. Consequently, if you 4

have your own OCSP services, or rely on other agencies, you can also prioritize the pool members so that the remote services aren t used unless the primary services are gone a true high availability OCSP solution. BIG-IP Local Traffic Manager User OCSP Pool (Health Monitors) Applications Local OCSP Adjacent OCSP Remote OCSP Load balancing, monitoring, and prioritizing OCSP services. The Mighty HTTP Header As simple as it seems, HTTP headers offer unparalleled power and flexibility for passing critical information to your application. Many commercial applications from vendors like Oracle, IBM, CA, and SAP can natively accept HTTP headers for authentication data. BIG IP LTM provides this flexibility. So after passing that client certificate through an OCSP check, BIG IP LTM can examine the full X.509 contents of the certificate, pull out, parse, re-order, and rebuild any pieces of data it needs and pass those as HTTP headers. In addition, because BIG IP LTM is in complete control of this authentication data, a rogue client cannot inject their own HTTP headers to spoof the system. BIG-IP Local Traffic Manager HTTP Headers User OCSP Example Headers: Common Name Subject Alternative Name Electronic Data Interchange Personal Identifier (EDIPI) number Email Address Certificate Validity Dates Issuer CA Inserting authentication data into HTTP headers. 5

Kerberos: The Microsoft Link Kerberos is a complex protocol with a long, technical (and mythological) history. It s also the de facto authentication mechanism for many Microsoft products like SharePoint and Outlook. In its simplest form, Kerberos creates a cryptographic system of mutual authentication a system of tickets, where each entity (client and server) grants ultimate authority to, and shares an encryption key with, a thirdparty: the Kerberos Key Distribution Center (KDC), commonly played by a Microsoft Active Directory domain controller. Originally designed to support username/ password-based systems, Kerberos has also been extended to support public key cryptography. In fact, in order to authenticate to most Microsoft applications using PKI certificates, Kerberos must be involved. This is generally not a problem when the client and server are inside the domain and both able to communicate with, and get tickets from, the KDC/domain controller. What about clients outside the domain? It s a pretty fair statement that most web applications are served primarily to clients outside the server s environment. Kerberos simply fails if the client cannot talk to the same domain controller(s). For that reason, Microsoft and others created Kerberos Protocol Transition (KPT). KPT enables non-kerberos clients (clients unable to get Kerberos tickets from the server s domain controller) to pass through a service that transitions the client s authentication (whatever it may be) into a true Kerberos authentication request. The service effectively impersonates the client for all Kerberos transactions. It s a complicated interaction to say the least, and up until recently was only available with Microsoft Internet Security & Acceleration (ISA) server. While ISA has an impressive feature list, it is software running on a general purpose operating system (Microsoft Windows Server), which means it is highly dependent on the general purpose hardware platform on which it s installed and must be hardened, patched, and maintained frequently. Moreover, because ISA requires the entire client s certificate to enable KPT, it must also terminate the SSL stream. Terminating SSL anywhere else simply breaks client certificate password-less authentication. If SSL cannot be terminated upstream by a load balancer, then load balancing persistence becomes increasingly unreliable (source IP address is the only available object to persist on, and that isn t reliable across public networks) no persistence, no load balancing, unable to scale. BIG IP LTM enables Kerberos Protocol Transition. With the combination of SSL offloading, certificate revocation checks, and header passing as well as the ability to transition a client s non-kerberos requests into full domain Kerberos requests, BIG IP LTM enables your architecture to scale infinitely and securely. 6

Non-Kerberos client Client Certificate BIG-IP Local Traffic Manager OCSP Kerberos authentication Kerberos application requests Domain Controllers Windows SharePoint Services Outlook KPT Process: 1. Client requests access to SharePoint via BIG-IP LTM and presents certificate. 2. BIG-IP LTM validates certificate and generates an authentication service request (AS_REQ) to the domain on behalf of the client. 3. Domain returns a Ticket Granting Ticket (TGT in AS_REP) to BIG-IP LTM (acting as the client). 4. BIG-IP LTM generates a Ticket Granting Service request (TGS_REQ) to the domain for application access, passing the TGT. 5. Domain returns a service ticket for the requested application (TGS_REP). 6. BIG-IP LTM generates an application request (AP_REQ) to the application, passing the service ticket. 7. Application returns its authenticator (AP_REP), optionally, and the requested content. Kerberos protocol transition on BIG IP LTM. Ultimate Power and Flexibility with irules F5 irules scripting language is a patented F5 network programming environment. Based on industry standard Tool Control Language (TCL), irules provide a simple, event-driven, scripting solution for all layer 4 to layer 7 data through BIG IP LTM. This means you can programmatically read, write, and modify any data, for any protocol, in any direction. Want to redirect clients to HTTPS when they type HTTP in the browser? Or redirect clients to a different URL when they make specific requests? What if you need to inject, modify, or remove HTTP headers or cookies between the client and server? How about scrubbing social security and credit card numbers from outbound data to the client? All of these can be handled, easily, with irules. Most of the authentication mechanisms are available right from the administration utility. Additional code assistance can be found on F5 s developer community, DevCentral, which offers hundreds of working code samples and a user community of more than 60,000 IT professionals. In addition, all of the authentication capabilities discussed thus far are accessible via irules, and provide a virtual playground of possibilities. Take the results of an OCSP request, the contents of the client certificate, and perhaps an LDAP call, and push that data out as HTTP headers for both authentication and authorization information. Make application routing decisions based on the issuer or type of client certificate (smart card or software certificate). Access a database of credentials (or some identity management provider) and transparently post those credentials to a login form. Turn an application with weak, single-factor authentication into a secure multi-factor titan. Create an entire single sign-on environment across multiple applications, regardless of their individual implementations. Mix and match any of these ideas and others to create complex, rich, and secure authentication mechanisms for all of your applications. 7

LDAP/AD BIG-IP Local Traffic Manager HTTP Headers Single Sign-On Client Certificate Form POST mymail OCSP Credential Database Reverse DNS Lookup Authentication possibilities with BIG-IP LTM and irules. Other authentication capabilities in BIG IP LTM include the ability to query an LDAP or Active Directory for username/password or certificate-base credentials. BIG IP LTM also includes native support for RADIUS, TACACS+, and CRLDP (certificate revocation list distribution point) and KCD (Kerberos constrained delegation). KCD is similar to KPT except that the clients and servers are inside the domain. BIG IP LTM acts a Kerberos proxy/forwarder when load balancing is required inside a network. In addition, with BIG IP LTM, you can create a rich and secure single sign-on environment for all of your applications. Leveraging the flexibility of irules and the built-in authentication capabilities of BIG-IP LTM, you can easily create a rich and secure enterprise client certificate single sign-on solution. Secure Connections with BIG IP Access Policy Manager The F5 BIG IP Access Policy Manager (APM) provides users with secured connections to BIG IP LTM virtual servers, specific web applications, or the entire corporate network. By leveraging standard web browsers and security technology, BIG IP APM enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on the user s system. BIG IP APM features and capabilities include: Standard browser support Enhanced privacy protection with RC4, Triple DES, and AES encryption Network access (an SSL VPN capability) Web application access (network access constrained to specific web applications) 8

Client endpoint security (client firewall, antivirus, registry/file settings, and more) Full session auditing High availability and scalability A state-of-the-art visual policy editor Enhanced authentication capabilities BIG IP APM can perform authentication, authorization, and accounting (AAA), using standard AAA methods, including LDAP directories, Microsoft Active Directory and Windows domain servers, RADIUS servers, and HTTP authentication. BIG IP APM also supports native RSA SecurID authentication, signed client digital certificates to authenticate devices, and native Oracle Access Manager (OAM) client/proxy functions. The BIG IP APM visual policy editor. Conclusion Your applications are critical to your business. Authentication and security are as important as performance and scalability. With BIG IP LTM, you can offload and consolidate your authentication mechanisms and remove the complexity and heavy burden from already overloaded servers, improving application performance and security. F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com F5 Networks, Inc. Corporate Headquarters info@f5.com F5 Networks Asia-Pacific apacinfo@f5.com F5 Networks Ltd. Europe/Middle-East/Africa emeainfo@f5.com F5 Networks Japan K.K. f5j-info@f5.com 2010 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and irules are trademarks or registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. CS06-00011 0510

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback