CONFIDENTIAL
MANAGING USER ACCESS
Tzoori Tamam
tzoori@f5.com
BIG-IP Local Traffic Manager
+ Access Policy Manager
[Diagram labels: Users; Directory; SharePoint; OWA; Cloud; Web servers (App 1 to App n); Hosted virtual desktop]
ENABLE SIMPLIFIED APPLICATION ACCESS
with BIG-IP Access Policy Manager (APM)
BIG-IP® APM features:
• Centralizes single sign-on and access control services
• Full proxy L4 – L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules—programmatic interface for custom access policies
• Supports IPv6
BIG-IP® APM ROI benefits:
• Scales to 100K users on a single device
• Consolidates auth. infrastructure
• Simplifies remote, web and application access
control
*AAA = Authentication, authorization and accounting (or auditing)
BIG-IP Access Policy Manager (APM)
Unified access and control for BIG-IP
Control Access of Endpoints
Ensure strong endpoint security
Users
BIG-IP APM
• Antivirus software version
and updates
• Software firewall status
• Machine certificate validation
Allow, deny or remediate users based
on endpoint attributes such as:
Invoke protected workspace for unmanaged
devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate
network
Web
Dynamic End-User Webtop
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Toolbar, help and disconnect buttons
INTERNET
INTERNAL LAN
VLAN2
INTERNAL LAN
VLAN1
Mobile users
Branch office
users
Wireless users
LAN users
BIG-IP LTM +APM
BIG-IP LTM VE +APM
-OR-
Virtual desktops
VDI VDI VDI VDI
Hypervisor
AUTO-CONNECT TO THE VPN
Always connected application access
BIG-IP Edge Client
Web-delivered and standalone client
• Mac, Windows, Linux
• iPhone, iPad, iTouch
• Android
• Endpoint inspection
• Full SSL VPN
• Per-user flexible policy
Enable mobility
• Smart connection roaming
• Uninterrupted application sessions
Accelerate access
• Adaptive compression
• Client-side cache
• Client-side QoS
Addressing today’s
IT challenges
SIMPLIFYING VDI
F5 Networks, Confidential
Local and
remote users
L-DNS
Geo-location
services
BIG-IP Global Traffic
Manager
Monitoring
vs. iQuery
BIG-IP LTM+APM Data center
BIG-IP LTM+APM Data center
BIG-IP LTM+APM Data center
Global Traffic Manager improves VDI performance
• Xen App/Desktop users sent to
best data center
• Continuous monitoring of
entire infrastructure including
network & application health
• Automatic failover during
outages
• Persistence prevents broken
sessions
SINGLE NAMESPACE FOR GLOBAL AVAILABILITY
Use case
Enhancing web access
management
Create policy
Corporate domain
Latest AV software
Current O/S
Administrator
User = HR
HR
AAA
server
• Proxy the web applications to provide authentication, authorization, endpoint inspection, and more – all tying into Layer 4-7 ACLs through F5’s Visual Policy Editor
ENHANCING WEB ACCESS MANAGEMENT
Use case
Users Web servers
App 1
App 2
App 3
WAM proxy
• Endpoint inspection
• Scaling and high availability for
the application and OAM
directory
• Web application security
• Web application acceleration
• Enterprise class architecture
LTM = Local Traffic Manager
ASM = Application Security Manager
WA = WebAccelerator
OAM = Oracle Access Manager
BIG-IP LTM APM
Endpoint security
checks
+ ASM or WA
Oracle access mgr.
Additional BIG-IP benefits
RICHER APPLICATION DELIVERY
Virtualization
HA,LB
Virtualization
(HA, LB for directories)
STREAMLINING EXCHANGE
F5 GOV Round Table - Securing Application Access
Consolidating App
Authentication (SSO)
• Dramatically reduce
infrastructure costs;
increase productivity
• Provides seamless
access to all web
resources
• Integrated with
common applications
Use case
CONSOLIDATING APP AUTHENTICATION (SSO)
AAA
server
Corporate
managed device
Latest AV software
Expense
report app
Finance
Salesforce.com
User = Finance
What is the problem?
• Users authenticate to their enterprise, but more and more
resources are hosted elsewhere….
• How do we maintain control of those credentials, policies
and their lifecycle?
What is SAML?
• Security Assertion Markup Language
• Solid standard; current version 2.0 (March 2005)
• Strong commercial and open source support
• “An XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP).”
What is SAML? Now in English
• It's ‘Internet/Web’ SSO
• Eliminates Need for Multiple Passwords/Password
Databases in Multiple Locations
• Enables Enterprise in the ‘Cloud’
SAML – SSO Redirect Post
• Dramatically reduce
infrastructure costs;
increase productivity
• Provides seamless
access to all web
resources
• Integrated with
common applications
Use case
CONSOLIDATING APP AUTHENTICATION (SSO)
AAA
server
Corporate
managed device
Latest AV software
Expense
report app
Finance
User = Finance
Load Balancing AD FS Infrastructure with BIG-IP
Office 365
SharePoint Online
Exchange Online
Lync Online
Corporate Network
AD FS Farm
Active Directory
Perimeter Network
AD FS Proxy Farm
Corporate Users
• Local Traffic Manager
• Intelligent traffic management
• Advanced L7 health monitoring – (Ensures the AD FS service is responding)
• Cookie-based persistence
Corporate Network
AD FS Farm
Active Directory
Corporate Users
Office 365
SharePoint Online
Exchange Online
Lync Online
Load Balancing AD FS with Local Traffic Manager
Perimeter Network
AD FS Proxy Farm
Publishing AD FS with Access Policy Manager
Corporate Network
AD FS Farm
Active Directory
Corporate Users
Office 365
SharePoint Online
Exchange Online
Lync Online
Load Balancing AD FS with Local Traffic Manager
Replacing the AD FS Proxy farm with APM provides:
• Enhanced Security
• Variety of authentication methods
• Client endpoint inspection
• Multi-factor authentication
• Improved User Experience
• SSO across on-premise and cloud-based
applications
• Single-URL access for hybrid deployments
• Simplified Architecture
• Removes the AD FS proxy farm layer as well as
the need to load balance the proxy farm
Federating with Access Policy Manager and SAML
• Available with version 11.3, APM includes full SAML support
• Ability to act as an identity provider (IdP) for access to external claims-based resources including Office 365
• Act as a service provider (SP) to facilitate federated access to on-premise applications
• Streamlined architecture (no need for the AD FS architecture)
• Simplified iApp deployment
Corporate Network
Active Directory
Corporate Users
Office 365
SharePoint Online
Exchange Online
Lync Online
Logging and reporting
Detailed Reporting
BIG-IP APM
For example, who accessed app or network and when?
Sample Detailed Report
Gain a deeper understanding:
• All sessions with geo-location
• Local time
• Virtual IP
• Assigned IP
• ACLs
• Applications and OSs
• Browsers
• All sessions
• Customize reports
• Export for distribution
Access and Application Analytics
Stats grouped by
application and user
Provides:
• Business intelligence
• ROI reporting
• Capacity planning
• Troubleshooting
• Performance
Stats collected
• Client IPs
• Client geographic
• User agent
• User sessions
• Client-side latency
• Server latency
• Throughput
• Response codes
• Methods
• URLs
Views
• Virtual server
• Pool member
• Response codes
• URL
• HTTP methods
CONFIDENTIAL
F5 MOBILE APP MANAGER
OVERVIEW
• AppTunnel Termination
• AD/LDAP Tie-in
• User provisioning
• VPE agent for MAM Query
APM-MAM Integration
Existing APM functionality
Delivered at GA
F5 AppTunnel in wrapper
F5 branded applications
Legend
Enterprise premises
AppTunnel
• Device notifications
• Device provisioning
• AppStore/App management
• Basic MDM
• User self-service portal
• Endpoint Insp. (Sideband)
• Provisioning/identity info
tzoori@f5.com

F5 GOV Round Table - Securing Application Access


Editor's Notes

  • #3: BIG-IP APM = AAA control on BIG-IP. Integrates with AAA servers, including Active Directory, LDAP, RADIUS, and Native RSA SecurID.
  • #4: Add-On Module for BIG-IP Family (For new BIG-IP platforms, e.g. 3600, 3900, 6900, 6900 FIPS, 8900, 8950 and 11050. Available as an add-on module for BIG-IP LTM.) Access Profile for Local Traffic Virtual Servers (Very simple configuration to add an Access Policy to an LTM Virtual. Just select an Access Profile from the pulldown menu under the LTM Virtual configuration page. The rest of the Access Policy is configured under the Access Control left-hand menu, where AAA servers are configured, ACLs and ACEs are defined, and VPE is used to create the visual policy.) APM Policy Engine (This is the advanced policy engine behind the APM add-on for BIG-IP.) Industry Leading Visual Policy Editor (VPE) (See screenshot. Next generation of the visual policy editor, which has been a big selling point for FirePass. Others, e.g. Cisco, have started trying to copy it, but are years behind in this area.) VPE Rules (TCL-based) for Advanced Policies (Ability to edit the iRules-like TCL rules behind the VPE directly, for advanced configurations, or to create all new rules for custom deployments. Tight integration between the VPE rules and TMM iRules – e.g. ability to drive Access Policies via TMM iRules, Access Policy creating new iRules events, etc.) Endpoint Security: More than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.) Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes.) Authentication and Authorization: Flexible authentication and authorization capabilities via client cert, AD, LDAP, RADIUS, RSA SecurID agents (Broad array of authentication, authorization, and accounting capabilities – including RADIUS accounting.) Access Control: High-Performance Dynamic Layer 4 and Layer 7 (HTTP/HTTPS) ACLs (Role/User-based Access Control engine built directly into TMM, via hudfilters. Supports dynamic assignment and enforcement of layer 4 ACL/firewall capabilities, as well as now supporting dynamic layer-7 HTTP/HTTPS URL-based access controls. High-performance as built directly into dataplane.)
  • #5: Endpoint Security: More than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.) Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes.)
  • #13: Web Access Management – BIG-IP proxies the customer’s web applications and provides authentication, authorization, endpoint inspection, and more – all tying into Layer 4-7 ACLs through F5’s easy-to-use Visual Policy Editor.
  • #16: Exchange / Active Sync – The application access solution helps secure Exchange deployments across Active Sync / Mobile, Outlook Web Access and Outlook Anywhere. In addition to access control and security, F5 can aid in disaster recovery and Exchange 2007 to 2010 migration, and provide single namespace capabilities. Secures Active Sync / Mobile, OWA and Outlook Anywhere; Assists in disaster recovery and Exchange 2007 to 2010 migration; Migrate over time; Authenticate users; Single URL access; Managed access; After migration; Scale to 60K users; No cross-CAS overhead; High availability. Expanded bullets: The solution allows organizations to migrate over time while BIG-IP APM authenticates users in the DMZ to ensure there are no unknown users accessing the system. Organizations can distribute a single URL and, depending on user or group, BIG-IP APM will direct the user to the appropriate server for Exchange iteration (OWA / ActiveSync or Outlook Anywhere). This gives users direct access to email without updating bookmarks or settings. Organizations can also manage email access for all devices from all locations and any network.
  • #18: Single sign-on (SSO) – users log in to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision application to applications uniformly, even when apps live in the cloud. F5 helps: Dramatically reduce infrastructure costs and increase productivity; Provides seamless access to all web resources; Integrated with common applications.
  • #23: Single sign-on (SSO) – users log in to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision application to applications uniformly, even when apps live in the cloud. F5 helps: Dramatically reduce infrastructure costs and increase productivity; Provides seamless access to all web resources; Integrated with common applications.
  • #35: Supports users worldwide; Secure IPsec site to site tunnels; Fast apps to Edge Client users; Virtual and standalone deployments. APM v11 on Edge Gateway surpasses VPN feature parity. IPSec (iSessions) site to site (gateway to gateway) extending layer 3 networks vs. initial IPSec (client to site) where normally SSL VPN is a replacement. App Tunnels: new and improved. Easily configurable Dynamic Webtop. Flash patching.