Securing Legacy Host Access with Reflection for the Web
Denis Guyonnaud
Security for Legacy Host Access
• Modern Multi-Layered Approaches to Security
• Legacy Host Applications without Security
• First-Generation Host Security: SSL Direct to Host
• Next-Generation Host Security: Layered Security for Legacy Host Applications
• Next-Generation Host Security: Reflection® for the Web and Windows®-Based Reflection
• Non-Intrusive Multi-Layered Security for Legacy Host Applications
Modern Multi-Layered Approaches to Security
Diagram components: Client (Web Browser), Firewall, DMZ, Firewall, Web Servers, LDAP, Security Appliance, Reverse Proxy, Authentication Server
• Encryption: Data is encrypted when passing through the non-secure network outside the perimeter
• Centralized identity management: An enterprise LDAP repository manages identity information for all users
• Centralized access control: Authentication and authorization policies are applied at the perimeter to all traffic between clients and servers
• Centralized auditing: Access to network resources is centrally monitored at the access control point
• Centralized threat monitoring: Incoming and outgoing traffic is scanned at the perimeter
Legacy Host Applications without Security
Diagram components: Terminal Emulation Client, Authentication At Host, Telnet (port 23)
• No confidentiality of data or passwords: Without encryption, data and passwords are exposed
• Weak authentication: Many hosts are limited to case-insensitive eight-character passwords
• Decentralized authentication: Host-based authentication is often difficult to tie in to LDAP
• Decentralized access control: Access control happens only at the host, so there is no centralized control over access to enterprise resources
• Decentralized auditing: Access to hosts is monitored only by the hosts themselves
First-Generation Host Security: SSL Direct-to-Host
Diagram components: Terminal Emulation Client, Authentication At Host, Firewall, Open Door/No Authentication, SSL/TLS
• Data and passwords are encrypted
• Weak, decentralized authentication: In most SSL deployments, authentication is still handled completely by the host
• Decentralized access control: Access control happens only at the host
• Unauthenticated SSL traffic is passed straight to the host: The encrypted SSL tunnel makes it impossible to monitor the connection
• Decentralized auditing: Access to hosts is monitored only by the hosts themselves
Next-Generation Host Security: Layered Security for Legacy Host Applications
Diagram components: Terminal Emulation Client, Firewall, DMZ, Firewall, Host, LDAP, Security Appliance, Security Proxy, Management Server, SSL/TLS, HTTPS
• Centralized authentication
• Centralized access control
• Access control at perimeter
• Encryption
• Centralized auditing
• Centralized threat monitoring at the perimeter
Next-Generation Host Security: Reflection for the Web and Windows-Based Reflection
Diagram components: Firewall, Firewall, Host, LDAP, Security Appliance, Security Proxy, Reflection Metering Server, Reflection Management Server, SSL/TLS
• Reflection Management Server
• Reflection Security Proxy
• Reflection Metering Server
• Reflection thin client
Reflection Interoperates with All Common LDAP Servers
• Active Directory
• Novell
• iPlanet/Netscape/SunOne
• IBM Directory Server
• IBM RACF
• OpenLDAP
• Other RFC 2256-compliant LDAP servers
• Reflection uses non-intrusive read-only access to LDAP directories
• Access to hosts is controlled using the existing LDAP user and group structure
Reflection Interoperates with Popular Portal and Web Authentication Tools
• WebSphere portal
• BEA WebLogic portal
• Plumtree (BEA AquaLogic) portal
• SiteMinder
Unique Secure Token Authorization Mechanism
• Simple SSL gateways or redirectors do not authenticate users or require authorization in order to connect to a host
• The Reflection Security Proxy requires clients to prove that they have been both authenticated and authorized to access the host
• When a user is authenticated and authorized by the Reflection Management Server, they receive a secure token. Only users with this secure token can connect to the Security Proxy
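As an added example (not Reflection's own code, and not code from the original slides), the following Python models the flow that the LDAP slides and this slide describe together: a management server checks credentials and group membership against a read-only directory, issues a signed, host-scoped, expiring token, and a security proxy admits a connection only when a valid token for that host is presented, recording every decision in one central audit trail. The directory entries, host and group names, the HMAC-based token format and the key shared between the two components are all assumptions made for the example; the slides say only that a secure token is issued after authentication and authorization and that the proxy requires it.

```python
"""Added example, not Reflection's own code: a minimal model of the
management-server / security-proxy token flow described on the slides."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the enterprise LDAP directory (users, password
# hashes, group membership).  The management server only reads from it.
_SALT = b"constructed-salt"
DIRECTORY = {
    "alice": {"pw": _pw_hash("correct horse", _SALT),
              "groups": {"cn=payroll-ops", "cn=mainframe-users"}},
    "bob": {"pw": _pw_hash("battery staple", _SALT),
            "groups": {"cn=mainframe-users"}},
}

# Hypothetical host names mapped to the directory groups allowed to reach them.
HOST_POLICY = {
    "payroll.host.example": {"cn=payroll-ops"},
    "inventory.host.example": {"cn=mainframe-users"},
}

# Assumed: an HMAC key shared by the management server and the security proxy.
SHARED_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds a token stays valid
AUDIT_LOG: list[dict] = []  # central audit trail kept at the access-control point


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def authenticate(user: str, password: str) -> bool:
    """Management server: check credentials against the directory."""
    entry = DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(
        entry["pw"], _pw_hash(password, _SALT))


def authorize(user: str, host: str) -> bool:
    """Management server: allow if the user is in a group named by the host policy."""
    entry = DIRECTORY.get(user)
    return entry is not None and bool(entry["groups"] & HOST_POLICY.get(host, set()))


def issue_token(user: str, password: str, host: str, now: float | None = None) -> str | None:
    """Management server: return a signed, host-scoped, expiring token, or None."""
    now = time.time() if now is None else now
    if not (authenticate(user, password) and authorize(user, host)):
        AUDIT_LOG.append({"event": "token_denied", "user": user, "host": host, "at": now})
        return None
    payload = json.dumps({"sub": user, "host": host, "exp": now + TOKEN_TTL,
                          "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    AUDIT_LOG.append({"event": "token_issued", "user": user, "host": host, "at": now})
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, host: str, now: float | None = None) -> dict | None:
    """Security proxy: return the claims only if signature, expiry and host all check out."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered token
    claims = json.loads(payload)
    if claims.get("host") != host or claims.get("exp", 0) <= now:
        return None  # token for another host, or expired
    return claims


def proxy_connect(token: str | None, host: str, now: float | None = None) -> bool:
    """Security proxy: admit a connection to `host` only on a valid token for it.
    A plain SSL redirector skips this step and forwards every connection."""
    now = time.time() if now is None else now
    claims = verify_token(token, host, now) if token else None
    AUDIT_LOG.append({"event": "connect" if claims else "rejected",
                      "user": claims["sub"] if claims else None,
                      "host": host, "at": now})
    return claims is not None
```

The contrast with the "open door" firewall of the SSL direct-to-host slide is `proxy_connect(None, ...)`: a plain SSL redirector would forward that connection and leave authentication to the host, whereas the proxy here rejects it before the host sees any traffic, and the rejection lands in the same central log as every successful connection. Scoping each token to one host and giving it a short lifetime means a token obtained for one host cannot be presented for another or reused indefinitely, and the host policy is expressed purely in terms of existing directory groups, so nothing has to be written to the directory.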
Broad Platform Compatibility
The Reflection Management and Metering servers can be deployed on any J2EE-compliant web application server, including:
• Tomcat (default shipping installation)
• IBM WebSphere
• BEA WebLogic
The Reflection Security Proxy can be installed on any platform that supports Java, including:
• Windows
• Linux
• Solaris
• HP-UX
• z/OS
Reflection for the Web thin client emulators run on any platform that supports Java, including:
• OS X
• Linux
• Windows
Reflection for the Web thin client emulators support popular web browsers, including:
• Internet Explorer
• Mozilla Firefox
• Safari
• Netscape
• Using all common Java clients
  • Sun JRE 1.6 and earlier
  • Microsoft 1.1 VM
Non-Intrusive Multi-Layered Security for Legacy Host Applications
The Reflection security architecture offers the following advantages:
• Layers of security in front of your host
• Non-intrusive security
• Can be used with Reflection thin client emulators or Windows-based thick clients
• Both the Reflection Management Server and the Security Proxy server are compatible with commonly used load balancers