Alteon Web Based Management Application Guide

Security

Web Application Security

Web Application Security includes diverse methods and techniques that protect Web applications
from internal and external threats. Alteon Web Application Security capabilities include:
• AppWall—The Alteon integrated AppWall capability secures Web applications and enables PCI
compliance through mitigation of Web application security threats and vulnerabilities. It
prevents data theft, manipulation of sensitive corporate data, and protects customer
information. AppWall incorporates scalable intrusion detection and prevention systems that work
seamlessly to detect threats, generate events, and block both internal and external attacks
against critical corporate data without impacting day-to-day operations.
• Authentication—The integrated Authentication gateway capability reduces operational costs
by providing centralized and simplified identity and access management infrastructure, by
offloading the user authentication process, and by simplifying the identity and access
management infrastructure. The module can be used independently of, or together with, the
AppWall capability to create role-based policies.

Web Application Security Provisioning

AppWall and Authentication capabilities are supported only on Alteon operating in virtualized mode
(ADC-VX). To provision these capabilities on a vADC, perform the following steps:
• Install the appropriate licenses on the Alteon platform (separate licenses for AppWall and
Authentication).
• Define the appropriate capacity limit on the vADC for AppWall throughput and/or Authentication
user.
• Allocate a minimum of two capacity units (CUs) on the vADC for Web Application Security .

For more information regarding configuration and operation of AppWall and Authentication, see the
AppWall for Alteon NG User Guide.

SSL Inspection
Most web applications used for private, commercial, or business purposes encrypt the transactions
based on the SSL/HTTPS protocol to ensure the privacy of data transfer between the user and
server.
SSL solves the privacy problem and secures the communication of sensitive information in and out
of the enterprise, but it created a new blind spot in the visibility of traffic that goes in and out of the
enterprise. SSL has also become a vehicle to carry malicious programs into the enterprise IT
infrastructure and allows sensitive information to leak out of the enterprise unnoticed. Even private
emails or innocent collaboration tools have become a security hazard as malicious programs can
cross through the enterprise's anti-virus solution unchecked, hidden in the SSL connection
established between the two ends.
Organizations subjected to industry and government regulations have strict rules on accessing
sensitive information and require all traffic in the datacenter to be visible. This requirement
contradicts the inherent need to keep data transmission encrypted to ensure privacy.
Alteon offers one unified solution that uniquely addresses all challenges and requirements.
Alteon can be implemented as a bump in the wire, overseeing all traffic to and from the Internet.
Based on its advanced Layer 4 to Layer 7 classification capabilities, Alteon seamlessly intercepts and
terminates SSL sessions as if it was a server, and opens a new SSL session on its other side, on
behalf of the end-user, towards the original destination server. In between, Alteon's advanced
transparent traffic steering capabilities forwards the decrypted traffic to deep packet inspection
(DPI) security solutions, such as firewalls, anti-malware, and data leakage protection, providing full
visibility into the content of both SSL encrypted and clear text sessions.

658 Document ID: RDWR-ALOS-V3050_WBMAG1602

 Alteon Web Based Management Application Guide
Security

Figure 85: The SSL Inspection Solution

How SSL Inspection Works

The figure below illustrates the traffic flow for the SSL Inspection solution.

Figure 86: SSL Inspection Traffic Flow

As illustrated, the traffic flow for the SSL Inspection solution is as follows:
1. A client initiates an HTTPS request (SSL Hello) to a secured Web site.
2. Alteon intercepts the request and initiates an SSL connection to the destination server. During
the SSL handshake, the server passes its certificate to Alteon.
3. Alteon quickly generates a server certificate identical to the remote server's certificate, signs it
with the configured CA certificate and passes it to the client This solves the problem of
performing registry changes on the client's PC and also presents the exact server certificate's
details to the client. The new certificate includes all the relevant information from the original
certificate including the common fields:
— Serial number
— Valid from
— Valid to
— Subject
— Subject alternative name extension (if exists)
— Issuer alternative name extension (if exists)

Document ID: RDWR-ALOS-V3050_WBMAG1602 659

Alteon Web Based Management Application Guide
Security

The original Issuer field is passed in a Netscape comment extension in the new certificate, as it
is not part of the new certificate when validated by the browser. The new certificate is created
with a new Issuer field, which is changed to the common name of the CA certificate imported/
created on Alteon for this purpose.
4. After completing the SSL handshake with the client, Alteon decrypts the client's request and
sends the HTTP request to the security device (antivirus, DLP, etc.) to be inspected.
5. The security device scans the HTTP traffic and if the result is OK, sends the traffic to the
Internet.
Note: The same traffic can be inspected by multiple security devices, in a serial manner.
6. Alteon intercepts the request sent by the security device (the last in line in case of multiple
devices) and initiates an encrypted request to the remote site as per the destination address
requested by the client in the original request. The source IP address of the request is either the
client's or its own, depending on the configuration.
7. The returning traffic follows the same flow but in the opposite direction.
During the SSL handshake with the remote server, Alteon authenticates the server and verifies that
the server's public certificate is signed by a known and recognized CA authority. For this, a list of
trusted CA certificates must be imported into Alteon. Alteon also verifies the certificate's expiration
date and validity.
During the SSL handshake, Alteon presents a newly created certificate to the client in place of the
original server. This means that, in effect, the client receives a certificate that has been issued by
Alteon, as opposed to the original issuer. Because of this, a security warning pop-up message
displays to the client. The message usually states the following:
An authentication problem occurred while trying to connect to the remote Web site. The problem is
one of the following:
• The security certificate was issued by a company you have not chosen to trust.
• The security certificate date is not valid
• The common name on the security certificate is invalid or does not match the name of the site.

Configuring SSL Inspection

Configuring SSL Inspection consists of the following steps:
• Installing SSL Inspection License, page 660
• Defining SSL Inspection Certificates and Keys, page 660
• Configuring SSL Inspection Flow, page 661

Installing SSL Inspection License

To use SSL Inspection, you must purchase an additional software license and install the license
string. Contact Radware Technical Support to acquire this software licenses.

Note: In VX mode SSL Limit must be defined on the vADC on which you want to activate SSL
Inspection.

Defining SSL Inspection Certificates and Keys

The following certificate and keys are required on the Alteon device to perform SSL Inspection:
• CA certificate and key used to sign the server certificates generated on-the-fly by Alteon.
• The key that will be used together with the generated server certificate to establish SSL
connection to the client.

660 Document ID: RDWR-ALOS-V3050_WBMAG1602

 Alteon Web Based Management Application Guide
Security

To define the SSL Inspection certificates and keys

1. Select Configuration > Application Delivery > SSL > Certificate Repository.
2. Import or generate Certificate & Key. This should be a CA certificate.
3. Import or generate the encryption key for client-side SSL.
4. Select Configuration > Application Delivery > SSL > SSL Inspection.
5. Select the encryption key imported or generated in step 3 for the Key parameter.
6. Select the certificate imported or generated in step 2 for the Signing CA Certificate parameter.
7. Click Submit.

Configuring SSL Inspection Flow

The SSL Inspection flow requires the following elements:
• A Redirect filter that performs the front-end part of the SSL flow and redirects the clear-text
traffic to a security device. This filter must be activated on the client port.
• An Allow filter that performs the back-end part of the SSL flow. This filter must be activated on
the security device port.

Notes
• Currently, a single pair of front-end and back-end SSL policies can be configured for SSL
Inspection.
• To perform Layer 7 decisions on the decrypted traffic you must use AppShape++.

To configure the SSL Inspection flow

1. Configure the first filter.
a. Select Configuration > Application Delivery > Filters.

b. In the Filters table, click to add an entry. The relevant Add tab opens.
c. Select Enable Filter.
d. In the Filter ID field, type an identifier for the filter. The valid range is 1 to 2048.
e. In the Action field, select Redirect from the drop-down list.

f. In the Group ID field, select the appropriate group ID from the drop-down list, or click
to add a new group.
In this example, we use the following values:

Filter ID Action
10 Redirect

g. Select the Match Settings tab.

• In the Protocol field, select TCP from the drop-down list.
• In the Application field, select HTTP from the drop-down list.
• In the IP Address/Network field, type the IP address to use in the Source column.
• In the Mask/Prefix field, type the subnet mask to use in the Source column.

Document ID: RDWR-ALOS-V3050_WBMAG1602 661

Alteon Web Based Management Application Guide
Security

• In the Application Port/Range Start field, type 443 in the Destination column.
In this example, we use the following values:

Protocol Application Application Port/Range Start

TCP HTTP 443

h. Select the Action Settings tab.

• In the Delayed Bind field, select Forceproxy in the drop-down list.
• In the Real Server Port field, type 80 (or any port that the security device listens on).
• In the Return to Last Hop field, select Enable in the drop-down list.
• In the Reverse Session field, select Enable in the drop-down list.
In this example, we use the following values:

Delayed Bind Real Server Port Return to Last Hop Reverse Session
Forceproxy 80 Enable Enable

i. Select the SSL tab.

• In the SSL Inspection field, select Enable in the drop-down list.
• In the SSL Policy field, click to add a new SSL policy. The relevant Add tab displays.
• Select Enable SSL Policy.
• In the Policy ID field, type the identifier for the policy. The maximum characters allows
is 32.
• Click Submit. You return to the Add New Filter tab.
j. Click Submit.
2. Configure the second filter.
a. Select Configuration > Application Delivery > Filters.

b. In the Filters table, click to add an entry. The relevant Add tab opens.
c. Select Enable Filter.
d. In the Filter ID field, type an identifier for the filter. The valid range is 1 to 2048.
e. In the Action field, select Redirect from the drop-down list.

f. In the Group ID field, select the appropriate group ID from the drop-down list, or click
to add a new group.
In this example, we use the following values:

Filter ID Action
20 Redirect

g. Select the Match Settings tab.

• In the Protocol field, select TCP from the drop-down list.
• In the Application field, select HTTP from the drop-down list.
• In the IP Address/Network field, type the IP address to use in the Source column.
• In the Mask/Prefix field, type the subnet mask to use in the Source column.
• In the Application Port/Range Start field, type 443 in the Destination column.
In this example, we use the following values:

Protocol Application Application Port/Range Start

TCP HTTP 443

662 Document ID: RDWR-ALOS-V3050_WBMAG1602

 Alteon Web Based Management Application Guide
Security

h. Select the Action Settings tab.

• In the Delayed Bind field, select Forceproxy in the drop-down list.
• In the Real Server Port field, type 80 (or any port that the security device listens on).
• In the Return to Last Hop field, select Enable in the drop-down list.
• In the Reverse Session field, select Enable in the drop-down list.
In this example, we use the following values:

Delayed Bind Real Server Port Return to Last Hop Reverse Session
Forceproxy 80 Enable Enable

i. Select the SSL tab.

• In the SSL Inspection field, select Enable in the drop-down list.
• In the SSL Policy field, click to add a new SSL policy. The relevant Add tab displays.
• Select Enable SSL Policy.
• In the Policy ID field, type the identifier for the policy. The maximum characters allows
is 32.
• Select the Frontend SSL tab.
• In the Frontend SSL Encryption field, select Disable from the drop-down list.
• Select the Backend SSL tab.
• In the Backend SSL Encryption field, select Enable from the drop-down list.
• In the Backend SSL Cipher, select a cipher from the drop-down list.
• Click Submit. You will return to the Add New Filter tab.
In this example, we use the following values:

Policy ID Frontend SSL Backen SSL Backend SSL Cipher

Encryption Encryption
2 Disable Enable (select)

j. Click Submit.
3. Configure port processing to use the configured filters.
a. Select Configuration > Application Delivery > Port Processing.

b. In the Port Processing table, select an entry and click , or double-click the entry you want
to edit. The relevant Edit tab displays.
c. Select Filter/Outbound LLB.
d. Select the rule ID and use the arrows to move the rule ID between the Available and
Selected lists.
e. Click Submit.
f. Repeat until all filters are configured for each port.
In this example, we use the following values:

Port Selected (Rule ID)

1 10
2 20

Document ID: RDWR-ALOS-V3050_WBMAG1602 663