Symantec Access Management

  • 1.  SPS to backend communication security

    Posted May 19, 2016 03:46 PM

    We are building SPS in our enterprise and are looking at various means to secure SPS to Application communication. Since the solution is for internal apps only, we don't have any firewall between SPS and the App servers.

    Is setting up SSL between SPS and the AppServer enough to secure communication, or would client cert authentication need to be configured? What are the various approaches that others have followed? Can someone please shed some light on this. What we want to avoid is direct access to the application if someone gets hold of the servers and mimics the headers that SiteMinder sends to the App.

    Thanks



  • 2.  Re: SPS to backend communication security

    Broadcom Employee
    Posted May 23, 2016 07:19 AM

    Hello

    One possibility you may want to consider is to enable mutual cert authentication between SPS and backend.



  • 3.  Re: SPS to backend communication security

    Posted May 31, 2016 11:30 AM

    Thanks Miguel, we were looking into cert authentication.



  • 4.  Re: SPS to backend communication security

    Posted May 27, 2016 03:02 PM

    Normal ol' SSL alone, without mutual auth, isn't sufficient since that's simply covering the transport layer encryption. Anyone could still inject a header and the application would simply take it and go about its business. The SSL in that situation would only ensure the traffic was encrypted between the client and server, but does nothing to authenticate the client request itself to ensure it should even accept it.

    Miguel mentioned mutual cert auth, which would work. Another could be IPSec with cert/Kerberos auth (not shared secret!!!) for integrity, and block all direct access; if it's Windows servers, setting up IPSec is easy peasy... Linux is doable too.

    Or a Web Agent on the downstream app server to sanitize headers, but that kind of defeats the purpose of SPS, right?

    For some of my proxy setups, I've just used IPSec between the systems. Any request coming into the application server would be rejected, as the only trusted systems would be the proxy systems over an IPSec tunnel. There's some overhead with that, but for the most part not bad; and with automatic cert renewals it is fairly hands-off in terms of operations once it is set up.
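    To make the point in the reply above concrete (transport-only SSL authenticates nothing about who set the identity headers, mutual cert auth does), here is an added Python illustration of the backend-side logic. It is not SPS, SiteMinder or Broadcom code. `SM_USER` and `SM_USERDN` are the standard SiteMinder identity header names; the "certificate" bytes, the fingerprint pin and the `resolve_identity` / `make_server_context` helper names are constructed for this example. `make_server_context` shows the `ssl` settings that make a client certificate mandatory; it is not called in the offline demo because it needs real key material.

```python
"""Backend check: trust SiteMinder identity headers only when the TLS peer
is the authenticated SPS.  Added example for this thread, not product code."""
import hashlib
import ssl

# Headers SPS / the Web Agent set on the proxied request.  A direct caller
# that can reach the app server can set them too, so by themselves they
# carry no authority.
IDENTITY_HEADERS = ("SM_USER", "SM_USERDN", "SM_SERVERSESSIONID")

# Constructed stand-in for the DER bytes of the SPS client certificate.
# In a real deployment this comes from the SPS cert you issued, not a string.
SAMPLE_SPS_CERT_DER = b"constructed sample bytes, not a real certificate"


def cert_fingerprint(der_cert):
    """SHA-256 over the DER-encoded peer certificate, i.e. the bytes that
    SSLSocket.getpeercert(binary_form=True) returns after the handshake."""
    return hashlib.sha256(der_cert).hexdigest()


# Pin the specific SPS certificate(s) the backend will accept.  The TLS
# layer (CERT_REQUIRED + cafile) already checks the chain; pinning narrows
# it further to the proxy hosts, not every cert the CA ever issued.
TRUSTED_SPS_FINGERPRINTS = {cert_fingerprint(SAMPLE_SPS_CERT_DER)}


def make_server_context(cafile, certfile, keyfile):
    """Server-side TLS context that *requires* a client certificate
    (mutual TLS).  Leaving verify_mode at its default lets any client
    complete the handshake, which is the 'normal ol' SSL' case."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def peer_is_trusted_sps(der_cert):
    """True only if a client cert was presented and it is one we pinned."""
    if not der_cert:
        return False
    return cert_fingerprint(der_cert) in TRUSTED_SPS_FINGERPRINTS


def resolve_identity(headers, der_cert, mutual_auth=True):
    """Return the user the request should run as, or None to treat it as
    unauthenticated.

    headers      request headers (looked up case-insensitively)
    der_cert     peer certificate bytes from the TLS layer, or None
    mutual_auth  False reproduces the weak setup where the SM_USER header
                 is taken at face value over an encrypted-only connection
    """
    hdrs = {k.upper(): v for k, v in headers.items()}
    user = hdrs.get("SM_USER")
    if not user:
        return None
    if mutual_auth and not peer_is_trusted_sps(der_cert):
        # Identity header present but the peer is not the pinned SPS:
        # a spoofed or misrouted request.  Drop the identity, do not trust it.
        return None
    return user


def strip_identity_headers(headers):
    """Sanitising variant (the 'Web Agent on the downstream server' option):
    remove SM_* headers from any request that did not arrive over the
    authenticated SPS channel, so the app never sees a forged one."""
    return {k: v for k, v in headers.items() if k.upper() not in IDENTITY_HEADERS}


if __name__ == "__main__":
    spoofed = {"SM_USER": "admin", "Host": "internal-app"}
    print("no client cert, mTLS enforced  ->", resolve_identity(spoofed, None))
    print("no client cert, SSL only       ->", resolve_identity(spoofed, None, mutual_auth=False))
    print("pinned SPS cert, mTLS enforced ->", resolve_identity(spoofed, SAMPLE_SPS_CERT_DER))
    print("sanitised direct request       ->", strip_identity_headers(spoofed))
```

    The two middle lines of the demo are the whole argument of the reply: the same forged `SM_USER` header is accepted when only the transport is encrypted and refused once the backend demands the pinned SPS client certificate.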



  • 5.  Re: SPS to backend communication security

    Posted May 31, 2016 11:31 AM

    Thanks CBertagnolli, IPSec would be an interesting option to look at.