How to Prohibit Bypassing Web Agent

Question asked by Jim-Lundell-3M on May 4, 2018
Latest reply on May 7, 2018 by Ujwol Shrestha

Hi,

I see three possible ways that might be used to ensure a web agent is never bypassed, thus ensuring a user cannot spoof headers at an app server.

I'm looking for wisdom/experience on each of these -- or possibly other methods I've not thought of.

1) IP Restriction

Pro: Simple to configure on IIS, etc.

Cons: Can break production applications when new web servers/app servers are introduced. Also, some apps like JBoss want to restrict app access always -- but allow direct access for admins.

2)  Client Certs

3) OFC -- encrypt responses consumed by applications

Pros: Get around hassles with IP Restriction and cert management. Unless a "hacker" knew the strong session key, there's no way to spoof headers/cookies.

Cons: Custom code?  But our thinking is we could easily abstract this for our developers since CA provides most of what is needed.

Thoughts/Experiences?

Cheers,

Jim
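The header-spoofing problem behind option 3, as an added example that is not part of the original post and not CA's SDK or agent code: a minimal model of the two application-side postures. `trust_headers()` is the posture that makes bypassing the agent dangerous (the app believes whatever `SM_USER` arrives, so any client that can reach the app server directly picks its own identity); `verify_signed_headers()` only accepts identity headers that carry a fresh HMAC computed by the trusted front-end tier with a key the client never sees. Assumptions: `SM_USER`/`SM_USERDN` are used as the SiteMinder-style identity headers, the signature header name `X-Agent-Sig`, its `ts=...;mac=...` format and the key value are constructed for illustration, and the example uses a MAC (integrity) rather than the encryption the post mentions, because spoofing is an integrity problem.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample key. In practice: a random per-environment secret shared only
# between the agent/front-end tier and the application tier, never with clients.
SHARED_KEY = b"constructed-example-key-do-not-use"
SIGNED_HEADERS = ("SM_USER", "SM_USERDN")   # identity headers the app consumes
SIG_HEADER = "X-Agent-Sig"                  # hypothetical name for the MAC header
MAX_SKEW = 300                              # seconds; bounds replay of a captured MAC


def _canonical(headers: Dict[str, str], ts: str) -> bytes:
    """Fixed-order, length-prefixed encoding of the signed headers, so a client
    cannot shift bytes between SM_USER and SM_USERDN and keep the same MAC."""
    parts = [ts.encode()]
    for name in SIGNED_HEADERS:
        value = headers.get(name, "")
        parts.append(f"{name}={len(value)}:{value}".encode())
    return b"\n".join(parts)


def sign_headers(headers: Dict[str, str], key: bytes = SHARED_KEY,
                 now: Optional[float] = None) -> Dict[str, str]:
    """What the trusted front-end tier does after the web agent has populated the
    identity headers: attach a timestamped HMAC-SHA256 over them."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(key, _canonical(headers, ts), hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed[SIG_HEADER] = f"ts={ts};mac={mac}"
    return signed


def trust_headers(headers: Dict[str, str]) -> Optional[str]:
    """Posture 1: the app believes whatever SM_USER it receives. Anyone who can
    reach the app server without going through the agent chooses their identity."""
    return headers.get("SM_USER")


def verify_signed_headers(headers: Dict[str, str], key: bytes = SHARED_KEY,
                          now: Optional[float] = None) -> Optional[str]:
    """Posture 2: accept the identity only if the MAC verifies and is fresh.
    Returns the user id, or None when the request must be rejected."""
    sig = headers.get(SIG_HEADER, "")
    fields = dict(p.split("=", 1) for p in sig.split(";") if "=" in p)
    ts, mac = fields.get("ts"), fields.get("mac")
    if not ts or not mac or not ts.isdigit():
        return None
    current = now if now is not None else time.time()
    if abs(current - int(ts)) > MAX_SKEW:
        return None                                   # stale or future-dated: replay
    expected = hmac.new(key, _canonical(headers, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):        # constant-time comparison
        return None
    return headers.get("SM_USER")


if __name__ == "__main__":
    # Constructed sample traffic: one request that came through the agent tier,
    # one direct hit with hand-written headers, one that reuses a real MAC but
    # changes the user.
    via_agent = sign_headers({"SM_USER": "jlundell",
                              "SM_USERDN": "uid=jlundell,ou=people"})
    spoofed = {"SM_USER": "admin", "SM_USERDN": "uid=admin,ou=people"}
    tampered = dict(via_agent)
    tampered["SM_USER"] = "admin"

    print("trusting headers, spoofed request ->", trust_headers(spoofed))
    print("verifying MAC, legitimate request ->", verify_signed_headers(via_agent))
    print("verifying MAC, spoofed request    ->", verify_signed_headers(spoofed))
    print("verifying MAC, tampered request   ->", verify_signed_headers(tampered))
```

The MAC only helps if the key lives solely on the agent/front-end and app tiers and the app refuses any request whose MAC is missing or invalid, including from "trusted" internal addresses; the timestamp narrows but does not eliminate replay within the window, so this complements rather than replaces TLS and the IP restriction or client-cert options above.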