Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Sunday, December 31, 2023

Securing Intranet Applications: Bypassing Public API Gateway Limitations

 

In the realm of secure intranet applications, protecting sensitive data while ensuring easy access for authorized users is paramount. Traditional setups often rely on public API gateways, which can expose internal services to unnecessary risks. Here, we explore an innovative approach: using OpenResty as an external load balancer within a DMZ, integrated with a custom authentication system (FAMS). This architecture not only enhances security but also offers greater control over internal traffic management.

Why Move Away from Public API Gateways?

Public API gateways are designed for wide accessibility, which can be a double-edged sword for intranet applications. They expose endpoints to the public internet, increasing the attack surface. Furthermore, their generic nature might not align well with specific internal security protocols.

The OpenResty Advantage in a DMZ

OpenResty, an enhanced version of the Nginx web server, offers a powerful platform for building a more controlled and secure network architecture. Deployed as an external load balancer in a DMZ, it acts as a gatekeeper, ensuring only authorized traffic reaches the internal network. This setup significantly reduces exposure to external threats.

Key Benefits:

  • Custom Traffic Management: Tailor traffic routing and load balancing to fit the unique needs of your intranet environment.
  • Enhanced Security: With OpenResty in the DMZ, exposure to external threats is minimized, as it handles all incoming traffic and requests.
  • Flexibility and Scalability: OpenResty's modular architecture allows for easy scalability and adaptability to changing security requirements.

Integrating FAMS for Authentication

FAMS, our custom authentication system, plays a critical role in this architecture. By integrating FAMS with OpenResty, we establish a robust authentication process for all incoming requests.

How it Works:

  • Authentication at the Entry Point: OpenResty intercepts all incoming requests. It then leverages FAMS to authenticate and authorize these requests before allowing access to internal services.
  • Seamless User Experience: Users interact with the intranet applications as usual, but with an added layer of security. The authentication process is transparent and efficient.

Overcoming Public API Gateway Limitations

This OpenResty and FAMS-based solution effectively addresses the limitations of public API gateways in several ways:

  • Reduced Public Exposure: By situating the load balancing and authentication mechanisms in a DMZ, the internal network remains isolated from direct public access.
  • Tailored Security: Unlike a one-size-fits-all public API gateway, this setup allows for customized security measures that align precisely with internal policies.
  • Control Over Traffic: Direct control over routing and load balancing ensures that only legitimate, authenticated requests are processed.

Conclusion

For organizations seeking to bolster the security of their intranet applications, transitioning from a public API gateway to an OpenResty and FAMS-based architecture offers a compelling solution. This approach not only enhances security but also provides greater control and flexibility, ensuring that internal applications remain both accessible and protected.

at No comments:
Labels: , , ,

Thursday, September 7, 2023

Two-Tier Authentication in Microservices Architecture

 

Microservices are decoupled, self-contained units, which makes security pivotal. Two-tier authentication can offer an extra layer of protection. By integrating both AWS Cognito (for cloud-based authentication) and FAMS (an on-premises solution), we can create a robust authentication mechanism for such architectures.

It's a clear separation of concerns, with FAMS focusing on user identity and Cognito securing your API. This is a valid and robust approach, particularly if you want to leverage Cognito's capabilities for managing API access without intertwining it with FAMS.

Two-Tier Authentication in Microservices

Microservices often communicate through APIs. The two tiers in this setup are:

On-Premises Authentication (e.g., FAMS): Before accessing cloud-based microservices, authentication through on-prem systems like FAMS ensures that the initial user or service is validated.

Cloud-Based Authentication (e.g., AWS Cognito): After the initial validation, Cognito facilitates the subsequent authentication steps, providing tokens that are required to access microservices' endpoints.

Benefits of Using AWS Cognito with FAMS

·        Seamless Integration: AWS Cognito integrates well with AWS services and can work in tandem with FAMS for initial authentication.

·        Token-based security: After initial authentication with FAMS, Cognito handles token-based authentication for cloud resources.

·        Flexibility: Offers the ability to switch between different authentication providers.

Sequence Flow in a Microservices Environment

 



Conclusion

Two-tier authentication using both FAMS and AWS Cognito offers a comprehensive authentication strategy for microservices, bridging on-premises systems and cloud architectures. It ensures that microservices are only accessed by authenticated clients and services, upholding the principles of security and integrity.

at No comments:
Labels: , , , , , ,

Sunday, September 25, 2022

Application Dynamic Assessment Security testing - Tool Evaluation

Dynamic Application Security Testing (DAST) is a procedure that actively investigates running applications with penetration tests to detect possible security vulnerabilities. 

To address this growing security threat, businesses are increasingly deploying dynamic application security testing (DAST) tools as part of a more security-forward approach to web application development. DAST tools provide insight into how your web applications behave while they are in production, enabling your business to address potential vulnerabilities before a hacker uses them to stage an attack. As your web applications evolve, DAST solutions continue to scan them so that your business can promptly identify and remediate emerging issues before they develop into serious risks.

we have evaluated a few tools in 2021 against open source vulnerable applications to determine a tool that can be integrated with release pipelines and can be seamlessly integrated into SDLC.

These commercial tools could identify a very tiny subset of known vulnerabilities. It cannot replace manual pen testing but can complement pen testers.    The below tables provide a high-level evaluation summary of the tools shortlisted

















Vulnerabilities detected by these tools 



at No comments:
Labels: , ,
Subscribe to: Posts (Atom)

Claim Based Authorization

  1.      Claim Based Authorization ·         Token Validation: As requests come into the Ocelot API Gateway, the first step is to validat...