
F5 Tech Brief

Authentication 101

Authentication is a growing requirement in this new era of heightened technology security. What is authentication and how can it be implemented in your environment to meet all of your application needs?

by Kevin Stewart, Systems Engineer

Contents

What Is Authentication?
Certificate Revocation: Online Certificate Status Protocol
The Mighty HTTP Header
Kerberos: The Microsoft Link
Ultimate Power and Flexibility with iRules
Secure Connections with BIG-IP Access Policy Manager
Conclusion

What Is Authentication?

Authentication is the process of proving that you are who you say you are, usually for the purpose of gaining access to something. In the real world this is a relatively easy task, even with a really bad driver's license photo; in cyberspace, nothing is ever that simple. As a business owner, how do you know that the person accessing your ecommerce website is in fact the same person allowed to transfer funds on the site? From organized crime, to foreign governments, to teenagers in their parents' basement, there is great financial (and often personal) gain in defrauding businesses. The Internet provides a perfect haven for would-be thieves and mercenaries: it is big, distributed, uncensored, unmanaged, and very often anonymous. Your website, residing on the edge of that wild frontier, is a sitting duck.

If you do any business online (or anywhere, for that matter) that requires validation of the user's identity, you need authentication. Authentication demands that the client prove they are who they say they are, often in a variety of ways: usernames and passwords, certificates, tickets, tokens, cookies, smart cards, biometrics, and so on. Authentication providers often use the word "factor" to classify each form of identity assertion. The more independent factors used, the harder impersonation becomes; two passwords are still one factor, while a password plus a smart card is two. Also keep in mind that authentication is the "who you are" in access control, not the "what you can do." The latter is the concern of authorization, and authentication and authorization are not the same thing.

Authentication is complex. It is simply not good enough to check for the correct username and password in a database. In fact, several of the OWASP Top 10 web vulnerabilities relate to insecure authentication and session management practices. Authentication methods are standardized but heavily interpreted.
There are community standards for Kerberos, smart cards, biometrics, cookies, tokens, certificates, and many others, but every vendor implements them differently. If you have been in the IT business long enough, you have no doubt run across a few dozen different ways to authenticate to applications and, worse, had to remember a dozen or more complex passwords.

As a result of the complexity required, authentication mechanisms tend to consume significant resources, resources that would otherwise be used by the applications requiring protection. Authentication is also only as strong as its weakest link. It does not matter how cool your four-factor biometric, token, smart card and password-based authentication solution is; if you are running it on Microsoft Windows 98 you might as well turn off the lights and go home.

So what is the answer to complex, semi-proprietary, resource-heavy authentication mechanisms running on vulnerable software platforms? In a word: hardware. You need hardware-accelerated SSL on a fast platform running a hardened OS, with the

flexibility to do just about anything you want to do with authentication. The F5 BIG-IP Local Traffic Manager (LTM) gives you just that. In the following sections, you will get an idea of just some of the ways BIG-IP LTM can offload and improve on your complex authentication processes.

Certificate Revocation: Online Certificate Status Protocol

From basic server-side SSL (the "S" in HTTPS) to full-blown smart card deployments, Public Key Infrastructure (PKI) has become a cornerstone of authentication methodologies, especially in the government, financial, and medical sectors. PKI is based on a chain of trust from certificate issuer to certificate holder. In server-side PKI, the client relies on the server by trusting its certificate and the issuer(s) of that certificate. In client-side PKI, the server trusts the client by validating the trust chain and, optionally, the revocation status of the client's certificate. A certificate authority (CA) publishes a certificate revocation list (CRL) to indicate the revocation status of certificates it has issued. A CRL is a signed, DER-encoded list of revoked certificate serial numbers (with revocation dates and optional reason codes), and depending on the level of activity of a particular CA it can grow rather large. In order for a web server to validate the revocation status of a client certificate against a CRL, it must first download the whole list. CRLs can be cached locally until their next-update time, but a potentially large file must still be parsed, or held in memory, and searched for each and every client certificate access request.

Enter Online Certificate Status Protocol (OCSP). An OCSP responder holds the CA's revocation data (typically the same CRL) and answers status requests for single certificates, returning a signed response of good, revoked, or unknown. The server need only ask for the status of the certificate in front of it. Not every application supports OCSP natively, however, so applications often rely on third-party utilities installed locally to handle the requests.
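The difference between the two lookups, and the fail-over and fail-closed behaviour a consumer has to layer on top of OCSP, is easier to see in code. The following Python is an added example for this brief, not BIG-IP code: it models a CRL lookup, an OCSP responder pool with priorities and health state of the kind this section goes on to describe, and the freshness and signature checks every OCSP consumer must apply. The CRL contents, responders and responses are constructed in memory; nothing is fetched over the network.

```python
"""Added example (not BIG-IP code): revocation checking against a CRL versus an
OCSP responder pool with priorities and health state, as a terminating proxy
would apply it. CRL contents, responders and responses are constructed
in-memory stand-ins; nothing is fetched over the network."""
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass
class CRL:
    """The CRL path: the whole signed list must be fetched and held before any lookup."""
    issuer: str
    this_update: int
    next_update: int
    revoked_serials: set

    def status(self, serial: int, now: int) -> str:
        if not (self.this_update <= now < self.next_update):
            raise ValueError("CRL is outside its validity window; refetch before deciding")
        return REVOKED if serial in self.revoked_serials else GOOD


@dataclass
class OCSPResponse:
    """One answer about one certificate. signer_ok stands for a verified
    signature from the CA or its delegated responder certificate."""
    serial: int
    status: str
    this_update: int
    next_update: int
    signer_ok: bool


@dataclass
class Responder:
    name: str
    priority: int                 # higher is preferred (priority-group style)
    healthy: bool                 # what a health monitor currently reports
    answers: dict = field(default_factory=dict)   # serial -> OCSPResponse (constructed)

    def query(self, serial: int) -> OCSPResponse:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        # A responder with no record answers 'unknown'; the zero window makes it stale too.
        return self.answers.get(serial, OCSPResponse(serial, UNKNOWN, 0, 0, True))


def ordered_members(pool):
    """Health-monitored members only, preferred priority group first."""
    return sorted((r for r in pool if r.healthy), key=lambda r: -r.priority)


def ocsp_status(pool, serial: int, now: int, hard_fail: bool = True) -> str:
    """Ask responders in preference order; only a fresh, signed, definite
    answer counts. Anything else is 'not proven good'."""
    for responder in ordered_members(pool):
        try:
            resp = responder.query(serial)
        except ConnectionError:
            continue                                   # monitor lag: fail over
        if not resp.signer_ok:
            continue                                   # unsigned answer is not evidence
        if not (resp.this_update <= now < resp.next_update):
            continue                                   # a stale 'good' could be a replay
        if resp.status == UNKNOWN:
            continue                                   # no record here; ask the next member
        return resp.status
    if hard_fail:
        raise RuntimeError("no authoritative revocation status; refusing the certificate")
    return GOOD          # soft fail: availability chosen over assurance, deliberately
```

Note that ordering matters: a higher-priority member that says "revoked" wins over a lower-priority one that still says "good", and a stale "good" answer is never accepted. The hard_fail flag is the policy decision described in the text; the default here fails closed.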
In any case, it is another layer of complexity that runs alongside your application, consuming valuable resources.

BIG-IP LTM offloads OCSP checks, and the burden of software SSL termination, completely from the application server (in exchange for faster hardware SSL). By offloading this task, you reclaim precious resources and gain a single enforcement point in front of all of your client certificate-based applications: the backend never sees a connection whose certificate has not already been validated. Whoever performs the check must also verify the responder's signature and the response's validity window, and must decide what happens when no responder can be reached. Failing open quietly accepts revoked certificates; failing closed turns a responder outage into an application outage. That trade-off is what makes responder availability a security question as much as an operational one.

Additionally, the typical configuration for an OCSP client, be it the application or a third-party tool, is simply to list all of the OCSP services available to service status requests. If the selected OCSP server is incapable of servicing a request, the OCSP client must select another OCSP server and try again. With BIG-IP LTM you can create a pool of intelligently load balanced OCSP services and apply health monitors to ensure that your requests are not sent to crippled servers. Consequently, if you

have your own OCSP services, or rely on other agencies' services, you can also prioritize the pool members so that the remote services are not used unless the primary services are gone: a true high availability OCSP solution.

[Figure: BIG-IP Local Traffic Manager between User and Applications, querying an OCSP pool (with health monitors) made up of Local OCSP, Adjacent OCSP, and Remote OCSP responders.] Load balancing, monitoring, and prioritizing OCSP services.

The Mighty HTTP Header

As simple as it seems, the HTTP header offers unparalleled power and flexibility for passing critical information to your application. Many commercial applications from vendors like Oracle, IBM, CA, and SAP can natively accept authentication data in HTTP headers. BIG-IP LTM provides this flexibility. After passing a client certificate through an OCSP check, BIG-IP LTM can examine the full X.509 contents of the certificate; pull out, parse, re-order, and rebuild any pieces of data it needs; and pass those to the application as HTTP headers. Because BIG-IP LTM is in complete control of this authentication data, a rogue client cannot inject its own HTTP headers to spoof the system. That guarantee rests on two configuration details that are easy to get wrong: the proxy must strip (or unconditionally overwrite) any client-supplied header of the same name, in any letter case, before inserting its own, and the application must accept these headers only on connections that arrive from the proxy, since anyone who can reach the application directly can otherwise set them.

[Figure: User presents a certificate to BIG-IP Local Traffic Manager, which checks OCSP and inserts HTTP headers for the application. Example headers: Common Name; Subject Alternative Name; Electronic Data Interchange Personal Identifier (EDIPI) number; Email Address; Certificate Validity Dates; Issuer CA.] Inserting authentication data into HTTP headers.
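To make the "a rogue client cannot inject headers" guarantee concrete, here is an added Python example of the header-insertion step. It is not BIG-IP code or an iRule: it derives identity headers from fields already extracted from a verified certificate, and shows a naive merge that leaves a client-supplied header alive beside the hardened strip-then-insert version. The certificate fields, the X-Client-* header names and the request are constructed for the demo; the EDIPI extraction assumes the DoD CAC common-name layout LAST.FIRST.MIDDLE.EDIPI.

```python
"""Added example (not BIG-IP code): identity headers derived from a verified
client certificate, with a vulnerable merge beside the hardened insertion.
Certificate fields, header names and requests are constructed for the demo."""
import re

# Headers the backend will trust. Every one of them is owned by the proxy.
IDENTITY_HEADERS = ("X-Client-CN", "X-Client-EDIPI", "X-Client-Email",
                    "X-Client-Not-After", "X-Client-Issuer")


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 style DN ('CN=...,OU=...,O=...') into attribute -> [values]."""
    out = {}
    for part in re.split(r'(?<!\\),', dn):
        key, _, value = part.partition('=')
        out.setdefault(key.strip().upper(), []).append(value.strip().replace('\\,', ','))
    return out


def edipi_from_cn(cn: str):
    """Assumes the DoD CAC layout LAST.FIRST.MIDDLE.EDIPI; the trailing 10 digits are the EDIPI."""
    match = re.search(r'\.(\d{10})$', cn)
    return match.group(1) if match else None


def headers_from_cert(cert: dict) -> dict:
    """Build the proxy-owned headers from fields the TLS layer already extracted."""
    cn = parse_dn(cert["subject"]).get("CN", [""])[0]
    return {
        "X-Client-CN": cn,
        "X-Client-EDIPI": edipi_from_cn(cn) or "",
        "X-Client-Email": ",".join(cert.get("san_emails", [])),
        "X-Client-Not-After": cert["not_after"],
        "X-Client-Issuer": parse_dn(cert["issuer"]).get("CN", [""])[0],
    }


def forward_vulnerable(client_headers: dict, cert: dict) -> dict:
    """'Before': keep what the client sent and only add values we have.
    A header with a different letter case, or one we had no value for, survives."""
    out = dict(client_headers)
    out.update({k: v for k, v in headers_from_cert(cert).items() if v})
    return out


def forward_hardened(client_headers: dict, cert: dict) -> dict:
    """'After': strip every identity header the client sent (case-insensitively),
    then insert ours unconditionally, empty values included."""
    owned = {h.lower() for h in IDENTITY_HEADERS}
    out = {k: v for k, v in client_headers.items() if k.lower() not in owned}
    out.update(headers_from_cert(cert))
    return out


# Constructed inputs: fields from a verified certificate, and a request from a
# client trying to pre-seed the identity headers with someone else's identity.
CERT = {
    "subject": "CN=DOE.JANE.Q.1234567890,OU=CONTRACTOR,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "issuer": "CN=DOD EXAMPLE CA-01,OU=PKI,OU=DoD,O=U.S. Government,C=US",
    "san_emails": ["jane.q.doe@example.mil"],
    "not_after": "2012-06-30T23:59:59Z",
}
CLIENT_HEADERS = {
    "Host": "portal.example.mil",
    "X-Client-CN": "ADMIN.SITE.0000000001",
    "x-client-edipi": "0000000001",
}
```

The vulnerable path ends up with both X-Client-EDIPI and x-client-edipi in the forwarded request; whichever the application reads first decides who the user is. Even the hardened version only holds if the application refuses these headers from any source other than the proxy.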

Kerberos: The Microsoft Link

Kerberos is a complex protocol with a long, technical (and mythological) history. It is also the de facto authentication mechanism for many Microsoft products, like SharePoint and Outlook. In its simplest form, Kerberos creates a cryptographic system of mutual authentication, a system of "tickets," where each entity (client and server) grants ultimate authority to, and shares an encryption key with, a third party: the Kerberos Key Distribution Center (KDC), commonly played by a Microsoft Active Directory domain controller. Originally designed to support username/password-based systems, Kerberos has also been extended to support public key cryptography (PKINIT). In fact, in order to authenticate to most Microsoft applications using PKI certificates, Kerberos must be involved. This is generally not a problem when the client and server are inside the domain and both able to communicate with, and get tickets from, the KDC/domain controller.

What about clients outside the domain? It is a fair statement that most web applications are served primarily to clients outside the server's environment. Kerberos simply fails if the client cannot talk to the same domain controller(s). For that reason, Microsoft created Kerberos Protocol Transition (KPT). KPT enables non-Kerberos clients (clients unable to get Kerberos tickets from the server's domain controller) to pass through a service that "transitions" the client's authentication (whatever it may be) into a true Kerberos authentication request. The service effectively impersonates the client for all Kerberos transactions: having authenticated the client by some other means, it uses its own domain credentials to request from the KDC a ticket in the client's name to itself (the S4U2Self extension), then exchanges that ticket for one to the backend application (S4U2Proxy, the mechanism behind constrained delegation). The KDC permits this only for service accounts explicitly marked as trusted for protocol transition, and only towards the backend services listed for delegation. It is a complicated interaction to say the least, and until recently was only available with Microsoft Internet Security & Acceleration (ISA) server.
While ISA has an impressive feature list, it is software running on a general purpose operating system (Microsoft Windows Server), which means it is highly dependent on the general purpose hardware platform on which it is installed and must be hardened, patched, and maintained frequently. Moreover, because ISA requires the entire client certificate to enable KPT, it must also terminate the SSL stream: the client certificate is presented inside the TLS handshake, so only the endpoint that terminates the connection ever sees it. Terminating SSL anywhere else simply breaks password-less client certificate authentication.

If SSL cannot be terminated upstream by a load balancer, load balancing persistence becomes increasingly unreliable (the source IP address is the only available object to persist on, and that is not reliable across public networks where many clients share a NAT address). No persistence, no load balancing, no ability to scale. BIG-IP LTM enables Kerberos Protocol Transition. With the combination of SSL offloading, certificate revocation checks, and header passing, as well as the ability to transition a client's non-Kerberos requests into full domain Kerberos requests, BIG-IP LTM enables your architecture to scale horizontally and securely.
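The exchange described above, played out end to end, as an added Python example that is not part of the original brief and is not BIG-IP or Windows code: a toy KDC carrying the two delegation attributes that gate protocol transition, a front end that has already verified a client certificate, and a backend that checks the AP-REQ it receives. The encryption is a demo encrypt-then-MAC construction standing in for a Kerberos encryption type, and all principals and keys are constructed.

```python
"""Added example: toy Kerberos protocol transition (S4U2Self followed by S4U2Proxy).
Not BIG-IP or Windows code; seal/unseal is a demo construction, not a real
Kerberos etype, and every principal and key below is constructed."""
import hashlib, hmac, json, os


def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object as nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad ticket or authenticator (wrong key or tampered)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Domain controller role: every principal's long-term key plus the two
    account attributes that gate protocol transition and constrained delegation."""
    def __init__(self, keys, trusted_to_auth_for_delegation, allowed_to_delegate_to):
        self.keys = keys                                  # principal -> long-term key
        self.t2a4d = trusted_to_auth_for_delegation       # accounts permitted S4U2Self
        self.a2d = allowed_to_delegate_to                 # account -> SPNs it may reach

    def _ticket(self, cname, sname, now):
        skey = os.urandom(32)                             # fresh session key
        tkt = seal(self.keys[sname], {"cname": cname, "sname": sname,
                                      "key": skey.hex(), "exp": now + 600})
        return tkt, skey

    def as_exchange(self, cname, preauth, now):
        """AS-REQ/AS-REP: the requester proves its own key with a keyed timestamp."""
        expect = hmac.new(self.keys[cname], str(now).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(preauth, expect):
            raise PermissionError("pre-authentication failed")
        return self._ticket(cname, "krbtgt", now)         # TGT + TGT session key

    def tgs_exchange(self, tgt, authenticator, sname, now, for_user=None, evidence=None):
        """TGS-REQ/TGS-REP, including the two S4U extensions."""
        t = unseal(self.keys["krbtgt"], tgt)
        requester, tkey = t["cname"], bytes.fromhex(t["key"])
        if t["exp"] <= now or unseal(tkey, authenticator)["cname"] != requester:
            raise PermissionError("invalid TGT or authenticator")
        if for_user is not None:          # S4U2Self: a ticket for the user, to the requester itself
            if requester not in self.t2a4d:
                raise PermissionError(f"{requester} is not trusted for protocol transition")
            return self._ticket(for_user, requester, now)
        if evidence is not None:          # S4U2Proxy: swap user->requester for user->backend
            ev = unseal(self.keys[requester], evidence)
            if sname not in self.a2d.get(requester, ()):
                raise PermissionError(f"{requester} may not delegate to {sname}")
            return self._ticket(ev["cname"], sname, now)
        return self._ticket(requester, sname, now)        # ordinary service ticket


def ap_exchange(service_key, ticket, authenticator, now):
    """AP-REQ as verified by the backend: returns the client principal it should trust."""
    t = unseal(service_key, ticket)
    if t["exp"] <= now:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["cname"] != t["cname"] or abs(auth["ts"] - now) > 300:
        raise PermissionError("authenticator does not match ticket")
    return t["cname"]      # a real service also keeps a replay cache of authenticators


def protocol_transition(kdc, proxy, proxy_key, user, backend, backend_key, now):
    """What the front end does once it has verified the user's certificate itself."""
    preauth = hmac.new(proxy_key, str(now).encode(), hashlib.sha256).digest()
    tgt, tkey = kdc.as_exchange(proxy, preauth, now)                  # proxy's own TGT
    auth = lambda: seal(tkey, {"cname": proxy, "ts": now})
    self_tkt, _ = kdc.tgs_exchange(tgt, auth(), proxy, now, for_user=user)          # S4U2Self
    svc_tkt, skey = kdc.tgs_exchange(tgt, auth(), backend, now, evidence=self_tkt)  # S4U2Proxy
    return ap_exchange(backend_key, svc_tkt, seal(skey, {"cname": user, "ts": now}), now)


def demo(trusted=True):
    """Constructed domain: the proxy's SPN is (or is not) trusted for protocol transition."""
    keys = {"krbtgt": os.urandom(32), "HTTP/bigip.example.com": os.urandom(32),
            "HTTP/sharepoint.example.com": os.urandom(32)}
    kdc = KDC(keys, {"HTTP/bigip.example.com"} if trusted else set(),
              {"HTTP/bigip.example.com": {"HTTP/sharepoint.example.com"}})
    return protocol_transition(kdc, "HTTP/bigip.example.com", keys["HTTP/bigip.example.com"],
                               "jane@EXAMPLE.COM", "HTTP/sharepoint.example.com",
                               keys["HTTP/sharepoint.example.com"], now=1_000_000)
```

The backend ends up trusting jane@EXAMPLE.COM even though Jane never spoke Kerberos; the proxy's own identity appears only in its TGT. Removing the proxy from the trusted-for-delegation set makes the KDC refuse the S4U2Self step, which is the control that stops any compromised domain member from minting tickets for arbitrary users.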

[Figure: a non-Kerberos client connects to BIG-IP Local Traffic Manager, which checks OCSP and performs Kerberos authentication with the Domain Controllers before passing the request to Outlook, Windows SharePoint Services and other applications.]

KPT process:
1. Client requests access to SharePoint via BIG-IP LTM and presents its certificate.
2. BIG-IP LTM validates the certificate and generates an authentication service request (AS-REQ) to the domain using its own service account credentials.
3. Domain returns a Ticket Granting Ticket (TGT in the AS-REP) to BIG-IP LTM.
4. BIG-IP LTM generates a Ticket Granting Service request (TGS-REQ) to the domain, passing the TGT and naming the client it has authenticated (S4U2Self), then exchanges the resulting ticket for application access (S4U2Proxy).
5. Domain returns a service ticket for the requested application, issued in the client's name (TGS-REP).
6. BIG-IP LTM generates an application request (AP-REQ) to the application, passing the service ticket.
7. Application returns its authenticator (AP-REP), optionally, and the requested content.
Kerberos protocol transition on BIG-IP LTM.

Ultimate Power and Flexibility with iRules

F5's iRules scripting language is a patented F5 "network programming" environment. Based on the industry standard Tool Command Language (Tcl), iRules provide a simple, event-driven scripting solution for all layer 4 to layer 7 data passing through BIG-IP LTM. This means you can programmatically read, write, and modify any data, for any protocol, in either direction. Want to redirect clients to HTTPS when they type HTTP in the browser? Or redirect clients to a different URL when they make specific requests? Need to inject, modify, or remove HTTP headers or cookies between the client and server? How about scrubbing social security and credit card numbers from outbound data to the client? All of these can be handled easily with iRules.

Most of the authentication mechanisms are available right from the administration utility.
Additional code assistance can be found on F5's developer community, DevCentral, which offers hundreds of working code samples and a user community of more than 60,000 IT professionals.

In addition, all of the authentication capabilities discussed thus far are accessible via iRules, and provide a virtual playground of possibilities. Take the results of an OCSP request, the contents of the client certificate, and perhaps an LDAP call, and push that data out as HTTP headers carrying both authentication and authorization information. Make application routing decisions based on the issuer or type of client certificate (smart card or software certificate). Access a database of credentials (or some identity management provider) and transparently post those credentials to a login form. Turn an application with weak, single-factor authentication into a secure multi-factor titan. Create an entire single sign-on environment across multiple applications, regardless of their individual implementations. Mix and match any of these ideas and others to create complex, rich, and secure authentication mechanisms for all of your applications.

[Figure: Client Certificate, LDAP/AD, HTTP Headers, Form and Single Sign-On arranged around BIG-IP Local Traffic Manager.] Authentication possibilities with BIG-IP LTM and iRules.

Other authentication capabilities in BIG-IP LTM include the ability to query an LDAP directory or Active Directory for username/password or certificate-based credentials. BIG-IP LTM also includes native support for RADIUS, TACACS+, CRLDP (certificate revocation list distribution point), and KCD (Kerberos constrained delegation). KCD is the companion to KPT: where KPT lets BIG-IP LTM obtain a ticket for a client that authenticated by some other means, KCD restricts the backend services to which BIG-IP LTM may present tickets on that client's behalf, and it applies equally when clients and servers are inside the domain. BIG-IP LTM acts as a Kerberos proxy/forwarder when load balancing is required inside a network. Leveraging the flexibility of iRules and the built-in authentication capabilities of BIG-IP LTM, you can create a rich and secure enterprise client certificate single sign-on solution spanning all of your applications.

Secure Connections with BIG-IP Access Policy Manager

The F5 BIG-IP Access Policy Manager (APM) provides users with secured connections to BIG-IP LTM virtual servers, specific web applications, or the entire corporate network. By leveraging standard web browsers and security technology, BIG-IP APM enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on the user's system. BIG-IP APM features and capabilities include:

- Standard browser support
- Enhanced privacy protection with RC4, Triple DES, and AES encryption (a 2010 list: RC4 is now prohibited for TLS by RFC 7465 and Triple DES is subject to the Sweet32 birthday attack, so only AES suites should be enabled today)
- Network access (an SSL VPN capability)
- Web application access (network access constrained to specific web applications)

- Client endpoint security (client firewall, antivirus, registry/file settings, and more)
- Full session auditing
- High availability and scalability
- A state-of-the-art visual policy editor
- Enhanced authentication capabilities

BIG-IP APM can perform authentication, authorization, and accounting (AAA) using standard AAA methods, including LDAP directories, Microsoft Active Directory and Windows domain servers, RADIUS servers, and HTTP authentication. BIG-IP APM also supports native RSA SecurID authentication, signed client digital certificates to authenticate devices, and native Oracle Access Manager (OAM) client/proxy functions.

[Figure: The BIG-IP APM visual policy editor.]

Conclusion

Your applications are critical to your business. Authentication and security are as important as performance and scalability. With BIG-IP LTM, you can offload and consolidate your authentication mechanisms and remove the complexity and heavy burden from already overloaded servers, improving application performance and security.

F5 Networks, Inc., 401 Elliott Avenue West, Seattle, WA 98119
© 2010 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and iRules are trademarks or registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. CS06-00011 0510