Proxy based assertion

From Deletionpedia.org: a home for articles deleted from Wikipedia
Jump to: navigation, search
This article was considered for deletion at Wikipedia on June 15 2016. This is a backup of Wikipedia:Proxy_based_assertion. All of its AfDs can be found at Wikipedia:Special:PrefixIndex/Wikipedia:Articles_for_deletion/Proxy_based_assertion, the first at Wikipedia:Wikipedia:Articles_for_deletion/Proxy_based_assertion. Purge

Wikipedia editors had multiple issues with this page:

Template:Prose

The topic of this article may not meet Wikipedia's general notability guideline. But, that doesn't mean someone has to… establish notability by citing reliable secondary sources that are independent of the topic and provide significant coverage of it beyond its mere trivial mention. (June 2016)
DPv2 loves original research.

Primary sources Template:No footnotes oooh, orphan In computer security, proxy based assertion (PBA) is a secure method of using a single entry point for a proxy server to pass assertionTemplate:Disambiguation needed data for access control and authorization using the headers to other systems. It's designed to allow internal systems to receive assertion details (e.g. user, role, customer ID) without the need to decrypt or verifyTemplate:Disambiguation needed a digital signature, or to contact a different systemTemplate:Clarify to verify a token. This method is used for legacy systems, environments (old and new) running more than one operating system or areas where changes to applications or web applications are not possible or expensive.

Requirements

  1. All inbound traffic MUST go via the assertion proxy as the only entry point into the data center/systems using assertion data.
  2. Access MUST be protected by a firewall to prevent ANY access to the systems not via the proxy and as such direct access of any entity should not be allowed if bypassing the assertion proxy.
  3. The proxy must be a bastian host, fully patched and updated at all times, fully hardened, must only be used for this purpose.
  4. A WAF is suggested as an additional protection layer before the proxy.
  5. Communications should be securely encrypted in motion.
  6. All systems should be secure per the OWASP top 10 and other security publications and recommendations.

Mechanism

Unauthenticated user

  1. User reach's proxy requesting a protected resource/any resource (depending on solution needs)
  2. Proxy authenticates user in a secure manner (internally or using other system intended for that purpose)
  3. Proxy creates a secure cookie on the users browser
  4. Proxy removes ALL headers
  5. Proxy injectes assertion headers (e.g. user, user role, user IP)
  6. Proxy forwards to the target system
  7. Target system parses assertion headers and implicitly trusts them, having verified the packet source IP is from the proxy

Authenticated user

  1. User reach's proxy requesting a protected resource/any resource (depending on solution needs)
  2. Proxy parses received cookie in header
  3. Proxy verifies cookie and session validity
  4. Proxy removes ALL headers
  5. Proxy injectes assertion headers (e.g. user, user role, user IP)
  6. Proxy forwards to the target system
  7. Target system parses assertion headers and implicitly trusts them, having verified the packet source IP is from the proxy

References

External links