The Barracuda Web Application Firewall:

Enhancing CA SiteMinder Deployments


Introduction

Modern DMZs are being architected to enable a single point of policy enforcement and control. Data center teams need to ensure that all user traffic entering the DMZ will not cause any harm or deliver any attack to the application servers. A comprehensive application access control system should:
  • Validate that the client is known through authentication
  • Validate that the client is accessing only authorized resources
  • Track accesses to the application with session monitoring and tracking
  • Protect against rogue clients attempting identity theft and data theft
  • Once the client does not have the posture for remediation – blacklisting, increased logging levels, forced re-authentication

Operationally, the system must enable flexible use of any existing AAA system, enable comprehensive Single Sign-On (SSO), and be scalable to large user communities.

Simple and Versatile Solutions for Application Access Control

Barracuda Web Application Firewalls protect Internet-exposed web and web service applications from attack, while also increasing the performance and responsiveness of those applications. The product consists of a suite of application security and acceleration functionality. The Barracuda Web Application Firewall provides comprehensive Authentication, Authorization and Accounting (AAA) capabilities that simplify certificate management, authentication, authorization and single sign-on. It can be used either to implement basic authentication and authorization capabilities (including Single Sign-On) or to greatly enhance the value that an enterprise gets from implementing enterprise-class Web Access Management and Identity Access Management solutions like CA SiteMinder.

A Low Cost Front-End Portal for Single Sign-On

Barracuda Web Application Firewalls offer a simple yet powerful single point of entry for multi-application access. Simple Single Sign-On (SSO) is enabled by combining the appliance’s authentication and authorization capabilities with Web Address Translation and Cookie Session Management features. Users experience access through a single web portal, and operators don’t need to change source code, IP addressing or the server infrastructure. Authentications are logged and user credentials are forwarded in the HTTP header, making integration with backend applications simple and scalable.

A Scalable Solution for Deploying CA SiteMinder

When enterprises require powerful, fine-grained access control to application resources with a large user community, they often implement robust enterprise-class SSO solutions such as CA SiteMinder. Barracuda Web Application Firewalls offer full-scale integration with CA SiteMinder. The integration encompasses authentication, authorization and single sign-on capabilities in single-domain and multi-domain environments, along with performance enhancements. Deploying SiteMinder using the Barracuda Web Application Firewall reduces implementation complexity and improves transactional throughput. The Barracuda Web Application Firewall serves as the single high-performance Policy Enforcement Point, allowing the SiteMinder suite to focus on its role as the Policy Decision Point (PDP). Major benefits of the solution include:
  • Perform authentication/authorization functions further out in your security perimeter. The Barracuda–CA integration removes the need to install CA web agents on every server, thus reducing the management complexity.
  • Enforce Single User Session. For large deployments, multiple Barracuda Web Application Firewalls can be used to provide Single Sign-On capability for a host of applications. In this setup, users can use different client machines to create multiple active sessions for a given user. Multiple Barracuda Web Application Firewalls share session state information to prevent the same user from logging in multiple times.
  • Increase the Breadth of CA SiteMinder usage. Offloading SSO to the Barracuda Web Application Firewall extends CA SiteMinder capability to applications not designed for remote access. This allows organizations to apply identity management policies to internal or legacy applications.
  • Create fault-tolerant architecture. Barracuda Web Application Firewalls support multi-policy-server deployment via the Host Configuration Object (HCO) setting of the policy servers. If one policy server cannot be reached, the Barracuda Web Application Firewall connects with one of the other policy servers specified in the HCO.
  • Improve operational efficiency. Deploying the Barracuda Web Application Firewall obviates the need for installing the SiteMinder web agents on the multiple web servers that are used to serve the application. The custom integration with CA SiteMinder enables the Barracuda Web Application Firewall to query user properties from the policy server and make them available to the applications using HTTP headers.
  • Reduce management overhead. With only the Barracuda Web Application Firewall accessing the SiteMinder policy server, the network setup is cleaner, making the network more manageable and easier to troubleshoot.
  • Provide an integrated view. Most of the applications are developed independently. Using the extensive content rewriting capabilities of the Barracuda Web Application Firewall, organizations can provide an integrated, single-domain view to the external world even though the individual applications may be using multiple different domains.
  • Gain visibility. Active SiteMinder sessions are tracked on the Barracuda Web Application Firewall. This gives the administrator a point-in-time view of the number of active users accessing the resources protected by the Barracuda Web Application Firewall and CA SiteMinder.
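
Both the front-end portal section and the operational efficiency point above rely on the firewall passing user identity to applications in HTTP headers, so a backend without a web agent has to accept that identity only from the enforcement point. The sketch below is an added example, not Barracuda or CA code: a Python WSGI middleware that honours the identity header only when the TCP peer is the firewall. The header name `X-Authenticated-User` and the address `10.0.0.5` are assumptions.

```python
import ipaddress

# Assumptions (not from the page): the header name and the WAF address.
IDENTITY_HEADER = "HTTP_X_AUTHENTICATED_USER"  # WSGI key for X-Authenticated-User
TRUSTED_WAF_NETS = [ipaddress.ip_network("10.0.0.5/32")]


def from_trusted_waf(remote_addr):
    """True only if the TCP peer is one of the enforcement points."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_WAF_NETS)


class TrustedIdentityMiddleware:
    """Reject requests whose identity header did not arrive via the WAF."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = environ.get(IDENTITY_HEADER, "").strip()
        if not from_trusted_waf(environ.get("REMOTE_ADDR", "")) or not user:
            # A header sent around the firewall is attacker-controlled input.
            environ.pop(IDENTITY_HEADER, None)
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access not permitted\n"]
        environ["app.user"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["app.user"]).encode()]


def simulate(remote_addr, headers):
    """Run one constructed request through the middleware; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    environ.update(headers)
    seen = {}

    def start_response(status, response_headers):
        seen["status"] = status

    body = b"".join(TrustedIdentityMiddleware(demo_app)(environ, start_response))
    return seen["status"], body
```

The same trust boundary should be backed at the network layer, so that application servers accept connections only from the firewall.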