The Airlock Implementation Guide summarizes the most important steps to successfully install and integrate Airlock into a given environment. As a checklist and reference guide it helps the administrator to identify critical tasks early before the integration process. This way, all required preparations can be made and the needed information for the Airlock configuration can be gathered.
The implementation guide presents an ordered checklist for an Airlock administrator. It is recommended to be used as a reference when installing and integrating Airlock. Even for experienced administrators it is a helpful tool to make sure that all aspects of the Airlock deployment are considered. The following checklist should be verified in the listed order before installing an Airlock. Please refer to the Airlock Administrator’s Online Manual regarding configuration and installation details.
A technical description of the hardware requirements can be found in in the OnlineHelp manual chapter System and hardware requirements.
The hardware requirements depend partly on the characteristics of the Web application environment to be protected and on how many people access the application in parallel. An application that transfers huge amounts of data with very high request frequencies needs more powerful hardware than a less used standard Web application. Please contact Airlock support for a detailed hardware recommendation based on the Web environment specificaton.
Any Airlock hardware always requires at least one network interface and a CD/DVD-ROM drive to install from CD. Alternatively, Airlock can be installed from a network boot image. In that case, no CD-ROM drive is required.
Airlock automatically supports disk mirroring if two disks are installed in the system. Ergon strongly recommends taking advantage of the disk mirroring feature.
To handle more than several thousand concurrent sessions it is recommended to use multiple Airlock instances in a load-balanced network environment with a network load balancing device. One single Airlock can be scaled up to approx. 10'000 concurrent sessions on the appropriate hardware. Typically it is more efficient to implement a load balanced scenario with multiple instances that also offers failover clustering. Please contact Ergon for discussing Airlock configurations for very high traffic volumes.
If it is not intended to use SSL communications this section may be skipped. Airlock provides internal example certificates to start installing and using Airlock right away. Custom SSL server certificates should be installed on Airlock for productive usage. The custom SSL server certificate has to be obtained independent of Airlock. Airlock does not provide SSL server certificate generation tools. Please visit the SSL server certificate issuer’s Web site for information on how to create your own SSL server certificate.
Airlock is independent from application servers and protects any Web application that complies with standard Web environment requirements. To be successfully protected by Airlock, an application should comply with the following standards and best practices in Web application environments. Specifically, a Web application
There are ways to still protect Web applications with Airlock that violate some or all of these equirements. However, Airlock may not deliver full protection for those or the flexibility in the configuration may be restricted.
Please skip this section if the Airlock installation will not use the authentication enforcement mechanism to handle authenticated sessions on Airlock. There are several issues to be considered when integrating Airlock to an authentication service and using Airlock to perform the authentication enforcement. Authentication enforcement specifically involves the following tasks that need to be handled correctly depending on specific customer requirements:
The most important component involved with authentication verification is the Web based authentication service. The Web authentication service is not included in the Airlock Application Security Gateway itself. It is a special backend application that is responsible to authenticate the user by performing the needed authentication verification with the user directory. The Web authentication service performs the authentication and uses the backend control API of Airlock to modify the user’s session attributes according to the authentication result.
Airlock makes it possible to decide on the authentication method independent of the backend applications and independent of Airlock. Especially, there are different authentication services possible in parallel. Please refer to the Airlock Authentication Service Manual and the Airlock Administrator’s Online Manual for more details on the Web authentication service. The authentication service can either run on Airlock itself or within a servlet container on a backend server behind Airlock.
Best practice is to use a dedicated Authentication Service independent from the applications. We provide such an Authentication Service to Airlock customers, the Airlock Authentication Service. It supports standard authentication mechanisms such as LDAP, MSAD, RADIUS or ACE. It is easily possible to add customized authentication support to the Authentication Service for special authentication mechanisms like a customer specific TAN verification or an OCSP PKI service. It is also possible to use an existing Authentication Service of an application and integrate it with Airlock so that it uses the backend Airlock Control API.
The following questions must be answered to define the login process with Airlock:
Once the user is authenticated, the login information has to be propagated into the backend application so that the user does not need to authenticate again. There are three possibilities to propagate the user login to backend applications. Depending on the application, not all of them may be used. The list represents the recommended order of preference when integrating Airlock with backend applications:
Successfully deployed examples are:
Performing a secure logout is as important as the authentication of the user itself. The authentication service must provide a logout command that uses the backend control API of Airlock to terminate the session. There are three possibilities to enable secure logout mechanisms with Airlock:
Any additional account editing functionality such as password change needs to be provided in a corresponding Web service or by the application.
After verifying all above items the following Airlock installation preparations should be made:
Follow the instructions in the Quick Start Guide to install Airlock on the desired hardware plattform. No operating system is necessary prior to install Airlock.
After installing Airlock it is recommended to configure Airlock the following way:
The most important configuration part includes setting up virtual hosts and application mappings to enable access to applications through Airlock. Airlock makes it possible to present an application through a virtual host and a virtual URL mapping completely independent of the internal network architecture. The required roles/credentials specify if a user needs to be authenticated to access the application.
An application mapping defines which URL on which virtual host is mapped to which backend host and URL. The internal network topology is not exposed to the external network. Additional virtual hosts or application mappings can be added easily in the Web based Configuration Center of Airlock.
Airlock supports name-based virtual hosts including SNI for virtual hosts using SSL. This means that several different hostnames can share the same IP address.
Be aware that not all browsers and operating systems support SNI. Therefore it is recommended using separate IP addresses for different virtual hosts using SSL.Please refer to the Administrator’s Online Manual on your Airlock for further details on configuring virtual hosts and application mappings in Airlock.
Make sure to configure the cookie protection settings according to the application requirements. As a default, all cookies are stored in the secure cookie store of Airlock. Airlock also provides encrypted cookies or plaintext cookies if desired.
Airlock provides complete cookie protection for backend applications. By default, all cookies created by an application are stored in the secure cookie store of Airlock and they are not sent to the client browser. This default setting provides the highest level of cookie protection. If the application needs certain cookies to be transferred to the client because they are valid throughout the user’s session on Airlock, those cookies can be encrypted. Please refer to the cookie settings page in the Airlock Administrator’s Online Manual for detail on passing cookies to the client browser.
Unfiltered HTTP traffic causes dangerous threats to Web applications. The HTTP protocol as well as the Web application server, its components and the business logic are too complex and versatile. A specific Web application only requires a small set of valid HTTP requests and data being sent. Many attack and manipulation methods can be successfully prevented if the HTTP traffic is filtered before it gets to the server.
In order to successfully filter the HTTP traffic, the filter rules need to be configured for each application. This section explains the filter engine and how to configure it successfully.
Airlock provides a powerful 2-stage filter engine to successfully filter invalid and malicious requests to protect the applications.
The first filter stage consists of whitelist filter rules that describe what kind of requests is valid for a specific application. A request must satisfy at least one whitelist filter rule with corresponding path pattern to pass. It is possible to increase the security of an application significantly by specifying appropriate whitelist filter rules with minimum effort. An authentication service must be accessible for anonymous users. Using the whitelist filter rules, it is possible to strictly define the acceptable authentication requests – and nothing else. In case of the authentication service which is typically a very small and simple Web application, the definition of these whitelist rules is straight forward.
The following examples illustrate what can be defined by whitelist filter rules:
Stage 1 can only be configured with knowledge of the application’s business logic to define the valid request range. It is similar to firewalls network connections are configured that are allowed between two IP addresses or networks. The Airlock filter provides more filter conditions than shown in these examples. Please refer to the Airlock Administrator’s Online Manual for detailed configuration options.
The second filter stage compares the request data against denied filter patterns. If one of the deny filter rules matches, the request is blocked.
Typical examples for blacklist filter patterns are the following:
The Airlock filter provides more filter conditions than shown in these examples. Please refer to the Airlock Administrator’s Online Manual for detailed configuration options.
Both Airlock filter stages allow defining filter patterns on various HTTP request components such as the source IP address, HTTP content type, HTTP method, HTTP Headers, URL and the parameter names and values. Regular expression based filter patterns offer the most powerful, flexible and efficient way to build such filter rules.
To successfully configure the powerful filters of Airlock, the following steps are needed for each application. Depending on the complexity of the application it may take between 20 minutes and 3 – 4 hours to configure the filters in all details. With only a small amount of work the security of the application can be significantly increased.
To operate and monitor Airlock, the log messages need to be analysed and processed on one of the alert notification channels using SMTP, Syslog or HTTP. Please refer to the Administrator’s Online Manual for the detailed description of alerting channels, log levels and message formats.
While developing filter rules, testing and integrating Airlock, it is helpful to use the log mode "Integration" on the appropriate mapping. This will produce additional log messages about the backend application behavior, state of cookie store and URLs transformed in URL Encryption and Form Protection.
To perform other troubleshooting tasks it is also possible to activate the systems root account and use low level system tools to trace the traffic from and to Airlock (e.g. using snoop, telnet, curl, netstat, route and ifconfig commands).
After having installed Airlock and applied the first and initial configuration, the next steps could be
Please contact Ergon for technical support on certain implementation details:
Ergon or one of our premium partners also offer technical consulting during an Airlock deployment project.