phion Product Guide - Info-Point-Security
Web Application Security
phion airlock Product Guide, valid for release 4.1
Security and Availability for your Web Applications and Web Services

• Uncompromising security: protection for business information and online transactions
• High availability: maximizes application availability and accessibility
• Cost reduction: reduced cost in web application development, integration and operation
• Application acceleration: accelerated access to web services, highly scalable
• Single-Sign-On (SSO): support for modular authentication schemes and flexible integration with Identity and Access Management (IAM) solutions
• Monitoring and audits: recording of benchmarking information about user behaviour and application usage
Table of contents

The Challenge: Open for business – Open to attack
The Solution: phion airlock Web Application Security
WAF Module: Web Application Firewall (WAF)
Add-ons: Additional Modules
Q & A: Questions & Answers
Appendix A: Ordering Information
Appendix B: System Requirements
The Challenge

Open for business – Open to attack

Business transactions increasingly run over the public internet, and every new business or internet commerce model brings new security risks with it. Web applications and web application servers must be accessible to anybody from anywhere. Web applications can be hijacked or shut down quickly, and the number of vulnerabilities at the application level is growing at an alarming pace. Since web servers need to connect to valuable internal resources, they represent a prime target. Commonly deployed network firewalls, intrusion detection and prevention systems and virus scanners simply cannot protect web servers adequately, which is an open invitation to attackers.
To minimize these threats, security-aware companies face three challenges in protecting their web applications effectively:

Security challenge: how do you effectively protect web applications against attacks and secure their availability?
Web applications continually face new attacks. It is therefore crucial for secure business that all web services on the Internet and intranet are secure around the clock and available with fast response times, even under the most difficult conditions such as traffic peaks, manipulation attempts or denial-of-service attacks.

Cost challenge: how do you reduce your costs for the integration and implementation of application security?
Continuously maintaining web applications and web services at a high security level and connecting them with surrounding systems (e.g. user directories, identity and access management solutions, anti-virus gateways) quickly drives up costs, particularly in operation. Every new application requires all security measures to be incorporated and updated yet again. This makes implementing a secure application environment a slow, involved and expensive process.

Compliance challenge: new security standards require clearly defined measures in web application security.
To date, security measures have not provided adequate protection against application-level attacks. Standards such as the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 define measures to increase web application security, and sectors such as the credit card industry demand compliance. To meet their compliance targets, companies need to upgrade their security infrastructure accordingly.
The Solution

phion airlock Web Application Security

Thanks to phion airlock, companies can make use of the Internet's diverse opportunities without limiting the security and availability of their web applications and web services. phion airlock is the only software-based, high-security Web Application Firewall (WAF) on the market covering the entire spectrum of protection and optimization techniques for web environments of arbitrary complexity. With its high-security architecture and physical separation from the application servers, phion airlock shields web applications in the trusted network from unauthorized access and malicious attacks.

Overview

phion airlock is a software appliance based on secure reverse proxy technology with optional Single-Sign-On (SSO) authentication and access control capabilities. Its main purpose is to reduce the exposure of web applications while maximizing service uptime and responsiveness. By deploying phion airlock in front of the web server, a company can offer a transparent, secure and always-on connection to its web applications while lowering the cost of application integration, deployment and maintenance.

To cover all relevant aspects of web application protection and guarantee maximum performance, phion airlock is built on a modular security architecture. The core component is the Web Application Firewall (WAF) module, which forms the foundation of every airlock system and onto which optional security and reporting modules can be added. As a natural extension of the WAF functionality, phion airlock optionally offers strong and uniform user authentication and authorization, an SSL VPN remote access module and a Portal Application module, as summarized in the feature overview below.
Feature Overview

Feature                                                     WAF      ICAP     SOAP/XML   Graphical
                                                            Module   Module   Module     Reporting Module
Web application protection                                  ✓        -        -          -
Application acceleration and data compression               ✓        -        -          -
Sophisticated content switching and content rewriting       ✓        -        -          -
Interface to external filter services (e.g. anti-malware)   -        ✓        -          -
SOAP/XML validation of web services                         -        -        ✓          -
Powerful log analysis, automated reports and statistics     -        -        -          ✓

Feature                             Authentication        Authentication     Application     SSL VPN
                                    Enforcement Module    Service Module     Portal Module   Service Module
Single-Sign-On and access control   ✓                     ✓                  -               -
Web portal                          -                     -                  ✓               -
Secure TCP port forwarding          -                     -                  -               ✓

Note: for system requirements see Appendix B.
Target Market

Any organization looking for an easy-to-implement, cost-saving, enterprise-class solution to protect its web servers and web applications, and/or one that has to comply with the Payment Card Industry Data Security Standard (PCI DSS).
WAF Module

Web Application Firewall (WAF)

phion airlock's secure system architecture is based on strict zone separation and multi-level filtering. Every web access request passes the WAF, which verifies and validates it before transferring it to the next filter layer and finally to the application server. Illegal requests are rejected at every filter level.

White List and Black List Filter

A request only passes to the next layer if at least one rule of the white list (path length, variable formatting, HTTP methods, etc.) matches and no rule of the black list (signatures for SQL injection, XSS, request splitting, etc.) matches. Requests cannot circumvent the predefined sequence of validation and screening processes. The URL encryption approach adapts itself to the business logic and provides strong protection without the need to maintain thousands of signatures and filter rules; phion airlock's filter engine therefore provides a truly dynamic white list. After white and black list filtering, phion airlock executes several additional security filter layers to prevent web attacks:
• Protocol validation and rebuilding
• Character encoding and Unicode verification
• Smart form protection
• Response rewriting
• Response content filter
• Response URL encryption
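The two-stage filter described above, as an added example (this is not phion airlock's own code or rule format): a request must fit at least one allowlist rule (permitted methods, path shape, format of every parameter, length limits) and must then fit no denylist pattern. The rules, the deny patterns and the sample requests are constructed for illustration and are deliberately small; note that the SQL injection sample is stopped by the positive model before any signature is consulted, which is the point of running the white list first.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, unquote, urlsplit


@dataclass
class Request:
    method: str
    target: str                      # request-target from the request line
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Stage 1, allowlist (positive model): a request must fit at least one rule.
# Each rule names the permitted methods, a regex the decoded path must match
# entirely, and a regex for every parameter the rule permits.  (Constructed.)
ALLOW_RULES = [
    {"methods": {"GET"}, "path": r"/shop/(products|cart)",
     "params": {"id": r"\d{1,9}", "page": r"\d{1,3}"}},
    {"methods": {"POST"}, "path": r"/shop/login",
     "params": {"user": r"[A-Za-z0-9._-]{1,64}", "password": r".{1,128}"}},
]
MAX_PATH_LEN = 256
MAX_PARAMS = 32

# Stage 2, denylist (negative model): a request must fit none of these.  (Constructed.)
DENY_PATTERNS = {
    "sql_injection": re.compile(r"(?i)\bunion\b.*\bselect\b|'\s*or\s*'?\d|--\s*$|;\s*drop\b"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*="),
    "response_splitting": re.compile(r"[\r\n]"),
}


def _decode(req):
    """Path and parameters after one round of percent-decoding (query + form body)."""
    parts = urlsplit(req.target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    ctype = req.headers.get("Content-Type", "")
    if req.method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(req.body.decode("utf-8", "replace"), keep_blank_values=True)
    return unquote(parts.path), params


def allowlist_check(req):
    """None if some allow rule fits the whole request, else the reason it does not."""
    path, params = _decode(req)
    if len(path) > MAX_PATH_LEN:
        return "path too long"
    if len(params) > MAX_PARAMS:
        return "too many parameters"
    for rule in ALLOW_RULES:
        if req.method in rule["methods"] and re.fullmatch(rule["path"], path) and all(
                name in rule["params"] and re.fullmatch(rule["params"][name], value)
                for name, value in params):
            return None
    return "no allow rule matched"


def denylist_check(req):
    """None if no deny pattern fits path, parameter values or header values, else its name."""
    path, params = _decode(req)
    fields = [path, *(value for _, value in params), *req.headers.values()]
    for name, pattern in DENY_PATTERNS.items():
        if any(pattern.search(f) for f in fields):
            return name
    return None


def filter_request(req):
    """Run the stages in fixed order; a request cannot skip one."""
    reason = allowlist_check(req)
    if reason:
        return "blocked", "allowlist: " + reason
    reason = denylist_check(req)
    if reason:
        return "blocked", "denylist: " + reason
    return "forward", ""


# Constructed sample traffic (not captured from any real system)
SAMPLES = {
    "ok": Request("GET", "/shop/products?id=42&page=2"),
    "sqli": Request("GET", "/shop/products?id=42%20UNION%20SELECT%201"),
    "xss": Request("POST", "/shop/login",
                   {"Content-Type": "application/x-www-form-urlencoded"},
                   b"user=bob&password=%3Cscript%3Ealert(1)%3C/script%3E"),
    "crlf": Request("GET", "/shop/cart?page=1", {"X-Forward": "a\r\nSet-Cookie: x=1"}),
    "unknown": Request("DELETE", "/shop/cart"),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:8} {filter_request(req)}")
```

The XSS payload in the login form passes the positive model (any 1 to 128 characters are a legal password) and is only caught by the signature stage, which is why a WAF keeps both: the white list removes everything the application never expects, the black list catches hostile content inside fields that legitimately accept free text.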
Application Acceleration, Load Balancing and Data Compression

The performance and availability of web applications are increased because critical security functions and performance-relevant tasks (e.g. SSL termination or data compression) are offloaded to the WAF for efficiency and scalability. Web applications and web servers can thus focus on their primary business.
Total Cookie Protection and Application Data Exchange

By default, cookies set by the back-end are not sent on to the connecting client's browser but are held in the WAF's cookie store. phion airlock transfers only an encrypted session cookie, valid only while the session is active, to the client. To store persistent information on a client, phion airlock can save encrypted cookies on the client; these cookies are resistant to manipulation because they are always validated against a signature. If cookie information must be changeable on the client (e.g. by JavaScript), passthrough cookies can be defined and sent to the client as plain text. Application data can be exchanged safely between back-end applications through the phion airlock cookie store: the transferred data never touches the browser and therefore cannot be stolen or hijacked.
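The cookie store described above, as an added example (not phion airlock's own implementation): back-end Set-Cookie headers are absorbed on the proxy and keyed by an opaque session id, the browser receives a single session cookie, and cookies on an assumed passthrough list are forwarded unchanged. The cookie name AL_SESS, the passthrough list and the sample headers are assumptions. Instead of encryption the session value here is a random id plus an HMAC-SHA256 tag, which gives the tamper resistance the text describes (a random id carries nothing worth hiding); the encryption of persistent client-side cookies is not shown.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SECRET = secrets.token_bytes(32)      # proxy-side key, assumed to be generated at start-up
SESSION_COOKIE = "AL_SESS"            # assumed name of the only cookie the browser receives
PASSTHROUGH = {"ui_theme"}            # assumed: cookies the application lets reach the browser
TAG_LEN = 16

COOKIE_STORE = {}   # session id -> {back-end cookie name: value}; never leaves the proxy


def _tag(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).digest()[:TAG_LEN]


def _token(sid):
    """Opaque session token for the browser: random id + HMAC tag, base64url, no padding."""
    return base64.urlsafe_b64encode(sid.encode() + _tag(sid)).decode().rstrip("=")


def _session_from_token(token):
    """The session id if the tag verifies and the session is live, else None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, binascii.Error):
        return None
    if len(raw) <= TAG_LEN:
        return None
    sid, tag = raw[:-TAG_LEN].decode("ascii", "replace"), raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(sid)):
        return None
    return sid if sid in COOKIE_STORE else None


def new_session():
    sid = secrets.token_hex(16)
    COOKIE_STORE[sid] = {}
    return sid


def on_backend_response(sid, set_cookie_headers):
    """Absorb the back-end's Set-Cookie headers into the store and return the
    Set-Cookie headers the browser gets: passthrough cookies plus the session cookie."""
    forwarded = []
    for line in set_cookie_headers:
        for name, morsel in SimpleCookie(line).items():
            if name in PASSTHROUGH:
                forwarded.append(line)                   # plain text, as the text describes
            else:
                COOKIE_STORE[sid][name] = morsel.value   # held on the proxy only
    forwarded.append(f"{SESSION_COOKIE}={_token(sid)}; Path=/; Secure; HttpOnly")
    return forwarded


def on_client_request(cookie_header):
    """Turn the browser's Cookie header into (session id, Cookie header for the back-end).
    A missing, forged or expired session token yields (None, None)."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if SESSION_COOKIE not in jar:
        return None, None
    sid = _session_from_token(jar[SESSION_COOKIE].value)
    if sid is None:
        return None, None
    pairs = [f"{k}={v}" for k, v in COOKIE_STORE[sid].items()]
    pairs += [f"{k}={m.value}" for k, m in jar.items() if k in PASSTHROUGH]
    return sid, "; ".join(pairs)


if __name__ == "__main__":
    sid = new_session()
    # Constructed back-end response headers
    for h in on_backend_response(sid, ["JSESSIONID=abc123; Path=/app; HttpOnly",
                                       "ui_theme=dark; Path=/"]):
        print("to browser:", h)
    print("on proxy:", COOKIE_STORE[sid])
```

Because the back-end's own session cookie (JSESSIONID above) never reaches the browser, stealing or fixing it from the client side is impossible; an attacker who edits the AL_SESS value gets a tag mismatch and no session at all.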
WAF Module

Seamless environment integration and easy administration

The phion WAF module can be integrated into the DMZ without relocating existing systems or changing the network infrastructure. It also facilitates a cost-saving consolidation of the DMZ infrastructure.

Web Application Firewall Module

Purpose: effective web application protection
Operating system / software requirements: none; the WAF Module includes all necessary operating system components

Feature                                                        Included
Combined white and black list filters on different levels      ✓
Cryptographic URL encryption                                   ✓
HTML form protection                                           ✓
Systematic protocol termination and rebuilding                 ✓
Positive security model without complicated rule management    ✓
Secure session tracking with session anomaly detection         ✓

Provides effective protection against:
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• SQL injection
• Denial of service
• Forceful browsing
• HTTP response splitting
• Session hijacking
• Session riding
• Session fixation
• Cookie poisoning
• Buffer overflows
• Phishing
• Identity theft
• Content type masquerading
• Unicode attacks

Complete cookie protection
Cookies are not transferred to the browser but are held in phion airlock   ✓
Encrypted session cookies are sent to the browser                          ✓

Application delivery acceleration
SSL termination and offloading (1)                             ✓
Application-level load balancing                               ✓
Failover clustering                                            ✓
Real-time data compression                                     ✓

(1) Optionally with cryptocard acceleration. phion airlock 4.1 supports nCipher nFast Ultra SSL Offload and SafeNet Luna SA crypto engines.

Licensing: the WAF module is licensed to protect a given number of applications. An application is defined as a combination of an IP address and a TCP port. The minimum number of licensed applications is two.
Add-Ons

Additional Modules

ICAP Module

External content filtering and proxy services (e.g. anti-virus, anti-malware, IDS/IPS or data leakage prevention software) can be integrated via the standardized ICAP interface. Servers and clients are thus protected simultaneously, since all data transfers to and from the web servers (uploads and downloads) are checked for dangerous or illicit content. Coupling external filtering services via the standardized ICAP interface makes optimal combined use of the participating systems.
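The ICAP exchange such an integration relies on, as an added example (not phion code and not the product's actual wire format): a Python builder for ICAP/1.0 REQMOD (an upload, i.e. the client's request is handed to the scanner) and RESPMOD (a download, i.e. the origin's response is handed to the scanner) messages as laid out in RFC 3507, which computes the Encapsulated header offsets that tell the scanner where the HTTP headers and the chunked body begin. The service URIs, host names and HTTP messages are constructed; a real deployment would additionally read the scanner's reply and act on its verdict.

```python
from urllib.parse import urlsplit


def _head(lines):
    """HTTP header section as bytes, terminated by the blank line."""
    return "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n"


def _chunked(body):
    """Chunked transfer coding, which ICAP requires for every encapsulated body."""
    return f"{len(body):x}\r\n".encode() + body + b"\r\n0\r\n\r\n"


def build_icap(method, service_uri, req_lines=None, res_lines=None, body=b""):
    """Build a REQMOD or RESPMOD message.  req_lines/res_lines are the HTTP request
    and response header lines (no trailing blank line); body is the raw payload."""
    if method not in ("REQMOD", "RESPMOD"):
        raise ValueError(method)
    enc, parts, off = [], [], 0
    for key, lines in (("req-hdr", req_lines), ("res-hdr", res_lines)):
        if lines is None:
            continue
        part = _head(lines)
        enc.append(f"{key}={off}")       # offset of this section within the encapsulated data
        parts.append(part)
        off += len(part)
    body_key = "res-body" if method == "RESPMOD" else "req-body"
    if body:
        enc.append(f"{body_key}={off}")
        parts.append(_chunked(body))
    else:
        enc.append(f"null-body={off}")   # RFC 3507: no body, offset marks the end
    icap_head = (f"{method} {service_uri} ICAP/1.0\r\n"
                 f"Host: {urlsplit(service_uri).netloc}\r\n"
                 f"Encapsulated: {', '.join(enc)}\r\n\r\n").encode()
    return icap_head + b"".join(parts)


def split_icap(msg):
    """(Encapsulated offsets as a dict, encapsulated bytes) of a built message;
    lets a receiver locate each section without re-parsing the HTTP inside."""
    head, _, encapsulated = msg.partition(b"\r\n\r\n")
    for line in head.decode().split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "encapsulated":
            offsets = {k: int(v) for k, v in
                       (p.strip().split("=") for p in value.split(","))}
            return offsets, encapsulated
    raise ValueError("no Encapsulated header")


if __name__ == "__main__":
    # Constructed upload: the client's POST is sent to the scanner before the back-end sees it
    upload = build_icap("REQMOD", "icap://icap.example.net/reqmod",
                        req_lines=["POST /upload HTTP/1.1", "Host: app.example.com",
                                   "Content-Length: 5"],
                        body=b"hello")
    # Constructed download: the origin's response is sent to the scanner before the client sees it
    download = build_icap("RESPMOD", "icap://icap.example.net/respmod",
                          req_lines=["GET /report.pdf HTTP/1.1", "Host: app.example.com"],
                          res_lines=["HTTP/1.1 200 OK", "Content-Type: application/pdf"],
                          body=b"%PDF-1.4")
    for m in (upload, download):
        print(m.decode("latin-1"))
        print(split_icap(m)[0])
```

The offsets are what most hand-written ICAP clients get wrong: they are byte positions within the encapsulated section only (the ICAP headers themselves do not count), and the body offset points at the first chunk-size line, not at the payload.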
Graphical Reporting Module

phion airlock's Graphical Reporting Module consistently provides critical information on request structures, security setups, violations of filter rules and much more. Using diagrams, interesting time periods can be identified quickly and selected for evaluation. Automated reports serve a statistical purpose and regularly provide key figures and performance data on load, the functionality of the system and your entire web environment.

SOAP/XML Validator Module

With the optional validation module, phion airlock offers a further layer of protocol validation that provides systematic monitoring, filtering and validation of SOAP/XML web service traffic. This ensures that the defined interfaces between the services are preserved and that servers are not exposed to malformed or unexpected messages.

ICAP Module
Purpose: integration of external security proxy services
Operating system / software requirements: WAF Module
Combined usage of security proxy services   ✓
Standardized integration                    ✓

Graphical Reporting Module
Purpose: complete assessment of protected web applications and web servers
Operating system / software requirements: WAF Module
Automated reports and statistics                            ✓
Central log analysis with search functions                  ✓
Uniform display of log notifications                        ✓
Zoom function for easy selection of relevant sections       ✓
Consolidation of specific events into alert notifications   ✓
Traceability through unique request IDs                     ✓
Seamless connection to external monitoring systems          ✓

SOAP/XML Validator Module
Purpose: validation for SOAP/XML web services
Operating system / software requirements: WAF Module
Instant protection against SOAP/XML attacks   ✓
Add-Ons

Authentication Enforcement Module

Only authenticated and authorized connections are permitted to reach the relevant application servers. This substantially reduces the number of possible attacks and relieves the applications. All common authentication methods against external directories (LDAP, MS Active Directory, RADIUS, RSA ACE, etc.) and SQL databases are supported by phion airlock and can be used simultaneously for different requests. Client certificates are fully supported. phion airlock can even connect to proprietary authentication servers via a publicly available Control-API. The Authentication Enforcement module also allows Single-Sign-On (SSO) across multiple back-end web applications and provides role-based access control.

Authentication Enforcement Module
Purpose: strong user authentication to ensure maximum security
Operating system / software requirements: WAF Module *
Directory and authentication support                                  ✓
Single-Sign-On (SSO)                                                  ✓
Integration with existing directories, IAM and PKI solutions          ✓
Role-based access control                                             ✓
Flexible connection to any authentication software via Control-API    ✓

* The Authentication Enforcement Module requires a WAF module licensed for at least two applications, as the authentication service and the user directory count as one application each.

Authentication Service Module

The phion airlock Authentication Service Module allows flexible and customizable integration of multiple back-end authentication databases and directories and links them to the phion airlock Authentication Enforcement Module via the Control-API. The service module supports the following authentication methods as building blocks:
• User ID + password
• Multi-factor authentication (e.g. one-time passwords)
• PKI/X.509 client certificates (soft and hard tokens)

Authentication Service Module
Purpose: customizable integration of multiple authentication databases and directories
Operating system / software requirements: WAF Module, Authentication Enforcement Module
Highly customizable access control by integrating multiple user directory / authentication servers              ✓
Supports LDAP, OpenLDAP, MS Active Directory, Novell eDirectory, RADIUS, RSA ACE, SQL Server, MySQL, Oracle    ✓
Add-Ons

Application Portal Module

The phion airlock Application Portal Module is a flexible and easy-to-maintain portal application. Its purpose is to give the user an overview of the available applications on one page. By clicking on an entry in the list, the user is forwarded to the selected application. The module can be configured to display applications depending on the credentials of the logged-in user.

SSL VPN Service Module

phion airlock's SSL VPN Service Module allows secure remote access from any internet browser and can be integrated with existing user directories. The applet shows the current status of the connection at all times. Its design can easily be adapted to a company's corporate identity.

Portal Application Module
Purpose: application overview and management
Operating system / software requirements: WAF Module, Authentication Enforcement Module
Role-based list of application links                ✓
Quick start with a default icon for each mapping    ✓
Custom icon for each application                    ✓
Show/hide icons depending on role and permission    ✓
Order and group icons                               ✓
Logout / back frame                                 ✓
Customizable style (JSP + CSS)                      ✓

SSL VPN Service Module
Purpose: secure remote access from internet browsers
Operating system / software requirements: WAF Module, Authentication Enforcement Module
Secure TCP port forwarding   ✓
Q & A

Questions and Answers

Q: What can phion airlock do for me?
A: phion airlock offers round-the-clock protection for your web applications and web services.

Q: Why is it necessary to protect web applications and web services?
A: Web servers and web applications can be hacked easily, and often undetected. This may lead to severe losses of money and credibility. Additionally, introducing phion airlock as a strategic web application security solution reduces operational costs and time-to-market for new web applications and web services.

Q: Why is a firewall not enough?
A: Granting access to an application inevitably means that the firewall is open for that traffic. An attacker can then attack any component behind it and usually reach the back-end unhindered. A network firewall allows or blocks packets to and from the network: it directs the traffic but does not inspect its content. Think of phion airlock as a 'digital bouncer' who not only checks IDs but also the 'pocket contents' of incoming requests.

Q: What exactly is PCI DSS?
A: The PCI DSS (Payment Card Industry Data Security Standard) was created to provide a common data security standard across all payment brands. All merchants, financial institutions and processors that process, transmit or store cardholder data have to comply with the standard. Non-compliance leads to restrictions, fines and additional fees. phion airlock helps companies significantly in complying with this strict security standard.

Q: Am I affected by PCI DSS?
A: PCI compliance is required for any business that accepts payment cards for online payment or stores credit card data, even if it handles only a single transaction.

Q: Why is it not enough to deploy an intrusion prevention/detection system on top of the firewall?
A: These systems are normally signature-based (similar to virus scanners) and blind to encrypted traffic (HTTPS). An attacker may pass all checks unnoticed over an encrypted connection because the data stream cannot be inspected.

Q: How can phion airlock help to protect web applications and web services?
A: phion airlock combines multi-level filtering with authentication enforcement at a time when attacks have shifted from the network layer to the application layer. The web application is usually the link to the back-end network, where the valuable data that may be stolen or forged is kept. Every request has to pass the WAF and is verified and validated before being transferred to the application server. phion airlock also helps to increase the performance of web servers: critical security functions and performance-related tasks are offloaded to the WAF, relieving the web servers and leading to shorter response times and higher availability. Moreover, with its strong authentication service, phion airlock allows only authenticated users to access the back-end network.

More information about PCI DSS and its security requirements can be found at http://www.pcisecuritystandards.org
Appendix A

Ordering Information

phion airlock is delivered on a single bootable CD-ROM and includes all necessary operating system components. Software modules are activated with phion airlock license keys. phion airlock licenses are node-locked and apply to a single phion airlock server. The licenses scale according to the software modules used and to usage parameters (maximum number of applications and maximum number of concurrent users). An application, in terms of the license, is the combination of a back-end IP address and a port in use; the number of applications is therefore the sum, over all back-end IP addresses, of the ports in use on each.

The software license fee for all modules of the first phion airlock server is called the First phion airlock Software License Fee. The Total Software License Fee includes the license fee for the first phion airlock plus all High Availability and Test phion airlocks. The one-time Software License Fee grants the right to use the phion airlock software and requires a separate annual Software Subscription and Support Fee.

How to calculate the license dimension

Number of applications: an application, in terms of the license, is the combination of a back-end IP address and a port in use, so the number of applications is the sum of used ports per IP address. Examples:

• 1 back-end IP address with ports 80 and 8080 in use: 1 IP * 2 ports = 2 license-relevant applications
• 2 back-end IP addresses, one with ports 80 and 8080 in use and the other with port 80 only: (1 IP * 2 ports) + (1 IP * 1 port) = 3 license-relevant applications
• 3 back-end IP addresses, the first with ports 80, 8080 and 8081, the second with ports 80 and 443, and the third with ports 9080, 9081, 9082 and 9083: (1 IP * 3 ports) + (1 IP * 2 ports) + (1 IP * 4 ports) = 3 + 2 + 4 = 9 license-relevant applications
• 2 back-end IP addresses, both with ports 80 and 81 in use: (1 IP * 2 ports) + (1 IP * 2 ports) = 4 license-relevant applications
Appendix A

Product                                           Order Number
phion airlock WAF Module                          AL-CORE-1...32...UL
  Max. number of applications: 1, 2, 4, 8, 16, 32, unlimited
  Note: the number of applications is the number of back-end applications addressed by phion airlock. A back-end application is the combination of an IP address and a port number.
phion airlock ICAP Module                         AL-ICAP
  Requires the Web Application Firewall Module.
phion airlock SOAP/XML Validator Module           AL-SOAP-XML
  Includes the ICAP Module and requires the Web Application Firewall Module.
phion airlock Graphical Reporting Module          AL-GR
  Requires the Web Application Firewall Module.
phion airlock Authentication Enforcement Module   AL-AE-10, AL-AE-100, AL-AE-500, AL-AE-1000, AL-AE-2000, AL-AE-5000, AL-AE-10000
  Max. number of concurrent sessions: 10, 100, 500, 1,000, 2,000, 5,000, 10,000
  Note: the number of authenticated concurrent sessions is the number of authenticated sessions managed by phion airlock at any given time. The Authentication Enforcement Module requires the Web Application Firewall Module licensed for at least two applications, as the authentication service / user directory counts as one application.
phion airlock Authentication Service Module       AL-AS
  Requires the Web Application Firewall Module and the Authentication Enforcement Module.
phion airlock Portal Application Module           AL-PA
  Requires the Web Application Firewall Module and the Authentication Enforcement Module.
phion airlock SSL VPN Service Module              AL-SSL-VPN
  Requires the Web Application Firewall Module and the Authentication Enforcement Module.
Appendix B

System Requirements

Virtual environments

phion airlock supports various virtual environments such as VMware Workstation, VMware Server and VMware ESX; VMware Server or ESX Server is recommended. Virtual environments are suitable for evaluations, demos and laboratory tests. For performance tests, dedicated hardware is recommended.

Hardware

The choice of the correct hardware depends on the applications to be protected and the configuration of phion airlock. The following factors directly influence system performance:
• Number of simultaneous requests
• Number of functions used in phion airlock (content rewriting, URL encryption, number and type of filter patterns, etc.)
• Size and number of documents in an application
• Number of links inside the application

Recommended hardware profiles for phion airlock 4.1:

x86 (Intel/AMD)
Profile                                    Requirements
Small (up to 500 concurrent sessions)      1 single-core CPU > 2.5 GHz [Pentium 4, Xeon, Athlon] or > 2 GHz [Opteron, Xeon/Core 2]; 4 GB RAM; 80 GB hard disk, 10K RPM; DVD-ROM drive
Medium (up to 1,000 concurrent sessions)   1 dual-core CPU > 2.2 GHz [Opteron, Xeon/Core 2]; 6 GB RAM; 2 x 80 GB HDD; DVD-ROM drive
Large (up to 2,000 concurrent sessions)    2 quad-core CPUs > 2.4 GHz [Opteron, Xeon/Core 2]; 12 GB RAM; 2 x 160 GB HDD, 10K RPM; DVD-ROM drive

Sun SPARC
Profile                                    Requirements
Large (up to 2,000 concurrent sessions)    Sun Fire T2000, 1.2 GHz / 8 cores; 12 GB RAM; 2 x 146 GB HDD, 10K RPM; DVD-ROM drive

phion does not recommend using SPARC processors older than the UltraSPARC T1 (such as UltraSPARC III or IV).
Appendix B

Notes

• Actual performance and average CPU usage depend very much on the web application(s), the protocols (HTTP/HTTPS) and the enabled phion airlock features. For example, enabling URL encryption or content rewriting normally doubles the CPU load.
• The performance numbers in the profiles above are based on a number of constraints. The most important are:
  - Average application response time: 200 ms
  - 15 HTTPS requests per minute and user
  - Active phion airlock features: HTTPS on virtual host, HTML rewriting, general response rewriting
• SSL accelerator cards are only recommended for high-volume sites (> 500 HTTPS requests/s). For low- to medium-volume systems, phion recommends buying a faster (or multi-core) CPU for the same money.
• With recent hardware, phion airlock can answer up to 7,000 HTTPS requests/second, which corresponds to network traffic of almost 1 Gbit/s.
• The suitability of the hardware should be verified with a load test.

Hardware RAID controllers

There is no advantage in using a hardware RAID controller with phion airlock; phion recommends the built-in software RAID instead, which has the following advantages:
• Disk mirroring (RAID 1) for redundant logs and configuration data
• Integrated disk monitoring (automatic logging/alerting in case of disk failure)
• Standard installation (no additional third-party drivers needed)
• Performance similar to hardware RAID

System compatibility

phion airlock 4.1 is based on Sun Solaris 10 Update 3 (11/06). It should therefore run on every system that is compatible with this particular Solaris release.

Sun Hardware Compatibility List

Sun provides a large list of compatible systems in its Hardware Compatibility List (http://www.sun.com/bigadmin/hcl/). Search the list for your preferred system and check for available drivers and patches. Note that some systems not listed on the HCL are very similar to listed ones and would still work fine.
phion AG
Eduard-Bodem-Gasse 1
6020 Innsbruck
Austria
Phone: +43 (0)508 100
Fax: +43 (0)508 100 20
Email: office@phion.com
www.phion.com