So I have always loved Application Delivery Controller (ADC) traffic scripting capabilities. My discovery of ADCs fundamentally changed the way I architected data centres. This is even more evident when you have the inevitable requirement to protect Commercial Off The Shelf (COTS) applications. Often with COTS apps, code changes are not possible and you are at the application vendor's mercy to implement changes to their product for you. I have seen many instances where the client had a usage requirement that, while valid for their use case, was not one the vendor wanted to support for a variety of reasons.
What this leads to is a situation where critical applications can be held up from release because the deployment does not meet the customer's security requirements for things like cookie handling. I have seen this hold up multi-million dollar Virtual Desktop Infrastructure (VDI) deployments as well as cripple ERM / ERP systems where the inability to provide controls around cookie-based SSO rendered the system open to abuse.
A common method I have used in these cases is to tag a cookie before it is sent to the browser, so that we can check it has come back from the same place we issued it to. Essentially, we can "LoJack" the cookies issued by the server to prevent their misuse.
The basic concept is that for a given cookie that the server relies on to ensure a user is authenticated, we will do the following:
What this allows for is a check on the cookies submitted by a client. For any given HTTP request, we will do the following:
This solution is not perfect for every situation: large proxy farms that do not provide client persistence may trip it up, for example, because the same client's requests then arrive from different source addresses and the tag no longer matches. Still, it is a crystal clear demonstration of where the ADC can again save the day.
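As an added example that is not part of the original post and is not the Riverbed TrafficScript sample it refers to, here is the same tagging scheme written in Python so the mechanics are visible: an HMAC over the protected cookie's value and the client address it was issued to, emitted as a companion cookie on the response and verified on every request that presents the protected cookie. The cookie name JSESSIONID, the tag cookie name JSESSIONID-lojack, the secret and the sample addresses are all assumptions constructed for the example. The walk-through also exercises the proxy-farm caveat above: the same cookie arriving from a different source address fails verification.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed values for this example. On a real ADC the secret lives in the
# device configuration and the cookie name is whatever the COTS app relies on.
SECRET = b"replace-with-a-random-256-bit-key"
SESSION_COOKIE = "JSESSIONID"            # assumption: the app's authentication cookie
TAG_COOKIE = SESSION_COOKIE + "-lojack"  # assumption: name of the companion tag cookie


def compute_tag(cookie_value: str, client_ip: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the cookie value and the client address it was issued to.

    Without the secret the tag cannot be forged, and it only verifies when the
    same cookie value comes back from the same client address."""
    msg = f"{cookie_value}\x00{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def tag_response(set_cookie_headers: list[str], client_ip: str,
                 secret: bytes = SECRET) -> list[str]:
    """Response side: pass the server's Set-Cookie headers through unchanged and
    append a companion Set-Cookie carrying the tag for each protected cookie issued."""
    out = list(set_cookie_headers)
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if SESSION_COOKIE in jar:
            tag = compute_tag(jar[SESSION_COOKIE].value, client_ip, secret)
            out.append(f"{TAG_COOKIE}={tag}; Path=/; HttpOnly; Secure")
    return out


def check_request(cookie_header: str, client_ip: str,
                  secret: bytes = SECRET) -> str:
    """Request side. Returns one of:
      'no-session'  - protected cookie absent, nothing to check
      'ok'          - cookie and tag present, tag verifies for this client address
      'missing-tag' - protected cookie presented without its tag
      'bad-tag'     - tag does not verify (forged, or cookie replayed from elsewhere)
    Anything other than 'ok' or 'no-session' should be treated as unauthenticated:
    strip the cookie (see strip_session) or reject the request outright."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if SESSION_COOKIE not in jar:
        return "no-session"
    if TAG_COOKIE not in jar:
        return "missing-tag"
    expected = compute_tag(jar[SESSION_COOKIE].value, client_ip, secret)
    # Constant-time comparison so the check itself does not leak the tag.
    if hmac.compare_digest(expected, jar[TAG_COOKIE].value):
        return "ok"
    return "bad-tag"


def strip_session(cookie_header: str) -> str:
    """Remove the protected cookie and its tag from a Cookie header so the back
    end sees an unauthenticated request rather than a stolen session."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    kept = [f"{name}={m.value}" for name, m in jar.items()
            if name not in (SESSION_COOKIE, TAG_COOKIE)]
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed walk-through: the server issues a session to 198.51.100.7.
    issued = tag_response(["JSESSIONID=abc123; Path=/; HttpOnly"], "198.51.100.7")
    tag = issued[1].split(";")[0].split("=", 1)[1]
    presented = f"JSESSIONID=abc123; {TAG_COOKIE}={tag}"
    print(check_request(presented, "198.51.100.7"))        # ok
    print(check_request(presented, "203.0.113.9"))         # bad-tag (replayed from another address)
    print(check_request("JSESSIONID=abc123", "198.51.100.7"))  # missing-tag
    print(strip_session(presented + "; theme=dark"))       # theme=dark
```

The tag is a separate cookie rather than a suffix on the server's own value so the COTS application never sees anything it did not issue; the ADC strips the tag (or the whole session) before forwarding. Binding to the source address is what the page's proxy-farm caveat is about: where clients legitimately change address mid-session, the binding input has to be something more stable, or the check restricted to the request paths that matter.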
The Traffic Script is available from the Code Samples section of the Riverbed Communities site on the link below:
©2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.