So I have always loved Application Delivery Controller (ADC) traffic scripting capacities. My discovery of ADCs fundamentally changed the way that architected data centres. This is even more evident when you have the inevitable requirement to protect a Common Off The Shelf (COTS) applications. Often with COTS apps, code change are not possible and you are at the application vendors mercy to implement changes to their product for you. I have seen many instances where the client had a usage requirement that while valid for their use case, was not a use case the vendor wanted to support for a variety of reasons.
What this leads to is a situation where critical applications can be held up from being released because the deployment does not meet the customer's security requirements for things like cookie handling. I have seen this hold up multi-million dollar Virtual Desktop Infrastructure (VDI) deployments as well as cripple ERM / ERP systems where the inability to provide controls around cookie based SSO rendered system open to abuse.
A common method I have invoked in these use cases is the concept of tagging a cookie before it is sent to a browser so that we can ensure it has come back from the same place we issued it to:Essentially, we can "LoJack" the cookies that have been issued by the server to prevent their mis-use.
The basic concept is that for a given cookie that the server relies on to ensure a user is authenticated, we will do the following:
What this allows for is a check on the cookies submitted by a client. For any given HTTP request, we will do the following:
While this solution is not perfect for every situation - Large proxy farms that do not provide client persistence might trip it up for example - it is a crystal clear demonstration of where the ADC can again save the day...
The Traffic Script is available from the Code Samples section of the Riverbed Communities site on the link below:
©2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.
Riverbed. WAN optimization for your network: Application acceleration, WAN bandwidth optimization, and IT consolidation. Riverbed is the IT performance company. WAN optimization solutions from Riverbed liberate businesses from common IT constraints by increasing application performance, enabling consolidation, and providing enterprise-wide network and application visibility – all while eliminating the need to increase bandwidth, storage or servers. Thousands of companies trust Riverbed to deliver greater productivity and cost savings by making their IT infrastructure faster, less expensive and more responsive. Riverbed solutions are also available as managed services through select providers.