Sentry administrators may have questions about where Sentry resides within an enterprise network.
The Forum Sentry API Security Gateway is an in-line Layer 4-7 protocol break content intermediary. All transactions are terminated and re-initiated, similar to a reverse proxy deployment.
For production environments, Forum Systems recommends multiple ACTIVE Sentry instances be deployed behind the network load balancer. The load balancer is responsible for the high availability and failover for the APIs and services deployed through Sentry. The load balancer should be configured with a content layer health check that monitors the Sentry instances and policies.
Note that Sentry has load balancing capabilities built in for high availability / failover for the remote servers it is forwarding traffic to.
With multiple active Sentry instances in production, the Sentry configurations need to be identical (except for the listening IPs). To keep the Sentry policies in sync, use the Global Device Management features which allow centralized policy management.
For more information on Global Device Management click HERE.
For more information on monitoring strategies click HERE.
DMZ or Internal Network or Both?
Complex enterprise architectures will differ greatly from organization to organization. This information is to be used as a guideline only and may not be applicable to all deployments.
Whether Forum Sentry is deployed in the DMZ, in the internal network, or with multiple tiers depends on several factors.
1. Are the clients accessing the APIs and services deployed through Sentry internal or external?
When securing internet facing APIs and services Sentry is typically deployed in a DMZ. Alternatively, multiple Sentry tiers are used with Sentry instances in both the DMZ and internal network and the firewalls only allow traffic from the external Sentry to the internal Sentry.
2. Is Sentry processing inbound traffic (originates from external networks) or outbound traffic (originates from internal clients) or both?
The same Sentry instance can be used to process bi-directional synchronous traffic (think SOAP request from outside, returns SOAP response from inside) as well as inbound and outbound flows. An example of an outbound flow is using Sentry to secure and enable SSO for an external Salesforce API.
3. Are the application servers that Sentry is routing inbound traffic to located in the internal network or DMZ?
If the app servers are already in the DMZ, Sentry would also be deployed in the DMZ. If the app servers are in the internal network, multiple tiers of Sentry instances may be recommended.
4. Where do the peripheral systems (i.e. LDAP, Active Directory, Database, SiteMinder, SIEM, Log Server, etc.) that Sentry may need to communicate with reside?
Many Sentry use cases will require communication with other internal systems. For instance, many SSO schemes may require Sentry communicate with an LDAP or Active Directory to validate user credentials. Where these systems are currently deployed and the access allows to them may dictate where Sentry is deployed. Or again, there may be multiple tiers of Sentry instances.
5. What is the desired network topology mode?
The Forum Sentry Gateway (both hardware and virtual) can be configured to use up to 3 network interfaces (MGMT, WAN, and LAN). MGMT is typically used for out-of-band management of the Sentry instance on a dedicated MGMT subnet. External traffic is typically processed by the WAN interface and then optionally forwarded to the internal network via the LAN interface. This is "inline dual IP" mode. Another common option is "one port" mode which uses MGMT for management and the WAN port for all runtime traffic. The configuration is flexible to meet the requirements of many deployments.
Note that with the Sentry software instances, all networking is configured on the host OS.
For more information on Sentry network topology modes click HERE.
There are several factors to consider when deciding where to place Forum Sentry within the environment. The individual use case requirements, specifically as they pertain to security, typically dictate where the Sentry gateways are deployed in the network. Using multiple tiers of Sentry interfaces is a common option to ensure secure access from an external or DMZ network into an internal network.
The attached document outlines some common topology options and includes example flows and network diagrams. Please consult Forum Systems Support for recommendations for your specific deployment.