Introduction
A core competency of the Forum Sentry API Gateway is securing APIs and Web services. There are many security features configured "out of the box" and enabled by default. Security conscious administrators will want to enhance the default security rules.
Forum Sentry is a security product first and foremost that uniquely combines cyber security with user identity and access control.
Other types of API Gateways are built for management and integration purposes, while Forum Sentry was built for Security processing. Forum Sentry is the only FIPS 140-2 certified, NDPP certified, and DoD PKI certified API Security Gateway. For an overview of Forum Sentry's API security features please visit our API Security page.
Click HERE for additional White Papers on API Security.
Forum Sentry Security Features
There are many features of Forum Sentry related to securing data. Most of the traffic/data that Forum Sentry process are for APIs, Web services, web portals, and mobile apps.
The most common data types associated with these services are SOAP, XML, REST, URL encoded parameters, HTML, and JSON. Importantly, Forum Sentry
These data types are often transferred over various network protocols supported by Forum Sentry, including: HTTP/S, FTP/S, SFTP, SMTP, and several JMS variants.
The security features in Forum Sentry include:
- TLS/SSL
- Message Encryption/Decryption
- Digital Signatures/Verification
- Intrusion Detection and Prevention (IDP Rules)
- RegEx Pattern Matching
- On-Board Anti-Virus scanning
- Identity Management and Access Control - Secure SSO (SAML, OpenID Connect, MFA)
- Schema, Query Parameter, Method, and Header Validation
Top 10 Security Recommendations
Below are the Top 10 recommendations (in no particular order) to further increase the security of your APIs using Forum Sentry:
- Use secure SSL/TLS Policies. Forum Sentry does not utilize insecure OpenSSL libraries for SSL/TLS. All network policies (HTTP, FTP, SFTP, JMS, etc..) should use SSL/TLS. Start by enabling SSL/TLS and consider adding Mutual Authentication for cert path validation, CRL checking, and mapping certs to users. Disable weak ciphers and older insecure SSL protocols (i.e. disable SSLv3). Use TLS throughout the entire transaction - for example, don't terminate HTTPS at the upstream load balancer and use HTTP inside the network. Don't use insecure load balancers for SSL termination, use Forum Sentry instead.
- Use IP ACLs whitelists/blacklists on your Sentry network listener policies and/or content policies to only allow incoming traffic from specific IP addresses or IP ranges. If a client tries to connect from an unknown IP range the connection will be rejected.
- Tighten IDP Rule Thresholds or add new IDP rules depending on your specific criteria. These rules include size and rate throttling as well as other protections from XML Denial of Service (XDoS) attacks. One of the easiest ways to prevent data loss/leakage with Forum Sentry is to set IDP size rules for response documents. For instance, if the service should never respond with anything over 100k, enforce this with an IDP rule.
- Enable the on-board ClamAV Virus and Malware Scanning to block, strip, tag, or quarantine detected viruses and malware. Sentry can also base64 decode data prior to scanning, for instance with SOAP w/attachments MTOM use cases.
- Use Pattern Match Policies to block malicious requests and prevent data leakage. With the default Pattern Match policies and through custom policies, pattern matching ensures no confidential data is leaked out with the response messages and prevents any harmful XML attacks coming into the service. This feature can be used to prevent SQL injections, cross site scripting attacks, and other common threats and OWASP Top Ten Vulnerabilities.
- Use Payload Encryption and Digital Signatures for SOAP/XML, JSON and other payloads. For example, the trading partners or vendors (clients) would encrypt and sign SOAP payloads before sending to Sentry, the request data is then decrypted / verified on Sentry. For response processing, Sentry can encrypt and sign the response data before sending it back to the client. Sentry can encrypt and/or sign many different data types including XML, JSON, query parameters, headers, and URI segments. Consider using Sentry for secure HTTP file uploads and cloud storage.
- Validate Schema for JSON and XML payloads. Consider using Schema Tightening and advanced validation options with your WSDL policies. Sentry supports XML schema validation via XSD files, JSON schema validation for RESTful APIs, and wholesale mapping from one schema to another.
- Validate HTTP Methods, Query Parameters and HTTP Headers. For instance, restrict HTTP methods based on user, scan parameter values for malicious content, ensure specific HTTP headers exist, etc.
- Enable User Identity and Access Control features in Sentry to ensure only valid users are accessing your services. There are many Access Control, Federation, SSO, and Credential Translations capabilities in Forum Sentry including SAML, OAuth, OpenID Connect, and MFA.
- Schedule Regular Deployment Reviews to check for security issues, disable weak ciphers, check for sensitive data in logs, etc. Forum Systems provides Forum Sentry Deployment Reviews at no cost for existing customers.
Testing the Security of APIs
It is strongly recommended that you perform security, vulnerability, and penetration testing of your APIs and services secured by Forum Sentry.
SOAPSonar from Crosscheck Networks is the recommended tool to perform this testing. With full support for functional and performance testing of all API types (REST, SOAP/XML, JSON, etc.) there is patented technology focused on security and vulnerability testing that you won't find with any other test tools.
SOAPSonar's Vulnerability mode runs scans against APIs and reports any potential issues with explanations of how to fix them. In addition, if you configure SSL, encryption/signatures, access control and/or WS Security features in Sentry, you can use this tool to test these features.
0 Comments