  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 110

Internet Security

We have a security product that authenticates our users and allows access to our website within the rights presented by our web application.  This product has protected virtual folders on our web servers and unless the individual has the right to access our web application it prevents them from accessing our site.

I will try this one more time before I give up on this.  I have asked it two times and each time it somehow got put into the community forum and the administrator killed it.  Don't think I like the new format too well.  At any rate, here is my question again.

Our application security then only provides the user with access that the application indicates they can have.  So the first tool is a security gateway.

This product is no longer supported and we would like to develop an internal product that essentially will do the same thing.  Validate the user has rights to our website and then pass the user to our application.

I am finding it difficult to identify a product that will do this or the ability to utilize a Microsoft product to do this.

Does anyone know a tool to do this or is available for hire to help with this project?
sfletcher1959
2 Solutions
 
Sean Jackson, Information Security Analyst, commented:
My response to the initial question was this -- you're looking at access control, which can be tied to a database of users, and a programmer can make an authorization script that will validate a user, then check against the database to check what pages that user has access to.  An administrator can get to the admin page, users cannot.  Users can get to their profile page, administrators cannot (should not).
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
Sounds like you were using the Forefront TMG.
I understand that F5 are pushing their Big-IP appliance as a replacement for this, if that is the case.
The problem with developing your own will be integration with Active Directory and understanding the policies; again I'm making an assumption that is what you are using.
Essentially you want to issue a Kerberos ticket for the session.
I'm currently working with F5 to test it as a replacement for my 50+ TMGs.... it's a lot more complex a device.
Good luck.
 
sfletcher1959 (Author) commented:
Thanks for the response.  We were not using Forefront TMG, we were using another product.  Basically we would use this product to provide a user with a user ID and PW.  This ID would indicate what rights and roles the individual user had.  The product was not a MS product.  It did however use SQL as the database for user profiles.

We have several secure web applications.  If a user attempted to access our secure website, it would prompt them to log in.  Similar to logging in to any banking app or store app.

As an example if I log into my bank, it prompts me for a user ID and PW.  If correctly authenticated, it allows me to see my bank balance.

If I then capture the URL that is in my browser and pointing to my statement page and open a completely new browser, paste the URL it again prompts me to enter my ID and PW.  It knows that in that new browser session, I haven't authenticated.

Our app works the same way.  If you attempt to access our site, it will prompt you for an ID and PW.  Once authenticated you can browse any area within that site.

So the tool that we currently are running only runs in a 32 bit environment, so we have been limited to using Windows 2003 Servers.  Obviously this can't continue.  So I need another tool that will do the same thing for a 64 bit environment.

Again, this is not using MS or AD to manage these credentials.
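
The behaviour described in the posts above (a login prompt whenever a request arrives without an authenticated session, then per-role page access looked up in a SQL user table), as an added example that is not from any poster or product in this thread. The table layout, role names and path prefixes are assumptions, and an in-memory SQLite database stands in for the SQL user-profile store.

```python
import hashlib, hmac, secrets, sqlite3

# Constructed schema and sample data (assumptions, not the poster's product).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT);
CREATE TABLE acl(prefix TEXT, role TEXT);
CREATE TABLE sessions(token_hash TEXT PRIMARY KEY, name TEXT);
INSERT INTO acl VALUES ('/admin/', 'admin'), ('/profile/', 'user');
""")

def _hash_pw(password, salt):
    # Salted, slow hash so the profile table never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _hash_token(token):
    # Only a hash of the session token is stored server-side.
    return hashlib.sha256(token.encode()).hexdigest()

def add_user(name, password, role):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?,?,?,?)",
               (name, salt, _hash_pw(password, salt), role))

def login(name, password):
    """Return a fresh random session token on success, None on failure."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name=?",
                     (name,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], _hash_pw(password, row[0])):
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?,?)", (_hash_token(token), name))
    return token

def gate(path, token=None):
    """Gateway decision for one request: 'login', 'deny' or 'allow'."""
    row = None
    if token:
        row = db.execute("SELECT u.role FROM sessions s JOIN users u "
                         "ON u.name = s.name WHERE s.token_hash=?",
                         (_hash_token(token),)).fetchone()
    if row is None:
        return "login"   # e.g. URL pasted into a new browser: no session yet
    ok = db.execute("SELECT 1 FROM acl WHERE role=? AND "
                    "substr(?, 1, length(prefix)) = prefix",
                    (row[0], path)).fetchone()
    return "allow" if ok else "deny"   # default deny for unlisted paths

add_user("alice", "constructed-pw-1", "admin")   # constructed accounts
add_user("bob", "constructed-pw-2", "user")
```

In a deployment the token would travel in a cookie marked Secure and HttpOnly, and session rows would carry an expiry.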
 
Gareth Tomlinson CISSP, Network and Security Manager, commented:
OK, I can see now what you are doing.
I'm afraid I'm not a developer, which I am guessing is what you are looking for; it might be worth trying the infosec forums to see if anyone can help you there.
 
sfletcher1959 (Author) commented:
In looking at different webpages, I think what we are really looking for is called a Web Portal.  So looking for a recommendation for a security Web Portal or Web Gateway.