Internet Security

Posted on 2014-08-05
Last Modified: 2014-09-09
We have a security product that authenticates our users and allows access to our website within the rights presented by our web application.  This product has protected virtual folders on our web servers and unless the individual has the right to access our web application it prevents them from accessing our site.

I will try this one more time before I give up on this.  I have asked it two times and each time it somehow got put into the community forum and the administrator killed it.  Don't think I like the new format too well.  At any rate, here is my question again.

Our application security then only provides the user with access that the application indicates they can have.  So the first tool is a security gateway.

This product is no longer supported and we would like to develop an internal product that essentially will do the same thing.  Validate the user has rights to our website and then pass the user to our application.

I am finding it difficult to identify a product that will do this or the ability to utilize a Microsoft product to do this.

Does anyone know a tool to do this or is available for hire to help with this project?
Question by:sfletcher1959

    Accepted Solution

    My response to the initial question was this -- you're looking at access control, which can be tied to a database of users, and a programmer can make an authorization script that will validate a user, then check against the database to check what pages that user has access to.  An administrator can get to the admin page, users cannot.  Users can get to their profile page, administrators cannot (should not).

    Assisted Solution

    by:Gareth Tomlinson CISSP
    Sounds like you were using the Forefront TMG.
    I understand that F5 are pushing their Big-IP appliance as a replacement for this, if that is the case.
    The problem with developing your own will be integration with Active Directory and understanding the policies; again I'm making an assumption that is what you are using.
    Essentially you want to issue a Kerberos ticket for the session.
    I'm currently working with F5 to test it as a replacement for my 50+ TMGs.... it's a lot more complex a device.
    Good luck.

    Author Comment

    Thanks for the response.  We were not using Forefront TMG, we were using another product.  Basically we would use this product to provide a user with a user ID and PW.  This ID would indicate what rights and roles the individual user had.  The product was not a MS product.  It did however use SQL as the database for user profiles.

    We have several secure web applications.  If a user attempted to access our secure website, it would prompt them to log in.  Similar to logging in to any banking app or store app.

    As an example if I log into my bank, it prompts me for a user ID and PW.  If correctly authenticated, it allows me to see my bank balance.

    If I then capture the URL that is in my browser and pointing to my statement page and open a completely new browser, paste the URL it again prompts me to enter my ID and PW.  It knows that in that new browser session, I haven't authenticated.

    Our app works the same way.  If you attempt to access our site, it will prompt you for an ID and PW.  Once authenticated you can browse any area within that site.

    So the tool that we currently are running only runs in a 32 bit environment, so we have been limited to using Windows 2003 Servers.  Obviously this can't continue.  So I need another tool that will do the same thing for a 64 bit environment.

    Again, this is not using MS or AD to manage these credentials.

    Expert Comment

    by:Gareth Tomlinson CISSP
    OK, I can see now what you are doing.
    I'm afraid I'm not a developer, which I am guessing is what you are looking for; it might be worth trying the infosec forums to see if anyone can help you there.

    Author Comment

    In looking at different webpages, I think what we are really looking for is called a Web Portal.  So looking for a recommendation for a security Web Portal or Web Gateway.
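
The access check outlined in the accepted solution, combined with the per-browser login prompt the author describes, as an added example that is not part of the original thread or of any product named in it. The table layout, function names and the 900-second session lifetime are assumptions; SQLite stands in for the SQL profile database.

```python
import hashlib, hmac, secrets, sqlite3, time

SESSION_TTL = 900  # seconds; constructed value for this example

def open_store():
    db = sqlite3.connect(":memory:")  # stands in for the SQL profile database
    db.executescript("""
        CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT);
        CREATE TABLE acl(prefix TEXT, role TEXT);
        CREATE TABLE sessions(token_hash TEXT PRIMARY KEY, name TEXT, expires REAL);
    """)
    return db

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(db, name, password, role):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?,?,?,?)",
               (name, salt, _pw_hash(password, salt), role))

def login(db, name, password, now=None):
    """Return a new session token, or None if the credentials are wrong."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name=?", (name,)).fetchone()
    salt, stored = row if row else (bytes(16), b"")  # hash anyway for unknown names
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)  # random value, sent to the browser as a cookie
    expires = (time.time() if now is None else now) + SESSION_TTL
    db.execute("INSERT INTO sessions VALUES (?,?,?)",  # only the token's hash is stored
               (hashlib.sha256(token.encode()).hexdigest(), name, expires))
    return token

def authorize(db, token, path, now=None):
    """Gateway decision for one request: 'login', 'forbidden' or 'allow'."""
    now = time.time() if now is None else now
    if not token:
        return "login"  # new browser with a pasted URL: no session cookie
    row = db.execute(
        "SELECT u.role FROM sessions s JOIN users u ON u.name = s.name "
        "WHERE s.token_hash = ? AND s.expires > ?",
        (hashlib.sha256(token.encode()).hexdigest(), now)).fetchone()
    if row is None:
        return "login"  # unknown or expired session
    prefixes = [p for (p,) in db.execute("SELECT prefix FROM acl WHERE role=?", row)]
    # path is assumed to be already normalised by the web server (no ../ segments)
    return "allow" if any(path.startswith(p) for p in prefixes) else "forbidden"
```

Rows in `acl` map a role to a folder prefix ending in `/`, for instance `('/admin/', 'admin')` and `('/profile/', 'user')`, so that `/admin/` does not also match `/administrator`.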
