Hi, I was watching a demo video on how to protect applications via WebSEAL at https://www.securitylearningacademy.com/course/view.php?id=2694 and I was able to follow the demo. My question is about how to prevent direct access to the application. For example, testuserB can directly access IBM.com without going through ISVA/WebSEAL.
I know the demo was using a publicly accessible site, but is there a demo or steps to protect an internal application in a similar way, where you can only access the application via WebSEAL/ISVA and any direct access results in first authenticating with ISVA? I'm really curious to understand how we can put an internal application behind the reverse proxy and prevent direct access to it, so that any access is via the reverse proxy after authenticating with ISVA.
The answer to your question really comes down to the environment itself. In some environments you can add a firewall or routing rule to prevent network access from any other machine but WebSEAL. In other environments you would need to configure the application Web server itself to prevent access from any host other than WebSEAL. The other option is to require authentication to access the application Web server and use one of the single-sign-on capabilities of WebSEAL to authenticate to the application Web server.
I hope that this helps.
Scott A. Exton Senior Software Engineer Chief Programmer - IBM Security Verify Access IBM Master Inventor
Thank you Scott, by SSO in the third item are you talking about OIDC/SAML?
By SSO I am referring to the ability of WebSEAL to authenticate to a junctioned server. There are many different ways that it can do this, for example: LTPA cookie, JWT, BA header, forms single sign on.
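As an added illustration of the third option above (the application Web server itself requiring authentication and the reverse proxy satisfying it through junction SSO), the following is example code written for this thread, not WebSEAL's or IBM's code. It assumes the proxy forwards an HS256 JWT in the Authorization header and that the application shares the signing secret with the proxy; a request that arrives without a valid, unexpired token is treated as direct access and rejected. The token-minting helper exists only to construct test input.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; in practice the proxy and the
# application would share it out of band (an assumption, not from the thread).
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_proxy_jwt(subject: str, secret: bytes = SHARED_SECRET, ttl: int = 300, now=None) -> str:
    """Mint an HS256 JWT the way a proxy might; used here only to build test input."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authenticated_user(headers: dict, secret: bytes = SHARED_SECRET, now=None):
    """Return the subject of a valid proxy-issued token, or None when the request
    did not come through the proxy (token missing, tampered, wrong alg or expired)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None  # direct access: no proxy-issued token present
    try:
        h, p, s = auth[len("Bearer "):].split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm other than the agreed one
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature does not match: tampered or not from the proxy
        claims = json.loads(_b64url_decode(p))
        now = int(time.time()) if now is None else now
        if claims.get("exp", 0) <= now:
            return None  # expired token must not grant access
        return claims.get("sub")
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token is treated the same as no token
```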