Co-authored by Ramkumar Panchanatham
It is important for an organization to secure its network resources and control who accesses them. As organizations grow and need to provide access to a greater number of partner users, they need to be all the more vigilant about access control. One common method that companies use for access control is IP whitelisting.
For a banking organization, security is of utmost importance. Although IP whitelisting is a strong security control, customers still look for additional security features at the application level. One such requirement could be accepting incoming connections based on their source IP address.
One simple way to handle incoming connections based on IP address is IP filtering at the Inbound Secure Proxy Netmap level, but that accepts any user sending requests from that IP address.
Consider a scenario where a partner sends files over the SFTP protocol to IBM Sterling B2B Integrator, with IBM Sterling Secure Proxy in the DMZ receiving the incoming requests once the connection gets past the firewall. The requirement is to authenticate the user and verify the incoming IP address against that user, and to accept or reject the connection accordingly. To meet this requirement, the solution in this blog uses the following IBM Sterling MFT products:
- IBM Sterling Secure Proxy (SSP)
- IBM Sterling File Gateway (SFG) / IBM Sterling B2B Integrator (B2Bi)
- IBM Sterling External Authentication Server (SEAS)
- LDAP - Active Directory
With the solution proposed below, an organization accepts an incoming connection only when both the user and the IP address the user connects from are the ones specified for that user.
LDAP User Configuration
Create an LDAP entry for the partner user who will connect over SFTP to send files, with the following attributes:
- uid - the field that contains the technical user's username
- userPassword - the field that contains the password
- registeredAddress - the field that contains the IP address the user connects from
SEAS Authentication Definition Configuration
Create an Authentication Definition in SEAS by providing:
- Authentication Name
- LDAP details in the Authentication Profile (Protocol, Host, Port and LDAP Principal)
- LDAP Attribute Query Definition Properties
- Select the globally defined connection option and choose the LDAP Profile created above
- Select the "Specify query parameters" option in the Query Specification section
- In the Query Parameters section, provide the Base DN and the Return Attributes (DN and IP Address)
- For the match attributes, make the following entries:
- Save your configuration
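To make the control concrete, here is an added Python example (not code from this page, from IBM, or from the Sterling products) that models the decision the LDAP entry and the SEAS attribute query together implement: look the user up by uid under the Base DN, verify the password, and accept the connection only if the source IP matches the entry's registeredAddress. The LDIF entries, DNs, passwords, salt and addresses are constructed for the example; the example also lets registeredAddress hold a CIDR block, which goes beyond the single IP address the page describes. In the real deployment SSP hands the credentials to SEAS, which performs the LDAP bind and query against the directory; this script only reproduces the accept/reject logic locally against an in-memory directory.

```python
import base64
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]


def ssha_hash(password: str, salt: bytes) -> str:
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False  # unknown scheme: fail closed rather than guess
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes long
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value' lines,
    repeated attributes collected into a list, keyed by DN. Base64 ('::')
    values and folded continuation lines are not handled."""
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def find_user(directory: Dict[str, Entry], base_dn: str, uid: str) -> Optional[Tuple[str, Entry]]:
    """Emulate the SEAS attribute query: find the entry under base_dn whose uid matches."""
    for dn, attrs in directory.items():
        if dn.lower().endswith(base_dn.lower()) and attrs.get("uid") == [uid]:
            return dn, attrs
    return None


def authorize(directory: Dict[str, Entry], base_dn: str, uid: str,
              password: str, source_ip: str) -> Tuple[bool, str]:
    """Accept only if the user exists, the password verifies, and the source IP
    falls within one of the entry's registeredAddress values (IP or CIDR)."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, f"malformed source address {source_ip!r}"
    hit = find_user(directory, base_dn, uid)
    if hit is None:
        return False, f"unknown user {uid!r}"
    dn, attrs = hit
    stored = attrs.get("userPassword", [])
    if not stored or not ssha_verify(password, stored[0]):
        return False, f"password verification failed for {dn}"
    allowed = attrs.get("registeredAddress", [])
    if not allowed:
        return False, f"{dn} has no registeredAddress; rejecting (fail closed)"
    for value in allowed:
        try:
            if ip in ipaddress.ip_network(value, strict=False):
                return True, f"accepted {dn} from {source_ip}"
        except ValueError:
            continue  # an unparseable directory value never grants access
    return False, f"{source_ip} not in registeredAddress {allowed} for {dn}"


# Constructed directory content (hypothetical partners; fixed salt keeps it deterministic).
SALT = b"\x9a\x1f\x33\x07"
PARTNER_LDIF = f"""dn: uid=partner01,ou=partners,dc=example,dc=com
objectClass: inetOrgPerson
uid: partner01
cn: Partner One
userPassword: {ssha_hash('s3cret-example', SALT)}
registeredAddress: 203.0.113.10

dn: uid=partner02,ou=partners,dc=example,dc=com
objectClass: inetOrgPerson
uid: partner02
cn: Partner Two
userPassword: {ssha_hash('other-example', SALT)}
registeredAddress: 198.51.100.0/24
registeredAddress: 203.0.113.20

dn: uid=partner03,ou=partners,dc=example,dc=com
objectClass: inetOrgPerson
uid: partner03
cn: Partner Three
userPassword: {ssha_hash('third-example', SALT)}
"""
BASE_DN = "ou=partners,dc=example,dc=com"
DIRECTORY = parse_ldif(PARTNER_LDIF)

if __name__ == "__main__":
    # Constructed connection attempts: (uid, password, source IP)
    for uid, pw, ip in [("partner01", "s3cret-example", "203.0.113.10"),
                        ("partner01", "s3cret-example", "203.0.113.11"),
                        ("partner02", "other-example", "198.51.100.77"),
                        ("partner03", "third-example", "203.0.113.10")]:
        ok, reason = authorize(DIRECTORY, BASE_DN, uid, pw, ip)
        print("ACCEPT" if ok else "REJECT", reason)
```

Note that partner03 has no registeredAddress at all and is rejected even with the right password: an entry that lacks the attribute the policy depends on should fail closed, otherwise a provisioning mistake silently turns the user-plus-IP check back into a password-only check.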