So I have always loved Application Delivery Controller (ADC) traffic scripting capabilities. My discovery of ADCs fundamentally changed the way that I architected data centres. This is even more evident when you have the inevitable requirement to protect a Common Off The Shelf (COTS) application. Often with COTS apps, code changes are not possible and you are at the application vendor's mercy to implement changes to their product for you. I have seen many instances where the client had a usage requirement that, while valid for their use case, was not a use case the vendor wanted to support for a variety of reasons.
What this leads to is a situation where critical applications can be held up from being released because the deployment does not meet the customer's security requirements for things like cookie handling. I have seen this hold up multi-million dollar Virtual Desktop Infrastructure (VDI) deployments as well as cripple ERM / ERP systems, where the inability to provide controls around cookie-based SSO rendered the system open to abuse.
A common method I have invoked in these use cases is the concept of tagging a cookie before it is sent to a browser so that we can ensure it has come back from the same place we issued it to: essentially, we can "LoJack" the cookies that have been issued by the server to prevent their misuse.
The basic concept is that for a given cookie that the server relies on to ensure a user is authenticated, we will do the following:
- Intercept the cookie as it is issued from the server;
- Concatenate the original cookie with the client's IP address;
- Encrypt the new IP/Cookie; then
- Send it on to the customer.
What this allows for is a check on the cookies submitted by a client. For any given HTTP request, we will do the following:
- Intercept the cookies sent by the browser;
- Find and decrypt the tagged cookie;
- Check that the IP address embedded in the encrypted cookie matches the IP address the cookie has just been sent from; and
- Either forward the request with the original "good" cookie if the IP address matches - or - strip the submitted cookie if the IP address does not match.
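As an added illustration of the two lists above (this is not the TrafficScript from the original post), the response-side tagging and request-side checking in Python using only the standard library; the key, the cookie name `JSESSIONID`, the encrypt-then-MAC construction and the sample IP addresses are constructed assumptions for the example.

```python
import base64, hashlib, hmac, os
from typing import Optional

# Constructed demo key; on a real ADC this would come from the device's secret store.
KEY = b"constructed-demo-key-do-not-reuse-in-production"
SESSION_COOKIE = "JSESSIONID"  # assumed name of the cookie the server relies on for auth

def _subkeys(key: bytes):
    # Separate keys for the keystream and for the MAC (encrypt-then-MAC).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode used as a keystream generator (stdlib only).
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def tag_cookie(value: str, client_ip: str, key: bytes = KEY) -> str:
    """Response side: concatenate client IP and cookie, encrypt, then authenticate."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = _xor_stream(enc_key, nonce, f"{client_ip}|{value}".encode())
    mac = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + mac).decode()

def untag_cookie(tagged: str, client_ip: str, key: bytes = KEY) -> Optional[str]:
    """Request side: return the original cookie, or None if the tag is forged or the IP differs."""
    enc_key, mac_key = _subkeys(key)
    try:
        blob = base64.urlsafe_b64decode(tagged.encode())
    except ValueError:
        return None
    if len(blob) < 12 + 16:
        return None
    nonce, ct, mac = blob[:12], blob[12:-16], blob[-16:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None  # tampered or not ours: never decrypt an unauthenticated blob
    ip, sep, original = _xor_stream(enc_key, nonce, ct).decode(errors="replace").partition("|")
    return original if sep and ip == client_ip else None

def filter_request_cookies(cookie_header: str, client_ip: str, key: bytes = KEY) -> str:
    """Rewrite the Cookie header: swap a valid tagged cookie for the original, strip an invalid one."""
    kept = []
    for part in filter(None, (p.strip() for p in cookie_header.split(";"))):
        name, _, val = part.partition("=")
        if name != SESSION_COOKIE:
            kept.append(part)
            continue
        original = untag_cookie(val, client_ip, key)
        if original is not None:
            kept.append(f"{name}={original}")
        # otherwise the cookie is dropped and the backend sees an unauthenticated request
    return "; ".join(kept)
```

A stolen tagged cookie replayed from a different source address fails the IP comparison and is stripped before the request reaches the server.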
While this solution is not perfect for every situation - large proxy farms that do not provide client persistence might trip it up, for example - it is a crystal clear demonstration of where the ADC can again save the day...
The Traffic Script is available from the Code Samples section of the Riverbed Communities site on the link below: