Quick Start
This part presents a basic scenario of "inline with load balancer" application hardening. The application being hardened is irrelevant; what matters is that out of the box it accepts only a username and password. We will use Secfense Broker to harden it with FIDO2-compliant multi-factor authentication.
The network part is already configured, and Secfense Broker is placed behind the load balancer, as in the following scenario:
Navigate to the application to verify that the network works properly. If the application is proxied by Secfense Broker but no application representation is configured yet, you should see a white page with the Secfense logo instead of your usual application view.
In order to configure an Application Representation in Secfense Broker you will need the following information:
- Domain name of the application – the application needs its own domain name; an IP address will not suffice.
- Default upstream URL – for an inline configuration this is the IP address of the application server(s).
- Inbound port – TCP port on which Secfense Broker listens for the traffic (usually 443 or 80), along with whether the traffic is encrypted. If the application is supposed to use a non-standard port, this procedure needs to be employed.
- Outbound port – TCP port on which Secfense Broker sends the traffic to the backend, along with whether the traffic is encrypted.
- Proxy Network – in a load balancer scenario this is the source IP of the packets leaving the load balancer (its outbound interface). It can also be added as a network with a CIDR mask.
To add a new application in Secfense Broker, go to Applications and click "Create new application". Input the following data:
- Name – a name of your choice that uniquely describes the application
- Domain name – the exact domain name, without protocol declaration or URI
- Upstream URL – IP of the server to which Secfense Broker sends the traffic. If DNS is present in the network you can click "resolve" to auto-fill this field (make sure a proper DNS record exists)
For a standard setup this configuration suffices. If you are aware of any non-standard ports, encryption, or other features that might influence the traffic, please refer to the detailed configuration guide.
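The three bullet lists above spell out what a well-formed representation looks like: a bare host name (no scheme, no path, not an IP literal), an upstream given as an IP address, TCP ports with their encryption flag, and a proxy network given as a single address or a CIDR. The following pre-flight check is an added example, not Secfense's own code or API; the `AppRepresentation` dataclass, the `validate()` function and the sample values are assumptions made for this illustration. It flags the mistakes the guide warns about (protocol or URI pasted into the domain field, an IP used as the domain, a non-standard inbound port) before they are typed into the GUI.

```python
"""Pre-flight check for the fields an application representation needs.

Added illustration, not Secfense Broker code: the field names and checks
mirror the quick start (domain without protocol or URI, upstream as an IP,
inbound/outbound TCP ports, proxy network as an address or CIDR). The
dataclass and validate() are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# One DNS label: letters, digits, hyphens; not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class AppRepresentation:
    name: str
    domain: str                 # exact domain name, no scheme, no path
    upstream: str               # IP address of the application server
    inbound_port: int = 443
    inbound_tls: bool = True
    outbound_port: int = 443
    outbound_tls: bool = True
    proxy_networks: List[str] = field(default_factory=list)  # LB source IPs or CIDRs


def _check_domain(domain: str, findings: List[str]) -> None:
    if "://" in domain:
        findings.append("domain: remove the protocol declaration (e.g. https://)")
        domain = domain.split("://", 1)[1]
    if "/" in domain or "?" in domain:
        findings.append("domain: remove the URI part; only the host name is expected")
        domain = re.split(r"[/?]", domain, 1)[0]
    # The guide requires a name; an address literal is rejected outright.
    try:
        ipaddress.ip_address(domain)
        findings.append("domain: an IP address will not suffice, use a domain name")
        return
    except ValueError:
        pass
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        findings.append(f"domain: {domain!r} is not a valid host name")


def _check_port(label: str, port: int, findings: List[str]) -> None:
    if not 1 <= port <= 65535:
        findings.append(f"{label}: port {port} is outside 1-65535")


def validate(app: AppRepresentation) -> List[str]:
    """Return findings ('error' or 'warning' prefixed); an empty list means all clear."""
    findings: List[str] = []
    if not app.name.strip():
        findings.append("error name: must not be empty")
    domain_findings: List[str] = []
    _check_domain(app.domain, domain_findings)
    findings.extend("error " + f for f in domain_findings)
    try:
        ipaddress.ip_address(app.upstream)
    except ValueError:
        findings.append(f"error upstream: {app.upstream!r} is not an IP address")
    port_findings: List[str] = []
    _check_port("inbound", app.inbound_port, port_findings)
    _check_port("outbound", app.outbound_port, port_findings)
    findings.extend("error " + f for f in port_findings)
    if app.inbound_port not in (80, 443):
        findings.append(f"warning inbound: non-standard port {app.inbound_port}, "
                        "follow the non-standard port procedure")
    if app.inbound_tls and app.inbound_port == 80:
        findings.append("warning inbound: port 80 is marked as encrypted, check the TLS flag")
    for net in app.proxy_networks:
        try:
            ipaddress.ip_network(net, strict=False)   # accepts a bare IP or a CIDR
        except ValueError:
            findings.append(f"error proxy network: {net!r} is neither an IP nor a CIDR")
    return findings


if __name__ == "__main__":
    # Constructed sample: a representation with the typical copy-paste mistakes.
    sample = AppRepresentation(name="Intranet", domain="https://intranet.example.com/login",
                               upstream="10.0.0.10", inbound_port=8443,
                               proxy_networks=["10.0.1.5", "10.0.2.0/24"])
    for line in validate(sample):
        print(line)
```

Findings prefixed `error` correspond to things the GUI cannot accept as described above; `warning` entries are the cases the guide sends you to the detailed configuration instead.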
The representation of your application will appear in the list of applications. At this point Secfense Broker is aware of the application and intercepts traffic to it, but since it has no instructions on how to handle authentication it does not alter the traffic in any way and acts as a simple reverse proxy. Navigate to the protected application to verify that. Nothing out of the ordinary should appear – let's change that.
Once you click the representation of the application you can verify the Basic settings and proceed with the configuration. For the purpose of this presentation we will stick to the basics.
In the "2nd factor" section, enable the options that fit your scope. We will use FIDO2/WebAuthn and SF Authenticator. If those are not an option, TOTP codes are always a safe bet, as they use an open standard that needs no further configuration. We leave the user enrollment policy as "Soft". More on enrollment policies can be read here.
Now for the most important part. Secfense Broker employs a learning engine that allows for automated configuration of most web-based applications (the rare cases where automation is not enough are covered later in this guide). To start the learning process, set the Learning Mode option to on and refresh the browser window/tab with the protected application.
Once you see the "Secfense learning mode" bar at the bottom of the screen you can be sure the configuration you have made so far is correct, and Secfense Broker is ready to learn the login patterns of the application.
To complete the learning process we use a fake "probe" user. By default it is inituser, but it can be changed in the advanced settings (for example, when form validation is employed on the login page and the username must be in email format). Use this username and a random string as the password and try to log in to the application. Obviously the attempt will not succeed, but it provides valuable information to the Secfense Broker engine.
Go back to the Secfense Broker GUI and click Refresh in the "Authentication patterns" section. A pattern candidate, represented by its Path and Request type, should appear.
Click "Apply" to enable this pattern and turn the Learning mode off.
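The probe login works because the attempt leaves a distinctive marker in exactly one kind of request: the one that carries the probe user name as a form or JSON value, which is the request a login flow submits credentials with. The snippet below is an added example of that idea, not Secfense's learning engine or any of its code: the `Request` class, `find_pattern_candidates()` and the traffic in `SAMPLE_TRAFFIC` are all constructed for this illustration. It reports the Path and Request type of every request in which a parameter value equals the probe user, collapses retries of the same pattern, and ignores requests that merely have the string somewhere in the path. It also handles form-encoded and JSON bodies and a custom probe name such as an e-mail address, which is the case the guide mentions for forms with validation.

```python
"""How a probe login reveals the authentication pattern (Path, Request type).

Added illustration, not Secfense Broker code: the Request class, the
candidate search and SAMPLE_TRAFFIC are constructed for this example.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    target: str                            # request target as sent, may carry a query string
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def _field_values(req: Request) -> List[str]:
    """Every parameter value the request carries: query string, form fields, JSON strings."""
    values: List[str] = []
    for vals in parse_qs(urlsplit(req.target).query).values():
        values.extend(vals)
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        for vals in parse_qs(req.body).values():
            values.extend(vals)
    elif ctype == "application/json":
        try:
            doc = json.loads(req.body)
        except ValueError:
            return values
        stack = [doc]                      # walk nested objects/arrays for string leaves
        while stack:
            node = stack.pop()
            if isinstance(node, dict):
                stack.extend(node.values())
            elif isinstance(node, list):
                stack.extend(node)
            elif isinstance(node, str):
                values.append(node)
    return values


def find_pattern_candidates(requests: List[Request],
                            probe_user: str = "inituser") -> List[Tuple[str, str]]:
    """Return (path, method) pairs of requests that submitted the probe user as a value.

    Matching is on parameter values only, so a static asset whose path happens
    to contain the string is not a candidate. Duplicates (a retried login) are
    collapsed; order of first appearance is kept.
    """
    seen: List[Tuple[str, str]] = []
    for req in requests:
        if any(v == probe_user for v in _field_values(req)):
            candidate = (urlsplit(req.target).path, req.method.upper())
            if candidate not in seen:
                seen.append(candidate)
    return seen


# Constructed traffic: roughly what a browser sends while the probe user tries to log in.
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_TRAFFIC = [
    Request("GET", "/login"),
    Request("GET", "/static/inituser-banner.png"),                 # name only in the path: ignored
    Request("POST", "/login", FORM, "username=inituser&password=Zq7%21random&csrf=abc"),
    Request("POST", "/login", FORM, "username=inituser&password=other"),  # retry, same pattern
    Request("POST", "/api/telemetry", {"Content-Type": "application/json"},
            '{"event": "login_failed"}'),
    Request("GET", "/login?error=1"),
]

if __name__ == "__main__":
    for path, method in find_pattern_candidates(SAMPLE_TRAFFIC):
        print(f"Path: {path}  Request type: {method}")
```

Run stand-alone it prints a single candidate, `Path: /login  Request type: POST`, which is the shape of the entry the "Authentication patterns" section shows you before you click "Apply".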
Once everything is done and the pattern is applied, the section should look like this:
After these steps the application is protected by Secfense User Authentication Broker, and the next time you log in to it you will be asked to enroll in MFA: