Optimised Access Control

Web & API Access with Nevis

What is Web/API Access?

Making sure that the right people have access to the right resources is the core of web and API access management. Web and API access security centralises access control in a universal security layer for all web-based and mobile apps, including APIs and web services.

How Does Web/API Access With Nevis Work?

A comprehensive set of APIs enables smooth integration into any existing CI/CD (Continuous Integration and Continuous Delivery) pipeline to automate deployment.

Secure Access Gateway

An access gateway provides secure access tailored to specific requirements by using a differentiated approach to user authentication and authorisation. It controls and limits user access to specific applications and individual resources centrally, based on the user’s authentication, authorisation and context. Centralised authorisation allows access controls to be created at application level.

Identity and Context-Aware Proxy is the Nevis concept that allows customers to connect seamlessly and enables authentication and highly differentiated authorisation for web applications, web services and APIs.

Filtering and Blocking

Attacks such as XSS, CSRF, injection attacks or session-stealing attempts have been at the very top of the OWASP Top 10 list for years. Strict filtering and blocking of all data traffic prevents these types of attacks now and in the future. Attacks rarely conform to standards or follow recognisable and familiar patterns. A powerful filtering and blocking engine can prevent many of these common attacks.

Powerful Request Filtering

  • Safeguard service quality by blocking troublesome clients that restrict your services.
  • Define restrictions to reduce DoS attacks.
  • Validations at HTTP protocol level.
  • Header and request-parameter filtering.
  • Filter and validate requests with structured formats such as JSON, SOAP calls and XML.

Dynamic Filtering

All protection functions can be dynamically forced or bypassed based on rules such as:

  • Source and IP geolocation
  • Scenario-specific

Advanced Filtering

  • Malware filtering integration (ICAP): forwarding incoming requests via ICAP.
  • ModSecurity integration: use the flexibility of ModSecurity to protect your web applications.
  • Script creation with Lua: use a secure programming environment to implement scenario-specific protective measures or checks.

Load Balancing and Reverse Proxying

Reverse proxy servers and load balancers are components in a client-server computing architecture. Both act as intermediaries in communication between the clients and servers and execute functions to boost efficiency. Although they can be implemented as dedicated, specially developed devices, modern web architectures increasingly use them as software applications that are executed on commercial hardware.

Differences:

  • A reverse proxy accepts a request from a client, forwards it to a server that can fulfil it and returns the response from the server to the client.
  • A load balancer distributes incoming client requests to a group of servers and returns the response from the selected server to the relevant client.

Load balancers are most often used if a website needs multiple servers because the volume of requests is too high to be efficiently processed by a single server. The deployment of multiple servers also eliminates a single point of failure, making the website more reliable.

Although it only makes sense to deploy a load balancer if you have several servers, it can often be useful to deploy a reverse proxy with just one web server or application server as this provides greater security, scalability and flexibility.

Policy Enforcement Point (PEP)

A policy enforcement point (PEP) is responsible for receiving authorisation requests that are sent to the policy decision point (PDP) for evaluation. A PEP can be installed anywhere in an application where data and resources require protection or where authorisation logic is applied. A PEP is only responsible for requesting and evaluating an authorisation decision and does not require any authorisation logic of its own.
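The PEP/PDP split described above, as an added sketch that is not Nevis code: `AuthzRequest`, `role_pdp`, `pep_handle` and the sample policy are hypothetical names, and the PDP is an in-process function standing in for a remote decision service. The PEP treats anything other than an explicit permit, including a PDP failure, as a denial.

```python
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class AuthzRequest:
    subject: str             # authenticated user id
    roles: Tuple[str, ...]   # roles established at authentication time
    action: str              # HTTP method
    resource: str            # request path, assumed already normalised
    source_ip: str           # context attribute available to the PDP


# Constructed sample policy held by the PDP only: (role, action, path prefix).
POLICY = [
    ("customer", "GET", "/api/accounts/"),
    ("admin", "GET", "/api/"),
    ("admin", "DELETE", "/api/accounts/"),
]


def role_pdp(req: AuthzRequest) -> str:
    """PDP: the only place where authorisation rules are evaluated."""
    for role, action, prefix in POLICY:
        if (role in req.roles and action == req.action
                and req.resource.startswith(prefix)):
            return "Permit"
    return "Deny"


def pep_handle(req: AuthzRequest,
               pdp: Callable[[AuthzRequest], str],
               upstream: Callable[[AuthzRequest], str]) -> Tuple[int, str]:
    """PEP: asks the PDP and enforces the answer; holds no policy itself."""
    try:
        decision = pdp(req)
    except Exception:
        decision = "Deny"    # PDP unreachable or faulty: fail closed
    if decision != "Permit":  # unknown or indeterminate answers are denied too
        return 403, "forbidden"
    return 200, upstream(req)  # only permitted requests reach the backend
```
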

Do You Have Questions About Customer Identity and Access Management?

We’re here to help – with personal consultations, reliable support and smart solutions. We would be happy to show you the advantages of the Identity Suite from Nevis in detail.

Advantages of Web & API Access

More Security

Centralised administration of access guidelines for your end users so that you can configure and customise security settings at one location. Drive profits everywhere – and expand the identity and access control on your web apps and APIs.

Easier Integration

Simple integration into your existing web applications and APIs without code or architecture changes.

Greater Flexibility

Reduce your maintenance and operating costs with a flexible security and access gateway that you can use to secure your legacy applications, hybrid applications, web apps, mobile apps and APIs.

Reducing IT Costs

The fewer passwords in circulation, the less time your IT helpdesk must spend dealing with password problems. This will save you more time and money than you might have thought possible.