For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Authorization is the New Black for Infosec

Authentication is not enough. Authorization is a must for all integrated services – whether infrastructure components, applications, or management frameworks. If you’ve gone through the proce...
Published Oct 20, 2010
Version 1.0
applications
architecture
availability
cloud
design
dev
devops
dynamic infrastructure
iControl
infrastructure
Lori_MacVittie1's avatar
Lori_MacVittie1
Icon for Nimbostratus rankNimbostratus
Oct 21, 2010
Juan,

 

 

Can you expand APM? Do you mean F5 BIG-IP Access Policy Manager or some other solution?

 

 

And by F5 do you mean APM or ASM (Application Security Manager) or just plain old BIG-IP LTM? And are you wondering about authorization for F5 devices or for web applications? The latter we can do in a number of ways - applying context-aware policies to URIs can be accomplished by APM, ASM, and LTM + iRules) and for internal resources, FirePass can play along.

 

 

For the former we'd use the same tools (ASM, APM, or LTM+iRules) to constrain access to iControl by examining the SOAP envelope and headers to find out what API call is being made and then applying the proper authorization policies.

 

 

Lori