Forum Discussion

didros
Sep 11, 2020

User authentication for non-http traffic

Hello,

I’m an IAM architect, not a BigIP expert, and I’m wondering whether BigIP LTM/APM has the capabilities to support the use case described below.

It’s about a non-HTTP protocol, more precisely the DICOM protocol. So all the nice token-based solutions and stateless security enforcement that I'm used to with HTTP do not work here.


We want to control network access between DICOM client applications running on workstations (managed Windows 10 machines running the Edge Client) and the DICOM servers. Access control should be based on both workstation security controls (authentication, security posture) and end-user authentication. If successful, network access should be allowed. Whether user authentication has to happen upfront, before starting the DICOM client, or just in time when the TCP connection is initiated is interesting to know, as well as the user experience. User authentication is to be integrated with an IdP, based on standard federation protocols (OIDC or SAML). Once traffic is allowed, the security session must be monitored and closed in case of inactivity or client application termination / logout.


Thanks for reading so far!

Any feedback, ideas, clue on how to achieve that if possible will be appreciated.

3 Replies

  • For non-HTTP protocols like DICOM, you might consider using a combination of BIG-IP APM’s capabilities for network access control, such as establishing a VPN tunnel and applying access policies based on user authentication and device posture. BIG-IP APM can integrate with Identity Providers (IdPs) using standard federation protocols like SAML, which could align with your requirement for end-user authentication. Regarding the user experience and the timing of authentication, BIG-IP APM allows for pre-authentication before application start or just-in-time authentication when a TCP connection is initiated. This flexibility can help you design a solution that meets your specific needs for user interaction and security enforcement.

  • You’re absolutely right. BIG-IP Access Policy Manager (APM) offers a robust set of features for secure network access control, especially for non-HTTP protocols like DICOM. Its ability to establish VPN tunnels and enforce access policies based on user authentication and device posture is particularly useful. Integration with Identity Providers using SAML is a standard approach for ensuring that end-users are authenticated in a secure and consistent manner. The flexibility of BIG-IP APM in terms of authentication timing—whether it’s pre-authentication or just-in-time authentication—allows for a tailored user experience that can meet various security requirements. This adaptability is key in designing a network access solution that not only secures the infrastructure but also provides a seamless experience for the end-users. Remember to always keep security best practices in mind and regularly review your access policies to ensure they align with the latest security standards and organizational needs.
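The access decision the original post asks for and the replies sketch (device posture plus IdP-authenticated user, checked either up front or when the DICOM TCP connection is initiated, then closed on inactivity or logout) can be written down as a small session state machine. This is an added illustration of that policy logic, not BIG-IP APM code or anything from this thread; the class and method names, the per-workstation session key and the 600-second idle limit are assumptions.

```python
"""Model of the DICOM access policy discussed above (illustration only).

A connection from a workstation is allowed only while the workstation passed its
posture check, the user holds an IdP-authenticated session, and that session has
neither gone idle nor been closed by logout / client termination.
"""
from dataclasses import dataclass

IDLE_TIMEOUT_S = 600  # assumed inactivity limit in seconds


@dataclass
class Session:
    user: str
    workstation: str
    last_activity: float  # monotonic seconds of the last allowed traffic
    active: bool = True


class AccessController:
    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S):
        self.idle_timeout = idle_timeout
        self.sessions: dict[str, Session] = {}  # keyed by workstation id

    def login(self, user, workstation, idp_auth_ok, posture_ok, now) -> bool:
        """Pre-authentication step: both the IdP assertion (SAML/OIDC) and
        the device posture check must pass before any session exists."""
        if not (idp_auth_ok and posture_ok):
            return False
        self.sessions[workstation] = Session(user, workstation, now)
        return True

    def allow_connection(self, workstation, now) -> bool:
        """Just-in-time check when a DICOM TCP connection is initiated.
        Enforces the idle timeout and refreshes the activity timestamp."""
        s = self.sessions.get(workstation)
        if s is None or not s.active:
            return False
        if now - s.last_activity > self.idle_timeout:
            s.active = False  # inactivity: session is closed, not just denied
            return False
        s.last_activity = now
        return True

    def logout(self, workstation) -> None:
        """Client logout or termination closes the session immediately."""
        s = self.sessions.get(workstation)
        if s is not None:
            s.active = False
```

After an idle expiry or logout the workstation has to go through login again; a later connection attempt does not revive the old session.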