Symantec Access Management

  • 1.  How does CA SiteMinder address security concerns?

    Posted Jun 17, 2015 08:41 AM

    Hi,

    Wanted to know how CA SiteMinder R12.52 addresses the security concerns below.

    (1) Man in the Middle

    (2) SQL Injection

    (3) Session Hijacking

    (4) Session fixation

    (5) Cross-site request forgery (CSRF)

    Thanks,

    JK



  • 2.  Re: How does CA SiteMinder address security concerns?
    Best Answer

    Posted Jun 17, 2015 08:05 PM

    (1) Man in the Middle

    A VPN and/or SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection to the application is recommended to encrypt traffic and stop man-in-the-middle attacks.

    Use the following Web Agent settings as needed:

    - UseSecureCookie

    - UseSecureCPCookies


    (2) SQL Injection

    The following doc has detailed information on how to prevent various CSS attacks, including SQL injection:

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/1525270.html

    The following ACO settings are of particular interest:

    - BadCSSChars

    - BadQueryChars

    - BadUrlChars

    - BadFormChars


    (3) Session Hijacking & (4) Session Fixation

    The best solution to prevent this is using the new Session Assurance feature.

    A demo can be found below:

    https://www.youtube.com/watch?v=S0Atd_JFML0


    (5) Cross-site Request Forgery (CSRF)

    Cross-Site Request Forgery (CSRF) attacks can be prevented by using the following Web Agent ACO parameters:

    ValidTargetDomain - Web Agents can help protect from phishing attempts that could redirect users to a hostile web site.

    This parameter specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.

    During processing, the ValidTargetDomain parameter identifies the valid domains for the target. Before redirecting the user, the Web Agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the Web Agent redirects the user to targets in any domain.

    TargetAsRelativeURI - This ensures that the Web Agent works with targets that are appended to its own fully qualified domain name, so that bogus targets in other cookie domains cannot slip through, as it would require the target URI to be on the same domain as the authentication service. Since everything would be relative, an outside source could not force you out of your domain.


    Regards,

    Ujwol
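
The following is an added example, not part of the thread above and not CA/Symantec code: it re-implements, in plain Python, the kind of redirect-target check that the ValidTargetDomain and TargetAsRelativeURI paragraphs describe, so you can see which targets such a check must reject. The exact matching rules the real Web Agent uses are not given in the thread, so the behaviour here (suffix match on an allowlist of domains, a relative-only mode, and the rejection of scheme-relative, userinfo and backslash tricks) is an assumption. The function name `is_valid_target` and the sample targets are constructed for the example.

```python
"""Post-login redirect target validation, in the spirit of the
ValidTargetDomain / TargetAsRelativeURI ACO parameters.

Illustrative re-implementation only (assumed rules, not the vendor's code).
"""
from urllib.parse import urlsplit, unquote


def _host_allowed(host, allowed_domains):
    """True if host equals, or is a subdomain of, one of allowed_domains.

    Suffix matching is done on dot boundaries so that 'example.com.evil.net'
    and 'evilexample.com' do not match an allowlist entry of 'example.com'.
    """
    host = host.lower().rstrip(".")
    for d in allowed_domains:
        d = d.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def is_valid_target(target, allowed_domains, relative_only=False):
    """Decide whether `target` may be used as a redirect after authentication.

    relative_only=True mirrors the TargetAsRelativeURI idea: only a path on the
    agent's own host is accepted. Otherwise allowed_domains plays the role of
    ValidTargetDomain. (Assumed semantics for this example.)
    """
    # Decode once so that '%2F%2Fevil.net' is seen as '//evil.net'.
    t = unquote(target).strip()
    # Control characters (CR/LF, tabs) have no place in a redirect target.
    if any(ord(c) < 0x20 for c in t):
        return False
    # Browsers treat '\' as '/' in URLs; normalise before parsing so that
    # '/\evil.net' is recognised as the scheme-relative '//evil.net'.
    t = t.replace("\\", "/")
    try:
        parts = urlsplit(t)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    if not parts.scheme and not parts.netloc:
        # A genuinely relative target: must be a single-slash path.
        return t.startswith("/") and not t.startswith("//")
    if relative_only:
        return False  # absolute URL not permitted in relative-only mode
    if parts.username or parts.password:
        # 'https://good.example.com@evil.net/' resolves to evil.net.
        return False
    return _host_allowed(parts.hostname or "", allowed_domains)


if __name__ == "__main__":
    # Constructed sample targets (not from any real deployment).
    allow = ["example.com"]
    samples = [
        "/protected/app",
        "https://app.example.com/x",
        "https://example.com.evil.net/",
        "//evil.net/phish",
        "%2F%2Fevil.net",
        "https://example.com@evil.net/",
        "/\\evil.net",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:40} -> {is_valid_target(s, allow)}")
```

Run it stand-alone to see which of the constructed targets pass; only the first two should. Whatever product you deploy, test its redirect handling with the same classes of input (scheme-relative, percent-encoded, userinfo and backslash variants) rather than assuming a domain allowlist alone covers them.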



  • 3.  Re: How does CA SiteMinder address security concerns?

    Posted Jun 18, 2015 01:57 PM

    Thanks, Ujwol, for the detailed explanation. This is exactly what I wanted.



  • 4.  Re: How does CA SiteMinder address security concerns?

    Posted Jun 21, 2015 06:51 PM

    Hi Jagadeesh, I am glad that you found it useful. Could you please help mark the question as answered now?



  • 5.  Re: How does CA SiteMinder address security concerns?

    Posted Jun 23, 2015 12:02 PM

    Hi Ujwol,

    I would like to do it but am not able to find that option. Please let me know where I can mark it and I will definitely do it.

    Thanks,

    Jagadeesh.K