Layer7 API Management

Expand all | Collapse all

CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices?

Jump to Best Answer
  • 1.  CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices?

    Posted 11-14-2016 04:18 AM

    CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices? What are typical flow  configurations?



  • 2.  Re: CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices?

    Posted 11-17-2016 10:02 PM

    Hi,

    You can add cert based security assertions or IP based filtering assertions.

     

    Thanks



  • 3.  Re: CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices?
    Best Answer

    Posted 11-18-2016 01:52 PM

    Hi Kareem,

    Your best practices will depend on on your APIs and actual security requirements, but I agree in part with Navaneeth - at a minimum you should add cert-based security assertions; I am less enthusiastic about SSL or IP-based filtering, and I encourage you to build your service with both if you are able.

    A typical flow looks like some combination of the following (with the relevant Gateway Policy in parentheses, if different from the bulleted item): 

    • Require SSL or TLS (Require SSL or TLS Transport)
    • IP-based filtering assertions (Restrict access to IP Address Range)
    • Require Credentials / Authenticate Against Identity Provider
    • Require OAuth 2.0 Token
    • API key enforcement (requires a few policy settings, but in general you should be setting up your API so that you can track usage, and this is enabled/supported by an API key; note that you can use this in lieu of some of the more restrictive credentials and authentication / authorization assertions if you wish)
    • Rate Limiting with throttling and shaping (Apply Rate Limit)

    This a good start, and all of these are very easy to implement on the Gateway.

    Cheers,

    -case-



  • 4.  Re: CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices?

    Posted 11-21-2016 02:16 AM

    Thanks for the information Case. that's good information to start  

     

    Regards

    Kareem