OPLON SECURE ACCESS INSTALLATION (MFA)

Resources Needed

OPLON SECURE ACCESS (OSA) is very easy to install: you only need a virtualization system able to import the OVA images typical of virtual environments such as VMware or Hyper-V (and, for testing, also VirtualBox).

a) Download the image from the Official Oplon website https://www.oplon.net/ at the link https://www.oplon.net/it/freeware/

b) Configure the virtualization environment appropriately

First Boot

Once the appliance is installed, the first boot will typically produce a login prompt like the one highlighted:

First boot

First Login (Default Password)

At this point you can log in with the user "administrator" and the default password "adminadmin":

First login

Check IP assigned by the Hypervisor [ip a]

Now we need to find out which IP address the virtual infrastructure hosting our appliance has assigned to it, using the ip a command:

Assigned IP lookup: on our appliance it is 192.168.1.129

WHAT ARE WE GOING TO DO?

We want to assign a fixed IP to our machine.

To do this we elevate to root (superuser) with sudo -i and run the NetworkManager text interface nmtui:

# sudo -i
# nmtui

This opens a semi-graphical form with which we can set the network parameters that would normally require editing files within the operating system, such as

IP Assignment / GW / DNS

We reboot the network

Still from the nmtui semi-graphical interface we restart the network card.

IP Assignment / GW / DNS

We can log in with an SSH client on our newly configured System

Now our system has a fixed IP set, which we verify with ip a:

# ip a

Check new IP assigned

OPLONSETUP --- we set up Console Management and the delegated password

In this semi-graphical form we set the IP on which we want the dashboard interface to listen, the password of the root user used to log in to it, and the delegated password used by other ADCs to associate with it:

# oplonsetup

Launch of the oplonsetup command

At this point we set the operations we need.

Execution of the oplonsetup command

OPLONRESTART --- we restart the Java processes with the parameters set

# oplonrestart

ACCESS TO THE DASHBOARD

Log in form

Dashboard log in, port 4444

COPY USEFUL REWRITINGS from templates to our platform

Rewrite Header Rules Research

We tick the Templates view and search for the string 2fa.

Search for rewrite headers

Rewrite Header Rules Copy

We copy the templates into our platform A10_LBLGoPlatform.

rewrite headers copy

Rewrite Header Rules Research and Copy

A video of the operation of copying the secure Rewrite Header Rules templates into our platform A10_LBLGoPlatform. VIDEO: Search and copy rewrite headers.


Oplon MFA (Multi Factor Authentication) Explanation Operation and Features

We give an overview of how MFA (Multi Factor Authentication) works, to better understand the steps that describe its implementation on the resources exposed by our virtual appliance.

Multifactor Authentication is today the best way to protect services that must be exposed to the Internet audience.

Oplon MFA is integrated into the latest version of the Oplon ADC platform and lets you secure all web services that require strong authentication without touching or integrating anything into the service.

image 1

Any service, or part of it, that traverses the Oplon ADC layer can be subjected to dual-factor authentication simply by applying a rule. This is completely transparent to the application, which the operator can reach only after his or her identity has been ascertained.

MFA Service

image 2

MFA services are immediately available because they are attested in Super Oplon Cloud, a service provided directly by Oplon Networks, and are therefore immediately applicable to all services that traverse Oplon ADC (check the Oplon ADC version for activation).

Advantages

  1. Any web service, or part of it, that traverses Oplon ADC at Layer 7 can be subjected to dual authentication

  2. Dual authentication is directly available for web services without installing any component besides the ADC, since it is sufficient to apply a rule on the resource to be protected and activate the service at Oplon Networks

  3. Users who need to access resources can self-register on the service without prior registration. The manager only has to accept the request, decline it, or enter a termination date beyond which the operator is disabled for that service.

  4. MFA can be used and registered either through email or through Mobile APP available for iOS and Android

  5. The Mobile APP does not need the phone number to be activated. Not needing to activate the Mobile APP with a cell phone number has the following benefits:

    a. Users of private smartphones do not need to give their phone number

    b. At the server configuration level, the customer does not have to contract with telephone operators, saving considerable amounts of money as the number of users increases

    c. Configuration does not require any integration with telephony providers, with significant advantages in both cost and reduced adoption time

    d. In the case of foreign users, there are no limitations dictated by telephone contracts for the provision of SMS services

  6. Access authorization management is handled through Tenants and Managers. This means that it is possible to delegate to service Managers the authority to authorize access to a user

  7. Any MFA operation, from the user's request for authorization to the manager's confirmation or denial of it, is tracked in a way that cannot be modified by users

  8. Tracking of operations on services is attributable to the unique user who performed MFA increasing the overall security of the system

  9. A unique user can request for access to different services

  10. With Oplon MFA it is very easy to integrate SSO into existing applications, because the user login and its attributes are added to the HTTP headers that reach the end servers. This system, simpler than other platforms, allows:

    a. With very little implementation effort, the application side (the service manager) can read the information from the headers and prepare an automatic login

    b. With Oplon MFA it is possible to indicate both roles (groups) and impersonations on a per-service basis. This allows an MFA user to indicate to the end application which user and role (group) to present on that specific application, facilitating SSO implementations by the application manager

    c. For the reasons described above in (a) and (b), with Oplon MFA services can be disconnected from the Internet, as recent best practices recommend, increasing security considerably by not allowing latent viruses to activate or malicious plug-ins to exfiltrate sensitive data
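The application-side half of point 10, as an added example that is not Oplon's code: the backend accepts the identity that the ADC injects into the HTTP headers only when the request actually arrived through the ADC, because any client that can reach the backend by another path could forge those headers. The header names, the trusted ADC address and the sample requests are assumptions, not values documented on this page.

```python
# Added example (not Oplon's code): trust the identity headers injected by
# the ADC only when the TCP peer is the ADC itself; reject them otherwise.
import ipaddress
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Assumed: addresses of the Oplon ADC instances that front this application
# (here the appliance IP used earlier in this guide).
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.129/32")]

# Assumed header names; use whatever your rewrite rule actually emits.
USER_HEADER = "X-Oplon-User"
ROLES_HEADER = "X-Oplon-Roles"
IMPERSONATE_HEADER = "X-Oplon-Impersonate"


@dataclass(frozen=True)
class Identity:
    user: str              # the MFA-authenticated user
    roles: Tuple[str, ...]  # roles (groups) announced for this service
    effective_user: str    # user to act as (impersonation), or user itself


def resolve_identity(headers: Mapping[str, str], remote_addr: str) -> Optional[Identity]:
    """Return the MFA-verified identity carried by the request, or None.

    Returns None both when the peer is not a trusted ADC (headers may be
    forged) and when the ADC sent no user header (unauthenticated request).
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    # HTTP header names are case-insensitive; normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    user = hdrs.get(USER_HEADER.lower(), "").strip()
    if not user:
        return None
    roles = tuple(r.strip() for r in hdrs.get(ROLES_HEADER.lower(), "").split(",") if r.strip())
    effective = hdrs.get(IMPERSONATE_HEADER.lower(), "").strip() or user
    return Identity(user=user, roles=roles, effective_user=effective)
```

Binding the backend to a private address reachable only from the ADC, as point 10(c) suggests, makes the peer check the only path by which these headers can arrive.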


OPLON SECURE ACCESS (MFA) INSTALLATION STEPS

  • Certificate request to Intermediate super.oplon.cloud

  • Keystore .P12 entry in Virtual Appliance OPLON SECURE ACCESS

  • Receiving ACTIVATION_CODE

  • Customizing Rewrite Header Rules

    • Customizing Rewrite Header Rule 2faActivation

    • Customizing Rewrite Header Rule 2faGeneric

Certificate request to Intermediate super.oplon.cloud

Receiving the .P12 certificate with its password.

Once you have completed the certificate request process you will come into possession of a .P12 file: the certificate with which the appliance interfaces with super.oplon.cloud to verify the trustworthiness of the connection and allow the multifactor authentication user permissions.

Request Certificate Validity on Super Oplon Cloud

Keystore .P12 insertion in Virtual Appliance OPLON SECURE ACCESS.

At this point we can import the keystore into our virtual appliance.

Certificate Import

We select the file from the local path where we placed it and insert it on our platform.

Certificate Import

A video of the operation of inserting the keystore into our platform A10_LBLGoPlatform. VIDEO: Keystore Insertion.

Receiving the ACTIVATION_CODE for OPLON SECURE ACCESS (MFA)

Along with the .P12 certificate and its password we also received an ACTIVATION_CODE; during the customization of the Rewrite Header Rules we will see how to use it.

Customization Rewrite Header Rule 2faActivation

At this point we customize the rewrite rules that enable OPLON SECURE ACCESS resources to be authorized by multifactor authentication.

We go to the Rewrite Header Rules menu in Rewrite management and look for the Rewrite Header Rule 2faActivation.

Search for Rewrite Header Rule 2faActivation

Once in Parameters Writing we look for the Variables section and, supposing that we received an ACTIVATION_CODE with the value "ACTIVATIONCODE", we insert it.

Insertion of ACTIVATION_CODE

A video of the operation of inserting the ACTIVATION_CODE in the Rewrite Header Rule 2faActivation. VIDEO: ACTIVATION_CODE Insertion.

Customization Rewrite Header Rule 2faGeneric

We now customize the second rewrite rule that enables OPLON SECURE ACCESS resources to be authorized by multifactor authentication.

We go to the Rewrite Header Rules menu in Rewrite management and look for the Rewrite Header Rule 2faGeneric.

Once in Parameters Writing we look for the Variables section and insert the appropriate values in the CLIENT_KEYSTORE_NAME item (in our example "THECertificate.p12") and in the CLIENT_KEYSTORE_PASSWORD item (the password received with it).

Insertion of Certificate Data

A video of the operation of inserting the parameters in the Rewrite Header Rule 2faGeneric. VIDEO: Certificate Data Insertion.

APPLICATION of rewrites to the resources of OPLON SECURE ACCESS

At this point it is a matter of deciding where to apply them, remembering that rewrites can be applied at the level of

  • ADCs
  • Groupings
  • Domains
  • Endpoints

For this demonstration we decided to apply them at the level of Domains.

APPLICATION of rewrites to a resource of type Domains.

At this point we can protect any of the resources exposed by OPLON SECURE ACCESS with multifactor authentication.

Protection of a domain with Multifactor Authentication Rewrite Rules

At this point we implement the MFA protection rules on a domain: we decide to protect the domain a_domain.oplon.net.

Search for the Domain

ADC Settings / Domains: we look for the domain a_domain.oplon.net and enter edit mode.

Domain search

Insertion of Rewrite Header Rules

Inside the domain customization we look for the Rewrite header rules section and insert the two rewrites we prepared a little while ago, 2faGeneric and 2faActivation.

Domain search

Video: Insertion of MFA Rewrite Rules on a Resource (e.g. Domain)

A video of the domain search operation and of inserting the 2faGeneric and 2faActivation Rewrite Header Rules. VIDEO: Insertion on Resource, for example "Domain".



MFA observations from calls with clients

Where in the configuration of Oplon ADC is it possible to introduce an MFA (multifactor authentication) control?

  • Following the logic and application philosophy of Oplon ADC, a rewrite can be applied at the hierarchical level of ADC, Group, Domain or Context, or, like any other product rewrite rule, through a regexp.

    What exactly is the effect presented to the user when an MFA rewrite has been applied in the context of a domain, or even to a resource matched by a regexp?

    • Very simply, the resource becomes unreachable by anyone who has not been enabled by his or her own manager.

Authentication portal

Does it mean that I am forced to redo the authentication every time I access a resource subject to the rewrite?

  • No. You will be forced to do it only if the current browser session is closed. Authentication is carried out by injecting cookies, so it is not lost as long as those cookies are valid for the browser in use.

MFA SETUP

  1. verify that the VAPP can reach the ACM MFA
  2. certificate upload
  3. copy the 2faActivation template to the ADC
  4. change the ACTIVATION_CODE
  5. apply the rule on ADC global (Operation ALWAYS)
  6. copy the 2faGeneric template to the ADC
  7. change the certificate password and name
  8. apply the rule on the areas to be protected
  9. the tenant registers
  10. tenant creation and user-tenant association on the database (done by us)
  11. domain addition
  12. manager addition
  13. create the permission rule
  14. request the resource that owns the permission
  15. accept the request
  16. try again to access the same resource