The main application domain for FirstSpirit is the management of operations on large Internet-facing websites. As FirstSpirit is built on the best of breed paradigm, the delivery of the website to the browsing website visitors is not done by FirstSpirit, but by standard webserver or portal server technology. In such a common scenario, the FirstSpirit system is only used by the group of FirstSpirit users which are website editors, developers or designers, accessing FirstSpirit from their office environment's local area network or VPN and not from the Internet.
In enterprise environments where FirstSpirit users are working from outside of the organization's local network over the Internet, and using VPN is no option, firewall configurations are required to open access to the FirstSpirit https port from the Internet. Technically, this change would fulfill the requirement for allowing FirstSpirit users access from the Internet and completed the task.
Viewing this simple configuration change from the security analyst's role, adds consideration of standard procedures, which are usually applied when enterprise applications are opened to Internet clients. Those are as follows:
- Internet-facing services should be placed in a DMZ network
- Internet-facing services which allow read and write access to business-related information should be secured by a second and independent layer of protection to mitigate threats by a 2nd different implementation in addition to the already existing built-in protection of the application.
Relocating the FirstSpirit host to a DMZ network is trivial as FirstSpirit requires only few dependencies as SQL database and LDAP which can be made accessible from the DMZ.
Adding an independent layer of protection is usually done by using a standard Web Application Firewall (WAF) with Web Access Management (WAM) functionality. A WAF adds a protection layer regarding common threats like cross site scripting (XSS), cross site request forgery (XSRF), cookie poisoning, session highjacking and many others in addition to the already existing security mechanisms implemented in the application. The Web Access Management System limits the acess to any componente of the application to a defined group of users and adds its own authentication system. The WAM authentication usually forwards information about the authenticated user to the application. FirstSpirit as application supports integration of WAM authentication systems, which saves the editor from having to authenticate on the FirstSpirit start page after having provided his password or ticket credentials to the WAM.
After the authentication phase, the WAF and WAM works in background on the server side in a transparent way so that the user experience on the client with FirstSpirit presents as the same as before without WAF or WAM.
Some of our customers are using the following products:
A selection of other WAF and WAM systems:
Regarding WAM functionality, many of these systems can be used directly with FirstSpirit, some require a custom FirstSpirit JAAS authentication module.
The e-Spirit Professional Services is offering support for connecting your Web Application Firewall or Web Access Management System to FirstSpirit. Please contact your e-Spirit Account Manager or use http://www.e-spirit.com/contact for arranging consultation.
