PRA/RS Network Traffic Filtering /Inspection
Hello!
I am curious to know what type of filtering and packet inspection controls are typically recommended/used for on-prem PRA/RS appliances. As typical use cases (e.g. remote users, vendor access etc.) require the appliance to be external network facing, it is not feasible to restrict access to IP ranges. Based on KB articles, SSL Offloading is not supported for client to appliance communication.
Question: What typical network security controls are recommended apart from restricting the outbound from appliance, blocking known-bad source IPs, and segmentation?
Anyone using Web App Firewalls, NGFWs or IDPS effectively? Are there any resources available that can help identify known benign traffic vs malicious traffic?
Best answer by tdearman
BeyondTrust's Secure Remote Access (SRA) Appliance is only compatible with Transport Layer load balancers that do not act as a reverse proxy. The SRA Appliance is not compatible with Application Layer load balancers. Additionally, the appliance does not work with a load balancer used to equally divide active session traffic between two, simultaneously-active SRA Appliances. The supported solution is to use Atlas technology. For more information regarding Atlas Technology, refer to the Atlas Cluster Guide.
BeyondTrust SRA Appliance does not support reverse proxying, as reverse proxies change the destination IP of the traffic to the IP of the proxy. However, not all load-balancers act as reverse proxies, so it's important to distinguish between the two. For BeyondTrust SRA Appliance to work properly, the traffic must be allowed to pass through without termination. If the proxy or balancer terminates the connection, the BeyondTrust SRA appliance will not function correctly.
Load balancers typically operate at OSI Layer 4 (Transport Layer) or Layer 7 (Application Layer) to dynamically re-route traffic between multiple hosts on a network based on any one of several algorithms (for example, round robin, weighted round robin, least connections, or least response time).
Application Layer load balancers route traffic based upon data found in application layer protocols such as HTTP. An example of this is a load-balancer which sits between a public web server, an SRA Appliance, and the Internet such that incoming traffic is inspected to see what URL it is directed to and then forwarded to the appropriate IP accordingly. This is not supported by the SRA appliance client traffic. Clients will fail to connect if Layer 7 load-balancing affects the appliance's connection.
Transport Layer load balancers act based on transport layer protocols (IP, TCP, FTP, UDP) (ibid). This kind of load-balancing is just another kind of Network Address Translation (NAT) because it does not inspect the HTTP protocol information (for example, what URL the traffic is requesting); instead, it simply inspects what destination socket (port + IP) is requested, and forwards it to a specific IP accordingly. This is the same function that a Layer 4 router or switch would perform. All of this happens at the network layer transparently to the SRA Appliance, so the client traffic will work. An example of this is when a load-balancer is set up to re-direct the client traffic to the IP of one appliance so long as that appliance is online but to a different appliance if the original one is not.
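As an added illustration (example code written for this page, not part of tdearman's answer and not BeyondTrust code), the script below shows what a Layer 4 balancer can legitimately do with appliance traffic: read the server name (SNI) out of the TLS ClientHello to pick a backend, then hand the connection on with the bytes untouched, so the TLS session still terminates on the appliance and nothing in the path acts as a reverse proxy. It also models the failover case from the answer (send to the primary appliance while it is online, otherwise to the standby). The hostname `pra.example.com`, the backend addresses and the sample ClientHello are constructed assumptions. TCP-mode SNI routing of this kind is what products such as HAProxy offer in `mode tcp`; the point is that the decision is made from a peek at the first record, without decrypting or rewriting anything.

```python
import struct

SNI_EXT = 0x0000  # TLS extension type for server_name

# Assumed topology: SNI host -> appliance backends in priority order.
BACKENDS = {
    "pra.example.com": [("10.0.0.10", 443), ("10.0.0.11", 443)],
}


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with one SNI extension."""
    name = server_name.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body = (
        b"\x03\x03" + b"\x00" * 32              # client_version, random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
        + b"\x01\x00"                           # compression: null only
        + struct.pack("!H", len(ext)) + ext     # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:        # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
            return None
        pos = 4 + 2 + 32                                # header, version, random
        pos += 1 + hs[pos]                              # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                              # compression_methods
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(hs):
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype == SNI_EXT and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(record: bytes, online: set):
    """Layer 4 decision: choose the first online backend for the SNI, forward the record as-is.

    Returns (backend, bytes_to_forward) or (None, None) when nothing can take the connection.
    The returned bytes are identical to the input: no TLS termination, no header rewriting.
    """
    sni = extract_sni(record)
    for backend in BACKENDS.get(sni, []):
        if backend[0] in online:
            return backend, record
    return None, None


if __name__ == "__main__":
    hello = build_client_hello("pra.example.com")
    print(extract_sni(hello))
    print(route(hello, online={"10.0.0.10", "10.0.0.11"})[0])  # primary
    print(route(hello, online={"10.0.0.11"})[0])              # failover to standby
```

To confirm a real deployment behaves this way, connect once directly to the appliance and once through the balancer and compare the leaf certificate fingerprint each presents; if they differ, something in the path is terminating TLS and the appliance's client traffic will not work.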