IAP HOSTING is:
- A cIAP (cloud Internet Access Point). Mainly, it is a security product between Internet and your public application hosted in your private zone
- The acronym (with imagination and goodwill) of Opensource cIAP Nextgen
- A Societe Generale Open Source project developed by Marouan BELGHITH within the Public Cloud Feature Team (Cloud Center Of Excellence) of Societe Generale
- Compatible with AZURE but can be modified to use another Cloud Service Provider (OpenStack, VMware...) or bare-metal; most of the components are Linux-based software
- An AWS version called OCTANE is already available as open source (OpenSource OCTANE)
IAP HOSTING can:
- Securely expose a WebSite to the Internet
- Protect you against intrusions (SQL injection, cross-site scripting (XSS), file inclusion...) and viruses
- Limit the impact of denial-of-service attacks
- Detect malicious activities or policy violations
- Securely expose your Private Apps to the Internet
- Collect all the logs and provide metrics and analytics
- Be easily derived for other x86 platforms (OpenStack, Bare-Metal) in order to have the same Internet Access Point in a multi-cloud context
- The AWS version is already published as open source (OpenSource OCTANE)
Features are:
- SSL Offloading
- Web Application Firewall
- Two layers of IP filtering
- Intrusion Detection System
- Centralized Logs
HTTPS connections are terminated on the CIAP Hosting. This is a requirement in order to inspect the requests.
To secure access to the Web Application, the CIAP Hosting implements a Web Application Firewall (WAF). This component inspects requests made to the Application and detects and blocks those considered unsafe. Typically, it provides protection against most of the attacks like those reported by the Open Web Application Security Project (OWASP).
The CIAP Hosting uses two security providers to filter requests to the Web Application:
- Security groups provided by the Cloud Service Provider
- A third-party firewall
To secure access to the Web Application, the CIAP Hosting implements an Intrusion Detection System (IDS). This component inspects requests made to the Application and will detect and block those considered unsafe.
The CIAP Hosting keeps the logs for 365 days using the Azure Log Analytics solution.
There are several layers (from the most exposed, Internet, to the least exposed, internal):
- redundant load-balancers
- redundant filtering layer
- redundant reverse-proxies
- redundant proxies with SSL termination
- redundant WAF or TCP relay (it depends on the protocol used)
- redundant Antivirus & IDS
- redundant firewalls
- AZURE Private DNS or Azure Virtual Network peering
Those functionalities are deployed by:
- The Terraform code, which builds the AZURE infrastructure (Virtual Machines, LoadBalancers, Network Security Groups ...)
- The Ansible playbook, which configures all software components (inside the Virtual Machines and even the connectivity through Azure)
For further details, a more complete README is available in each directory.
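As an added illustration of the first of the two IP-filtering layers (the Cloud Service Provider security groups) and of the Network Security Groups that the Terraform layer builds, here is an example Azure NSG in Terraform. This is example code written for this README, not the project's own Terraform; the resource names, the `var.location` / `var.resource_group_name` variables, the `azurerm_subnet.ciap_edge` subnet and the `10.0.1.0/24` address range are assumptions.

```hcl
# Example NSG (assumed names and ranges) for the most exposed layer: only HTTPS from the
# Internet may reach the load-balancer subnet; everything else is explicitly denied.
resource "azurerm_network_security_group" "ciap_edge" {
  name                = "nsg-ciap-edge-example"   # assumed name
  location            = var.location              # assumed variable
  resource_group_name = var.resource_group_name   # assumed variable

  # Layer 1 allow rule: TCP/443 from the "Internet" service tag to the edge subnet.
  security_rule {
    name                       = "allow-https-in"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "Internet"
    destination_address_prefix = "10.0.1.0/24"   # assumed edge subnet range
  }

  # Explicit deny-all with a priority lower than Azure's default rules (65000+),
  # so anything not matched by the allow rule above is dropped rather than
  # falling through to the default "AllowVnetInBound"/"AllowAzureLoadBalancerInBound" rules.
  security_rule {
    name                       = "deny-all-in"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# Attach the NSG to the edge subnet (the subnet resource is assumed to exist).
resource "azurerm_subnet_network_security_group_association" "ciap_edge" {
  subnet_id                 = azurerm_subnet.ciap_edge.id
  network_security_group_id = azurerm_network_security_group.ciap_edge.id
}
```

The explicit deny rule matters because Azure's built-in default rules allow traffic from the virtual network and from the Azure load balancer; an NSG that only adds allow rules still relies on those defaults. The second filtering layer (the third-party firewall behind the load balancers) then applies its own, independent policy, so a request has to pass both layers before it reaches the reverse proxies.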
- Autoscaling group implementation
- Common referential
- API to manage web exposition
- IDS choice: suricata/snort
This project was created in 2020 by Marouan BELGHITH; the Domain Owner is Lucas BARRIERE and the Product Owner is Yannick NEFF.