Apigee Proxy Server to UCSB Target Server Security Decision

Owned by Steven Maglio
Jun 09, 2020
2 min read

Current Security Mechanisms

 

Apigee API Key

Authorization Header

Google OAuth/JWT Token

Firewall / IP Whiltelisting

HTTPS Everywhere

 

Apigee API Key

Authorization Header

Google OAuth/JWT Token

Firewall / IP Whiltelisting

HTTPS Everywhere

Description

The Apigee API Key is used to authenticate the request from the client to the Apigee Proxy

The Basic authorization header of an Campus LDAP username:password combination that is used by the UCSB Target servers to authenticate the clients.

A JWT generated by Google to authenticate the end user that is using the client application (generally a student). Use by the UCSB Target server to authenticate the end user for access restrictions.

Used to ensure that connections to the UCSB Target servers are only coming from Apigee (rather than the entire internet)

WHEN THE APIGEE PROXY SERVER IP ADDRESSES CHANGE, THIS FAILS AND CAUSES OUTAGES

All connections are done over HTTPS, so all traffic is encrypted in flight.

Connection

Client → Apigee

Client → UCSB

Client → UCSB

Apigee → UCSB

Client → Apigee → UCSB

Protection

Prevents unauthorized access to endpoints/proxies in Apigee

Prevents unauthorized access to UCSB Target server endpoints

Prevents unauthorized access to UCSB Target server data

Prevents random system on the internet from access to the UCSB Target server endpoints

Prevents third parties from viewing traffic

The security mechanism from the Apigee Proxy server to the UCSB Target Servers

 

IP Whitelisting

Two Way SSL (docs)

Magic Key Header (example)

OAuth on Target (not pass-thru OAuth)

 

IP Whitelisting

Two Way SSL (docs)

Magic Key Header (example)

OAuth on Target (not pass-thru OAuth)

Pros

  • Familiarity

  • Easy to Implement

  • Very Secure

  • Middle Ground to Implement

  • With our traffic, it should be minor CPU cost

  • Very Secure

Cons

  • IP Addresses change and everything breaks

  • Apigee Pricing for Static IPs is more expensive than are current contract is setup for (current: Standard, required: Enterprise) (link)

  • Management/Maintenance Overhead

  • Coordinated Updates

  • There are other issues that come with SSL, like certificate expiration (the recent Sectigo switchover for the campus SSL provider)

  • Not as easy to implement on IP Address whitelisting

  • Could be a performance hit on the application, is implemented at the application level

  • Need to add OAuth into Apigee Flows (creation, update, and management)

  • Will add extra overhead on calls for the setup and renewal of the authentication

Difficulty Level

Easy

medium

Easy

hard

Decision

 

 

Gonna go with this

 

Action Items

  • @Diana Antova - Will ask how much Apigee Enterprise would cost us.

  • @Gary Scott - Will setup a Proof of Concept in Apigee