This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

G2O authorization enablement

Posted on 10-13-2016 10:16 AM
Not applicable
Reply posted on --/--/---- --:-- AM

We are trying to address a security concern where any user can hit the Apigee platform most northbound point (all vhosts in our organisations). As all the calls to these domains come from Akamai CDN, we would like to have G2O authorization enabled on all vhosts.


Is this is possible in the current Apigee infrastructure?

Notice the request is not about tightening proxy access as that is controlled through OAuth and API keys. This question is about not allowing unknown consumers to be able to potential overload the entry infrastructure.

I have raised a support case for this but been encouraged to share with the community whilst a response is provided.

0 7 238
Topic Labels
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
ozanseymen
Staff
Reply posted on --/--/---- --:-- AM

Hi @gonzalo.silva.cruz

I can see three possible ways of implementing this:

  1. Use G2O nginx module on Apigee infrastructure
  2. Use Java callout to validate signatures
  3. Use an external service (e.g. an external nginx or F5) to validate signatures

For item 1 - If this is in cloud, I'd doubt that Apigee will be able to host and maintain such custom nginx modules specific to your organization. This will also create road blocks for Apigee engineering and operations teams during regular component updates.

For item 2 - G2O implementation mostly relies on conventional crypto functions (MD5 or HMAC). Therefore it is possible, albeit a little difficult, to implement this in Apigee proxies as Java callout. I don't know of any official SDKs released by Akamai but if there is code already, we can look at using them. Performing this computational logic in Apigee proxies might contradict your need of "not allowing unknown consumers to be able to potential overload the entry infrastructure" - as such implementation might overload apigee infrastructure more than simple pass through depending on CPU usage of your existing apigee implementation.

For item 3 - Another approach is to pass G2O headers through Apigee to the target and use another component (nginx, f5) on target end to perform the validation. There are G2O modules for F5 and nginx. Taking this logic one step forward, you could implement a service callout, passing the signature headers, on request preflow making a dummy request to a specific nginx or F5 cluster on target side to validate signatures.

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to ozanseymen
Reply posted on --/--/---- --:-- AM

Hi @oseymen@apigee.com,

Thanks for the comment. However, please notice that options 2 and 3 are beyond the point where we need the protection to be placed. We know we can add logic to our proxies or even beyond Apigee but what we need is for the protection to exist at the entry point of Apigee. Therefore, option 1 matches what we would expect. I would argue that G2O is standard enough to be of use for anyone that needs it and not just our organisation. I would definitely like to have this requirement is explored as there seems to be value as Apigee appears to be exploitable at the moment.


0 Likes

Posted on --/--/---- --:-- AM
ozanseymen
Staff
In response to
Reply posted on --/--/---- --:-- AM

Hi @gonzalo.silva.cruz

Your comment "Apigee appears to be exploitable at the moment" seems worrying - would you care to extend this a little?

As I said earlier, having Apigee support a custom nginx module in its multi-tenant infrastructure for your organisation will probably won't work. However if you feel it is acceptable to handle this in policy layer, and if G2O is standard enough as you say, then there must be some code/sdk out there to handle the signature validation in any Apigee supported language: node, JS, Java, Python.

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to ozanseymen
Reply posted on --/--/---- --:-- AM

Hi @Ozan Seymen

The exposure is around being able to hit "/" (without accessing any proxy). The concern is that an attack on it would stress the Apigee platform rendering it unable to process real calls. Once again, this is not about handling the concern at the proxy layer which would come secondary.

0 Likes

Posted on --/--/---- --:-- AM
ceber
Staff
Reply posted on --/--/---- --:-- AM

Is the security concern specifically denial of service attack on the Apigee routing layer?

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

Hi @gonzalo.silva.cruz. I get what you are asking for. In addition to what you are asking, we have technology to prevent 'overrunning' apigee. Would be great to understand your specific situation (challenges you are protecting against). and talk about layered/defense in depth approach. If you want to connect directly i'm at david at apigee

0 Likes

Posted on --/--/---- --:-- AM
Not applicable
In response to
Reply posted on --/--/---- --:-- AM

Thanks @david123, I will get in contact.

0 Likes