Protecting mobile applications with the ISAM module for IBM DataPower Gateway, Part 2: Creating and applying multi-factor authentication policies using one-time passwords

In Part 1 of this tutorial series, you learned how to deploy the ISAM
reverse proxy on IBM DataPower Gateway to enforce access to a
mobile application. The reverse proxy was then combined with a Multi Protocol
Gateway to provide additional API security and integration functionality. This
full solution provides a comprehensive gateway enforcement point and mobile
API access on the DataPower platform. In this second part, you will extend the
security policy to include enforcement of a one-time password. This policy
will require an OTP authentication level step-up when a “high value”
transaction is attempted. The enforcement of this policy will be done using
the ISAM reverse proxy on DataPower. The policy definition and runtime
evaluation will be done using ISAM for Mobile.

Related:

How can the x-frame-options HTTP header of ADFS 3 be manipulated?

By default, ADFS 3 responses contain the “X-Frame-Options: DENY” HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks.

At the moment my company is however implementing an integration where an exception should be made to this security rule: pages on a certain domain should be able to embed ADFS in an iframe.

It seems however that ADFS does not allow changing this out-of-the box. So what is the best way to modify this HTTP header?

For example as suggested in the RFC (https://tools.ietf.org/html/rfc7034#section-2.3.2.3)?

  1. A page that wants to render the requested content in a frame
    supplies its own origin information to the server providing the
    content to be framed via a query string parameter.

  2. The server verifies that the hostname meets its criteria, so that
    the page is allowed to be framed by the target resource. This
    may, for example, happen via a lookup of a whitelist of trusted
    domain names that are allowed to frame the page. For example,
    for a Facebook “Like” button, the server can check to see that
    the supplied hostname matches the hostname(s) expected for that
    “Like” button.

  3. The server returns the hostname in “X-Frame-Options: ALLOW-FROM”
    if the proper criteria was met in step #2.

  4. The browser enforces the “X-Frame-Options: ALLOW-FROM” header.

Related:

Use business rules as an authorization engine

Authorization policies in web-based applications are not only
complicated, but also dynamic. If you implement those policies in the source code
of the application, you must change it every time the policy changes. This
article shows you how to use a business rule engine, Nools, to make
authorization decisions in a Node.js application. This allows the security
policy to be stored as an object, and edited with a simple Angular-based user
interface.

Related:

Deploy a disk image on bare-metal

I try to understand Foreman and other deployment/provisioning systems, and how to use them best. Granted, installing the OS with some kind of prepared answers and scripts – Kickstart, AutoYAST etc. – is the best way for the majority of cases.

But when you want to deploy the same system to bare metal and to the cloud, you’re back to images for the cloud part (optimally, constructed through a script, so you have the advantages of treating image construction as code). Now consider that your bare metal is all of the same type; would it not make sense to deploy the cloud image to bare metal, too?

Having some kind of PXE system that pulls the disk image from some place, runs some scripts similar to cloud-init, and reboots? Such a system could even be useful for other provisioning systems. Yet I do not find any of the sort, not even discussions about it, which indicates to me that I am on the wrong path. The FOG project or DRBL might be candidates, but no one seems to write about using them with Foreman?

Related:

Use social media credentials for your apps using Bluemix Single Sign On

In this tutorial, learn how to secure your web applications
using the IBM Single Sign On service in IBM Bluemix. Using this service, you can
authenticate users to any web or mobile application. In addition, you can use multiple
identity providers like Facebook, Google+, or LinkedIn, as well as any SAML identity
provider. Furthermore, you can use a custom user directory directly managed in Bluemix.
All identity providers can be used simultaneously so that the end users can choose among
them.

Related:

Protecting mobile applications with the ISAM module for IBM DataPower Gateway, Part 1: Securing and optimizing mobile workloads using mobile patterns

The IBM Security Access Manager module for IBM DataPower
Gateway delivers strong authentication capabilities to protect mobile
applications with multi-factor authentication based on contextual data and
enforcement using one-time passwords. Enterprises must protect both consumer
and employee mobile applications from malicious attackers to avoid data
exposures and unauthorized access to mobile applications. Stronger security
can be enforced using multiple authentication factors, often based on
“something you know”, such as a password, and “something you have”, such as a
mobile device. In this tutorial, you will learn how to use the ISAM module
multi-factor security framework to protect applications based on user
credentials.

Related:

What does it mean when Linux has no I/O scheduler

I have some virtual machines running Ubuntu cloud-based image 14.04-1 LTS version. I wanted to see the IO performance of different IO schedulers on the VM so I went to /sys/block/<drive>/queue/scheduler on the guest OS to change the IO scheduler. Usually, there should be cfq, deadline, or noop to choose. But what I saw is none. Does it mean that Canonical has removed the I/O scheduler in the cloud-based image or the scheduler none here is the renamed noop scheduler? and what happens if we don’t have an I/O scheduler in the system? All the io requests were directly sent the host in FIFO order?

Thanks for shed some light!

Related: