In today’s digital world, API gateways are often the first point of contact for requests arriving from the outside. In most deployments, enterprises place the gateways in the DMZ to secure, protect and throttle access to their internal digital assets. Security for these gateways is therefore crucial: they need to be properly configured and hardened.
Whether the driver is legacy transformation or microservices integration, a dual-gateway configuration is increasingly popular as a way of strengthening internal security. In this layout the internal gateway cluster is hardened so that it listens only for the external DMZ gateway and talks to it over a mutual TLS (mTLS, often still called mutual SSL) connection; policies on the internal gateway can additionally require that the TLS handshake include a client certificate and verify it. This deployment architecture not only provides coherent security for internal applications, services and persistence layers, but also protects sensitive data through input validation and API governance.
Broadcom has taken several measures at the OS/platform level to reduce the attack surface of the Layer7 API Gateway: configuring security settings, rules and policies, and removing unnecessary components, services and ports. This minimizes vulnerabilities and exposure to threats and makes the Layer7 API Gateway more resilient to attack.
Listed below, for reference, are a few key strategies used in the Layer7 API Gateway hardening process:
- “Least Functionality” – Provide only essential capabilities and specifically prohibit or restrict the use of unnecessary functions, services, ports and protocols.
- “Application Whitelisting” – Allow only applications that have been explicitly granted permission; all other applications are denied.
- “Disabling Services” – Disabling unnecessary services minimizes exposure and improves performance.
- “Disabling Default Accounts” – Default accounts are vulnerable to exploitation; an alternate account, “ssgconfig”, with administrative privileges is created instead.
- “Least Privilege” – Grant access with the minimal rights and permissions needed to accomplish a task.
The Layer7 API Gateway undergoes a rigorous hardening process, built on the security principles listed above, to provide a secure default deployment platform. If you do not use the Layer7 API Gateway, make sure your gateway vendor follows equally stringent security principles to deliver a comparable deployment platform.
For relevant documentation on Layer7 Gateway hardening, please refer here.
Security Operations Framework
Broadcom’s Layer7 has established a security operations framework consisting of policies, standards, and support and patch-management services that cover both day-to-day access and the security of the gateway. This framework balances security and usability while letting the customer apply any additional hardening needed for compliance and validation (for example, PCI DSS).
The Layer7 API Gateway follows a monthly patching cycle in which platform/OS-level security patches are released as needed, tracked against CVE (Common Vulnerabilities and Exposures) identifiers and the NVD (National Vulnerability Database). Layer7 API Management support also delivers quarterly service packs and ad-hoc security patches to keep the product protected from known threats and vulnerabilities.
Please refer to the patching requirements for the different form factors here. See also:
- Layer7 API Management solutions and Patches
- Understand Layer7 API Gateway Patches
- Maintain the Layer7 API Gateway
- Upgrade the Layer7 API Gateway
Image Scanning for Security Vulnerability
All Gateway images (regardless of form factor) go through a thorough Secure Software Development Lifecycle (see Layer7 best practices here). The images are also checked with static, dynamic and manual application security testing, plus other vulnerability-scanning tools, before release. Layer7 uses third-party tools to identify vulnerabilities in the host OS/platform and to examine the composition and components of the Docker image.
Common Criteria Certification
As part of our continuing effort to deliver the highest level of security, Layer7 API Gateway 9.x has been evaluated and certified for conformance with the Standard Protection Profile for Enterprise Security Management Policy Management and the Standard Protection Profile for Enterprise Security Management Access Control.
- Common Criteria (CC) is the most relevant security certification for solutions in the API management space; Broadcom is the only gateway vendor with a recent certification against these more relevant profiles.
- This was achieved after going through the rigorous Common Criteria requirements.
- Common Criteria certification is recognized by governments in more than 26 countries worldwide, including the United States.
For more information on Layer7 API Gateway Common Criteria certification, please refer here.
In today’s app economy, customers interact and transact with a business via mobile devices; in most cases, apps are the only way consumers interact with the business at all. Hence, most enterprises are now jumping on the bandwagon of developing new and enhanced mobile, web and IoT applications to maintain a competitive edge and fuel their digital growth. With that said, one of the challenges today’s enterprise faces is providing consistent security and protection for its digital assets without compromising customer experience.
Broadcom delivers highly secured, hardened gateways that not only focus on legacy transformation, service integration, and enhanced security, protection and governance for APIs, but also emphasize performance, allowing our customers to take advantage of our many security capabilities without a significant negative impact on performance and scalability. The Layer7 API Gateway is an extensible, scalable, high-performance gateway for connecting your most important data and applications across any combination of cloud, container or on-premises environments.
If you are using another API management platform, I hope the information in this blog gives you enough to ask your vendor specifically what policy settings, configuration and documentation exist to configure your platform in a similarly secure fashion.