Advice on securing an intranet web app

0

Hello, we currently run a third-party intranet browser-based app. The single server is in a data centre and access is via a public-facing IP address secured by a Netscaler enabling 2FA authentication (physical fobs) and then forwarding to the internal URL for the app login.

We wish to migrate the server to AWS (seems straightforward) and then allow secure MFA access. What can we use to replace the Netscaler's role? Ideally clients will use Microsoft or Google Authenticator soft MFA. The app itself is a third-party CRM system and we don't have access to the codebase. I'm a bit lost with the AWS options such as WAF, Cognito etc. Is someone able to offer advice on what to use or indeed if Cognito etc. are the right tools? I guess this must be a fairly common requirement but I can't find anything on the knowledge base.

Thank you.

2 Answers
1
Accepted Answer

Hey Anthony, you're looking then at some kind of reverse proxy to front your internal web server.

I'd say you have a few options:

  1. Search AWS Marketplace for a 3rd-party product that you can deploy into your VPC
  2. Purchase, set up and install a 3rd-party product into your VPC, like your NetScalers
  3. Use an AWS ALB with user authentication, as described here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html This allows you to force users to authenticate with something like an OIDC service or Amazon Cognito
Expert
answered 4 months ago
  • Thank you Gary... that gives me some options to look at. Much appreciated.
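
The third option above only protects the app if every listener rule that forwards to it runs an authenticate action first. This added example (not part of the original answers) audits rule data in the shape returned by `aws elbv2 describe-rules`; the ARNs, user pool domain and client ID are constructed placeholders.

```python
# Added example: audit ALB listener rules for gaps in user authentication.
# Input mirrors the "Rules" list of `aws elbv2 describe-rules`; values are constructed.
AUTH_CONFIG_KEY = {
    "authenticate-cognito": "AuthenticateCognitoConfig",
    "authenticate-oidc": "AuthenticateOidcConfig",
}


def audit_rule(rule, listener_protocol):
    """Return findings for one rule; an empty list means the rule is fine."""
    actions = rule.get("Actions", [])
    if not any(a["Type"] == "forward" for a in actions):
        return []  # redirect / fixed-response rules never reach the app
    findings = []
    if listener_protocol != "HTTPS":
        findings.append("forwards to the app on a non-HTTPS listener")
    auth = [a for a in actions if a["Type"] in AUTH_CONFIG_KEY]
    if not auth:
        findings.append("forwards to the app without an authenticate action")
    for a in auth:
        cfg = a.get(AUTH_CONFIG_KEY[a["Type"]], {})
        # The API default is "authenticate"; "allow" passes anonymous requests.
        if cfg.get("OnUnauthenticatedRequest", "authenticate") == "allow":
            findings.append("OnUnauthenticatedRequest=allow admits anonymous requests")
    return findings


def audit_listener(listener_protocol, rules):
    """Map rule priority -> findings, listing only rules with problems."""
    report = {r["Priority"]: audit_rule(r, listener_protocol) for r in rules}
    return {prio: f for prio, f in report.items() if f}


TG = "arn:aws:elasticloadbalancing:eu-west-1:111122223333:targetgroup/crm/EXAMPLE"
COGNITO = {"Type": "authenticate-cognito", "Order": 1, "AuthenticateCognitoConfig": {
    "UserPoolArn": "arn:aws:cognito-idp:eu-west-1:111122223333:userpool/EXAMPLE",
    "UserPoolClientId": "EXAMPLECLIENTID", "UserPoolDomain": "crm-example",
    "OnUnauthenticatedRequest": "authenticate"}}
# OIDC config trimmed to the one field this check reads.
OIDC_ALLOW = {"Type": "authenticate-oidc", "Order": 1,
              "AuthenticateOidcConfig": {"OnUnauthenticatedRequest": "allow"}}
FORWARD = {"Type": "forward", "Order": 2, "TargetGroupArn": TG}
SAMPLE_RULES = [
    {"Priority": "10", "Actions": [{**FORWARD, "Order": 1}]},  # no auth at all
    {"Priority": "20", "Actions": [OIDC_ALLOW, FORWARD]},      # auth is optional
    {"Priority": "default", "Actions": [COGNITO, FORWARD]},    # correct
]

if __name__ == "__main__":
    print(audit_listener("HTTPS", SAMPLE_RULES))
```

The ALB only enforces that a session exists; the authenticator-app second factor is enforced by the identity provider behind it (for Cognito, the user pool's MFA setting).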

0

Hi,

With AWS, MFA authenticators are managed with IAM: https://aws.amazon.com/iam/features/mfa/

If you look at this page, you will see that both Google and Microsoft software authenticators for iOS and Android are supported.

To try them, please follow this setup guidance: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html

Best.

Didier

AWS
Expert
answered 4 months ago
  • Thank you Didier. Unless I have misunderstood, your reply is more aimed at using MFA for users with access to the management console rather than users of my actual application?
