


Review: Protecting API connections with Forum Sentry

Oct 17, 2018 | 6 mins
Access Control | Network Security | Security

The Forum Sentry API Security Gateway goes beyond access control and deep into security, monitoring all the connections that it forms between systems and enforcing very granular security policies.


The unsung hero of today’s modern networks is the application program interface (API), the tiny programs and protocols that act as the bridges bringing users, networks, systems and information together. But they also make it difficult to connect legacy systems such as application servers with modern tools like smartphones. And, they are often targeted by attackers, because whoever controls the bridges can compromise or control the network.

There are lots of ways to try and manage APIs, from hand-written code that addresses a specific instance to systems that can install thousands of agents to generate APIs when needed. The Forum Sentry API Security Gateway from Forum Systems takes a novel approach, using an appliance to link everything from modern to legacy systems, while also hardening and monitoring those connections to keep them free from compromise or tampering. And, by protecting the APIs and enforcing security policies on those connections, it can also protect the core network.

The API Security Gateway is installed as a hardware appliance, but it can also be virtualized and put into a network as software. Each appliance can handle about 1,000 transactions per second before a second one would need to be installed. Pricing is based on the number of appliances or virtual appliances that each organization needs.

Forum Sentry appliance (Credit: Forum Systems)

The Forum Sentry appliance is available as a rack-mounted hardware device, or it can be completely virtualized and deployed as software.

Getting started

Installing Forum Sentry is relatively easy, since it’s designed to sit inline between the applications and the end users, including automated programs, that need to connect to them. There are no agents needed. Administrators simply need to point programs at the gateway and define what types of connections are allowed.

One thing that makes Forum Sentry so powerful is the fact that almost every conceivable legacy protocol and program type has been built into the appliance. This makes it possible to do things like control a legacy application using an iPhone, which was not even conceived, much less invented, when the legacy application was created. Forum Sentry handles the access controls on both ends, translating requests and commands so that each part can communicate. For organizations with legacy technology that they don’t want to overhaul, Forum Sentry could offer a less cumbersome solution to bring it into the modern age.

Forum Sentry workflow (Credit: John Breeden II/IDG)

Configuring or linking users with network assets is extremely easy yet also highly granular using a series of wizard-like tools provided by the Forum Sentry appliance. It comes pre-loaded with many common policies as well.

At its core, Forum Sentry acts as a reverse proxy to connect devices. By default, every connection is denied, and it’s up to users to create policies regarding what kind of connections will be allowed. The appliance comes with quite a few template policies that make use of best security practices. These can be used unchanged, or modified as desired. Or users can create their own policies tied to the specific users, devices or programs within their network, or almost anything else.

Testing Forum Sentry

In our testing, we were able to create ways that a specific group of users could connect to Salesforce using their Google Account logins. This was done by first validating a user through Google and then having Forum Sentry generate and digitally sign a SAML 2.0 token, which included specific user data required for Salesforce entry. Salesforce then validated the users and allowed them to log in. Essentially, using the policies within Forum Sentry, we were not only able to protect those Salesforce accounts, but also include them in an organization-wide single sign-on program for users run through the appliance. And we could do all that using wizard-like configuration interfaces.

Beyond just creating the connections, Forum Sentry continues to monitor those connections. Administrators can see at a glance how many connections and APIs are being managed by the appliance. Better yet, users can be prevented from breaking network policy even after they are initially approved. For example, one of our users tried to download more data than the connection type allowed. Another attempted to access an area he did not have permission to visit. Still another attempted to download a virus, which was captured by the onboard Clam antivirus program which is resident and fully engaged on every Forum Sentry appliance.

Forum Sentry rule breaker (Credit: John Breeden II/IDG)

In addition to linking systems, programs and users, Forum Sentry monitors traffic and can step in if a user suddenly violates policy. Rule breaker alerts are collected by the appliance and can be sent to a SIEM for further analysis.

Those rule-breaking activities are collected by Forum Sentry in the main interface and can also be sent out to any security appliance. Users can program how Forum Sentry responds to each of these rule violations too, whether blocking them, throttling traffic rates to that user, sending a warning message or just about anything in between.

Forum Sentry block detail (Credit: John Breeden II/IDG)

Administrators can dive down into transaction records to see exactly why certain actions were blocked or quarantined.

Forum Sentry can also be set to collect detailed log files on every transaction, or only those that violate policy. The log files themselves can be automatically protected as well. In addition to encrypting the log files, there are other precautions administrators can take, such as scanning for personal information like social security numbers and converting them to asterisks in the log files. That way, the logs themselves won’t become an additional security risk.
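One way to apply the SSN-masking precaution described above before log lines reach disk or a SIEM, as an added Python example (not Forum Sentry's implementation or configuration). The logger name, the `ListHandler` sink and the sample log lines are constructed for illustration.

```python
import logging
import re

# AAA-GG-SSSS or nine bare digits. The backreference demands consistent separators
# and the lookarounds keep the match out of longer digit runs (e.g. transaction IDs).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})(-?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def mask_ssns(text):
    """Replace every digit of a plausible SSN with '*', keeping the separators."""
    def _mask(m):
        if not is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            return m.group(0)  # leave reference numbers that cannot be SSNs intact
        return re.sub(r"\d", "*", m.group(0))
    return SSN_RE.sub(_mask, text)

class SSNRedactingFilter(logging.Filter):
    """Masks after %-formatting, so SSNs passed as log arguments are covered too."""
    def filter(self, record):
        record.msg = mask_ssns(record.getMessage())
        record.args = None
        return True

class ListHandler(logging.Handler):
    """Hypothetical in-memory sink standing in for a log file or SIEM forwarder."""
    def __init__(self):
        super().__init__()
        self.lines = []
        self.addFilter(SSNRedactingFilter())

    def emit(self, record):
        self.lines.append(record.getMessage())

def demo():
    """Send three constructed log lines through the filter; return what was stored."""
    log = logging.getLogger("gateway.demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.propagate = False
    sink = ListHandler()
    log.addHandler(sink)
    log.info("POST /claims user=%s ssn=%s", "alice", "123-45-6789")
    log.info("txn=1234567890123 body={'ssn': '123456789'}")
    log.info("ref=000-12-3456 phone=555-123-4567")
    log.removeHandler(sink)
    return sink.lines
```

Attaching the filter to the handler rather than the logger means every record written to that sink is masked, regardless of which logger produced it.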

Forum Sentry policy viewer (Credit: John Breeden II/IDG)

Examining every aspect of a security policy can be done from within the main console, where a graphical interface makes all the interactions easy to comprehend and visualize.

The bottom line

The Forum Sentry API Security Gateway’s access control abilities are impressive, but it goes beyond access control and deep into security, monitoring all those connections that it forms and enforcing very granular security policies. It can even be used as part of a single sign-on program, since it can control all aspects of connectivity and user access. Any organization with a large network can find a good use for Forum Sentry to help protect their APIs, connections and users.