Application Security Made in Switzerland








Security at bank level

Airlock is now the established Swiss standard for eBanking—and that’s a fact. Our lengthy experience of working in the international financial sector means that you benefit from the best possible online security—reliable, efficient and process-optimized.


The Airlock Suite is just as flexible as your requirements. That’s because Airlock can adapt—to existing environments, new challenges and individual needs. The result: your investment is excellently protected, and you benefit from customized solutions.

Cutting cost

Intelligent software architecture, central authentication functionalities and cutting-edge user self-services: these are the assets that make the Airlock solution so outstandingly attractive in terms of cost—a solution that will permanently reduce your IT expenditure.

User self services

Forgotten passwords, lost logins, new user accounts—customer support has to deal with a host of routine tasks. That’s why we opt for well-designed user self-services. Thanks to this approach, Airlock can cut costs while boosting your customer and employee satisfaction level.

Integrated solutions, one single source

Individual components, perfectly coordinated in one complete package—that’s Airlock. No matter how varied your requirements are, Airlock Suite is your guarantee of well thought-out solutions from one single source, scalable and flexible.

Swiss made

No doubt about it: the highest quality—that’s what Airlock offers you, because our security applications are developed exclusively in Switzerland: your guarantee of maximum reliability, precision and perfection.

The problem of internet security is almost as old as the internet itself. But there is a reliable solution: Airlock Suite from Ergon. Airlock Suite is underpinned by superb Swiss engineering expertise, many years of experience and well thought-out concepts that master the most complex challenges. Airlock Suite deals with the issues of filtering and authentication in one complete and coordinated solution—setting new standards for usability and services.

Online banking, eCommerce, mobile access: the Airlock Web Application Firewall will reliably protect your internet applications—thanks to systematic control and filtering mechanisms backed up by a diverse range of enhancement options.

When combined with Airlock WAF, Airlock Login ensures reliable user authentication and authorization. But that’s not all: as well as superlative security, Airlock Login delivers high usability and cost-efficiency.

Airlock IAM is the suite’s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration.


The Airlock Web Application Firewall offers a unique combination of protective mechanisms for web applications. Whether your objective is legal compliance, security for your applications or protection for eCommerce: Airlock WAF will upgrade security for your internet applications—a permanent solution with a host of well thought-out functionalities.

Thanks to Airlock WAF, businesses can exploit the potential of the internet without jeopardizing the security and availability of their web applications and services. Each access is systematically monitored and filtered at every level. Used in conjunction with an authentication solution such as Airlock Login or IAM, Airlock WAF can force upstream user authentication and authorization. This allows a uniform, central single sign-on infrastructure. All information is also made available via monitoring and reporting functions. Airlock WAF is one of the few web application security solutions on the market that provide superlative end-to-end protection for complex web environments.

Reverse Proxy and Web Application Firewall

Airlock WAF offers a unique protection mechanism by operating as a combined secure reverse proxy server and web application firewall. All access attempts are systematically controlled and filtered.

Control via a central access point

Airlock WAF is a central point of control for web access, avoiding anonymous interactions with applications that have user authentication. Airlock covers every layer, reducing costs and dependencies.

Shorter time to market thanks to virtual patching

Secure now, fix later—that’s virtual patching in a nutshell. Airlock WAF’s reverse proxy approach makes it very easy for you to virtualize servers and services. Virtual import of patches is also possible. The benefit: security-relevant weaknesses are quickly remedied at a central point over all applications.

Improved availability and performance

Web applications and web services deal only with authorised users and valid data traffic. High availability is guaranteed through load balancing and failover functions.

SIEM integration

The Airlock Operations app for Splunk® Enterprise makes aggregated management reports available on security issues and application usage. Network administrators can use various dashboards to investigate security-critical events so application and performance problems are rapidly resolved.

Simple operation

Airlock is a Linux-based software appliance with a hardened operating system. It runs on the common hardware platforms, in virtual machines and in the cloud. Airlock offers fast and easy installation and allows cost-efficient operation.

Product information

[Figure: Airlock system overview]


Practical, lean and secure: Airlock Login is the ideal complement to Airlock WAF for reliable user authentication and authorization. Airlock Login offers efficient solutions and easy handling at an attractive price. Airlock Login features convincingly high usability and straightforward


Solid basis for more

Because it is directly integrated with Airlock WAF, Airlock Login allows fast and convenient implementation of strong upstream user authentications with in-company single sign-on. There may be a need for extensive additional functions such as web service interfaces, step-up authentication workflows, support for cross-domain SSO or user self services. In these cases, an upgrade from Airlock Login to Airlock IAM could not be easier: simply import a new license, and the Airlock IAM functions will be activated.

Secure and strong access control

Virtually every modern web application requires user identification to allow certain types and levels of access.

Airlock Login provides upstream authentication and allows access control for customers and employees to be centralised and run independently of the business logic.

Single sign-on (SSO)

Airlock Login ensures that even legacy web applications with their own user master records can be easily integrated in the standardised web single sign-on infrastructure.

Easy configuration—also at run-time

Configurations can be efficiently processed using the graphic editor. Airlock Login has a flexible architecture that permits configuration changes at run-time without any session loss or operational disruption.


– Web-based login application
– Web-based administration interface
– Integrated database for user profiles
– Service containers for batch jobs and letter generation
– Technical interfaces

– 1 and 2-factor authentication
– Password verification against directory (LDAP, MSAD), OTP token server via RADIUS, RSA SecurID, MTAN (SMS), client certificates
– Role-based access control (RBAC)
– Complex authentication workflows (e.g. step-up, step-down)
– Support for a wide range of additional authentication methods
– Dynamic access control (based on environment attributes)

Login application

– Change and reset password via email
– Portal function
– User self-services
– Various other functions (representation, GTCs, maintenance reports / notifications, etc.)

Single sign-on (SSO) and identity federation

– Simple SSO (using cookies, HTTP headers, on-behalf form login, back-side Kerberos, etc.)
– Cross-domain SSO and identity federation

Identity Management

– Find and show users
– Manage, aggregate and provision identity and role information

Deployment

– Integration in Airlock WAF
– Deployment is possible outside of Airlock WAF
– Client capability

Airlock Login and Airlock IAM compared


Airlock IAM is the suite’s central authentication platform, including enterprise functions. With this product, customers, partners or employees log in just once for secure access to data and applications. Airlock IAM also automates user administration and provides user


SSO for heterogeneous application environments

In addition to a large number of supported SSO mechanisms (e.g. SAML, OpenID Connect), Airlock IAM also accepts authentication tickets issued by other entities.

Cross-domain single sign-on

Airlock IAM supports Federated Identity Management (FIdM) and therefore facilitates cross-domain SSO. Acting as a central identity provider (IDP) in this case, Airlock IAM registers, reports and manages user data. User data are automatically synchronised with third-party systems via the standardised interface. This always ensures a consistent status of user data for all parties. Another advantage is maximum usability. The specific services (service providers) come from other domains and use identities transmitted via SAML, OAuth or OpenID Connect.

Authentication services

Airlock IAM has its own integrated authentication services for matrix cards, mobile TAN via SMS and mobile OTP. All these variants are very cheap since there is no need to purchase any tokens or any special operating hardware. Their administration is fully integrated in the product.

In addition, other authentication services as well as many different hardware or software tokens are supported.

Centralisation of user data

Airlock IAM is the central point of control for the administration of authentication data. For other applications or components in SOA environments Airlock IAM provides a web service interface (SOAP or REST) which offers actions related to authentication: for example, Airlock IAM can enforce complex password policies while password changes are still made remotely in a business application.

User self-services

In addition to user administration, there are a number of user self-services which cover the entire lifecycle of a user account for single sign-on. The workflows for self-administration of user data cover self-registration, self-migration, self-provisioning of external logins, password changes and user profile data editing.

Product information

Airlock WAF

– Secure Reverse Proxy
– Termination of TCP / IP
– SSL, SSL VPN, HTTP / S, AMF, JSON and SOAP / XML filter
– Multi-level filtering
– Dynamic whitelisting
– URL encryption
– Smart form protection
– Cookie protection
– Load balancing
– ICAP content filtering
– Content rewriter (Raw, HTML)
– Access control, authentication & SSO
– HSM support
– Airlock Operations App for Splunk

Airlock Login

– Supported tokens
OTP token via RADIUS (RSA SecurID, Kobil SecOVID, VASCO Digipass, etc.), client certificates (X.509, SuisseID, etc.)

– Integrated tokens
Password, Mobile TAN, Email-OTP

– Single sign-on
Kerberos, HTTP Cookies, HTTP Headers, URL-Tickets, Basic Auth, Form Post on behalf

– User directories
JDBC databases, LDAP directories / MS ActiveDirectory

– User self-services
Automatic password reset, portal function

– Operational features
Failover, audit log, log viewer, web-based administration console, hot deployment without restart

– Operating systems
Java-based: Linux, Windows, VMWare

Airlock IAM additional to Airlock Login

– Supported tokens
CrontoSign, Kobil AST, Swisscom MobileID, OATH-Tokens

– Integrated tokens
Mobile OTP, matrix card

– Identity Federation
SAML 2.0 IDP / SP, OAuth 2.0, OpenID Connect

– Single sign-on

– Integrated database for user extension

– User administration / IAM
User, token and role administration, report engine, password policy enforcement

– User self-services
Self-registration, self-migration, self-administration, kiosk and portal function for own user data

– Interfaces
Web application, RADIUS, SOAP, REST, EAP / TLS 802.1X

– Operational features
Multitenancy, statistical evaluations



smart people – smart software

Founded in 1984, Ergon Informatik AG now has a workforce of 235 and numbers among the most long-standing and successful IT service providers in Switzerland. Over 80 % of our employees are graduate software developers, and most of them have trained as IT engineers at the Swiss Federal Institute of Technology (ETH), Zurich—one of the world’s top ten universities. Ergon Informatik AG has also won multiple awards for its sustainable personnel policy.

Ergon Informatik AG is a broadly diversified company that provides services to a wide variety of sectors. Ergon has exceptional expertise in sectors such as financial services, eBanking, telecommunications and security. In 1997, Ergon developed Switzerland’s first eBanking system for a well-known Swiss bank. Airlock Suite, our security product, was launched on the market in 2002 and is now used by 300 customers around the globe.

For more information visit

Copyright Notice

Copyright © 2015 Ergon Informatik AG. All Rights Reserved. All technical documentation that is made available by Ergon Informatik AG is the copyrighted work of Ergon Informatik AG and is owned by Ergon Informatik AG. Ergon, the Ergon logo, “smart people smart software” and Airlock are registered trademarks of Ergon Informatik AG. Microsoft and ActiveDirectory are registered trademarks or trademarks of Microsoft Corporation in the United States and / or other countries. Other products or trademarks mentioned are the property of their respective owners.