
| Subject: | AW: Three Physical Tiers in the Name of Security? |
|---|---|
| Date: | Thu, 28 Jul 2005 22:36:43 +0200 |
Hi,

In fact there are some security considerations. One is the possibility to place firewalls between the layers. This gives you more control regarding security.

The proper place for the presentation layer is a DMZ. Why? Because nowadays many attacks work on the application level through the HTTP protocol (code injection, path traversal, parameter manipulation, use of buffer overflows, ...). The first server which may be attacked on that level is the one which holds the presentation layer, because this is the server which actually answers the HTTP requests. Do you like to have this server in your corporate network? I guess not. So it is definitely a good idea to separate the presentation layer from the application layer and separate those two layers through a firewall. To gain even more flexibility regarding security, proxies, application gateways and web filters may be placed between the layers as well.

Another point is the possibility to change protocols between the layers, which gives you additional security.

Typically the following architecture will give you proper security:

Internet -> FW1 - Proxies, Webfilter - Presentation Layer -> FW2 -> Application Layer -> Data Layer

If you deal with an application where the presentation layer and the application layer are not separable, I would consider the following architecture:

Internet -> FW1 - Proxies, Webfilter -> FW2 Presentation+Appl. Layer -> FW3 -> Data Layer

Of course these are only recommendations. Your architecture depends on your actual situation and your needs for security. You may choose more or fewer layers and firewalls.

greetings,
Leopold Rehberger

________________________________
From: Richard Burgett [mailto:richard_burgett@yahoo.com]
Sent: Thu 28.07.2005 03:52
To: webappsec@securityfocus.com
Subject: Three Physical Tiers in the Name of Security?

One of our new colleagues is leading the charge to require *all* business logic (i.e. database calls) to be physically located on a middle tier server (which is separate from the Web and DB Server). The motivation for this change is "to be more secure". We're a Microsoft shop, and are finally moving from ASP to ASP.Net for public facing web apps (ones that provide web registrations and similar with a database).

I can understand using Three Physical Tiers for the reasons of performance, scalability, and design purposes. But, I've yet to find a compelling reason why to do this for security reasons (after some googling). Could anyone point to some sort of authoritative document on this or give a response? Chapter 7 in the "Building Secure ASP.NET Applications" book has very useful information, I'm just basically trying to see how security measures up between the 2 physical tier scenario of "ASP.NET to SQL Server" and 3 physical tier scenarios of "ASP.NET to Remote Enterprise Services to SQL Server" (or even "Using .NET Remoting").

Do 2 Physical tiers only cut it for small web sites that don't store things like Credit Card info (i.e. "Grandma's Cookie Shop")? Where would you draw the line for moving to 3 tiers (being a bank)? Up to what level of sensitive info can you store in 2 physical tiers?

In trying to look at it from a bad guy's perspective, how much more protection does the extra physical tier give you? (especially in terms of trying to escalate database privilege or trying to penetrate backend systems) I'm not too familiar with these newer technologies in terms of pen-testing, but I imagine it wouldn't be that much harder to "island hop" across the middle tier with netcat (or similar) after gaining access and elevating privileges. (these newer technologies must use open ports that pass through the firewall between servers that could somehow be compromised).

We have a fairly low volume of transactions, and were hoping to smooth out the learning curve for our existing developers that are learning .Net and web stuff and take a more gradual approach. (although some of our apps are small and they all probably don't warrant the extra complexity of this approach). Personally, I don't like the rigid rule of having to create a class on a middle tier for all database calls to populate a web page, but maybe it will grow on me ;) Some of our developers are thinking 3 tiers is actually 3 tears from the eyes, lol

Thanks for any feedback,
Richard

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
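The two questions in this exchange, what the extra physical tier buys against an attacker who has taken the web server, and how the benefit is lost, can be made concrete by modelling each architecture as a default-deny firewall policy and asking what a compromised zone can reach. The following is an added example written for this page, not code from either poster; the zone names, the rule sets and the application-tier port 8080 are constructed assumptions (1433 is SQL Server's default). It models Leopold's first architecture against Richard's "ASP.NET to SQL Server" layout; the combined presentation+application variant behind FW3 can be modelled the same way by merging the two middle zones.

```python
from collections import deque

# Constructed firewall policies for the two architectures compared in the
# thread.  A rule is (source_zone, destination_zone, tcp_port); anything
# not listed is denied.  Port 1433 is SQL Server's default; 8080 for the
# presentation -> application hop is an assumed placeholder.
TWO_TIER = frozenset({
    ("internet", "web", 443),   # FW1: public HTTPS to the ASP.NET server
    ("web", "db", 1433),        # FW2: ASP.NET talks straight to SQL Server
})

THREE_TIER = frozenset({
    ("internet", "web", 443),   # FW1: public HTTPS to the presentation tier
    ("web", "app", 8080),       # FW2: presentation -> application tier only
    ("app", "db", 1433),        # FW3: only the application tier reaches SQL
})


def hops_to(rules, start, target):
    """Number of permitted connections an attacker must chain, starting with
    code execution in zone `start`, before the policy lets a packet reach
    `target` (None if no path).  Every intermediate zone must be fully
    compromised first: the island-hopping scenario from the thread."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            return dist[zone]
        for src, dst, _port in rules:
            if src == zone and dst not in dist:
                dist[dst] = dist[zone] + 1
                queue.append(dst)
    return None


def exposed_from(rules, zone):
    """Every (destination, port) a host in `zone` may open directly, i.e.
    what netcat can talk to once that zone is owned."""
    return sorted((dst, port) for src, dst, port in rules if src == zone)


def data_tier_violations(rules, data_zone="db", allowed_clients=("app",)):
    """Rules that let a zone other than the permitted client tier reach the
    data tier.  An empty list is the property the extra physical tier is
    meant to buy: the database is reachable from exactly one upstream zone."""
    return sorted(r for r in rules
                  if r[1] == data_zone and r[0] not in allowed_clients)


if __name__ == "__main__":
    for name, rules in (("two-tier", TWO_TIER), ("three-tier", THREE_TIER)):
        print(f"{name}: DB is {hops_to(rules, 'internet', 'db')} hops from the "
              f"Internet; a compromised web server sees {exposed_from(rules, 'web')}")
    # The usual way the benefit is lost: a "temporary" rule from the web
    # tier straight to SQL Server silently turns three tiers back into two.
    leaky = THREE_TIER | {("web", "db", 1433)}
    print("violations after adding web->db:", data_tier_violations(leaky))
```

The model says what the thread's intuition says: the third tier does not stop island hopping, it adds one more host that must be fully compromised, and narrows what the first compromised host can even connect to (one application port instead of SQL Server). `data_tier_violations` is the check worth running against the real rule base after every change, because a single convenience rule from the web zone to port 1433 removes the whole benefit without anyone redrawing the architecture diagram.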