Re: AW: Three Physical Tiers in the Name of Security?

[dinis_webappsec <dinis_webappsec () ddplus net>]

I just would like to add, that from my personal experience, even when
systems have three layers that are separated by some 'low hanging fruit
protection' stuff (like firewalls, or IIS Application Pools), the
functionality that exists from layer 3 to layer 2 and from layer 2 to
layer 1 (being layer 3 the Internet facing one) is more than enough to
gain full access to the targeted asset (which is usually a database)

What I mean is that if I am able to execute malicious code in the web
server, I can use the interfaces to the 'business layer' to gain full
access to the 'Database Layer'.

Why? Because attacks from 'internal' malicious code are very rarely
considered and mitigated.

And if they have a Fat C++/.Net/Java client (or in he 'new 2006 version'
in AJAX :) I can even start this 'exploitation-stack' on the client machine.

Dinis Cruz
.Net Security Consultant
Owasp .Net Project Leader

Rehberger Leopold wrote:

> Hi,
>
> In fact there are some security considerations. One is the possibility to place firewalls between the layers.
> This gives you more control regarding security.
>
> The proper place for the presenaton layer is a DMZ. Why? Because nowadays many attacks work on the application level 
> through Http Protocol (Code Injection, Path Traversal, Parameter Manipulaton, Use of Buffer Overflows,...) The first 
> server which may be attacked on that level ist the one which holds the presentation layer, because this is the server 
> which actually answers the Http Requests. Do you like to have this server in your Corporate Network? I guess not.
>
> So it is definitly a good idea to seperate the presentation layer from the application layer and seperate those two layers through a firewall. To even gain more flexibility regarding security proxies, application gateways and web filters may be placed between the layers as well. 
>
> Another point is the possibility to change protocols between the layers, which gives you additional security.
>
> Typically the following architecture will give you proper security:
>
> Internet -> FW1 - Proxies, Webfilter - Presentation Layer -> FW2 -> Application Layer -> Data Layer
>
> If you deal with an application where the presentation layer and the application layer are not seperatable I would 
> consider the following Architecture:
>
> Internet -> FW1 - Proxies, Webfilter -> FW2 Presentation+Appl. Layer -> FW3  -> Data Layer
>
> Of course this are only recommendations. Your architecture depends on your actual situation and your needs for 
> security. You may choose more or less layers and firewalls.
>
> greetings,
>
> Leopold Rehberger
>
>
>
> ________________________________
>
> Von: Richard Burgett [mailto:richard_burgett () yahoo com]
> Gesendet: Do 28.07.2005 03:52
> An: webappsec () securityfocus com
> Betreff: Three Physical Tiers in the Name of Security?
>
>
>
> One of our new colleagues is leading the charge to
> require *all* business logic (i.e. database calls) to
> be physically located on a middle tier server (which
> is separate from the Web and DB Server).  The
> motivation for this change is "to be more secure".
> We're a Microsoft shop, and are finally moving from
> ASP to ASP.Net for public facing web apps (ones that
> provide web registrations and similar with a
> database).
>
> I can understand using Three Physical Tiers for the
> reasons of performance, scalability, and design
> purposes.  But, I've yet to find a compelling reason
> why to do this for security reasons (after some
> googling).
>
> Could anyone point to some sort of authoritative
> document on this or give a response?
>
> Chapter 7 in the "Building Secure ASP.NET
> Applications" book has very useful information, I'm
> just basically trying to see how security mesures up
> between the 2 physical tier scenario of "ASP.NET to
> SQL Server" and 3 physical tier scenarios of "ASP.NET
> to Remote Enterprise Services to SQL Server" (or even
> "Using .NET Remoting").
>
> Do 2 Physical tiers only cut it for small web sites
> that don't store things like Credit Card info (i.e.
> "Grandma's Cookie Shop")?  Where would you draw the
> line for moving to 3 tiers (being a bank)?  Upto what
> level of sensitive info can you store in 2 physical
> tiers? 
>
> In trying to look at it from a bad guy's perspective,
> how much more protection does the extra physical tier
> give you? (especially in terms of trying to escalating
> database privilege or trying to penetrate backend
> systems)  I'm not too familiar with these newer
> technologies in terms of pen-testing, but I imagine it
> wouldn't be that much harder to "island hop" across
> the middle tier with netcat (or similar) after gaining
> access and elevating privileges.  (these newer
> technologies must use open ports that pass through the
> firewall between servers that could somehow be
> compromised). 
>
> We have a fairly low volume of transactions, and were
> hoping to smoothe out the learning curve for our
> existing developers that are learning .Net and web
> stuff and take a more gradual approach.  (although
> some of our apps are small and they all probably don't
> warrant the extra complexity of this approach). 
>
> Personally, I don't like the rigid rule of having to
> create a class on a middle tier for all database calls
> to populate a web page, but maybe it will grow on me
> ;)
>
>
> Some of our developers are thinking 3 tiers is
> actually 3 tears from the eyes, lol
>
> Thanks for any feedback,
> Richard
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
>
>
>