WebApp Sec mailing list archives
RE: Three Physical Tiers in the Name of Security?
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Thu, 28 Jul 2005 18:27:31 +1000
I can offer a few thoughts, which may even be relevant. The 3 physical tier approach means:

- web-app layer traffic can be firewalled into specific ports and thus specific protocols
- web-app layer traffic can be "IPS'ed"
- there is potential for using different OSes in different layers (I did note you said this is an MS shop) to avoid the possible monoculture problem (e.g. certain attacks against the OS may work effectively at all 3 layers)
- in some IT shops, 3 tiers can improve access control and segregation of duties by separating the skills needed for each layer/technology base into discrete boxes. E.g. why would a DBA or programmer need access to the layer that stores SSL certs/private keys? Of course, if there is only 1 person doing all 3 functions, this is moot.

These may offer advantages in your environment - without knowing the risk environment/models to be protected against, it's hard to say.

Clearly document the pros and cons; any internal decision/approval should clearly articulate the benefits being sought, and set down a future architectural direction/intention.

Lyal

-----Original Message-----
From: Richard Burgett [mailto:richard_burgett () yahoo com]
Sent: Thursday, 28 July 2005 11:52 AM
To: webappsec () securityfocus com
Subject: Three Physical Tiers in the Name of Security?

One of our new colleagues is leading the charge to require *all* business logic (i.e. database calls) to be physically located on a middle tier server (which is separate from the Web and DB Server). The motivation for this change is "to be more secure". We're a Microsoft shop, and are finally moving from ASP to ASP.Net for public facing web apps (ones that provide web registrations and similar with a database).

I can understand using Three Physical Tiers for the reasons of performance, scalability, and design purposes. But, I've yet to find a compelling reason why to do this for security reasons (after some googling).

Could anyone point to some sort of authoritative document on this or give a response? Chapter 7 in the "Building Secure ASP.NET Applications" book has very useful information; I'm just basically trying to see how security measures up between the 2 physical tier scenario of "ASP.NET to SQL Server" and 3 physical tier scenarios of "ASP.NET to Remote Enterprise Services to SQL Server" (or even "Using .NET Remoting").

Do 2 Physical tiers only cut it for small web sites that don't store things like Credit Card info (i.e. "Grandma's Cookie Shop")? Where would you draw the line for moving to 3 tiers (being a bank)? Up to what level of sensitive info can you store in 2 physical tiers?

In trying to look at it from a bad guy's perspective, how much more protection does the extra physical tier give you? (especially in terms of trying to escalate database privilege or trying to penetrate backend systems) I'm not too familiar with these newer technologies in terms of pen-testing, but I imagine it wouldn't be that much harder to "island hop" across the middle tier with netcat (or similar) after gaining access and elevating privileges. (these newer technologies must use open ports that pass through the firewall between servers that could somehow be compromised).

We have a fairly low volume of transactions, and were hoping to smooth out the learning curve for our existing developers that are learning .Net and web stuff and take a more gradual approach. (although some of our apps are small and they all probably don't warrant the extra complexity of this approach). Personally, I don't like the rigid rule of having to create a class on a middle tier for all database calls to populate a web page, but maybe it will grow on me ;) Some of our developers are thinking 3 tiers is actually 3 tears from the eyes, lol

Thanks for any feedback,
Richard
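The point in contention above (does a separate middle tier buy anything against an attacker who has taken the web server, or can they just "island hop" onward?) can be made concrete by modelling the east-west firewall policy Lyal describes and computing what each compromised host can reach. The following is an added example written for this archive page, not code from either poster; the tier names and the port 8080 for the remoting/Enterprise Services hop are assumptions for illustration, and the dictionaries stand in for a real firewall ruleset.

```python
from collections import deque

# Hypothetical tiers, in the order traffic is supposed to flow.
TIER_ORDER = ["internet", "web", "app", "db"]

# Two physical tiers: ASP.NET on the web box talks straight to SQL Server.
# Constructed policy: (src_tier, dst_tier) -> set of permitted TCP ports.
TWO_TIER = {
    ("internet", "web"): {443},
    ("web", "db"): {1433},
}

# Three physical tiers: the web box may only reach the app box, and only the
# app box may reach SQL Server. 8080 is an assumed port for the middle tier.
THREE_TIER = {
    ("internet", "web"): {443},
    ("web", "app"): {8080},
    ("app", "db"): {1433},
}


def flow_allowed(policy, src, dst, port):
    """Would the inter-tier firewall pass src -> dst on this port?"""
    return port in policy.get((src, dst), set())


def directly_reachable(policy, compromised):
    """Hosts (and ports) an attacker sitting on `compromised` can hit with a
    single netcat-style connection, i.e. without owning another box first."""
    return {dst: set(ports)
            for (src, dst), ports in policy.items() if src == compromised}


def hosts_to_compromise(policy, start, target):
    """Breadth-first search over permitted flows. Returns the number of
    additional hosts an attacker who already owns `start` must compromise
    before any packet of theirs can reach `target`; None if no path exists."""
    if start == target:
        return 0
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in directly_reachable(policy, cur):
            if nxt in dist:
                continue
            dist[nxt] = dist[cur] + 1
            if nxt == target:
                # Edges traversed minus one = intermediate boxes to take over.
                return dist[nxt] - 1
            queue.append(nxt)
    return None


def tier_skips(policy, order=TIER_ORDER):
    """Lint for the ruleset: flows that jump past a tier or run backwards
    (e.g. web -> db, or db -> web) defeat the point of the segmentation."""
    idx = {tier: i for i, tier in enumerate(order)}
    return sorted((src, dst) for (src, dst) in policy if idx[dst] - idx[src] != 1)


if __name__ == "__main__":
    for name, policy in (("2-tier", TWO_TIER), ("3-tier", THREE_TIER)):
        print(name, "web box can reach:", directly_reachable(policy, "web"))
        print(name, "extra hosts to own before reaching db from web:",
              hosts_to_compromise(policy, "web", "db"))
        print(name, "tier-skipping rules:", tier_skips(policy))
```

In the two-tier policy the web box already holds a permitted path to port 1433, so owning it is owning the database path; in the three-tier policy the attacker has to take a second host first, and the only thing exposed to them in the meantime is whatever interface the middle tier offers on its one port. That second compromise is the whole of the gain, so it is only real if that interface is narrow (specific business operations, not a generic "run this SQL" proxy) and the rules reported by tier_skips stay empty.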
Current thread:
- Three Physical Tiers in the Name of Security? Richard Burgett (Jul 27)
- RE: Three Physical Tiers in the Name of Security? Lyal Collins (Jul 28)
- Re: Three Physical Tiers in the Name of Security? Lucas Holt (Jul 28)
- Re: Three Physical Tiers in the Name of Security? Frank O'Dwyer (Jul 28)
- Re: Three Physical Tiers in the Name of Security? Christopher Canova (Jul 28)
- Re: Three Physical Tiers in the Name of Security? Frank O'Dwyer (Jul 29)
- <Possible follow-ups>
- RE: Three Physical Tiers in the Name of Security? Jeff Robertson (Jul 28)
- Re: Three Physical Tiers in the Name of Security? Groves Powers (Jul 28)
- RE: Three Physical Tiers in the Name of Security? Lyal Collins (Jul 28)