Re: 2 Tier vs 3 Tier

[Vic Vandal <vvandal () well com>]

In today's world you can implement 2-3 filtered tiers using a single firewall, as many of them support much more than 
two network interfaces and they support traffic filtering on each interface.  So you can allow only web (HTTP/HTTPS) 
traffic into the web tier, then only allow the web tier to run application-specific traffic into the app tier, and then 
only allow the app tier to run DB-specific traffic into the DB tier.  When I use the term 'single firewall' I kinda 
mean a fault-tolerant, load-balanced pair, at minimum.  Hacks and everything else aside, if you only have one hardware 
firewall and it has some hardware problem then your tiers of servers will basically be out of commission while you 
scramble to get new hardware and a new firewall built.

I can't really speak to any security benefits of a 2-tier architecture over a 3-tier architecture, and could only make 
that 2-tier argument over a completely flat architecture where everything runs on the same box or the same network 
segment.  
Well, I can offer you one weak argument.  You can always make the case that it will be easier to keep a single box 
patched and hardened than multiple boxes in split tiers, which will also save your organization money on hardware and 
sys-admin maintenance costs.  

I did a pen-test on a vendor one time where they ran the app and DB tiers on a single system behind a firewall (it 
wasn't HTTP-based).  They thought their implementation was secure and that no one could break out of the app and into 
the DB.  They were very, very wrong.  Of course you can have an insecure multi-tier architecture that allows the same 
level of exploitation across multiple hosts, but there are a lot of benefits to keeping the tiers physically and 
logically separate.  I'm just saying.

As for compensating controls do some basic traffic filtering at your Internet-facing router.  You can drop/blackhole a 
lot of junk traffic there.  Harden each tier, both from an OS and application viewpoint.  Keep everything patched 
(network devices, operating systems, applications, etc.).  Scan your servers for security compliance, and scan your web 
apps for code vulnerabilities.  Implement both HIDS and N-IPS, if you can.  Network-based IPS can knock down a lot of 
attacks that make it past your screening router.

You mentioned host-based firewalls, and I'd advise to stay away from them unless you're talking about running firewall 
software on dedicated hardware.  Running your firewall on the same box(es) as your web app isn't advisable.  Suppose 
you have a vulnerability in your web app and someone sends it a string command (a la xp_cmdshell for example) that 
shuts off the firewall?  Then you're running wide open.  WAFs are in style now, and they have some benefit.  But you 
can accomplish the same thing with a standard firewall and IPS device, if using a decent IPS product.

Sorry there's not much detail above.  I'm pressed for time so that's just some brief thoughts to consider.  What I 
forgot to ask or mention up front that your security control requirements should be somewhat based on the value of 
information, time, reputation, etc. that might be lost if your system(s) is compromised.  I know nothing about your 
specific goal, and you could be talking about running your own personal system to get you remote access to some 
generally value-less data of your own (your personal calendar, web bookmarks, etc.).  But since you said "we are 
building" I assume you are asking as a representative of your employer, and that there might be more at stake.

Peace,
Vic

----- Original Message -----
From: "Thugzclub Thugzclub" <thugzclub () googlemail com>
To: security-basics () securityfocus com
Sent: Tuesday, January 3, 2012 10:50:31 AM
Subject: 2 Tier vs 3 Tier

All,

We are building a system and despite the security benefits of a 3 tier
architecture, I feel that a 2 Tier architecture will suffice.
1 - Any argument for the security benefits of the 2 Tier architecture
2 - Any compensating controls that I can deploy to protect my web
server/application server? I am looking at HIDS and Host based
firewalls as a starter....

thanks

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------