WebApp Sec mailing list archives

Re: Web app based on .net - best practice?


From: Alex Russell <alex () netWindows org>
Date: Tue, 22 Apr 2003 11:17:40 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 23 April 2003 08:41 am, Mads Rasmussen wrote:
> Imagine I have a .net based application
>
> I thought it would be a good idea to have the presentation layer (asp)
> in a DMZ and the business layer (components in VB and C#) in a safe site
> behind a firewall. The communication in between would take place with
> RPC calls.

This is the logical equivalent of having them on the same machine in the 
same namespace. Your "layering" in this case is only physical, and while it 
_could_ provide the opportunity for safety inspection of the RPC calls, I 
doubt you're taking advantage of it.

> I know that RPC is not considered secure but we have a firewall in
> between the DMZ and the safe site (not a guarantee things work out, I
> know)

What, exactly, do you believe a firewall is buying you here? I'm willing to 
bet that it's not doing what you think it's doing.

> My concern is that if the whole application was based in the DMZ, it
> would be hard to control injections and stuff like that. With the
> division we can control (somewhat) what calls go to the safe site
> (business layer).

From this description, I think you've got your layers (and the security 
needs of each) confused a bit. When securing an app like this, your network 
setup only marginally informs your application level security design, and 
says nothing of your needs. Firewalls and DMZs are going to allow you to 
handle problems at layer 2 and layer 3, but they have little (if no) 
bearing on the application-level security you seem to be interested in.

When it comes to securing the app itself, you'll want to separate the 
_logical_ layers of the application strongly. This means well constrained 
interfaces which are ideally watched and logged for malicious behaviour. 
Using RPC (I'm assuming SOAP or XML-RPC?), you have the ability on both 
ends of the connection to do some sanity checking as well as protocol 
integrity checking in the middle.

Your layer 2 and 3 security provisions provide you with a strong foundation 
for your layer 7 security precautions, but they are not interchangeable.

HTH

-- 
Alex Russell
alex () netWindows org
alex () SecurePipe com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+pWskoV0dQ6uSmkYRApXfAJ9LYcpO1JQbTMjwIMeD7Yc5AqdA9wCfRB92
snXRJdIzqQMpyeA+7OjvK5w=
=mDkD
-----END PGP SIGNATURE-----
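
The receiving-end sanity checking and logging that the reply describes, sketched as an added example that is not part of the original message. It assumes the RPC is XML-RPC; the method names, order-id format, size cap and quantity range are hypothetical.

```python
import logging
import re
import xmlrpc.client

log = logging.getLogger("rpc_gate")
MAX_BODY = 8 * 1024                      # assumed cap for this interface
ORDER_ID = re.compile(r"[A-Z]{2}\d{6}")  # hypothetical order-id format

def is_order_id(v):
    return isinstance(v, str) and ORDER_ID.fullmatch(v) is not None

def is_quantity(v):
    return type(v) is int and 1 <= v <= 1000   # type() check excludes booleans

# Allow-list: method name -> one validator per positional parameter.
ALLOWED = {
    "orders.getStatus": (is_order_id,),
    "orders.setQuantity": (is_order_id, is_quantity),
}

def check_call(body: bytes, peer: str):
    """Return (method, params) for an acceptable call, else None after logging."""
    def reject(reason):
        log.warning("rejected RPC from %s: %s", peer, reason)
        return None

    if len(body) > MAX_BODY:
        return reject("body too large")
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return reject("DTD or entity declaration present")
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:                    # any parse failure is a reject
        return reject("malformed XML-RPC")
    validators = ALLOWED.get(method)     # None for unknown or missing method
    if validators is None:
        return reject("method not on allow-list: %r" % (method,))
    if len(params) != len(validators):
        return reject("%s: wrong parameter count" % method)
    for i, (ok, value) in enumerate(zip(validators, params)):
        if not ok(value):
            return reject("%s: parameter %d failed validation" % (method, i))
    return method, params

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample requests, as the presentation tier might send them.
    good = xmlrpc.client.dumps(("AB123456",), "orders.getStatus").encode()
    bad = xmlrpc.client.dumps(("AB123456 OR 1=1",), "orders.getStatus").encode()
    print(check_call(good, "dmz-web-1"), check_call(bad, "dmz-web-1"))
```

The business tier would dispatch only what `check_call` returns; the warning log is the "watched" part of the interface.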
