WebApp Sec mailing list archives

Re: Three Physical Tiers in the Name of Security?


From: "Groves Powers" <gpowers () ensafe com>
Date: Thu, 28 Jul 2005 10:43:22 -0500

Jeff,
    I think you're making the three-tier model more complex than it has to
be. Rather than considering the applications and physical locations, try to
focus on the function of each layer:

    - Presentation. (The user interface or 'front-end')
    - Logic. (The brains of the application)
    - Data. (The application's storage or 'backend')

    The three-tier concept was developed to abstract each function of the
application so as to allow scaling and modularity.
    This means that tiered applications should easily grow to meet demand.
For instance, additional presentation points such as web servers or PDAs
could be added as needed to communicate with the logic and data tiers. The
same holds true for abstracting the database tier. The logic and
presentation layers shouldn't care where the data is coming from, only that
it's delivered as expected. A good example would be transitioning from a
file-based data store to SQL or Oracle. (This is often called 'loosely
coupled,' and should be a development goal.) If the application has this
abstraction, it is a simple change in the data layer that has no impact on
the rest of the application.
    Now, as to the original question: advantages and disadvantages of using
this approach. The paragraph above gives just a few of the reasons for
developers. But, network security can also be managed to control access to
each layer. (Lyal's e-mail does an excellent job describing this.)  With
redundancy and managed layer-access, you may be able to mitigate DoS attacks
and loss of critical data.  Another genuine advantage is the ability to
"plug and play" layers based on need. (I.e. you may decide Oracle is a
better platform for your database, and swapping out the db is easy from a
façade.)
    One of the biggest disadvantages of the 3-Tier approach is the
single point of failure created in small shops. If you have a logical
abstraction that dies, all applications utilizing this layer will fail. You
must use physical redundancy to ensure the model works in a large-scale
implementation.
    It is an internal decision as to your needs, but 3-Tier coding is
certainly one of the best models, to date. Just remember that building code
for today or tomorrow is often painful if you don't anticipate growth.
 
Groves Powers
Software Architect
EnSafe Inc.


-----Original Message-----
From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com] 
Sent: Thursday, July 28, 2005 8:37 AM
To: 'Lyal Collins'; 'Richard Burgett'; webappsec () securityfocus com
Subject: RE: Three Physical Tiers in the Name of Security?

What is 3-tier? What is the "middle" of a web app?

Different folks may have different ideas of what goes in each tier. I think
this is because there are more than 3 tiers, and you have a choice about how
to break them up or group them physically, but the industry lacks the
terminology to easily talk about these choices.

The actual parts of most Web Apps (J2EE centric but I assume .NET is
equivalent):

1. Static content (HTML, images, etc)
2. Dynamic presentation code (JSP, servlets, etc.)
3. Business and persistence logic (EJBs, DAOs, JDO, Hibernate, etc.)
4. Databases and other backend systems

Which of those is the "middle"? (Note that some people would further
separate business logic from persistence, but that would just be a
distraction here since there really isn't a way to physically separate them)

Now, we actually have some choice in what kind of servers to run this stuff
on:

1. web servers - static content only (Apache)
2. servlet containers - static content, presentation, some (not all)
business logic (Tomcat)
3. full J2EE server: all the above plus EJB (all J2EE app servers such as
JBoss, Weblogic, etc)
4. Database servers

So you can already pick and choose whether you want your servlet container
to serve static content, whether you want a separate servlet and EJB servers
or just let one appserver do it all, etc. Assuming a full-blown EJB
application, it could be deployed in any of the following combinations of
servers:

1. Apache (web), Tomcat (servlet), JBoss (ejb), Database
2. Tomcat (web,servlet), JBoss (ejb), Database
3. Apache (web), JBoss (servlet,ejb), Database
4. Jboss (web,servlet,ejb), Database

(Do not let the fact that JBoss (usually) contains an embedded Tomcat
distract you.. I am talking about a standalone instance of Tomcat)

Which of those is or isn't three-tier?

And that's still just talking about app server software. You then have a
choice about how many physical machines all this stuff is going to be on. I
started to list all possible combinations of how to distribute the above
across two or more computers, but it got really long really fast.

I am not just bitching.. I have dealt with real problems that came from
different people in an organization meaning different things when they said
things like "frontend", "backend", "distributed", "web server", etc.

Jeff Robertson
Manager of Web Application Security
Digital Insight


-----Original Message-----
From: Lyal Collins [mailto:lyal.collins () key2it com au]
Sent: Thursday, July 28, 2005 04:28
To: 'Richard Burgett'; webappsec () securityfocus com
Subject: RE: Three Physical Tiers in the Name of Security?


I can offer a few thoughts, which may even be relevant.
The 3 physical tier approach means:
- web-app layer traffic can be firewalled into specific ports and thus
specific protocols
- web-app layer traffic can be "IPS'ed"
- there is potential for using different OSes in different layers (I did
note you said this is an MS shop) to avoid the possible monoculture problem
(e.g. certain attacks against the OS may work effectively at all 3 layers)
- in some IT shops, 3 tiers can improve access control and segregation of
duties by separating the skills needed for each layer/technology base into
discrete boxes. E.g. why would a DBA or programmer need access to the layer
that stores SSL certs/private keys?  Of course, if there is only 1 person
doing all 3 functions, this is moot.

These may offer advantages in your environment - without knowing the risk
environment/models to be protected against, it's hard to say.

Clearly documented pros and cons for internal decisions/approval should
clearly articulate the benefits being sought, and set down a future
architectural direction/intention.

Lyal
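As an added illustration of Lyal's first point (tier traffic firewalled into specific ports and protocols), here is a small Python policy check run over constructed firewall flow records; it is not part of any message in this thread. Hosts are tagged by tier and only the hops a three-physical-tier design needs (client to web, web to app, app to DB) are permitted, so a web-to-database call that bypasses the middle tier, or a flow running back toward the web tier, is reported. The addresses, the middle-tier port 8080 and the key=value log format are assumptions.

```python
# Added example (not from the thread): checks firewall flow records against a
# three-physical-tier policy. Addresses, ports and log format are constructed.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed tier map: one host per physical tier (assumed addresses).
TIER_OF = {
    "10.0.1.10": "web",   # presentation tier (IIS / ASP.NET)
    "10.0.2.10": "app",   # middle tier (business logic)
    "10.0.3.10": "db",    # SQL Server
}

# Permitted (src_tier, dst_tier, dport, proto); "any" = untrusted client side.
# Each tier talks only to the next one on a single known port.
ALLOWED = {
    ("any", "web", 443, "tcp"),
    ("web", "app", 8080, "tcp"),   # assumed middle-tier service port
    ("app", "db", 1433, "tcp"),    # SQL Server default port
}

def tier_of(ip):
    """Map an address to its tier; unknown addresses are untrusted clients."""
    return TIER_OF.get(ip, "any")

def is_allowed(flow):
    return (tier_of(flow.src), tier_of(flow.dst), flow.dport, flow.proto) in ALLOWED

def parse_line(line):
    """Parse a constructed 'key=value' flow record into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])

def violations(lines):
    """Return the flows the tier policy does not permit, in log order."""
    return [f for f in map(parse_line, lines) if not is_allowed(f)]

# Constructed sample log: three legitimate hops, a web-to-DB call that bypasses
# the middle tier, and a DB host reaching back toward the web tier.
SAMPLE_LOG = [
    "src=203.0.113.5 dst=10.0.1.10 dport=443 proto=tcp",
    "src=10.0.1.10 dst=10.0.2.10 dport=8080 proto=tcp",
    "src=10.0.2.10 dst=10.0.3.10 dport=1433 proto=tcp",
    "src=10.0.1.10 dst=10.0.3.10 dport=1433 proto=tcp",
    "src=10.0.3.10 dst=10.0.1.10 dport=445 proto=tcp",
]

if __name__ == "__main__":
    for f in violations(SAMPLE_LOG):
        print(f"DENY {tier_of(f.src)}->{tier_of(f.dst)} {f.src}->{f.dst}:{f.dport}/{f.proto}")
```

The same ALLOWED table is what the inter-tier firewall rules would encode; in a two-physical-tier deployment the web host would need the 1433 rule itself, which is exactly the hop the check flags here.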

-----Original Message-----
From: Richard Burgett [mailto:richard_burgett () yahoo com] 
Sent: Thursday, 28 July 2005 11:52 AM
To: webappsec () securityfocus com
Subject: Three Physical Tiers in the Name of Security?


One of our new colleagues is leading the charge to
require *all* business logic (i.e. database calls) to
be physically located on a middle tier server (which
is separate from the Web and DB Server).  The
motivation for this change is "to be more secure". 
We're a Microsoft shop, and are finally moving from
ASP to ASP.Net for public facing web apps (ones that
provide web registrations and similar with a
database).

I can understand using Three Physical Tiers for the
reasons of performance, scalability, and design
purposes.  But, I've yet to find a compelling reason
why to do this for security reasons (after some
googling).

Could anyone point to some sort of authoritative
document on this or give a response?

Chapter 7 in the "Building Secure ASP.NET
Applications" book has very useful information, I'm
just basically trying to see how security measures up
between the 2 physical tier scenario of "ASP.NET to
SQL Server" and 3 physical tier scenarios of "ASP.NET
to Remote Enterprise Services to SQL Server" (or even
"Using .NET Remoting").

Do 2 Physical tiers only cut it for small web sites
that don't store things like Credit Card info (i.e.
"Grandma's Cookie Shop")?  Where would you draw the
line for moving to 3 tiers (being a bank)?  Up to what
level of sensitive info can you store in 2 physical
tiers?  

In trying to look at it from a bad guy's perspective,
how much more protection does the extra physical tier
give you? (especially in terms of trying to escalate
database privilege or trying to penetrate backend
systems)  I'm not too familiar with these newer
technologies in terms of pen-testing, but I imagine it
wouldn't be that much harder to "island hop" across
the middle tier with netcat (or similar) after gaining
access and elevating privileges.  (these newer
technologies must use open ports that pass through the
firewall between servers that could somehow be
compromised).  

We have a fairly low volume of transactions, and were
hoping to smooth out the learning curve for our
existing developers that are learning .Net and web
stuff and take a more gradual approach.  (although
some of our apps are small and they all probably don't
warrant the extra complexity of this approach).  

Personally, I don't like the rigid rule of having to
create a class on a middle tier for all database calls
to populate a web page, but maybe it will grow on me
;)


Some of our developers are thinking 3 tiers is
actually 3 tears from the eyes, lol

Thanks for any feedback,
Richard
