A Question of Web Security

June 12, 2008 by Chris · 5 Comments 

Sometimes I have to admit gaps in my knowledge, no matter how much it pains me! I’m not a specialist but more of a jack of all trades, so bear with me here. I know some very smart folks read here and I’m hoping some will pipe up.

Hello Lazyweb, question time again. :-)

Among other things, I manage a bunch of web applications. Everything is two tiered with one (or more) web servers talking to a separate database server. Everything’s behind a firewall that only allows SSL (port 443) to pass through.

Simple enough, right?

We have a new client (well, hopefully) who insists that this is horrendously insecure and that the only way to fix it is to have the database server on a separate segment and a firewall between the web and db networks.

To me that seems like an interesting way to slow down my database queries and introduce a new single point of failure.

However… I’m willing to admit I’m missing something. What though?

The database server has no exposure to the internet. Really, the only way to exploit it is via the web app, right? Perhaps via SQL injection (*shudder*) or other nasties. In that case, that extra firewall isn’t gonna help me!

Clue me in!

[image from lloydi -- it made me laugh]


Comments

5 Responses to “A Question of Web Security”

  1. Vox says:

    Uhm…to me that idea sounds pretty useless…I mean…if you configure the DB correctly (i.e. allow only connections from the server(s) that have to have access, and so on and so forth), a firewall will make no difference, because…you aren’t running anything else on the DB server, right? And you *have* to have the DB communication port open to those servers…so…firewall or not, the exact same port is open…so…what your client said sounds to me like so much BS.

    Then again, I’ve only been doing this kind of stuff for 12 years, so…I may be wrong :)

  2. Damon C says:

    Hi Chris,

    I came across this post via your account on Twitter. “horrendously insecure” is probably an overreaction, but firewalled two-tier architectures are a common security recommendation, and sometimes a requirement depending on if certain regulations are involved.

    The reasoning behind it is that it adds an extra layer of security to the architecture that an attacker must penetrate in the event of a compromise.

    As an example, take the scenario where a vulnerability and associated exploit is discovered on the web server. If an attacker compromises that, they then have unrestricted network access to the database server. This means they can attempt brute-force logins, attack other potentially vulnerable software (that may have fallen behind in patching since it’s behind the firewall…), or access other network services (backup agent, nfs?). If the db is behind a firewall, they would need to acquire db credentials (not potentially difficult) and then take over the database server via that specific connection, which may be a more difficult task depending on how well the database software is configured. Assuming that the db server is where the “crown jewels” of the application reside, it will be the likely next target in the event of a web server compromise.

    Given that, it is still a limited scenario and something like SQL injection is much more likely these days. And yes, with SQL injection a firewall isn’t going to help. What it eventually comes down to is if the value of the data hosted by the application justifies the cost of the extra security measures. Another option, depending on your infrastructure, is simply using router ACLs to deny all traffic except for the necessary database traffic.

    As Vox mentioned, you may be able to justify to the client that you have adequate compensating controls in place. Difficult to do with Windows systems, but on a Unix-based box, if _all_ you have is SSH and SQL open and SSH requires a key to login, the attack surface is greatly reduced.

    I hope this has helped. Feel free to shoot me an email if you have any questions.
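As an added example, not from the original post or from either commenter: the compensating controls Vox and Damon describe (only the SQL port and key-only SSH reachable, the SQL port open only to the web servers, everything else such as NFS or a backup agent unreachable from the web tier) written out as an nftables host firewall for the database server, generated by a small POSIX shell script. The addresses (web servers 10.0.1.10 and 10.0.1.11, management network 10.0.9.0/24) and the MySQL port 3306 are assumptions; nothing in the thread names them. Whether the rules run on the database host itself or on a separate firewall between the two segments, the policy is the same: a compromised web server can still reach exactly one thing, the database listener, which is Damon's point, and also the limit of what a firewall buys you against SQL injection.

```shell
#!/bin/sh
# Added example (not the blog's or the commenters' code): generate an nftables
# ruleset for a database host that only the web tier and an admin network may
# talk to. All addresses and the port below are assumptions for illustration.

WEB_HOSTS="${WEB_HOSTS:-10.0.1.10 10.0.1.11}"   # assumed web server addresses
DB_PORT="${DB_PORT:-3306}"                        # assumed: MySQL listener
MGMT_NET="${MGMT_NET:-10.0.9.0/24}"               # assumed admin network for SSH

# Crude IPv4 check so a typo in WEB_HOSTS cannot become a malformed rule
# (nft would reject it, but we want to fail before touching the firewall).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset: default drop on input, the DB port reachable only from
# the listed web hosts, SSH only from the management network. Anything else a
# compromised web server might try (NFS, a backup agent, brute-forcing some
# other daemon) falls through to the drop policy and is rate-limited logged.
db_host_ruleset() {
    for h in $WEB_HOSTS; do
        valid_ipv4 "$h" || { echo "bad web host address: $h" >&2; return 1; }
    done
    cat <<EOF
flush ruleset
table inet dbfw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
EOF
    for h in $WEB_HOSTS; do
        echo "        ip saddr $h tcp dport $DB_PORT ct state new accept"
    done
    cat <<EOF
        ip saddr $MGMT_NET tcp dport 22 ct state new accept
        ct state new limit rate 10/minute log prefix "dbfw-drop: "
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Load the ruleset only when explicitly asked; otherwise just print it so it
# can be reviewed (or diffed against what is currently loaded).
apply_ruleset() {
    if [ "$1" = "--apply" ]; then
        db_host_ruleset | nft -f -
    else
        db_host_ruleset
    fi
}

apply_ruleset "${1:-}"
```

Run it with no arguments to review the generated rules, with `--apply` (as root, on the database host) to load them. The database's own access control is the second layer Vox describes and is not replaced by this: the application account should still be created for the web hosts only (for MySQL, `'app'@'10.0.1.10'` rather than `'app'@'%'`; for PostgreSQL, `host` lines in `pg_hba.conf` naming those addresses), so that a credential lifted from the web server is useless from anywhere else even if a rule above is later loosened by mistake.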

  3. Chris says:

    @Vox – It seems we’re pretty much on the exact same page.

    @Damon – thanks for taking the time to share your thoughts on this. You’ve helped me get my head around where the client is most likely coming from… not sure I see the risk as all that high, but at least I can talk [a bit more] intelligibly about it. :-)

  4. [...] a long time of pondering, shuffling and avoiding I had to bite the bullet and put a firewall in between our production web [...]
