Comments on: A Question of Web Security

By: In Firewall Hell » Solo Technology

In Firewall Hell » Solo Technology — Sun, 04 Oct 2009 14:54:15 +0000

[...] a long time of pondering, shuffling and avoiding I had to bite the bullet and put a firewall in between our production web [...]

By: Chris

Chris — Mon, 16 Jun 2008 18:48:22 +0000

@Vox – It seems we’re pretty much on the exact same page.

@Damon – thanks for taking the time to share your thoughts on this. You’ve helped me get my head around where the client is most likely coming from… not sure I see the risk as all that high, but at least I can talk [a bit more] intelligibly about it.

By: Damon C

Damon C — Mon, 16 Jun 2008 15:11:52 +0000

Hi Chris,

I came across this post via your account on Twitter. “horrendously insecure” is probably an overreaction, but firewalled two-tier architectures are a common security recommendation, and sometimes a requirement depending on if certain regulations are involved.

The reasoning behind it is that it adds an extra layer of security to the architecture that an attacker must penetrate in the event of a compromise.

As an example, take the scenario where a vulnerability and associated exploit is discovered on the web server. If an attacker compromises that, they then have unrestricted network access to the database server. This means they can attempt brute-force logins, attack other potentially vulnerable software (that may have fallen behind in patching since it’s behind the firewall…), or access other network services (backup agent, nfs?). If the db is behind a firewall, they would need to acquire db credentials (not potentially difficult) and then take over the database server via that specific connection, which may be a more difficult task depending on how well the database software is configured. Assuming that the db server is where the “crown jewels” of the application reside, it will be the likely next target in the event of a web server compromise.

Given that, it is still a limited scenario and something like SQL injection is much more likely these days. And yes, with SQL injection a firewall isn’t going to help. What it eventually comes down to is if the value of the data hosted by the application justifies the cost of the extra security measures. Another option, depending on your infrastructure, is simply using router ACLs to deny all traffic except for the necessary database traffic.

As Vox mentioned, you may be able to justify to the client that you have adequate compensating controls in place. Difficult to do with Windows systems, but on a Unix-based box, if _all_ you have is SSH and SQL open and SSH requires a key to login, the attack surface is greatly reduced.

I hope this has helped. Feel free to shoot me an email if you have any questions.

By: Vox

Vox — Sat, 14 Jun 2008 03:32:07 +0000

Uhm…to me that idea sounds pretty useless…I mean…if you configure the DB correctly (ie. allow only connections from the server(s) that have to have access and so on and so forth, a firewall will make no difference, because…you aren’t running anything else on the DB server, right? and you *have* to have the DB communication port open to those servers…so…firewall or not, the exact same port is open…so…what your client said sounds to me like so much BS.

Then again, I’ve only been doing this kind of stuff for 12 years, so…I may be wrong

By: A Question of Web Security

A Question of Web Security — Fri, 13 Jun 2008 04:55:43 +0000

[...] http://www.solo-technology.com/blog/2008/06/12/a-question-of-web-security/ asks Hoosgot, [...]