[nycbug-talk] (no subject)

Marc Spitzer mspitzer at gmail.com
Sat Jul 14 16:45:54 EDT 2007 

On 7/14/07, Aleksandar Kacanski <kacanski_s at yahoo.com> wrote:
>
>
> Hello,
> I have been heaving interesting discussions regarding  security
> implementation of the multi tier web architecture. Long ago I used to be
> proponent of the fw per layer approach. This would boil down to fw before
> and between web tier and application and one between db or any other back
> end  form of meta data silo(s). Through experience and lengthly
> troubleshooting sessions I am weary of FW  and persistent connections and
> work around with socket_keepalive properties. I am specifically referring to
> apache and ajp proxy plugin but I saw number of production issues with real
> proxy servers and fw. These days I prefer to have a fw fronting some sort of
> load balancer on the unsecure subnet and to move web tier to private network
> without fw between it and app stack. Second instance of the fw I add between
> application portal and meta data silo. I see no gain in heaving web servers
> in the DMZ just to terminate http traffic on the DMZ zone. In my opinion
> possible exploits will be executed against business logic  and application
> content and/or  "database layer" .  The web tier  is strictly  being used
> to "proxy" dynamic content at this point via binary protocol.
>
> Any views or comments?
> Regards,
>
> Aleksandar (Sasha) Kacanski (NYUMC)

Well not that all that much of an expert on this stuff, and being in
love with the sound of my own voice, here is my take on it:

Looks reasonable.  The only thing is you need to also have a
application level firewall in the mix.  A proxy firewall to inspect
all inbound http/s traffic for bad things , buffer overflows, sql
injection and out of bounds values(ie what happens when I order -3
TVs) come to mind.  From what I read I think you are talking about
stateful packet filters as your firewalls.  The thing about proxies is
that to truly use them you need a lot of information about how the app
behaves, good urls, form vars with acceptable values etc.  This is
time consuming and also may require more money to be spent on
hardware/licenses.  I won't talk about unicode, its evil.

marc
-- 
Freedom is nothing but a chance to be better.
Albert Camus

More information about the talk mailing list