Monday, September 21, 2009

tiered architecture revisited

[background]

recently "bob" told me about a situation which seemed simple: a dmz web server with a back end db on the trusted network was being upgraded. the IT staff started loading the new db software on the web server, breaking the tiered architecture model.

bob and i initially agreed this was bad, but let's play devil's advocate for a minute.


[the tiered model]

the tiered model separates presentation, app logic, and db roles onto different hosts, and *is often implemented as*:



if the exposed front-end web server suffers a host compromise, the business-logic and data aren't immediately compromised, and the attacker will have trouble attacking these systems further because of tight fw policies between the dmz and trusted zones. well, that's the theory...


[problems?]

so why is this maybe silly? ask a pen-tester how they feel when they get an external network assessment where webapp and soc-eng are off limits... they groan and cuss, because many/most organizations today have gotten pretty good at limiting inet facing services and keeping inet facing hosts patched and up to date.

but those same inet facing web apps have logical ties back to systems which often reside on the internal network. application layer attacks like sql injection tunnel through the firewall on the back of trusted application functionality.

the tiered model defends against host vulns, but not app vulns. and are host vulns really more prevalent than app vulns today?
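to make the host-vs-app point concrete, here is an added example (not part of the original post): a toy zone policy plus an in-memory sqlite db standing in for the back end. the host names, port 5432, table and rows are all constructed assumptions. the firewall check only sees the flow tuple, so the benign and the crafted request look identical to it; the query construction is what changes the outcome.

```python
import sqlite3

# constructed zone policy: the one flow allowed from the dmz into the trusted zone.
# host names and port 5432 are assumptions for this example.
ALLOWED_FLOWS = {("dmz-web", "trusted-db", 5432)}

def firewall_permits(src, dst, port):
    """l3/l4 check: sees who talks to whom, never the query text."""
    return (src, dst, port) in ALLOWED_FLOWS

def make_db():
    """in-memory stand-in for the back-end db, loaded with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, secret TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return db

def _send(db, sql, params=()):
    """every query from the web tier crosses the same permitted flow."""
    if not firewall_permits("dmz-web", "trusted-db", 5432):
        raise PermissionError("dropped by firewall")
    return db.execute(sql, params).fetchall()

def lookup_concatenated(db, owner):
    """vulnerable form: user input becomes part of the sql text."""
    return _send(db, "SELECT owner, secret FROM accounts WHERE owner = '" + owner + "'")

def lookup_parameterized(db, owner):
    """hardened form: same flow, but the input is bound as data."""
    return _send(db, "SELECT owner, secret FROM accounts WHERE owner = ?", (owner,))

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input for the 'owner' parameter
    # a host-level pivot (ssh from the dmz to the db host) is what the policy stops
    print("dmz-web -> trusted-db:22 permitted?", firewall_permits("dmz-web", "trusted-db", 22))
    for fn in (lookup_concatenated, lookup_parameterized):
        print(fn.__name__, "benign rows:", len(fn(db, "alice")),
              "crafted rows:", len(fn(db, crafted)))
```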

plus, how much protection do you actually get from the tiered model if a host level compromise occurs? the web server can be defaced, credentials can be stolen, and all the back-end data presented to users flows back and forth through the presentation layer. so is there a substantial security gain here?

maybe one can look at apps and equate parameters to listening services on hosts? they accept input and process it, and are vulnerable to attack. if you equate parameters to listeners (i know it's not a perfect comparison) then the attack surface on a web application is larger and more vulnerable than host services on the average inet facing segment.


[well we have WAFs, right?]

srsly? rly? i donno... i haven't seen these devices work in real-world environments yet, so i don't have much faith. they are either 'self-learning' models which prevent mainly simplistic automated attacks, or they are manually configured models which are nearly impossible to keep properly tuned. maybe some orgs have highly effective WAF deployments, but i haven't seen or heard about it...


[sooooo?]

isolating a presentation server in a high-security zone but letting it connect back to other machines in the trusted zone just isn't a good idea. there are at least a couple ways to improve this model.

if the tiered model is used, then all of the tiers should reside in their own DMZs. that way, when the database server gets owned via sqli and the attacker is pivoting to the next target, he'll be isolated in the db DMZ. maybe this is what the tiered model was always intended to be, but it isn't something i've seen very often on real-world networks. plus, an org willing to put in the time and effort to run 2 or 3 DMZs will probably also parameterize their queries, validate their inputs, encode their outputs, and make sure that the db app user isn't over-privileged.



a simpler alternative for some applications is to abandon the overhead of running multiple tiers and go back to a single-machine model. the machine can be isolated on a DMZ, and the content served by the application can be managed through a one-way push from the trusted network (trust -> DMZ only). this model has an advantage that the exposed machine has no connection back to the internal network. plus you have an on-site backup on your trusted network.



but if the app gets a lot of input from users which is stored to be used in near-real-time by other applications or processes, the isolated push model fails because that data needs to be read back into the trusted network and the same injection vulns apply.


[anywho]

is there something obvious i'm missing? there's nothing amazing here, but it seems like the common implementation of the tiered model buys you very little in terms of security...?
