Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: Re: Web app based on .net - best practice?

Re: Web app based on .net - best practice?

From: Alex Russell <alex_at_netWindows.org>
Date: Tue, 22 Apr 2003 11:17:40 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 23 April 2003 08:41 am, Mads Rasmussen wrote:
> Imagine I have a .net based application
>
> I thought it would be a good idea to have the presentation layer (asp)
> in a DMZ and the business layer (components in VB and C#) in a safe site
> behind a firewall. The communication in between would take place with
> RPC calls.

This is the logical equivalent of having them on the same machine in the
same namespace. Your "layering" in this case is only physical, and while it
_could_ provide the oppourtunity for safety inspection of the RPC calls, I
doubt you're taking advantage of it.

> I know that RPC is not considered secure but we have a firewall in
> between the DMZ and the safe site (not a guarantee things work out, I
> know)

What, exactly, do you beleive a firewall is buying you here? I'm willing to
bet that it's not doing what you think it's doing.

> My concern is that if the whole application was based in the DMZ, it
> would be hard to control injections and stuff like that. With the
> division we can control (somewhat) what calls goes to the safe site
> (business layer).

- From this description, I think you've got your layers (and the security
needs of each) confused a bit. When securing an app like this, your network
setup only marginally informs your application level security design, and
says nothing of your needs. Firewalls and DMZs are going to allow you to
handle problems at layer 2 and layer 3, but they have little (if no)
bearing on the application-level security you seem to be interested in.

When it comes to securing the app itself, you'll want to seperate the
_logical_ layers of the application strongly. This means well constrained
interfaces which are ideally watched and logged for malicious behaviour.
Using RPC (I'm assuming SOAP or XML-RPC?), you have the ability on both
ends of the connection to do some sanity checking as well as protocol
integrity checking in the middle.

Your layer 2 and 3 security provisions provide you with a strong foundation
for your layer 7 security precautions, but they are not interchangeable.

HTH

- --
Alex Russell
alex_at_netWindows.org
alex_at_SecurePipe.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+pWskoV0dQ6uSmkYRApXfAJ9LYcpO1JQbTMjwIMeD7Yc5AqdA9wCfRB92
snXRJdIzqQMpyeA+7OjvK5w=
=mDkD
-----END PGP SIGNATURE-----
Received on Apr 23 2003

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos