
Say I have a standard multi-tier web application with web servers in the DMZ and multiple services only accessible from an authenticated web app. Also let's suppose the web app uses server-side sessions.

I'm interested in the community opinion - do you think it would be OK to store web app session data in some kind of database still in the DMZ, or should that data be in a proper backend database, encapsulated by a service? (By database in the DMZ I mean any kind of database, SQL, NoSQL, or even the filesystem of the web server, which is for example what PHP does by default.)

I understand it's all about what I want it to be protected against.

  • Considering an attacker only having access to the application UI, it almost doesn't matter (see below) as long as there is no session-related vulnerability in the application, but if there is one, session data is breached anyway.

  • Considering an attacker already having access to the web server as the user running the web app (e.g. OS command injection in the web app), he would be able to either read the database in the DMZ or connect to the session service using the application credentials.

  • For an attacker already root/admin on the web server it's also the same.

  • From a management perspective, IT ops for the DMZ and a secure zone would typically be the same people.

  • Considering an attacker having gained some level of access to something else (not the web app) in the DMZ, it could be easier to access other servers, like the one containing the session data for this web app. This would be even more of a concern with a session store like Redis where authentication is not a strong point. But what if there is nothing else in this infrastructure apart from this application in question?

So what would be the benefit of putting session data behind a service? What would justify the additional cost, complexity and performance penalty?

For example, having the session database in the DMZ, I could think of the threat of a misconfiguration of the infrastructure that allows somebody from outside network-level access to the session database.

Also, some unrelated vulnerabilities in the web application might result in the breach of session data, especially if it's on the web server itself; for example a simple local file inclusion could then be enough. But this risk can be mitigated in other ways in some environments (the application process itself doesn't necessarily have to have direct access to the session database files - or it could simply be a separate database, not on the web server).

So would you accept such an application as properly n-tier and reasonably secure in this regard, or do you think this idea is flawed and session data should be handled the same as any other application data?

Gabor Lengyel

1 Answer

Ultimately, this comes down to the level of risk you are prepared to carry. To assess that, you need to understand the impact of each risk being realised.

In this case, if there is relatively little impact if the session data is breached - which is to say that an attacker couldn't use the session data to mass-exfiltrate personally identifiable data or create costly errors - then you are probably OK to keep it in the DMZ with the application.

If the session data would give access to credit card or other financial information, addresses, medical data, ... - especially for multiple users, then I'd say that was a significant risk and I would want to see it better secured.

Julian Knight
  • I understand your point, and I kind of agree, impact is very relevant. However, the impact of losing session data to an attacker is the same wherever that data is stored. The question is whether the *likelihood* is much different. But of course you're right, the *risk* of storing very sensitive data there is probably higher - but how do I decide if the risk presented by the additional complexity (and also consider things like DoS against a session service here) is lower or even higher than a simple solution in the DMZ? Doesn't sound straightforward, and I was wondering what you people think. – Gabor Lengyel Dec 18 '16 at 22:36
  • Session data must be reachable from the DMZ; if the web server is compromised, how can the session data be protected? – Jasen Dec 19 '16 at 00:09
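The answer's distinction between "an attacker can read one session" and "an attacker can mass-exfiltrate every session" is the part that actually changes with the architecture, so here is an added example (not from the question, the answer, or any real project) that models both designs in Python with constructed sample users. `DmzSessionStore` stands in for PHP session files or a Redis/SQL instance in the DMZ that the web app's own credentials can read in full; `SessionService` stands in for a backend service whose client API only allows lookup by an unguessable session ID, keys its storage by a hash of that ID so its own database holds no usable bearer tokens, and counts lookup misses as a detection signal for ID guessing. The class and function names are this example's own assumptions.

```python
import hashlib
import secrets
import time

# Constructed sample data: what the web tier stores per logged-in user.
SAMPLE_USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
    "carol": {"role": "user"},
}


def _new_session_id() -> str:
    # 256 bits of entropy: a lookup-only API is only a boundary if ids cannot be guessed.
    return secrets.token_urlsafe(32)


class DmzSessionStore:
    """Models session data kept next to the web app (PHP session files, a local
    Redis or SQL database in the DMZ). The web app's own credentials can read
    every record, so anyone running as the web app user can as well."""

    def __init__(self):
        self._rows = {}  # session_id -> (data, expires_at)

    def create(self, data, ttl=1800):
        sid = _new_session_id()
        self._rows[sid] = (dict(data), time.time() + ttl)
        return sid

    def get(self, sid):
        row = self._rows.get(sid)
        if row is None or row[1] < time.time():
            return None
        return dict(row[0])

    def dump_all(self):
        # The equivalent of listing the session directory or running KEYS *:
        # nothing in this design prevents it.
        return {sid: dict(data) for sid, (data, _) in self._rows.items()}


class SessionService:
    """Models the client view of a backend session service. The web tier can
    create, look up and destroy a session whose id it presents; there is no
    enumeration call in the client API. Storage is keyed by a hash of the id,
    so a leak of the service's database yields no usable session tokens."""

    def __init__(self):
        self._rows = {}  # sha256(session_id) -> (data, expires_at)
        self.lookup_misses = 0  # detection signal: failed lookups by this client

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, data, ttl=1800):
        sid = _new_session_id()
        self._rows[self._key(sid)] = (dict(data), time.time() + ttl)
        return sid

    def get(self, sid):
        row = self._rows.get(self._key(sid))
        if row is None or row[1] < time.time():
            self.lookup_misses += 1
            return None
        return dict(row[0])

    def destroy(self, sid):
        self._rows.pop(self._key(sid), None)

    def guessing_suspected(self, threshold=100):
        # A legitimate web tier presents ids it received from browsers and
        # rarely misses; a burst of misses means someone is probing ids.
        return self.lookup_misses >= threshold


def readable_by_compromised_web_tier(store, ids_observed):
    """Number of sessions an attacker running as the web app user can read.

    `ids_observed` are the session cookies that passed through the web server
    while the attacker was present: a compromised web tier always sees those,
    whichever store is used, so the service limits the blast radius to live
    traffic rather than removing it."""
    if hasattr(store, "dump_all"):
        return len(store.dump_all())
    return sum(1 for sid in ids_observed if store.get(sid) is not None)


def build_demo(store):
    """Log in the constructed sample users and return their session ids."""
    return [store.create({"user": u, **attrs}) for u, attrs in SAMPLE_USERS.items()]


if __name__ == "__main__":
    for cls in (DmzSessionStore, SessionService):
        store = cls()
        ids = build_demo(store)
        # The attacker observed one cookie in flight; how much can they read?
        print(cls.__name__, readable_by_compromised_web_tier(store, ids[:1]))
```

Run with the script's own `__main__` block: the DMZ store yields all three sessions to an attacker who saw a single cookie, the service yields one. This is the concrete form of the answer's "mass exfiltration" criterion, and of Jasen's objection: the service cannot hide sessions whose cookies the compromised web server is currently handling, but it stops a single foothold from turning into a dump of every stored session, and its miss counter gives the backend something to alert on.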