I need help explaining to non-security people why I want to require the webserver/presentation layer in a DMZ. I've given options for a two-tier (presentation/logic -> logic/data in zones) architecture and a three-tier architecture (presentation -> logic -> data zones).

Their argument is that I should be fine with firewall -> F5 with ASM -> firewall -> Presentation/Logic/Data layer all in one zone. Their argument is that this is a two-tiered architecture, so it should count as meeting my requirement. I've asked them to find me an industry standard document explaining security design this way and have been stonewalled -- probably because there are not any.

I'm having difficulty explaining that the first thing a hacker from the internet touches should be dead-ended and prevent north-south movement into the next zone. They want it in terms of architectural capabilities.

Any ideas on how to explain a two-tier application security design architecture in terms of architectural capabilities? Any other ideas would be helpful too.

Jim Beamer
  • Is the data also used by other, internal applications, or is the data only used by the webserver? – WhiteWinterWolf Aug 06 '17 at 17:55
  • Other apps will use the data too, for the most part. The question really isn't specific to a particular application right now -- it is defining capabilities and requirements. In general I want the capability to put a web/presentation layer in a DMZ and only allow in the ports that are needed to access the logic/data layer. – Jim Beamer Aug 06 '17 at 19:21

2 Answers

1

ASM, and other WAFs, are excellent. They are not exactly a "tier", though. The point of breaking things into separate security zones per tier is defense in depth. What happens if there is a remotely exploitable buffer overflow vulnerability in the service used for the presentation layer? (*I know. Impossible! http://thehackernews.com/2013/11/Vulnerability-JBoss-Application-Servers-exploit-code.html) You need 100% trust that the WAF will block it, despite whatever obfuscation technique is thrown at it. That is a lot of trust. If the WAF fails to catch the issue, you are toast. The hacker owns EVERYTHING. They are inside the network and able to do whatever they want.

By layering you can limit damage and increase the chance of detecting a penetration. Firewall -> WAF -> Presentation/Logic -> Firewall -> Data, at a minimum.

That's not all, of course. You still need things like stored procedures and a heavily restricted user for access from the Logic layer to the Data layer. The WAF might miss a clever SQL injection. Maybe that data layer should also be in a DMZ of its own.

Keep in mind this is all logical separation. One firewall cluster, one F5 cluster, one hypervisor cluster, and one pair of VLANed switches would support any one of your proposed layouts without blowing hardware costs out of proportion. I am betting they are thinking adding security zones means lots of added hardware and complexity. It doesn't have to.

Paul Doom
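One way to state the layering argument above in the "architectural capabilities" terms the asker is looking for is to model each proposed layout and count what an attacker who owns the internet-facing host can reach. This is an added example, not code from the question or either answer; the host names, zone names and ports are constructed to mirror the two designs being argued about.

```python
from collections import deque

# Constructed example (not from the thread): each layout is a mapping
# host -> zone plus the set of flows (src_zone, dst_zone, port) that the
# firewalls permit. Traffic inside a single zone is unrestricted.
SINGLE_ZONE = {
    "zones": {"web": "app", "logic": "app", "db": "app"},
    "flows": {("internet", "app", 443)},           # WAF forwards HTTPS in
}
THREE_TIER = {
    "zones": {"web": "dmz", "logic": "logic", "db": "data"},
    "flows": {("internet", "dmz", 443),
              ("dmz", "logic", 8080),               # only the app port
              ("logic", "data", 1433)},             # only the DB port
}

def can_talk(src, dst, zones, flows):
    """True if a host in src's zone can open a connection to dst."""
    if zones[src] == zones[dst]:
        return True                                 # no firewall inside a zone
    return any(s == zones[src] and d == zones[dst] for s, d, _ in flows)

def pivot_path(start, target, layout):
    """Shortest chain of hosts an attacker holding `start` must compromise in
    turn to reach `target`; None if the zoning dead-ends them (BFS)."""
    zones, flows = layout["zones"], layout["flows"]
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in zones:
            if nxt not in parent and can_talk(cur, nxt, zones, flows):
                parent[nxt] = cur
                queue.append(nxt)
    return None

def boundaries_crossed(path, layout):
    """Firewall boundaries (zone changes) along a path: each is an
    independent control the attacker must defeat, and a place to detect them."""
    z = layout["zones"]
    return sum(z[a] != z[b] for a, b in zip(path, path[1:]))

if __name__ == "__main__":
    for name, layout in (("single zone", SINGLE_ZONE), ("three tier", THREE_TIER)):
        p = pivot_path("web", "db", layout)
        print(f"{name}: web -> db via {p}, boundaries crossed: {boundaries_crossed(p, layout)}")
```

In the single-zone layout the web host reaches the database directly with zero firewall boundaries in between; in the three-tier layout it takes two further compromises, each across a boundary that only passes one port.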
0

Personally, I found the two-tier architecture to be mostly a marketing presentation to help business people understand compartmentalisation: in this case, an understanding of the consequences of a leak on one layer and what services/steps can be taken to mitigate it. It is easier to view the architecture in terms of logical clusters and to have defenses based on each cluster. Right now, with virtualized networks, you can cluster all similar-risk nodes and safely nuke all of them if you suspect they've been compromised, then reinstate them.