1

I need to expose via the Internet an insecure internal web app that can't be modified to be made intrinsically more secure. The most common solution for this problem is to access the web app through VPN. Unfortunately, this isn't possible in my situation so I'm left scrambling for another solution.

At some point I've experienced working with firewalls that could dynamically open ports after users passed authentication through a web form. The form was on a website served by the firewall device and, behind the scenes, the firewall was using the credentials provided through the form to authenticate against Active Directory. After the auth passed, for a limited time the firewall opened some ports for the IP from which the web form connection originated.

I would like to use something like this in my scenario as it would provide sufficient security for my web app. Unfortunately I don't know the tech. stack to look for or the well-established names for this kind of firewall auth.

Can someone enlighten me on which technologies I need to look at?

Thanks, Bogdan

bogdan
    I'm not sure what you mean when you say that your web application is insecure. Is the web code vulnerable to some well known exploit or exploits? A firewall can secure access to your web application but it can't make the web application secure. – joeqwerty Jul 04 '13 at 15:06
  • Yes, the web code is vulnerable. I'm not looking to protect ourselves against our clients who need to access the insecure web app. I'm aware that anyone who has access to the web app can crack it open. I just need to build that dynamic firewall to prevent anyone from the Internet from having access to the web app. – bogdan Jul 04 '13 at 15:44
  • Cisco calls it 'Identity Firewall' – Teftin Jul 04 '13 at 20:29
  • Good point @teftin. I see that Junos also supports exactly the same functionality and they describe it as if to answer my question "A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. Junos OS enables administrators to restrict and permit firewall users to access protected resources (different zones) behind a firewall based on their source IP address and other credentials." – bogdan Jul 05 '13 at 08:14

2 Answers

1

Your idea has a flaw, it implies that IPs uniquely identify users, but they don't.

I think what you are trying to describe is a web application firewall that will do some pass through authentication + reverse proxying. It might also filter a couple of well known attacks depending on the implementations, but overall your plan is far from solid.

You might as well consider isolating your application on a sandbox. It's never a good idea to leave a knowingly vulnerable machine out there, because it will be exploited in ways that you haven't thought of.

user
  • I'm aware and I'm OK with this flaw. Usually someone wants to access the insecure web app for 5 minutes and, in our case, the source IP doesn't change across those 5 minutes. I don't care if the source IP can hide behind it 10, 100, 1000, 10000 other users. I just don't want the other couple hundred million IPs on the Internet to be able to access my web app. – bogdan Jul 04 '13 at 16:14
  • The link you provided looks promising. I'll look into it and get back. – bogdan Jul 04 '13 at 16:16
  • "A WAF ... applies a set of rules to an HTTP conversation". WAFs may solve my problem but they look very much like overkill for my need. I would be happy for traffic to be temporarily allowed at layer 3. WAFs are designed to actively monitor and protect against various type of issues detected at layer 7. I'll try to avoid the complexity of configuring one, if I can. Thank you very much for the pointer. – bogdan Jul 05 '13 at 08:11
0

If you are using Linux for your firewall, look at iptables which is how the firewall is implemented. The Shorewall documentation will point you in the direction of Dynamic Zones.

It may be possible to get fail2ban to add the appropriate entry when it sees a login success message in a logfile.

In my case I use authentication per service:

  • SMTP Submission and IMAP always require authentication.
  • Internal Web services are available over HTTPS with authentication.
  • Squid proxy can be configured with authentication. (Currently only available locally or via VPN.)

In your case a web proxy with authentication should provide the necessary access. Apache can be configured to do this relatively easily.

BillThor
  • This looks very close to what I need (from overviews). Can you please confirm/deny the following: (1) Where is the auth. part in Dynamic Zones' docs? I can't find any other ref. to auth. in docs, except in overview (2) Can Dynamic Zones rules be based on IPs NOT known beforehand? (3) Can rules expire after a certain time? – bogdan Jul 05 '13 at 08:01
  • As noted in the documentation, it doesn't cover implementing the authentication. I don't use Dynamic Zones, but I understand they are intended for use where the IPs are not known in advance. It has been my experience that fail2ban does expire the rules. Expiry will need to be programmed. Using a web proxy is likely a simpler approach, without needing any dynamic fiddling of firewall rules. – BillThor Jul 05 '13 at 14:17
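The "open a port for this source IP for a few minutes, then close it again" mechanism the question describes, and the expiry that the answer above says has to be programmed, can be sketched with plain iptables and a small state file. The script below is an added example written for this page; it is not Shorewall's, fail2ban's, or BillThor's code, and it does not implement the web login form itself. It assumes a dedicated chain named WEBAUTH that INPUT jumps to before its default DROP, an application port given by APP_PORT, and that the login handler calls grant_access with the authenticated client's source address; the chain name, state file path and 300-second TTL are all assumptions for the example. Setting DRY_RUN=1 prints the iptables commands instead of running them, which is also how the example can be tried without root.

```shell
#!/bin/sh
# Added example: temporary per-source-IP allow rules around iptables.
# Assumed setup (not shown here):
#   iptables -N WEBAUTH
#   iptables -I INPUT -j WEBAUTH      # evaluated before the default DROP
# The web login form calls grant_access <client-ip> after a successful login;
# cron runs expire_grants every minute to take expired rules down again.

STATE_FILE="${STATE_FILE:-/var/lib/webauth/grants}"   # one "ip expiry_epoch" per line (assumed path)
APP_PORT="${APP_PORT:-8080}"                          # port of the protected web app (assumed)
TTL_SECONDS="${TTL_SECONDS:-300}"                     # 5 minutes, matching the question's use case
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print iptables commands instead of running them

# Wrapper so the same functions can be exercised without touching a real firewall.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Accept only a well-formed IPv4 dotted quad. The address comes from the
# network, so it must never reach the iptables command line unvalidated.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Remove the allow rule and state entry for one address, if present.
revoke_access() {
    ip=$1
    [ -f "$STATE_FILE" ] || return 0
    if awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$STATE_FILE"; then
        ipt -D WEBAUTH -s "$ip" -p tcp --dport "$APP_PORT" -j ACCEPT
        awk -v ip="$ip" '$1 != ip' "$STATE_FILE" > "$STATE_FILE.tmp"
        mv "$STATE_FILE.tmp" "$STATE_FILE"
    fi
}

# Open the application port for one address until now + TTL_SECONDS.
# A second argument overrides "now" (epoch seconds) for testing.
grant_access() {
    ip=$1
    now=${2:-$(date +%s)}
    valid_ipv4 "$ip" || return 1
    # A user who logs in again gets a fresh expiry, not a second stacked rule.
    revoke_access "$ip"
    ipt -A WEBAUTH -s "$ip" -p tcp --dport "$APP_PORT" -j ACCEPT
    echo "$ip $((now + TTL_SECONDS))" >> "$STATE_FILE"
}

# Drop every grant whose expiry has passed. Works from a snapshot of the
# state file because revoke_access rewrites the file while we iterate.
expire_grants() {
    now=${1:-$(date +%s)}
    [ -f "$STATE_FILE" ] || return 0
    cp "$STATE_FILE" "$STATE_FILE.snapshot"
    while read -r ip expiry; do
        if [ "$expiry" -le "$now" ]; then
            revoke_access "$ip"
        fi
    done < "$STATE_FILE.snapshot"
    rm -f "$STATE_FILE.snapshot"
}
```

The rule is keyed on the source address only, which is exactly the limitation the first answer points out: everyone behind the same NAT gets in for the duration of the grant, and a short TTL plus a revoke on logout is the only thing bounding that window. Restricting the ACCEPT to the single application port, rather than opening the host, keeps the grant from becoming a general bypass of the firewall.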