1 / 18

Web Services Gateway Implementation

Web Services Gateway Implementation. Michael Doney Bobby Kelley Peter Lannigan John Parker Robin Paschall Gregory Phillips Jennifer Valdez. NOAATECH 2006 November 2, 2005. Purpose. Provide information on the Web Services Gateway implementation at ESRL/GSD. Topics. Problems to Address

macayle-faughnan
Télécharger la présentation

Web Services Gateway Implementation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Services GatewayImplementation Michael Doney Bobby Kelley Peter Lannigan John Parker Robin Paschall Gregory Phillips Jennifer Valdez NOAATECH 2006 November 2, 2005 Global Systems Division (GSD) Information and Technology Services

  2. Purpose Provide information on the Web Services Gateway implementation at ESRL/GSD Global Systems Division (GSD) Information and Technology Services

  3. Topics • Problems to Address • Resolution Objectives • Options Considered • Solution Implemented • Some of the Threats Mitigated • Example Web Application • Conclusion Global Systems Division (GSD) Information and Technology Services

  4. Problems to Address • Growing threat of malicious web application attacks • 43 externally visible web applications on 22 servers • Web applications written by many different developers • Server configurations done by distributed systems administrators • No centralized point of control for web application security Global Systems Division (GSD) Information and Technology Services

  5. Resolution Objectives • Ensure system & information security for web services • Establish centralized point of control for web application security • Minimize the number of directly accessible servers • Minimize the effort for web application developers • Maintain distributed systems administration • Keep the effort as transparent as possible to customers • Enable seamless addition of web applications for new projects Global Systems Division (GSD) Information and Technology Services

  6. Options Considered • All branch servers located in the public access area • Not practical • High cost to duplicate servers and storage • Not completely secure • High-availability pair of servers in the public access area to host all web applications • Large effort to port branch web applications to new servers • Differing operating systems and library requirements • Simply porting would not be adequate • Secure programming required • Rewrite existing web applications • Significant amount of time for all web application developers • Additional training expense for every web application developer • Requires frequent code reviews, a time consuming effort • Web Services Gateway • Dynamic information served from branch servers Global Systems Division (GSD) Information and Technology Services

  7. Solution Implemented GSD Web Services Gateway • A single GSD web services access point in the public access area • Load balancers • AppShield servers • Web/Proxy servers • Branch servers maintained behind the GSD firewall • Does not negate other IT security methods and practices • Does not negate the need for secure coding in web applications Staffing: Initial work began in 2003 Ranged from 1 to 10 people over 2.5 years (approximately 1.7 staff years of effort) Plus assistance to and support from approximately 15 web application developers Global Systems Division (GSD) Information and Technology Services

  8. Implementation • Load balancers, high-availability pair • Creates multiple virtual servers that map to multiple real servers • Multiple content switching options • URL, cookie, XML, http header, and SSL session ID • Multiple load balancing options • Least connections, response time, round robin, … • Supports 1,000,000 concurrent sessions • 4.4 Gbps throughput • AppShield servers & software, high-availability pair • Provides application level system & information security • Protects web applications from exploitation • Provides security policy tuning per requirements of each web application • Web/Proxy servers, high-availability pair • Some GSD web applications hosted on these servers • Proxy server provides connectivity to all web servers behind the firewall • Existing branch servers • Located behind the GSD firewall • Fewest changes for web masters and continued access to existing data stores • In some cases, coordination for customer changes were necessary • Customer network or firewall access from new GSD Web/Proxy servers • Needed to eliminate hard-coded IP addresses on customer systems if any existed Global Systems Division (GSD) Information and Technology Services

  9. High Level View Public Access Area GSD Intranet Firewall Firewall Internet Load Balancer Web/Proxy Server AppShield GSD Servers Load Balancer Web/Proxy Server AppShield High-availability Pairs Global Systems Division (GSD) Information and Technology Services

  10. Hardware and Software High-availability pairs: • Foundry ServerIronXL load balancing network switches $ 33,084 • Foundry ServerIronXL annual support (one year to date) $ 1,740 • SunFire V120 Servers $ 8,232 • AppShield 4.0 $ 27,000 • AppShield annual support (three years to date) $ 22,500 • Dell 2650 servers $ 11,296 • On-site AppShield training $ 11,450 TOTAL $115,302 Global Systems Division (GSD) Information and Technology Services

  11. AppShield Details • AppShield is a stateful reverse proxy application firewall • Most established product at the time of GSD’s implementation • Did not require complete redesign of existing web applications • The default configuration is the most secure • Three pre-defined security levels available: • Strict (starting point for GSD’s implementation) • Intermediate • Basic • Uses a positive security model • Enforces intended behavior versus watching for unintended behavior • Custom security levels can be defined • Customization rules (exceptions) can be written as necessary Global Systems Division (GSD) Information and Technology Services

  12. AppShield in Operation • Functions as a reverse proxy for requests and responses • Learns on-the-fly for each page • As HTML requests and responses are processed • Automatic generation of security policies • Automatic determination of acceptable responses • Forces HTTP requests from clients to conform to security policies • Maintains logs for denied requests • Logs can be viewed through the AppShield console • Exception rules can be generated to prevent blocking valid requests • Rule usage is logged to allow fine tuning • AppShield acts as the SSL termination point for encrypted traffic • Ensures that AppShield has visibility of all HTTP traffic Global Systems Division (GSD) Information and Technology Services

  13. AppShield SessionSource: Sanctum, Inc. • Verifies that request contains a legal entry URL to the site • Creates an application session token • Stored in an encrypted and signed cookie for subsequent transactions • Analyzes each HTML page as they are forwarded to the client • Patented Policy Recognition Engine • Searches for CGI parameters, hidden field values, etc. • Determines the security policy of the web application • Checks any exception rules for sites and web applications requested • Additional legal requests used to adjust the security policy for the session • Accomplished with Adaptive Reduction Technology • Reducer: Translates requests to simple & secure language • Expander: Rebuilds requests to ensure only legal information • In case of a hacking attempt, the reduction/expansion phase will fail • AppShield invokes a customizable error CGI with attack origin and type Global Systems Division (GSD) Information and Technology Services

  14. Implementation Workflow • Configure proxy server for web sites • Create URL mappings in AppShield • Test web sites through AppShield • Create exception rules IFNECESSARY • Retest through AppShield • Developers test through AppShield • Update DNS and go live • Monitor AppShield logs Global Systems Division (GSD) Information and Technology Services

  15. Load Balancer AppShield Web/Proxy Web Application Example Web Services Gateway Data Ingest Public Access Area HTTP database SQL Server Data Processing Cluster NFS read only Storage .gif files / static content Global Systems Division (GSD) Information and Technology Services

  16. Some of the Threats Mitigated • Parameter tampering • Cookie poisoning • HTTP request smuggling • Forceful browsing • Cross-site scripting • Buffer overflows • SQL injection • Third-party misconfiguration Global Systems Division (GSD) Information and Technology Services

  17. Conclusion • Implementing a Web Services Gateway at GSD added a significant additional layer of IT Security • Problems addressed and resolution objectives met • Achieved a single GSD web services access point in the public access area • Existing web sites and web applications were supported without requiring complete redesign • This implementation doesnot negate other IT Security methods and practices • Secure coding practices should be followed for web application development • GSD’s implementation is extensible, expandable, and adaptable Global Systems Division (GSD) Information and Technology Services

  18. Questions Bobby.R.Kelley@noaa.gov (303) 497- 4122 Global Systems Division (GSD) Information and Technology Services

More Related