Global Systems Division (GSD) Information and Technology Services Web Services Gateway Implementation Michael Doney Bobby Kelley Peter Lannigan John Parker Robin Paschall Gregory Phillips Jennifer Valdez NOAATECH 2006 November 2, 2005


Purpose

Provide information on the Web Services Gateway implementation at ESRL/GSD


Topics

• Problems to Address

• Resolution Objectives

• Options Considered

• Solution Implemented

• Some of the Threats Mitigated

• Example Web Application

• Conclusion


Problems to Address

• Growing threat of malicious web application attacks

• 43 externally visible web applications on 22 servers

• Web applications written by many different developers

• Server configurations done by distributed systems administrators

• No centralized point of control for web application security


Resolution Objectives

• Ensure system & information security for web services

• Establish centralized point of control for web application security

• Minimize the number of directly accessible servers

• Minimize the effort for web application developers

• Maintain distributed systems administration

• Keep the effort as transparent as possible to customers

• Enable seamless addition of web applications for new projects


Options Considered

1. All branch servers located in the public access area
– Not practical
  • High cost to duplicate servers and storage
– Not completely secure

2. High-availability pair of servers in the public access area to host all web applications
– Large effort to port branch web applications to new servers
  • Differing operating systems and library requirements
  • Simply porting would not be adequate
– Secure programming required
  • Rewrite existing web applications
  • Significant amount of time for all web application developers
  • Additional training expense for every web application developer
  • Requires frequent code reviews, a time consuming effort

3. Web Services Gateway
– Dynamic information served from branch servers


Solution Implemented

GSD Web Services Gateway

• A single GSD web services access point in the public access area
– Load balancers
– AppShield servers
– Web/Proxy servers

• Branch servers maintained behind the GSD firewall

• Does not negate other IT security methods and practices

• Does not negate the need for secure coding in web applications

Staffing:
Initial work began in 2003
Ranged from 1 to 10 people over 2.5 years (approximately 1.7 staff years of effort)
Plus assistance to and support from approximately 15 web application developers


Implementation

• Load balancers, high-availability pair
– Creates multiple virtual servers that map to multiple real servers
– Multiple content switching options
  • URL, cookie, XML, HTTP header, and SSL session ID
– Multiple load balancing options
  • Least connections, response time, round robin, …
– Supports 1,000,000 concurrent sessions
– 4.4 Gbps throughput

• AppShield servers & software, high-availability pair
– Provides application level system & information security
– Protects web applications from exploitation
– Provides security policy tuning per requirements of each web application

• Web/Proxy servers, high-availability pair
– Some GSD web applications hosted on these servers
– Proxy server provides connectivity to all web servers behind the firewall

• Existing branch servers
– Located behind the GSD firewall
– Fewest changes for web masters and continued access to existing data stores
– In some cases, coordination for customer changes was necessary
  • Customer network or firewall access from new GSD Web/Proxy servers
  • Needed to eliminate hard-coded IP addresses on customer systems if any existed


High Level View

[Diagram. Labels: Internet; Load Balancer (two); AppShield (two); Web/Proxy Server (two); Firewall (two); GSD Servers; GSD Intranet; Public Access Area; High-availability Pairs]


Hardware and Software

High-availability pairs:
– Foundry ServerIronXL load balancing network switches: $33,084
– Foundry ServerIronXL annual support (one year to date): $1,740
– SunFire V120 Servers: $8,232
– AppShield 4.0: $27,000
– AppShield annual support (three years to date): $22,500
– Dell 2650 servers: $11,296
– On-site AppShield training: $11,450

TOTAL: $115,302


AppShield Details

• AppShield is a stateful reverse proxy application firewall

• Most established product at the time of GSD’s implementation

• Did not require complete redesign of existing web applications

• The default configuration is the most secure

• Three pre-defined security levels available:
– Strict (starting point for GSD’s implementation)
– Intermediate
– Basic

• Uses a positive security model
– Enforces intended behavior versus watching for unintended behavior

• Custom security levels can be defined

• Customization rules (exceptions) can be written as necessary


AppShield in Operation

• Functions as a reverse proxy for requests and responses

• Learns on-the-fly for each page
– As HTML requests and responses are processed
  • Automatic generation of security policies
  • Automatic determination of acceptable responses
  • Forces HTTP requests from clients to conform to security policies

• Maintains logs for denied requests
– Logs can be viewed through the AppShield console
– Exception rules can be generated to prevent blocking valid requests
  • Rule usage is logged to allow fine tuning

• AppShield acts as the SSL termination point for encrypted traffic
– Ensures that AppShield has visibility of all HTTP traffic


AppShield Session
Source: Sanctum, Inc.

1. Verifies that the request contains a legal entry URL to the site

2. Creates an application session token
– Stored in an encrypted and signed cookie for subsequent transactions

3. Analyzes each HTML page as it is forwarded to the client
– Patented Policy Recognition Engine
– Searches for CGI parameters, hidden field values, etc.

4. Determines the security policy of the web application
– Checks any exception rules for sites and web applications requested
– Additional legal requests used to adjust the security policy for the session
– Accomplished with Adaptive Reduction Technology
  • Reducer: Translates requests to simple & secure language
  • Expander: Rebuilds requests to ensure only legal information
  • In case of a hacking attempt, the reduction/expansion phase will fail
    » AppShield invokes a customizable error CGI with attack origin and type
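
The positive security model of steps 3 and 4, as an added example that is not AppShield code and not part of the original slides: the gateway reads each outgoing page, records the links, form targets and hidden-field values it offers, and then allows only requests that match. The class, function and constant names and the sample page are hypothetical; the entry-URL check of step 1 and the signed session cookie of step 2 are left out.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

ANY = None  # marks a user-editable field: any value is legal

class PolicyLearner(HTMLParser):
    """Record what one outgoing page offers: path -> {param: set of values | ANY}."""
    def __init__(self, html):
        super().__init__()
        self.policy, self._form = {}, None
        self.feed(html)
    def _offer(self, params, name, value):
        if value is ANY or params.get(name, set()) is ANY:
            params[name] = ANY
        else:
            params.setdefault(name, set()).add(value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            url = urlsplit(a["href"])
            params = self.policy.setdefault(url.path, {})
            for name, value in parse_qsl(url.query, keep_blank_values=True):
                self._offer(params, name, value)
        elif tag == "form":
            self._form = self.policy.setdefault(urlsplit(a.get("action") or "").path, {})
        elif tag == "input" and self._form is not None and a.get("name"):
            # Hidden values are chosen by the server, so they are pinned.
            hidden = (a.get("type") or "").lower() == "hidden"
            self._offer(self._form, a["name"], (a.get("value") or "") if hidden else ANY)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def check(policy, path, params):
    """Allow only requests that the pages sent to this session offered."""
    if path not in policy:
        return "deny: URL never offered"        # forceful browsing
    for name, value in params.items():
        allowed = policy[path].get(name, set())
        if allowed is not ANY and value not in allowed:
            return f"deny: parameter {name}"    # parameter tampering
    return "allow"

# Constructed page as it would pass through the gateway on its way to the client.
PAGE = ('<a href="/catalog?page=2">next</a><form action="/order">'
        '<input type="hidden" name="price" value="19.99">'
        '<input type="text" name="qty"></form>')
```

Calling `check(PolicyLearner(PAGE).policy, "/order", {"price": "0.01", "qty": "3"})` is refused because the hidden `price` value no longer matches what the page carried, while the free-text `qty` field accepts any value.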


Implementation Workflow

• Configure proxy server for web sites

• Create URL mappings in AppShield

• Test web sites through AppShield

• Create exception rules IF NECESSARY

• Retest through AppShield

• Developers test through AppShield

• Update DNS and go live

• Monitor AppShield logs


Web Application Example

[Diagram. Labels: Load Balancer; AppShield; Web/Proxy; Web Services Gateway; Public Access Area; HTTP; Server; Data Ingest; Data Processing; Cluster; database; Storage; .gif files / static content; SQL; NFS; read only]


Some of the Threats Mitigated

• Parameter tampering

• Cookie poisoning

• HTTP request smuggling

• Forceful browsing

• Cross-site scripting

• Buffer overflows

• SQL injection

• Third-party misconfiguration


Conclusion

• Implementing a Web Services Gateway at GSD added a significant additional layer of IT Security

• Problems addressed and resolution objectives met

• Achieved a single GSD web services access point in the public access area

• Existing web sites and web applications were supported without requiring complete redesign

• This implementation does not negate other IT Security methods and practices

• Secure coding practices should be followed for web application development

• GSD’s implementation is extensible, expandable, and adaptable


Questions

[email protected]

(303) 497-4122