Secure access to project budget information for OAR Principal Investigators. Eugene F. Burger, Sylvia Scott, Tracey Nakamura, John L. Forbes (PMEL). June 1, 2015.

Presentation transcript:

Slide 1: Secure access to project budget information for OAR Principal Investigators
Eugene F. Burger, Sylvia Scott, Tracey Nakamura, John L. Forbes. PMEL, Seattle.

NOAATech 2006, Silver Spring, MD

Slide 2: This presentation
Enable secure web access to budget information for:
– Scientists
– PIs
– Non-administrative staff
Data are sensitive and covered by the Privacy Act.
We describe how we developed this application to allow secure access to these sensitive data.

Slide 3: FDMS
FDMS is the OAR financial system:
– Used by all the OAR labs
– Maintained on FDMS servers located at PMEL
Two separate database instances for data storage, hosted on:
– a single database server
– a production server (Citrix)
OAR budget users access the FDMS application through a Citrix Secure Gateway interface.

Slide 4: What is PI Reports?
Web-based application that allows OAR scientists to access detailed budget information on their projects.
User data access is restricted at any one of these levels:
– project code
– lab division
– project leader
– data type
User management is delegated to each lab.
The only interface between PI Reports and the FDMS application is the data warehouse.

Slide 5: Design guidelines
– Web-based application
– Apache web server on a Linux platform
– Reports contain data from the FDMS data warehouse
– Had to isolate database server authentication information from the web server
– Completely isolate the database server from the web server, to protect the database even if the web server is compromised

Slide 6: Implementation challenge
– FDMS servers hosted on a single subnet
– A web presence is a new component for the FDMS project
– Bad idea to have a web server on the same subnet as data servers: web servers are usually well exposed
– Required a rethink of the FDMS subnet topology

Slide 7: Implementation challenge (cont.)
Even if the web server is hosted in a DMZ:
– A two-tier application implies you must have database authentication information on the web server
– Compromise the web server and you have access to the database
Potential platform incompatibilities:
– Data assets on a Windows platform
– Required to use a Linux/Apache web platform
– Some type of messaging/middleware required

Slide 8: Implementation
Different aspects to consider:
– Secure the FDMS network
– Isolate high-risk components from high-value components
– Ensure proper user authentication
– Application-level security
– Database security
– Data transport encryption

Slide 9: Implementation: Network
– NetScreen firewall
– Three separate subnets:
  – Public: web server
  – Application: application server
  – Secure: database server
– Deny-all policy, incoming and outgoing, with only selected ports between network zones open to selected IP addresses

Slide 10: FDMS subnet, before
(Diagram.) A single FDMS subnet containing the database server, application server and certificate server. FDMS users reach the application over a Citrix connection; application access is controlled by IP address and user authentication.

Slide 11: FDMS subnet, after
(Diagram.) Three zones: Web, Application and Secure. The web server sits in the Web zone (ports 80 and 443 open); the XML web services application server sits in the Application zone (port c); the DB server sits in the Secure zone (port d). The Citrix CSG server provides FDMS application access. There is no direct access to the "Secure" zone.

Slide 12: Implementation: Isolate high-value components from high-risk components
Separate functions, separate servers:
– Web server: tier 1
– Add an XML web services middle tier (tier 2). Web services allow interoperability between Linux/Apache/PHP and Windows. Web services hosted on a dedicated server:
  – Windows Server 2003
  – Web services implemented in C#.Net
  – Allows efficient DB connectivity (ADO.Net)
– Database server: tier 3

Slide 13: Implementation: User authentication
– Authentication is done against user information in the database: username, password and lab
– By default users have no data access

Slide 14: Implementation: Application-level security
Web server:
– Linux/Apache/PHP
– PHP NuSOAP library for SOAP messaging
Secure web server coding practices:
– Input verification
– SQL injection not possible

Slide 15: Implementation: Application-level security
XML web services application server:
– Session token is a parameter in all web methods
– Verify the legitimacy of the web service method invoker: valid requestor, session still valid, then get the user identifier
– No in-line SQL for database interactions
– All application server to web server messaging uses SOAP messages

Slide 16: Implementation: Database
– All business rules are embedded in the database
– Minimum-permission database users
– DB user access defined in DB roles; each role only has execute permission on selected stored procedures:
  – Authentication
  – User administration
  – Data querying
– DB user access is through stored procedures only; no direct access to data tables
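The per-call checks of slide 15 and the stored-procedure-only access of slide 16, as an added C# example (not code from the presentation or from PMEL): every web method takes the session token, resolves it to a user identifier through a stored procedure, and then queries through a second stored procedure bound to that user. The procedure names usp_ValidateSession and usp_GetProjectBudget, the parameter names and the "Fdms" connection-string name are assumptions.

```csharp
// Added example, not PMEL's code. Procedure, parameter and connection-string
// names (usp_ValidateSession, usp_GetProjectBudget, "Fdms") are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Services;
public class PiReportsService : WebService
{
    // The connection string lives only on the application server; the web server
    // never holds database credentials (it only speaks SOAP to this service).
    private static readonly string ConnString =
        ConfigurationManager.ConnectionStrings["Fdms"].ConnectionString;
    // Returns the user id for a live session, or 0 when the token is unknown or expired.
    private static int ResolveSession(SqlConnection conn, Guid sessionToken)
    {
        using (SqlCommand cmd = new SqlCommand("usp_ValidateSession", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;   // no in-line SQL anywhere
            cmd.Parameters.Add("@SessionToken", SqlDbType.UniqueIdentifier).Value = sessionToken;
            object result = cmd.ExecuteScalar();
            return (result == null || result == DBNull.Value) ? 0 : Convert.ToInt32(result);
        }
    }
    [WebMethod]
    public DataTable GetProjectBudget(Guid sessionToken, string projectCode)
    {
        using (SqlConnection conn = new SqlConnection(ConnString))
        {
            conn.Open();
            int userId = ResolveSession(conn, sessionToken);
            if (userId == 0)
                throw new UnauthorizedAccessException("Invalid or expired session.");  // SOAP fault
            // The procedure filters rows by the caller's grants (project code, division,
            // project leader, data type); the DB login has EXECUTE on it, not SELECT on tables.
            using (SqlCommand cmd = new SqlCommand("usp_GetProjectBudget", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
                cmd.Parameters.Add("@ProjectCode", SqlDbType.VarChar, 20).Value = projectCode;
                DataTable table = new DataTable("Budget");
                using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
                    adapter.Fill(table);
                return table;
            }
        }
    }
}
```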

Slide 17: Implementation: Encrypted transport
– Web client to web server: SSL
– Web server to application server: SSL

Slide 18: Implementation: Server and messaging platform
Web:
– Red Hat Linux
– Apache
– PHP
Middleware:
– Windows Server 2003
Database server platform:
– Windows Server 2003

Slide 19: Implementation: Software
Middleware messaging:
– XML web services
– Written in C#.Net
Web:
– NuSOAP PHP SOAP library
Database servers:
– SQL Server
– Stored procedures for business rules (Transact-SQL)

Slide 20: Schematic
(Diagram.) Three zones, Web, Application and Secure, with ports shown in that order: 80 and 443, 1423, 1203. Request path: user sends an https request to the web server; the web server sends an XML web service request to the application server; the application server sends an ADO.Net DB request to the DB server. Response path: ADO.Net DB response, XML web service response, https response.

Slide 21: Our experience: Disadvantages
– More network infrastructure
– More server infrastructure
– More software infrastructure
– Performance compromise due to overhead, but it is fast anyway because CPUs are faster
– PHP web services support not mature

Slide 22: Our experience: Advantages
– Hides high-value database assets in an isolated network environment
– Effort to compromise significantly increased: two LAN zones and two firewall zones to breach
– Function separation: presentation, site functionality, business rules
– Development benefit
– Maintenance benefit

Slide 23: In conclusion
We have been able to secure PI Reports with this architecture. The same infrastructure and architecture will be used to develop other FDMS products.