Secure access to project budget information for OAR Principal Investigators
Eugene F Burger, Sylvia Scott, Tracey Nakamura, John L Forbes
PMEL, Seattle
June 1, 2015

NOAATech 2006, Silver Spring, MD

This presentation
Enable secure web access to budget information for:
–Scientists
–PI's
–Non-administrative folks
Data are sensitive and covered by the Privacy Act.
Will describe how we developed this application to allow secure access to these sensitive data.

FDMS
FDMS is the OAR financial system
–Used by all the OAR labs
–Maintained on FDMS servers located at PMEL
Two separate database instances for data storage
Hosted on:
–single database server
–Production server (Citrix)
OAR budget users access the FDMS application through a Citrix Secure Gateway interface.

What is PI Reports?
Web-based application that allows OAR scientists to access detailed budget information on their projects
User data access restricted down to one of:
–project code
–lab division
–project leader level
–data type
User management delegated to each lab
The only interface between PI Reports and the FDMS application is the data warehouse.

Design guidelines
Web-based application
Apache web server on Linux platform
Reports contain data from the FDMS data warehouse
Had to isolate DB server authentication information from the web server
Completely isolate the DB server from the web server, to protect the DB even if the web server is compromised

Implementation challenge
FDMS servers hosted on a single subnet
Web presence a new component for the FDMS project
–Bad idea to have a web server on the same subnet as data servers
–Web servers are usually well exposed
Required a rethink of FDMS subnet topology.

Implementation challenge (cont.)
Even if the web server is hosted in a DMZ
–Two-tier application implies you must have DB authentication information on the web server
–Compromise the web server and you have access to the database.
Potential platform incompatibilities
–Data assets on a Windows platform
–Required to use Linux/Apache web platform
Some type of messaging/middleware required

Implementation
Different aspects to consider:
–Secure the FDMS network
–Isolate high-risk components from high-value components
–Ensure proper user authentication
–Application-level security
–Database security
–Data transport encryption

Implementation: Network
NetScreen firewall
Three separate subnets
–Public: web server
–Application: application server
–Secure: database server
Deny-all policy, incoming and outgoing, with only select ports between network zones open to selected IP addresses

FDMS subnet - before (diagram)
A single FDMS subnet holding the database server, application server and certificate server. FDMS users reach the application over a Citrix connection; application access is controlled by IP address and user authentication.

FDMS subnet - after (diagram)
Three zones: Web (web server, ports 80 & 443), Application (XML Web Services app. server, port c) and Secure (DB server, port d). Citrix users enter through the CSG server for application access. No direct access to the "Secure" zone.

Implementation: Isolate high-value components from high-risk components
Separate functions, separate servers
–Web server – tier 1
–Add an XML web services middle tier. Web services allow interoperability between Linux/Apache/PHP & Windows.
Web services hosted on a dedicated server
–Windows Server 2003
–Web services implemented in C#.Net
–Allows efficient DB connectivity (ADO.Net)
–Database server – tier 3

Implementation: User authentication
Authentication is done against user information in the database
–Username, password and lab
By default users have no data access

Implementation: Application-level security
Web server
–Linux/Apache/PHP
–PHP NuSOAP library for SOAP messaging
Secure web server coding practices
–Input verification
–SQL injection not possible

Implementation: Application-level security
XML Web Services application server
–Session token is a parameter in all web methods
–Verify legitimacy of the web service method invoker: valid requestor, session still valid, get user identifier
–No in-line SQL for DB interactions
–All application server to web server messaging using SOAP messages

Implementation: Database
All business rules are embedded in the database
Minimum-permission database users
DB user access defined in DB roles
–Each role only has execute permission on select stored procedures: authentication, user administration, data querying
DB user access
–Stored procedures only
–No direct access to data tables

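The session-token check that the application-server slide puts in front of every web method, together with the stored-procedure-only, execute-permission-only database access described here, sketched as an added T-SQL example. This is not the FDMS/PI Reports code; the table, procedure and role names (AppUser, AppSession, ProjectBudget, usp_ValidateSession, usp_GetProjectBudget, PIReportsApp) are all assumptions.

```sql
-- Constructed example, not the project's own schema; all names are assumptions.
CREATE TABLE dbo.AppUser (
    UserId   INT IDENTITY PRIMARY KEY,
    Username NVARCHAR(64) NOT NULL UNIQUE,
    Lab      NVARCHAR(16) NOT NULL
);
CREATE TABLE dbo.AppSession (
    SessionToken UNIQUEIDENTIFIER PRIMARY KEY DEFAULT NEWID(),
    UserId       INT NOT NULL REFERENCES dbo.AppUser(UserId),
    ExpiresAt    DATETIME NOT NULL
);
CREATE TABLE dbo.ProjectBudget (
    ProjectCode NVARCHAR(16) NOT NULL,
    UserId      INT NOT NULL REFERENCES dbo.AppUser(UserId), -- who may see this row
    Amount      MONEY NOT NULL
);
GO
-- Session check behind every web method: the token must exist and be unexpired;
-- the only thing handed back is the user identifier.
CREATE PROCEDURE dbo.usp_ValidateSession
    @SessionToken UNIQUEIDENTIFIER, @UserId INT OUTPUT
AS
BEGIN
    SELECT @UserId = UserId FROM dbo.AppSession
     WHERE SessionToken = @SessionToken AND ExpiresAt > GETDATE();
    IF @UserId IS NULL
        RAISERROR('Invalid or expired session token', 16, 1);
END
GO
-- Data query: the user identifier comes from the validated session, never from
-- the caller, so the row filter cannot be bypassed from the web tier.
CREATE PROCEDURE dbo.usp_GetProjectBudget
    @SessionToken UNIQUEIDENTIFIER, @ProjectCode NVARCHAR(16)
AS
BEGIN
    DECLARE @UserId INT;
    EXEC dbo.usp_ValidateSession @SessionToken, @UserId OUTPUT;
    IF @UserId IS NULL RETURN;  -- error already raised; return no rows
    SELECT ProjectCode, Amount FROM dbo.ProjectBudget
     WHERE UserId = @UserId AND ProjectCode = @ProjectCode;
END
GO
-- Role for the web-services login: execute on these procedures and nothing
-- else; direct table access is explicitly denied.
CREATE ROLE PIReportsApp;
GRANT EXECUTE ON dbo.usp_ValidateSession  TO PIReportsApp;
GRANT EXECUTE ON dbo.usp_GetProjectBudget TO PIReportsApp;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO PIReportsApp;
```

Because the procedures and the tables share the dbo owner, SQL Server's ownership chaining lets the role run the procedures without any table permission, so the DENY on the schema blocks every direct table query from the web-services login.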
Implementation: Encrypted transport
Web client to web server
–SSL
Web server to application server
–SSL

Implementation: Server & messaging platform
Web
–Red Hat Linux
–Apache
–PHP
Middleware
–Windows Server 2003
Database server platform
–Windows Server 2003

Implementation: Software
Middleware messaging
–XML Web Services
–Written in C#.Net
Web
–NuSOAP PHP SOAP library
Database servers
–SQL Server
–Stored procedures for business rules (Transact-SQL)

Schematic (diagram)
Zones: Web, Application, Secure. Request path: user -> https request (ports 80 & 443) -> web server -> XML Web service request (port 1423) -> app. server -> ADO.Net DB request (port 1203) -> DB server. Responses return along the same path: ADO.Net DB response, XML Web service response, https response.

Our experience: Disadvantages
–More network infrastructure
–More server infrastructure
–More software infrastructure
–Performance compromise due to overhead, but it's fast anyway because CPUs are faster
–PHP web services support not mature

Our experience: Advantages
–Hides high-value DB assets in an isolated network environment
–Effort to compromise significantly increased: two LAN zones and two firewall zones to breach
–Function separation: presentation, site functionality, business rules
–Development benefit
–Maintenance benefit

In conclusion
We have been able to secure PI Reports with this architecture.
The same infrastructure and architecture will be used to develop other FDMS products.