Published by Gwenda Sanders. Modified over 9 years ago.
1
Global Systems Division (GSD) Information and Technology Services
Web Services Gateway Implementation
Michael Doney, Bobby Kelley, Peter Lannigan, John Parker, Robin Paschall, Gregory Phillips, Jennifer Valdez
NOAATECH 2006
November 2, 2005
2
Purpose
Provide information on the Web Services Gateway implementation at ESRL/GSD
3
Topics
  Problems to Address
  Resolution Objectives
  Options Considered
  Solution Implemented
  Some of the Threats Mitigated
  Example Web Application
  Conclusion
4
Problems to Address
  Growing threat of malicious web application attacks
  43 externally visible web applications on 22 servers
  Web applications written by many different developers
  Server configurations done by distributed systems administrators
  No centralized point of control for web application security
5
Resolution Objectives
  Ensure system & information security for web services
  Establish centralized point of control for web application security
  Minimize the number of directly accessible servers
  Minimize the effort for web application developers
  Maintain distributed systems administration
  Keep the effort as transparent as possible to customers
  Enable seamless addition of web applications for new projects
6
Options Considered
1. All branch servers located in the public access area
   – Not practical
       High cost to duplicate servers and storage
   – Not completely secure
2. High-availability pair of servers in the public access area to host all web applications
   – Large effort to port branch web applications to new servers
       Differing operating systems and library requirements
       Simply porting would not be adequate
   – Secure programming required
       Rewrite existing web applications
       Significant amount of time for all web application developers
       Additional training expense for every web application developer
       Requires frequent code reviews, a time-consuming effort
3. Web Services Gateway
   – Dynamic information served from branch servers
7
Solution Implemented
GSD Web Services Gateway
  A single GSD web services access point in the public access area
   – Load balancers
   – AppShield servers
   – Web/Proxy servers
  Branch servers maintained behind the GSD firewall
  Does not negate other IT security methods and practices
  Does not negate the need for secure coding in web applications
Staffing:
  Initial work began in 2003
  Ranged from 1 to 10 people over 2.5 years (approximately 1.7 staff years of effort)
  Plus assistance to and support from approximately 15 web application developers
8
Implementation
Load balancers, high-availability pair
   – Creates multiple virtual servers that map to multiple real servers
   – Multiple content switching options
       URL, cookie, XML, HTTP header, and SSL session ID
   – Multiple load balancing options
       Least connections, response time, round robin, …
   – Supports 1,000,000 concurrent sessions
   – 4.4 Gbps throughput
AppShield servers & software, high-availability pair
   – Provides application level system & information security
   – Protects web applications from exploitation
   – Provides security policy tuning per requirements of each web application
Web/Proxy servers, high-availability pair
   – Some GSD web applications hosted on these servers
   – Proxy server provides connectivity to all web servers behind the firewall
Existing branch servers
   – Located behind the GSD firewall
   – Fewest changes for web masters and continued access to existing data stores
   – In some cases, coordination for customer changes was necessary
       Customer network or firewall access from new GSD Web/Proxy servers
       Needed to eliminate hard-coded IP addresses on customer systems if any existed
9
High Level View
[Diagram. Labels: Internet, Load Balancer, AppShield, Web/Proxy Server, Firewall, GSD Servers, Public Access Area, High-availability Pairs, GSD Intranet]
10
Hardware and Software
High-availability pairs:
   – Foundry ServerIronXL load balancing network switches      $ 33,084
   – Foundry ServerIronXL annual support (one year to date)    $  1,740
   – SunFire V120 Servers                                      $  8,232
   – AppShield 4.0                                             $ 27,000
   – AppShield annual support (three years to date)            $ 22,500
   – Dell 2650 servers                                         $ 11,296
   – On-site AppShield training                                $ 11,450
   TOTAL                                                       $115,302
11
AppShield Details
  AppShield is a stateful reverse proxy application firewall
  Most established product at the time of GSD’s implementation
  Did not require complete redesign of existing web applications
  The default configuration is the most secure
  Three pre-defined security levels available:
   – Strict (starting point for GSD’s implementation)
   – Intermediate
   – Basic
  Uses a positive security model
   – Enforces intended behavior versus watching for unintended behavior
  Custom security levels can be defined
  Customization rules (exceptions) can be written as necessary
12
AppShield in Operation
  Functions as a reverse proxy for requests and responses
  Learns on-the-fly for each page
   – As HTML requests and responses are processed
  Automatic generation of security policies
  Automatic determination of acceptable responses
  Forces HTTP requests from clients to conform to security policies
  Maintains logs for denied requests
   – Logs can be viewed through the AppShield console
   – Exception rules can be generated to prevent blocking valid requests
       Rule usage is logged to allow fine tuning
  AppShield acts as the SSL termination point for encrypted traffic
   – Ensures that AppShield has visibility of all HTTP traffic
13
AppShield Session
Source: Sanctum, Inc.
1. Verifies that request contains a legal entry URL to the site
2. Creates an application session token
   – Stored in an encrypted and signed cookie for subsequent transactions
3. Analyzes each HTML page as it is forwarded to the client
   – Patented Policy Recognition Engine
   – Searches for CGI parameters, hidden field values, etc.
4. Determines the security policy of the web application
   – Checks any exception rules for sites and web applications requested
   – Additional legal requests used to adjust the security policy for the session
   – Accomplished with Adaptive Reduction Technology
       Reducer: Translates requests to simple & secure language
       Expander: Rebuilds requests to ensure only legal information
       In case of a hacking attempt, the reduction/expansion phase will fail
         » AppShield invokes a customizable error CGI with attack origin and type
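The positive security model and session steps above (learn what each served page offers, then force later requests to conform) can be sketched as follows. This is an added illustration, not AppShield's code or anything from the presentation; the class names, the sample page and the deny messages are assumptions made for the example.

```python
from html.parser import HTMLParser

class PageScan(HTMLParser):
    """Records the links and form fields one served page offers the client."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._cur = set(), {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(a["href"])
        elif tag == "form":
            self._cur = self.forms.setdefault(a.get("action", ""), {"fields": set(), "hidden": {}})
        elif tag == "input" and self._cur is not None and a.get("name"):
            self._cur["fields"].add(a["name"])
            if (a.get("type") or "").lower() == "hidden":
                self._cur["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

class SessionPolicy:
    """Hypothetical per-session allow-list: entry URLs plus whatever was served."""
    def __init__(self, entry_urls):
        self.allowed_urls, self.forms = set(entry_urls), {}

    def learn(self, html):                 # called on each response sent to the client
        scan = PageScan()
        scan.feed(html)
        self.allowed_urls |= scan.links
        self.forms.update(scan.forms)

    def check(self, url, params=None):     # called on each request from the client
        if params is None:
            return "ok" if url in self.allowed_urls else "deny: URL never offered"
        form = self.forms.get(url)
        if form is None:
            return "deny: URL never offered"
        for name, value in params.items():
            if name not in form["fields"]:
                return "deny: unknown parameter " + name
            if form["hidden"].get(name, value) != value:
                return "deny: hidden field " + name + " modified"
        return "ok"

# Constructed sample page, as a backend server might return it.
PAGE = ('<a href="/plots?site=BOU">Boulder</a>'
        '<form action="/request"><input type="hidden" name="dataset" value="public">'
        '<input type="text" name="station"></form>')
```

Nothing here matches attack signatures: a request is denied only because the session never offered it, which is why forceful browsing and parameter tampering are both caught by the same check.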
14
Implementation Workflow
  Configure proxy server for web sites
  Create URL mappings in AppShield
  Test web sites through AppShield
  Create exception rules IF NECESSARY
  Retest through AppShield
  Developers test through AppShield
  Update DNS and go live
  Monitor AppShield logs
15
Web Application Example
[Diagram. Labels: Load Balancer, AppShield, Web/Proxy Server, Data Processing Cluster, database, Storage, .gif files / static content, SQL, NFS read only, Public Access Area, Web Services Gateway, HTTP, Data Ingest]
16
Some of the Threats Mitigated
  Parameter tampering
  Cookie poisoning
  HTTP request smuggling
  Forceful browsing
  Cross-site scripting
  Buffer overflows
  SQL injection
  Third-party misconfiguration
17
Conclusion
  Implementing a Web Services Gateway at GSD added a significant additional layer of IT Security
  Problems addressed and resolution objectives met
  Achieved a single GSD web services access point in the public access area
  Existing web sites and web applications were supported without requiring complete redesign
  This implementation does not negate other IT Security methods and practices
  Secure coding practices should be followed for web application development
  GSD’s implementation is extensible, expandable, and adaptable
18
Questions
Bobby.R.Kelley@noaa.gov
(303) 497-4122