Global Systems Division (GSD) Information and Technology Services
Web Services Gateway Implementation
Michael Doney, Bobby Kelley, Peter Lannigan, John Parker, Robin Paschall, Gregory Phillips, Jennifer Valdez
NOAATECH 2006, November 2, 2005
Purpose
Provide information on the Web Services Gateway implementation at ESRL/GSD
Topics
• Problems to Address
• Resolution Objectives
• Options Considered
• Solution Implemented
• Some of the Threats Mitigated
• Example Web Application
• Conclusion
Problems to Address
• Growing threat of malicious web application attacks
• 43 externally visible web applications on 22 servers
• Web applications written by many different developers
• Server configurations done by distributed systems administrators
• No centralized point of control for web application security
Resolution Objectives
• Ensure system & information security for web services
• Establish centralized point of control for web application security
• Minimize the number of directly accessible servers
• Minimize the effort for web application developers
• Maintain distributed systems administration
• Keep the effort as transparent as possible to customers
• Enable seamless addition of web applications for new projects
Options Considered
1. All branch servers located in the public access area
   – Not practical
     • High cost to duplicate servers and storage
   – Not completely secure
2. High-availability pair of servers in the public access area to host all web applications
   – Large effort to port branch web applications to new servers
     • Differing operating systems and library requirements
     • Simply porting would not be adequate
   – Secure programming required
     • Rewrite existing web applications
     • Significant amount of time for all web application developers
     • Additional training expense for every web application developer
     • Requires frequent code reviews, a time-consuming effort
3. Web Services Gateway
   – Dynamic information served from branch servers
Solution Implemented
GSD Web Services Gateway
• A single GSD web services access point in the public access area
  – Load balancers
  – AppShield servers
  – Web/Proxy servers
• Branch servers maintained behind the GSD firewall
• Does not negate other IT security methods and practices
• Does not negate the need for secure coding in web applications
Staffing:
• Initial work began in 2003
• Ranged from 1 to 10 people over 2.5 years (approximately 1.7 staff years of effort)
• Plus assistance to and support from approximately 15 web application developers
Implementation
• Load balancers, high-availability pair
  – Creates multiple virtual servers that map to multiple real servers
  – Multiple content switching options
    • URL, cookie, XML, HTTP header, and SSL session ID
  – Multiple load balancing options
    • Least connections, response time, round robin, …
  – Supports 1,000,000 concurrent sessions
  – 4.4 Gbps throughput
• AppShield servers & software, high-availability pair
  – Provides application level system & information security
  – Protects web applications from exploitation
  – Provides security policy tuning per requirements of each web application
• Web/Proxy servers, high-availability pair
  – Some GSD web applications hosted on these servers
  – Proxy server provides connectivity to all web servers behind the firewall
• Existing branch servers
  – Located behind the GSD firewall
  – Fewest changes for web masters and continued access to existing data stores
  – In some cases, coordination for customer changes was necessary
    • Customer network or firewall access from new GSD Web/Proxy servers
    • Needed to eliminate hard-coded IP addresses on customer systems if any existed
High Level View
[Figure: High Level View. Labels: Internet; Load Balancer, AppShield and Web/Proxy Server high-availability pairs in the Public Access Area; Firewall; GSD Servers; GSD Intranet.]
Hardware and Software
High-availability pairs:
– Foundry ServerIronXL load balancing network switches: $33,084
– Foundry ServerIronXL annual support (one year to date): $1,740
– SunFire V120 Servers: $8,232
– AppShield 4.0: $27,000
– AppShield annual support (three years to date): $22,500
– Dell 2650 servers: $11,296
– On-site AppShield training: $11,450
TOTAL: $115,302
AppShield Details
• AppShield is a stateful reverse proxy application firewall
• Most established product at the time of GSD’s implementation
• Did not require complete redesign of existing web applications
• The default configuration is the most secure
• Three pre-defined security levels available:
  – Strict (starting point for GSD’s implementation)
  – Intermediate
  – Basic
• Uses a positive security model
  – Enforces intended behavior versus watching for unintended behavior
• Custom security levels can be defined
• Customization rules (exceptions) can be written as necessary
AppShield in Operation
• Functions as a reverse proxy for requests and responses
• Learns on-the-fly for each page
  – As HTML requests and responses are processed
• Automatic generation of security policies
• Automatic determination of acceptable responses
• Forces HTTP requests from clients to conform to security policies
• Maintains logs for denied requests
  – Logs can be viewed through the AppShield console
  – Exception rules can be generated to prevent blocking valid requests
• Rule usage is logged to allow fine tuning
• AppShield acts as the SSL termination point for encrypted traffic
  – Ensures that AppShield has visibility of all HTTP traffic
AppShield Session
Source: Sanctum, Inc.
1. Verifies that the request contains a legal entry URL to the site
2. Creates an application session token
   – Stored in an encrypted and signed cookie for subsequent transactions
3. Analyzes each HTML page as it is forwarded to the client
   – Patented Policy Recognition Engine
   – Searches for CGI parameters, hidden field values, etc.
4. Determines the security policy of the web application
   – Checks any exception rules for sites and web applications requested
   – Additional legal requests used to adjust the security policy for the session
   – Accomplished with Adaptive Reduction Technology
     • Reducer: Translates requests to simple & secure language
     • Expander: Rebuilds requests to ensure only legal information
     • In case of a hacking attempt, the reduction/expansion phase will fail
       » AppShield invokes a customizable error CGI with attack origin and type
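The positive security model behind these session steps, sketched as an added example: this is not Sanctum's or GSD's code, and AppShield's actual engine is not shown in the slides. The names PolicyLearner, SessionPolicy and SAMPLE_PAGE are hypothetical; the sketch learns links and form fields from a forwarded page and denies any later request the learned policy does not permit.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class PolicyLearner(HTMLParser):
    """Records what a served page offers: link paths, form actions, form fields."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = set(), {}, None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.add(urlsplit(a["href"]).path)
        elif tag == "form":
            self._form = self.forms.setdefault(urlsplit(a.get("action") or "").path, {})
        elif tag == "input" and self._form is not None and a.get("name"):
            # Hidden fields are pinned to the served value; other inputs are free text.
            hidden = (a.get("type") or "text").lower() == "hidden"
            self._form[a["name"]] = (a.get("value") or "") if hidden else None
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

class SessionPolicy:
    """Per-session allow-list: anything not learned from a response is denied."""
    def __init__(self, entry_urls):
        self.entry_urls, self.links, self.forms = set(entry_urls), set(), {}
    def learn(self, html):
        learner = PolicyLearner()
        learner.feed(html)
        self.links |= learner.links
        self.forms.update(learner.forms)
    def check(self, url):
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if parts.path in self.forms:
            allowed = self.forms[parts.path]
            for name, value in params:
                if name not in allowed:
                    return "deny: unknown parameter"
                if allowed[name] not in (None, value):
                    return "deny: parameter tampering"
            return "allow"
        if parts.path in self.entry_urls | self.links:
            return "allow" if not params else "deny: unknown parameter"
        return "deny: forceful browsing"

# Constructed sample response page (not from the slides).
SAMPLE_PAGE = ('<a href="/products/list">List</a><form action="/order">'
               '<input type="hidden" name="price" value="19.99"><input name="qty"></form>')
```

Because the policy is built from what the application itself served, a changed hidden field or an unlinked URL is rejected without any attack signature.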
Implementation Workflow
• Configure proxy server for web sites
• Create URL mappings in AppShield
• Test web sites through AppShield
• Create exception rules IF NECESSARY
• Retest through AppShield
• Developers test through AppShield
• Update DNS and go live
• Monitor AppShield logs
Web Application Example
[Figure: Web Application Example. Labels: HTTP; Web Services Gateway in the Public Access Area (Load Balancer, AppShield, Web/Proxy); Server; SQL; database; NFS read only; Storage (.gif files / static content); Data Processing Cluster; Data Ingest.]
Some of the Threats Mitigated
• Parameter tampering
• Cookie poisoning
• HTTP request smuggling
• Forceful browsing
• Cross-site scripting
• Buffer overflows
• SQL injection
• Third-party misconfiguration
Conclusion
• Implementing a Web Services Gateway at GSD added a significant additional layer of IT Security
• Problems addressed and resolution objectives met
• Achieved a single GSD web services access point in the public access area
• Existing web sites and web applications were supported without requiring complete redesign
• This implementation does not negate other IT Security methods and practices
• Secure coding practices should be followed for web application development
• GSD’s implementation is extensible, expandable, and adaptable
Questions
(303) 497- 4122