
Re: Web app based on .net - best practice?

From: Alex Russell <alex(at)netWindows.org>
Date: Tue Apr 22 2003 - 12:17:40 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 23 April 2003 08:41 am, Mads Rasmussen wrote:
> Imagine I have a .net based application
>
> I thought it would be a good idea to have the presentation layer (asp)
> in a DMZ and the business layer (components in VB and C#) in a safe site
> behind a firewall. The communication in between would take place with

This is the logical equivalent of having them on the same machine in the same namespace. Your "layering" in this case is only physical, and while it _could_ provide the opportunity for safety inspection of the RPC calls, I doubt you're taking advantage of it.

> I know that RPC is not considered secure but we have a firewall in
> between the DMZ and the safe site (not a guarantee things work out, I
> know)

What, exactly, do you believe a firewall is buying you here? I'm willing to bet that it's not doing what you think it's doing.

> My concern is that if the whole application was based in the DMZ, it

From this description, I think you've got your layers (and the security needs of each) confused a bit. When securing an app like this, your network setup only marginally informs your application level security design, and says nothing of your needs. Firewalls and DMZs are going to allow you to handle problems at layer 2 and layer 3, but they have little (if any) bearing on the application-level security you seem to be interested in.

When it comes to securing the app itself, you'll want to separate the _logical_ layers of the application strongly. This means well constrained interfaces which are ideally watched and logged for malicious behaviour. Using RPC (I'm assuming SOAP or XML-RPC?), you have the ability on both ends of the connection to do some sanity checking as well as protocol integrity checking in the middle.


Your layer 2 and 3 security provisions provide you with a strong foundation for your layer 7 security precautions, but they are not interchangeable.

HTH

-- 
Alex Russell
alex@netWindows.org
alex@SecurePipe.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+pWskoV0dQ6uSmkYRApXfAJ9LYcpO1JQbTMjwIMeD7Yc5AqdA9wCfRB92
snXRJdIzqQMpyeA+7OjvK5w=
=mDkD
-----END PGP SIGNATURE-----

Received on Wed Apr 23 12:36:20 2003
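The point Alex makes about "well constrained interfaces which are watched and logged" is easiest to see in code. The following is an added example, not part of this message or the thread, and not the poster's application: it shows what the business-tier side of an XML-RPC boundary looks like when the interface contract, rather than the firewall, does the work. It uses Python's standard `xmlrpc.client` encoder and decoder so it runs offline with no network; the method names (`orders.status`, `orders.cancel`), the parameter limits and the 4096-byte request ceiling are hypothetical stand-ins chosen for the example.

```python
"""A constrained, logged RPC boundary between a presentation tier and a
business tier (constructed example; method names and limits are hypothetical)."""
import logging
import xmlrpc.client
from typing import Any, Callable

log = logging.getLogger("rpc.boundary")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
AUDIT: list[str] = []          # in-memory copy of every decision, so it can be inspected offline

MAX_REQUEST_BYTES = 4096       # hypothetical ceiling; a real interface sets this from its own messages


# Business-tier functions (hypothetical stand-ins for the VB/C# components).
def get_order_status(order_id: int) -> str:
    return "shipped" if order_id % 2 == 0 else "processing"


def cancel_order(order_id: int, reason: str) -> bool:
    return True


# Strict type checks: `type(v) is int` rather than isinstance, so an XML-RPC
# <boolean> (bool is a subclass of int in Python) cannot occupy an integer slot.
def is_id(v: Any) -> bool:
    return type(v) is int and 0 < v < 10**9


def is_short_text(v: Any) -> bool:
    return isinstance(v, str) and 0 < len(v) <= 200 and v.isprintable()


# The interface contract: from the DMZ's point of view only these methods exist,
# and each parameter slot has its own validator. Anything else is refused.
ALLOWED: dict[str, tuple[Callable[..., Any], list[Callable[[Any], bool]]]] = {
    "orders.status": (get_order_status, [is_id]),
    "orders.cancel": (cancel_order, [is_id, is_short_text]),
}


def make_request(method: str, *params: Any) -> str:
    """Presentation-tier side: encode a call as an XML-RPC request body."""
    return xmlrpc.client.dumps(params, methodname=method)


def _reject(peer: str, code: int, reason: str) -> str:
    msg = f"reject peer={peer} code={code} reason={reason}"
    AUDIT.append(msg)
    log.warning(msg)
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, reason))


def handle_request(body: str, peer: str) -> str:
    """Business-tier side: parse one XML-RPC request body, enforce the contract,
    dispatch, and return an XML-RPC response body. Every refusal is recorded
    together with the caller's address, which is what makes the boundary 'watched'."""
    if len(body.encode("utf-8")) > MAX_REQUEST_BYTES:
        return _reject(peer, 413, "request too large")
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:                       # malformed XML or non-XML-RPC payload
        return _reject(peer, 400, f"malformed request: {type(exc).__name__}")
    if method not in ALLOWED:
        return _reject(peer, 404, f"unknown method {method!r}")
    func, checks = ALLOWED[method]
    if len(params) != len(checks):
        return _reject(peer, 400, f"{method}: expected {len(checks)} params, got {len(params)}")
    for i, (value, check) in enumerate(zip(params, checks)):
        if not check(value):
            return _reject(peer, 400, f"{method}: parameter {i} failed validation")
    result = func(*params)
    AUDIT.append(f"accept peer={peer} method={method}")
    log.info("accept peer=%s method=%s", peer, method)
    return xmlrpc.client.dumps((result,), methodresponse=True)


def decode_response(body: str) -> tuple[bool, Any]:
    """Presentation-tier half of the sanity check: (True, value) for a result,
    (False, faultCode) for a refusal, so the caller never has to inspect raw XML."""
    try:
        (value,), _ = xmlrpc.client.loads(body)
        return True, value
    except xmlrpc.client.Fault as fault:
        return False, fault.faultCode


if __name__ == "__main__":
    peer = "10.0.0.5"                                  # constructed DMZ host address
    print(decode_response(handle_request(make_request("orders.status", 42), peer)))    # (True, 'shipped')
    print(decode_response(handle_request(make_request("orders.status", "42"), peer)))  # (False, 400)
    print(decode_response(handle_request(make_request("orders.purge"), peer)))         # (False, 404)
```

Nothing here depends on where the two tiers sit on the network: the same checks apply whether the request came over a firewall from the DMZ or from a process on the same host, which is the sense in which the layer 7 contract and the layer 2/3 provisions are not interchangeable. Parsing the request before dispatch also gives a natural place for the "protocol integrity checking in the middle" the message mentions, since an inspecting proxy can run the same `loads`-and-allow-list step without knowing the business logic.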

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

