By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
435,208 Members | 1,072 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 435,208 IT Pros & Developers. It's quick & easy.

IIS / Web Services Security threats

P: n/a
Hi,

My security team thinks allowing communication between the two IIS instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall or
internal network. The biz tier will be developed and deployed as web services
on IIS.

I know microsoft recommends this architecture but I am not able to convince
my security team. They say IIS is vulnerable to viruses and worms even though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to IIS.
If they are not, how should we protect our network while allowing web service
to run on IIS.

I have read all security related recommendations published by Micrososft but
no luck with my security team yet. Esp. the entire document from patterns &
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS? Are
there any companies out there which uses this MS recommended architecture and
yet have a secure network?

Thanks,
Magdelin
Nov 23 '05 #1
Share this Question
Share on Google+
7 Replies


P: n/a
Sounds more like office politics to me.

You use the phrase 'My security team'. does this mean the the security team
at your company or does this mean that the security team at your company
reports to you. If it is the latter then simply issue them with an
instruction to 'make this so'. If it is is the former then it is probably a
matter of political wrangling depending on who the senior management are
more likely to listen to.

I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnats backside and productivity
was almost non-existent.

Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with it's head cutoff, rather than sitting down and analysing
the issue at hand.

Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can do
it 'safely', rather than putting blocks in your way, especially when those
blocks are often based on ignorance or mis-information.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com...
Hi,

My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.

I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.

I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?

Thanks,
Magdelin

Nov 23 '05 #2

P: n/a
Well Said Stephany,
I can witness to how productivity just flies out the door,
bureaucracy abounds and another fat , ugly and inflexible company was born
:-)
henk
"Stephany Young" <noone@localhost> wrote in message
news:uT**************@tk2msftngp13.phx.gbl...
Sounds more like office politics to me.

You use the phrase 'My security team'. does this mean the the security
team at your company or does this mean that the security team at your
company reports to you. If it is the latter then simply issue them with an
instruction to 'make this so'. If it is is the former then it is probably
a matter of political wrangling depending on who the senior management are
more likely to listen to.

I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnats backside and productivity
was almost non-existent.

Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with it's head cutoff, rather than sitting down and
analysing the issue at hand.

Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can
do it 'safely', rather than putting blocks in your way, especially when
those blocks are often based on ignorance or mis-information.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com...
Hi,

My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our
presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.

I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access
it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.

I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?

Thanks,
Magdelin


Nov 23 '05 #3

P: n/a
Magdelin,

Are there any reasons why you do want to open alternate ports, usually this
will freak out any security "expert".

If you run it on the same ports that is open right now (I assume of course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
is exposed and very bad people going to infiltrate.

Use the existing ports, make sure your web services communication is secure,
tokens, encryption or ssl and you should be fine.

henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com...
Hi,

My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.

I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.

I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?

Thanks,
Magdelin

Nov 23 '05 #4

P: n/a
Hi Stephany,

Thanks for your response. The security team is at my company and I
completely agree with your response. Though I knew what the real problem was,
I decided not to lose hope. I was basically looking for some facts, figures
and information which will give the team some confidence in this technology
as well as prevent them from giving excuses for not being able to support the
technology.

Currently, several IT divisions have unanimously voiced against the decision
made by the security. we have insisted a research on security best practices
for implementing distributed .NET web applications.

Thanks once again.
Magdelin


"Stephany Young" wrote:
Sounds more like office politics to me.

You use the phrase 'My security team'. does this mean the the security team
at your company or does this mean that the security team at your company
reports to you. If it is the latter then simply issue them with an
instruction to 'make this so'. If it is is the former then it is probably a
matter of political wrangling depending on who the senior management are
more likely to listen to.

I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnats backside and productivity
was almost non-existent.

Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with it's head cutoff, rather than sitting down and analysing
the issue at hand.

Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can do
it 'safely', rather than putting blocks in your way, especially when those
blocks are often based on ignorance or mis-information.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com...
Hi,

My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.

I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.

I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?

Thanks,
Magdelin


Nov 23 '05 #5

P: n/a
Hi Henk,

Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed too.
My company is pretty new to .NET or basically to web based applications. Only
Mainframe and desktop applications were developed in the past decade.

I also develop Java applications which runs on weblogic server. You will not
believe the weblogic designated ports are open in firewall. Since, the entire
world knows about port 80 and 443, I thought opening a specific port with IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.

Thanks once again,
Magdelin

"Henk Verhoeven" wrote:
Magdelin,

Are there any reasons why you do want to open alternate ports, usually this
will freak out any security "expert".

If you run it on the same ports that is open right now (I assume of course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
is exposed and very bad people going to infiltrate.

Use the existing ports, make sure your web services communication is secure,
tokens, encryption or ssl and you should be fine.

henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com...
Hi,

My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.

I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.

I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?

Thanks,
Magdelin


Nov 23 '05 #6

P: n/a
Magdelin

I alternative might be to propose the following

Propose a gatekeeper layer, this tier would be the exposed layer that will
scrutinize the requests, traffic that comes in and act as a proxy to the
real web service.

This gatekeeper service will direct legitimate traffic (authorized,
authenticated and validated by your internal security requirements), then
also propose that the gateway service will log (create a report, busy work,
job security) of all illegitimate traffic, requests made as well as the
actions taken by the gateway.

This way no , virus, worms or even hack attempts can go ahead without the
approval of the gateway. You can even host your own server that gives
complete control, but that is an overkill.(IMHO)

The above proposed method will satisfy both the "political" nature as well
as functional nature. it is unnecessary like most political and bureaucratic
instances are, but at least you can move forward in getting the work done
within the constraints.

"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:DD**********************************@microsof t.com...
Hi Henk,

Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed
too.
My company is pretty new to .NET or basically to web based applications.
Only
Mainframe and desktop applications were developed in the past decade.

I also develop Java applications which runs on weblogic server. You will
not
believe the weblogic designated ports are open in firewall. Since, the
entire
world knows about port 80 and 443, I thought opening a specific port with
IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.

Thanks once again,
Magdelin

"Henk Verhoeven" wrote:
Magdelin,

Are there any reasons why you do want to open alternate ports, usually
this
will freak out any security "expert".

If you run it on the same ports that is open right now (I assume of
course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that
IIS
is exposed and very bad people going to infiltrate.

Use the existing ports, make sure your web services communication is
secure,
tokens, encryption or ssl and you should be fine.

henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com...
> Hi,
>
> My security team thinks allowing communication between the two IIS
> instances
> leads to severe security risks. Basically, we want to put our
> presentation
> tier on the perimeter network and the business tier inside the fire
> wall
> or
> internal network. The biz tier will be developed and deployed as web
> services
> on IIS.
>
> I know microsoft recommends this architecture but I am not able to
> convince
> my security team. They say IIS is vulnerable to viruses and worms even
> though
> the communication between the web and app servers are secure with a
> firewall/SSL/IPSec. Even though we will open specific ports for
> accessing
> the
> web services, is it true that IIS is not a secure environment to access
> it
> from the perimeter network.
>
> If my security team is true, I wonder what would be the alternative to
> IIS.
> If they are not, how should we protect our network while allowing web
> service
> to run on IIS.
>
> I have read all security related recommendations published by
> Micrososft
> but
> no luck with my security team yet. Esp. the entire document from
> patterns
> &
> pratices:
> Improving Web Application Security - Threats and Countermeasures
>
> How are secure .NET enterprise applications developed and hosted in
> IIS?
> Are
> there any companies out there which uses this MS recommended
> architecture
> and
> yet have a secure network?
>
> Thanks,
> Magdelin


Nov 23 '05 #7

P: n/a
Magdelin wrote:
Hi Henk,

Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed too.
My company is pretty new to .NET or basically to web based applications. Only
Mainframe and desktop applications were developed in the past decade.

I also develop Java applications which runs on weblogic server. You will not
believe the weblogic designated ports are open in firewall. Since, the entire
world knows about port 80 and 443, I thought opening a specific port with IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.

Thanks once again,
Magdelin

"Henk Verhoeven" wrote:

Magdelin,

Are there any reasons why you do want to open alternate ports, usually this
will freak out any security "expert".

If you run it on the same ports that is open right now (I assume of course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
is exposed and very bad people going to infiltrate.

Use the existing ports, make sure your web services communication is secure,
tokens, encryption or ssl and you should be fine.

henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@micros oft.com...
Hi,

My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.

I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.

If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.

I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures

How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?

Thanks,
Magdelin


Hello,

If you want to experiment with .Net and web services you don't have too
many alternatives to IIS (at least I don't know any). But I have been
using IIS + .Net for quite a long time and didn't find any unusual
security problems (every software has some security problems that need
to and are constantly patched by their authors, this also applies to IIS ).
Your case is quite typical: a public web server (accessible from the
Internet, let's call it 'frontend') communicating with application
server in the intranet. In case of .Net the application server is very
often hosted in another IIS and is accessed by the frontend server using
..Net Remoting. The communication with the application server is very
often based on HTTP + SOAP - the frontend server makes HTTP calls to
application server, and the application server listens on single port -
80 for example. The application server does not initiate any connections
to the frontend server - all connections are initiated by frontend and
go to application server.
This configuration is very simple for network administrators to
maintain, and very easy to keep secure - using firewalls, ipsec or other
secure protocols. There is only one application server port that needs
to be made accessible to the frontend server, so you don't have to open
any additional 'holes' in your intranet firewall.
And when it comes to the frontend server security - well, your security
team should know how to secure public HTTP server - IIS is no different
in this aspect than any other server. It is important that in the
architecture described above the frontend server is just what its name
says - just a frontend, does not contain business logic and data. All
important information is managed and kept by the application server.

So, summing up, there is no security problem introduced by the fact that
two IIS-es communicate. This is the common case (the case described
above), and I think that it is even more secure than other possible
solutions with .Net web applications.

Best Regards
Rafal Gwizdala

Nov 23 '05 #8

This discussion thread is closed

Replies have been disabled for this discussion.