Hi,
My security team thinks allowing communication between the two IIS instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall or
internal network. The biz tier will be developed and deployed as web services
on IIS.
I know microsoft recommends this architecture but I am not able to convince
my security team. They say IIS is vulnerable to viruses and worms even though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to IIS.
If they are not, how should we protect our network while allowing web service
to run on IIS.
I have read all security related recommendations published by Micrososft but
no luck with my security team yet. Esp. the entire document from patterns &
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS? Are
there any companies out there which uses this MS recommended architecture and
yet have a secure network?
Thanks,
Magdelin
7  1957 
Sounds more like office politics to me.
You use the phrase 'My security team'. does this mean the the security team
at your company or does this mean that the security team at your company
reports to you. If it is the latter then simply issue them with an
instruction to 'make this so'. If it is is the former then it is probably a
matter of political wrangling depending on who the senior management are
more likely to listen to.
I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnats backside and productivity
was almost non-existent.
Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with it's head cutoff, rather than sitting down and analysing
the issue at hand.
Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can do
it 'safely', rather than putting blocks in your way, especially when those
blocks are often based on ignorance or mis-information.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com... Hi,
My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.
I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.
I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?
Thanks,
Magdelin
Well Said Stephany,
I can witness to how productivity just flies out the door,
bureaucracy abounds and another fat , ugly and inflexible company was born
:-)
henk
"Stephany Young" <noone@localhost> wrote in message
news:uT**************@tk2msftngp13.phx.gbl... Sounds more like office politics to me.
You use the phrase 'My security team'. does this mean the the security
team at your company or does this mean that the security team at your
company reports to you. If it is the latter then simply issue them with an
instruction to 'make this so'. If it is is the former then it is probably
a matter of political wrangling depending on who the senior management are
more likely to listen to.
I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnats backside and productivity
was almost non-existent.
Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with it's head cutoff, rather than sitting down and
analysing the issue at hand.
Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can
do it 'safely', rather than putting blocks in your way, especially when
those blocks are often based on ignorance or mis-information.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com... Hi,
My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our
presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.
I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access
it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.
I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?
Thanks,
Magdelin
Magdelin,
Are there any reasons why you do want to open alternate ports, usually this
will freak out any security "expert".
If you run it on the same ports that is open right now (I assume of course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
is exposed and very bad people going to infiltrate.
Use the existing ports, make sure your web services communication is secure,
tokens, encryption or ssl and you should be fine.
henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com... Hi,
My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.
I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.
I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?
Thanks,
Magdelin
Hi Stephany,
Thanks for your response. The security team is at my company and I
completely agree with your response. Though I knew what the real problem was,
I decided not to lose hope. I was basically looking for some facts, figures
and information which will give the team some confidence in this technology
as well as prevent them from giving excuses for not being able to support the
technology.
Currently, several IT divisions have unanimously voiced against the decision
made by the security. we have insisted a research on security best practices
for implementing distributed .NET web applications.
Thanks once again.
Magdelin
"Stephany Young" wrote: Sounds more like office politics to me.
You use the phrase 'My security team'. does this mean the the security team
at your company or does this mean that the security team at your company
reports to you. If it is the latter then simply issue them with an
instruction to 'make this so'. If it is is the former then it is probably a
matter of political wrangling depending on who the senior management are
more likely to listen to.
I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnats backside and productivity
was almost non-existent.
Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with it's head cutoff, rather than sitting down and analysing
the issue at hand.
Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can do
it 'safely', rather than putting blocks in your way, especially when those
blocks are often based on ignorance or mis-information.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com... Hi,
My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.
I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.
I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?
Thanks,
Magdelin
Hi Henk,
Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed too.
My company is pretty new to .NET or basically to web based applications. Only
Mainframe and desktop applications were developed in the past decade.
I also develop Java applications which runs on weblogic server. You will not
believe the weblogic designated ports are open in firewall. Since, the entire
world knows about port 80 and 443, I thought opening a specific port with IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.
Thanks once again,
Magdelin
"Henk Verhoeven" wrote: Magdelin,
Are there any reasons why you do want to open alternate ports, usually this
will freak out any security "expert".
If you run it on the same ports that is open right now (I assume of course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
is exposed and very bad people going to infiltrate.
Use the existing ports, make sure your web services communication is secure,
tokens, encryption or ssl and you should be fine.
henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com... Hi,
My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.
I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.
I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?
Thanks,
Magdelin
Magdelin
I alternative might be to propose the following
Propose a gatekeeper layer, this tier would be the exposed layer that will
scrutinize the requests, traffic that comes in and act as a proxy to the
real web service.
This gatekeeper service will direct legitimate traffic (authorized,
authenticated and validated by your internal security requirements), then
also propose that the gateway service will log (create a report, busy work,
job security) of all illegitimate traffic, requests made as well as the
actions taken by the gateway.
This way no , virus, worms or even hack attempts can go ahead without the
approval of the gateway. You can even host your own server that gives
complete control, but that is an overkill.(IMHO)
The above proposed method will satisfy both the "political" nature as well
as functional nature. it is unnecessary like most political and bureaucratic
instances are, but at least you can move forward in getting the work done
within the constraints.
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:DD**********************************@microsof t.com... Hi Henk,
Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed
too.
My company is pretty new to .NET or basically to web based applications.
Only
Mainframe and desktop applications were developed in the past decade.
I also develop Java applications which runs on weblogic server. You will
not
believe the weblogic designated ports are open in firewall. Since, the
entire
world knows about port 80 and 443, I thought opening a specific port with
IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.
Thanks once again,
Magdelin
"Henk Verhoeven" wrote:
Magdelin,
Are there any reasons why you do want to open alternate ports, usually
this
will freak out any security "expert".
If you run it on the same ports that is open right now (I assume of
course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that
IIS
is exposed and very bad people going to infiltrate.
Use the existing ports, make sure your web services communication is
secure,
tokens, encryption or ssl and you should be fine.
henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@microsof t.com... > Hi,
>
> My security team thinks allowing communication between the two IIS
> instances
> leads to severe security risks. Basically, we want to put our
> presentation
> tier on the perimeter network and the business tier inside the fire
> wall
> or
> internal network. The biz tier will be developed and deployed as web
> services
> on IIS.
>
> I know microsoft recommends this architecture but I am not able to
> convince
> my security team. They say IIS is vulnerable to viruses and worms even
> though
> the communication between the web and app servers are secure with a
> firewall/SSL/IPSec. Even though we will open specific ports for
> accessing
> the
> web services, is it true that IIS is not a secure environment to access
> it
> from the perimeter network.
>
> If my security team is true, I wonder what would be the alternative to
> IIS.
> If they are not, how should we protect our network while allowing web
> service
> to run on IIS.
>
> I have read all security related recommendations published by
> Micrososft
> but
> no luck with my security team yet. Esp. the entire document from
> patterns
> &
> pratices:
> Improving Web Application Security - Threats and Countermeasures
>
> How are secure .NET enterprise applications developed and hosted in
> IIS?
> Are
> there any companies out there which uses this MS recommended
> architecture
> and
> yet have a secure network?
>
> Thanks,
> Magdelin
Magdelin wrote: Hi Henk,
Thanks for your response. You will be surprised to know, due to a recent
virus attack on the perimeter network, the common ports have been closed too.
My company is pretty new to .NET or basically to web based applications. Only
Mainframe and desktop applications were developed in the past decade.
I also develop Java applications which runs on weblogic server. You will not
believe the weblogic designated ports are open in firewall. Since, the entire
world knows about port 80 and 443, I thought opening a specific port with IP
Sec configuration may make the network little secure. Although, I know you
can find out which ports are open by writing a small program.
Thanks once again,
Magdelin
"Henk Verhoeven" wrote:
Magdelin,
Are there any reasons why you do want to open alternate ports, usually this
will freak out any security "expert".
If you run it on the same ports that is open right now (I assume of course),
like HTTP, HTTPS, FTP then you can use the same argument they use, that IIS
is exposed and very bad people going to infiltrate.
Use the existing ports, make sure your web services communication is secure,
tokens, encryption or ssl and you should be fine.
henk
"Magdelin" <ma**********@newsgroups.nospam> wrote in message
news:CB**********************************@micros oft.com...
Hi,
My security team thinks allowing communication between the two IIS
instances
leads to severe security risks. Basically, we want to put our presentation
tier on the perimeter network and the business tier inside the fire wall
or
internal network. The biz tier will be developed and deployed as web
services
on IIS.
I know microsoft recommends this architecture but I am not able to
convince
my security team. They say IIS is vulnerable to viruses and worms even
though
the communication between the web and app servers are secure with a
firewall/SSL/IPSec. Even though we will open specific ports for accessing
the
web services, is it true that IIS is not a secure environment to access it
from the perimeter network.
If my security team is true, I wonder what would be the alternative to
IIS.
If they are not, how should we protect our network while allowing web
service
to run on IIS.
I have read all security related recommendations published by Micrososft
but
no luck with my security team yet. Esp. the entire document from patterns
&
pratices:
Improving Web Application Security - Threats and Countermeasures
How are secure .NET enterprise applications developed and hosted in IIS?
Are
there any companies out there which uses this MS recommended architecture
and
yet have a secure network?
Thanks,
Magdelin
Hello,
If you want to experiment with .Net and web services you don't have too
many alternatives to IIS (at least I don't know any). But I have been
using IIS + .Net for quite a long time and didn't find any unusual
security problems (every software has some security problems that need
to and are constantly patched by their authors, this also applies to IIS ).
Your case is quite typical: a public web server (accessible from the
Internet, let's call it 'frontend') communicating with application
server in the intranet. In case of .Net the application server is very
often hosted in another IIS and is accessed by the frontend server using
..Net Remoting. The communication with the application server is very
often based on HTTP + SOAP - the frontend server makes HTTP calls to
application server, and the application server listens on single port -
80 for example. The application server does not initiate any connections
to the frontend server - all connections are initiated by frontend and
go to application server.
This configuration is very simple for network administrators to
maintain, and very easy to keep secure - using firewalls, ipsec or other
secure protocols. There is only one application server port that needs
to be made accessible to the frontend server, so you don't have to open
any additional 'holes' in your intranet firewall.
And when it comes to the frontend server security - well, your security
team should know how to secure public HTTP server - IIS is no different
in this aspect than any other server. It is important that in the
architecture described above the frontend server is just what its name
says - just a frontend, does not contain business logic and data. All
important information is managed and kept by the application server.
So, summing up, there is no security problem introduced by the fact that
two IIS-es communicate. This is the common case (the case described
above), and I think that it is even more secure than other possible
solutions with .Net web applications.
Best Regards
Rafal Gwizdala This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Xizor |
last post by:
Ok, I'm new to PHP and MySQL. I've been going through tutorials, reading the
documentation, and looking through web sites. PHP to me seems great! With
MySQL it seems even better.
However, I'm an...
|
by: rjames.clarke |
last post by:
I am developing an online application and the last thing I need to get
a handle on is security.
This app is very heavy with forms. Business critical data will be
entered via forms and inserted in...
|
by: Mike MacSween |
last post by:
S**t for brains strikes again!
Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data...
|
by: WebMatrix |
last post by:
Hello,
I have developed a web application that connects to 2 different database
servers. The connection strings with db username + password are stored in
web.config file.
After a code review,...
|
by: google |
last post by:
I have a few general questions. I am working on a new database to be
used within my company. I would like to give a couple of people,
particularly HR, the ability to add and delete Access users,...
|
by: Innycool |
last post by:
Save 25% on Norton Internet Security
Automatic security updates
Advanced phishing detection
Two-way firewall blocks hackers
Windows security holes shielded
Public wireless network...
|
by: Salad |
last post by:
On one computer I am getting the message "This file may not be safe if
it contains code that was intended to harm your computer. Open It?" and
on my computer I didn't get that message when I...
|
by: dheeraj857 |
last post by:
Well i am studying about web security. I have found some threats that developer should take care while coding.
1) Validate user input
2) SQL Injection
3) Cross -site scripting
I would like...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
| |
