Re: IIS / Web Services Security threats



Magdelin

An alternative might be to propose the following:

Propose a gatekeeper layer. This tier would be the exposed layer that
scrutinizes the requests and traffic that come in and acts as a proxy to
the real web service.

This gatekeeper service will direct legitimate traffic (authorized,
authenticated and validated by your internal security requirements); then
also propose that the gateway service will log (create a report: busy
work, job security) all illegitimate traffic and requests made, as well
as the actions taken by the gateway.

This way no virus, worms or even hack attempts can go ahead without the
approval of the gateway. You can even host your own server that gives
complete control, but that is overkill (IMHO).

The above proposed method will satisfy both the "political" nature as
well as the functional nature. It is unnecessary, like most political and
bureaucratic instances are, but at least you can move forward in getting
the work done within the constraints.
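As an added illustration of the gatekeeper idea (this is example code written for this page, not code from the poster or from Microsoft), the sketch below shows the three checks the post calls for, in the order a proxy in front of the internal web service would apply them: only an allowlisted method/path pair is relayed, the caller must present a valid token, and the body is validated before anything is forwarded. The route names, the `X-Gateway-Token` header and the HMAC-SHA256 token scheme are assumptions made for the example; the audit list stands in for whatever report the gateway writes. Every request, allowed or not, is recorded together with the action taken, which is the logging the post asks for.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed values for this example. In practice the secret is provisioned
# out of band to the presentation tier and the gatekeeper only.
SHARED_SECRET = b"constructed-demo-secret"
MAX_BODY_BYTES = 4096

# The only operations the gatekeeper relays to the internal web service
# (assumed route names). Anything else is refused before it reaches the
# business tier.
EXPOSED_ROUTES = {
    ("GET", "/svc/orders/status"),
    ("POST", "/svc/orders"),
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: bytes = b""


@dataclass
class Decision:
    allowed: bool
    status: int
    reason: str


def expected_token(method: str, path: str) -> str:
    """Token the presentation tier must send for a given operation
    (assumed scheme: HMAC-SHA256 over "METHOD /path" with the shared secret)."""
    msg = f"{method} {path}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Gatekeeper:
    # One entry per request handled: the report of illegitimate traffic and
    # of the action the gateway took.
    audit: list = field(default_factory=list)

    def handle(self, req: Request) -> Decision:
        decision = self._evaluate(req)
        self.audit.append({
            "method": req.method,
            "path": req.path,
            "allowed": decision.allowed,
            "status": decision.status,
            "reason": decision.reason,
        })
        return decision

    def _evaluate(self, req: Request) -> Decision:
        # 1. Authorization: only exposed operations are ever relayed.
        if (req.method, req.path) not in EXPOSED_ROUTES:
            return Decision(False, 404, "route not exposed")

        # 2. Authentication: constant-time comparison of the presented token.
        presented = req.headers.get("X-Gateway-Token", "").encode("utf-8", "replace")
        wanted = expected_token(req.method, req.path).encode()
        if not hmac.compare_digest(presented, wanted):
            return Decision(False, 401, "missing or invalid token")

        # 3. Validation: size and shape of the body before it is forwarded.
        if len(req.body) > MAX_BODY_BYTES:
            return Decision(False, 413, "body too large")
        if req.body:
            if req.headers.get("Content-Type") != "application/json":
                return Decision(False, 415, "unexpected content type")
            try:
                json.loads(req.body)
            except ValueError:
                return Decision(False, 400, "malformed JSON body")

        return Decision(True, 200, "forwarded to business tier")


if __name__ == "__main__":
    gk = Gatekeeper()
    ok_headers = {
        "X-Gateway-Token": expected_token("POST", "/svc/orders"),
        "Content-Type": "application/json",
    }
    gk.handle(Request("POST", "/svc/orders", ok_headers, b'{"sku": "A1", "qty": 2}'))
    gk.handle(Request("GET", "/svc/orders/status", {}))          # no token
    gk.handle(Request("DELETE", "/svc/orders", ok_headers))       # not exposed
    for entry in gk.audit:
        print(entry)
```

The ordering matters: the route check runs before the token check so that a request for something the gateway does not expose never causes the secret to be touched, and body validation runs last so that unauthenticated callers cannot make the proxy parse attacker-controlled JSON.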



"Magdelin" <magdelinsuja@xxxxxxxxxxxxxxxxx> wrote in message
news:DD67E18C-94E6-462C-8309-1EDCEACEFD94@xxxxxxxxxxxxxxxx
> Hi Henk,
>
> Thanks for your response. You will be surprised to know, due to a recent
> virus attack on the perimeter network, the common ports have been closed
> too. My company is pretty new to .NET or basically to web based
> applications. Only mainframe and desktop applications were developed in
> the past decade.
>
> I also develop Java applications which run on WebLogic server. You will
> not believe the WebLogic designated ports are open in the firewall. Since
> the entire world knows about port 80 and 443, I thought opening a specific
> port with IPSec configuration may make the network a little more secure.
> Although, I know you can find out which ports are open by writing a small
> program.
>
> Thanks once again,
> Magdelin
>
> "Henk Verhoeven" wrote:
>
>> Magdelin,
>>
>> Are there any reasons why you do want to open alternate ports? Usually
>> this will freak out any security "expert".
>>
>> If you run it on the same ports that are open right now (I assume of
>> course), like HTTP, HTTPS, FTP, then you can use the same argument they
>> use, that IIS is exposed and very bad people are going to infiltrate.
>>
>> Use the existing ports, make sure your web services communication is
>> secure (tokens, encryption or SSL) and you should be fine.
>>
>> henk
>>
>>
>> "Magdelin" <magdelinsuja@xxxxxxxxxxxxxxxxx> wrote in message
>> news:CBAB91C3-58F6-490C-A080-98998478B626@xxxxxxxxxxxxxxxx
>> > Hi,
>> >
>> > My security team thinks allowing communication between the two IIS
>> > instances leads to severe security risks. Basically, we want to put
>> > our presentation tier on the perimeter network and the business tier
>> > inside the firewall or internal network. The biz tier will be
>> > developed and deployed as web services on IIS.
>> >
>> > I know Microsoft recommends this architecture but I am not able to
>> > convince my security team. They say IIS is vulnerable to viruses and
>> > worms even though the communication between the web and app servers
>> > is secure with a firewall/SSL/IPSec. Even though we will open specific
>> > ports for accessing the web services, is it true that IIS is not a
>> > secure environment to access it from the perimeter network?
>> >
>> > If my security team is right, I wonder what would be the alternative
>> > to IIS. If they are not, how should we protect our network while
>> > allowing web services to run on IIS?
>> >
>> > I have read all security related recommendations published by
>> > Microsoft but no luck with my security team yet. Esp. the entire
>> > document from patterns & practices:
>> > Improving Web Application Security - Threats and Countermeasures
>> >
>> > How are secure .NET enterprise applications developed and hosted in
>> > IIS? Are there any companies out there which use this MS recommended
>> > architecture and yet have a secure network?
>> >
>> > Thanks,
>> > Magdelin
>>
>>
>>
