Web service security through depth
I'm working on a project that uses the Globus Toolkit
as a secure service container. Globus can be more effort than necessary to run services, but it provides a solid security stack that uses digital certs and mutual authentication through SSL for authentication and encryption. Two-way SSL is rather secure and usually doesn't raise too many eyebrows.
However, one of the security analysts insisted this was insecure because you could use an HTTP reverse proxy between the user and the service. His reasoning was that you can't put the service container in the DMZ as it is too much of a security risk. Instead you put a web server (IIS or Apache) in the DMZ and have it proxy all traffic directly to the service container.
This is frustrating for several reasons:
1) increased cost and complexity - I generally like KISS
2) Limited increase in security. A configuration I usually use is to have the app server in the DMZ and the database inside the local network. The external firewall limits all traffic to 443 (or 80 if you have plain HTTP), protects against DoS, etc. etc. The vulnerability is that someone could compromise the app server if there is some exploit that works on 443 or 80. But with a reverse proxy, everything is forwarded on to the app server, so you can still exploit any 443/80 vulnerabilities even if the app server is within the local network. In fact, this is a greater risk because now someone has compromised the app server inside the local network, rather than a server in the DMZ.
3) Having an HTTP server proxy SSL sessions means that there are now 2 SSL sessions. One between the user and the HTTP server and then one between the HTTP server and the service. This is not only a performance problem, but now you have to delegate the user credentials. This means that the service can't use stuff like mutual-authentication with users because the proxy server is a man in the middle (although one under benevolent control).
So, what I've been doing is asking everyone I know who designs web services if this isn't stupid. So far I've had 4 architects from 4 different companies say that this configuration is unnecessary and that they don't do it.
In the meantime, we're going to use web services without an HTTP proxy server. It seems NIST
is on our side, so I'm hoping we'll be able to withstand the "We must triple encrypt stuff" crowd.
Labels: services, SOA