Security Architecture for Multi-Tier Applications

By Paladion

October 15, 2005

The advent of the Internet has seen the introduction of multi-tier applications, and they have since become the norm for building enterprise software. The most common breakdown of a tiered application is Presentation, Business Logic and Data. Although there are other possibilities, we shall consider this breakdown for today's discussion.

Multi-tier applications first emerged as a way of solving some of the problems associated with traditional client/server applications, but with the arrival of the Web, this architecture has dominated the development world. A schematic representation of the architecture is as follows:

Figure 1

Introducing network security into this architecture means inserting firewalls at different entry points. Firewalls are placed in order to regulate access to each of the above-mentioned servers. The simplest thing to do would be to place a firewall between each of the servers and control access to them. The question is: does this solution work?

Figure 2

Let’s analyze the traffic flow between the various components.

  1. Traffic between the Client and the Web Server is most likely to be HTTP on Port 80. It is imperative that a firewall be placed between the Client and the Web Server; this will allow access only to the HTTP service and block access to the other services running on the server.
  2. Traffic between the Web Server and the Application Server could either be on HTTP or some Custom Port. Here again, placing a firewall makes sense, as the traffic needs to be controlled between the Web Server and Application Server and should be allowed only on specific application ports and not operating system ports.
  3. Traffic between the Application Server and the Database Server would most likely be on a SQL Port. This is where a firewall does not necessarily add value, because no special ports are required to obtain data from the database: the authorized SQL port can be used by anyone (authorized or unauthorized) to get data from the database. We’ll see how this is possible below.

For a serious attacker or malicious user exploiting a server, the end goal would be to obtain information that is stored in the database. For example, the database of an online banking site would contain customer information, address details, account numbers, credit card numbers etc. This information is extremely valuable to an attacker. Let’s see how far the attacker needs to go to obtain it.

Let’s say, for instance, that the web server has a vulnerability that the attacker has been able to exploit, which in turn has given him shell access. Now he looks at conquering the next hop, which is the application server. Assuming that the application server has been configured poorly and he obtains a privileged username and password, he gains shell access to this server as well. He has now moved even closer to the valuable data that he is seeking, the database. Does he need shell access to the database server in order to obtain this data? The answer is no! All he needs is to be able to send a query to the database and receive the result. Can a firewall prevent this kind of attack? No. The query comes from a legitimate application server that would normally query the database server, and this access is allowed by the firewall ruleset. This just goes to show that a firewall is not the answer to every security breach. There are other measures one needs to take that are beyond the scope of this article.
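The point can be checked with a small model of the ruleset described above. This is an added example, not part of the original article; the IP addresses, the application port 8009, the SQL port 1433 and the sample queries are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing and ports for the three tiers (assumptions, not from the article).
WEB, APP, DB = "10.0.1.10", "10.0.2.10", "10.0.3.10"
APP_PORT, SQL_PORT = 8009, 1433

@dataclass(frozen=True)
class Rule:
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form
    port: int     # destination TCP port
    action: str   # "allow" or "deny"

# First-match ruleset for the firewalls in front of each tier; anything unmatched is denied.
RULES = [
    Rule("0.0.0.0/0", f"{WEB}/32", 80, "allow"),        # client -> web server, HTTP only
    Rule(f"{WEB}/32", f"{APP}/32", APP_PORT, "allow"),  # web -> application port only
    Rule(f"{APP}/32", f"{DB}/32", SQL_PORT, "allow"),   # app -> database SQL port
]

def decide(src: str, dst: str, port: int) -> str:
    """Return the action of the first matching rule, or the default deny."""
    for r in RULES:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and port == r.port):
            return r.action
    return "deny"

def evaluate(flows):
    """Map each labelled flow to a decision; the filter never sees the label or payload."""
    return {label: decide(src, dst, port) for label, src, dst, port, _payload in flows}

# Constructed flows. The last two differ only in who issued the query on the app server.
FLOWS = [
    ("client to web HTTP", "203.0.113.5", WEB, 80, "GET /login"),
    ("client to web SSH", "203.0.113.5", WEB, 22, ""),
    ("client straight to database", "203.0.113.5", DB, SQL_PORT, "SELECT ..."),
    ("web to app on OS port", WEB, APP, 22, ""),
    ("application query", APP, DB, SQL_PORT, "SELECT balance FROM accounts WHERE id = ?"),
    ("query typed from a shell on the app server", APP, DB, SQL_PORT, "SELECT * FROM accounts"),
]

if __name__ == "__main__":
    for label, action in evaluate(FLOWS).items():
        print(f"{action:5}  {label}")
```

The first two firewalls reject everything except the intended service, while the last two flows receive the same decision because the filter sees only source, destination and port.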

Another point worth considering is performance. Traffic between Application Servers and Database Servers is usually quite large, because the application servers query the database for information, perform the business logic and send the result back to the requesting party, which is the web server. A large amount of data, usually in the range of megabytes, is processed to render that information for the web server. In the days of gigabit firewalls, throughput might not even be an issue, but it is definitely an overhead on the firewall that can be avoided.

In conclusion to the above discussion, introducing firewalls between application servers and the database servers does not necessarily provide any significant improvement in security.
