Web-based application infrastructure: Extended connectivity means more risk

This article can also be found in the Premium Editorial Download "Information Security magazine: Negative exposure: Web scanners reveal unknown holes."

Typical Web-based application infrastructures (see Figure 1) are segmented based on user trust levels. They contain firewalls to restrict traffic flow to authorized services. External traffic is allowed only to the Web server on ports 80 (HTTP) and 443 (SSL). An IDS monitors traffic for anomalies.

All operating systems are hardened. The Web server is secured. An external scan of this IP space would reveal no vulnerabilities.

However, add an e-business application on top of this infrastructure, and, by design, Internet users' connectivity is extended enormously. Customers can place their own orders in the organization's processing system, automatically triggering associated events in areas such as billing, the supply chain and the manufacturing line. To make this happen, the application layer allows users to indirectly interact with the Web server, the database server, the SMTP server and the application server.

This extended connectivity to an organization's assets brings a whole new set of risks. A failure in the application-layer controls could give attackers unauthorized access and the ability to do a great deal of damage.
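As an added illustration (not from the article or its authors), a small Python model of the segmented infrastructure described above: the firewall rule set is constructed, the web-to-application, application-to-database and application-to-SMTP ports are assumed, and the script contrasts what the firewall exposes to the Internet in a single hop with what becomes reachable once the application layer relays requests between tiers.

```python
from collections import deque

# Constructed model of the tiered infrastructure in the article.
# Each rule is a (source_zone, destination_zone, port) the firewall permits.
FIREWALL_RULES = {
    ("internet", "web", 80),    # HTTP, as stated in the article
    ("internet", "web", 443),   # SSL, as stated in the article
    ("web", "app", 8080),       # assumed port: web server -> application server
    ("app", "db", 1433),        # assumed port: application server -> database
    ("app", "smtp", 25),        # application server -> SMTP server
}

def allowed_by_firewall(src, dst, port):
    """Network-layer view: would the firewall pass this single connection?"""
    return (src, dst, port) in FIREWALL_RULES

def direct_zones(src):
    """What an external scan sees: one hop, firewall rules only."""
    return {dst for (s, dst, _) in FIREWALL_RULES if s == src}

def application_paths(src):
    """Zones reachable once each tier's application relays requests onward.
    Breadth-first search over the rule graph; returns zone -> list of hops."""
    paths = {src: [src]}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        for (s, dst, _) in FIREWALL_RULES:
            if s == cur and dst not in paths:
                paths[dst] = paths[cur] + [dst]
                queue.append(dst)
    del paths[src]
    return paths

def indirectly_exposed(src):
    """Zones the firewall blocks directly but the application layer extends to."""
    return set(application_paths(src)) - direct_zones(src)

if __name__ == "__main__":
    for zone, hops in sorted(application_paths("internet").items()):
        print(f"{zone}: {' -> '.join(hops)}")
    print("indirectly exposed:", sorted(indirectly_exposed("internet")))
```

The gap between `direct_zones` and `application_paths` is the article's point: the backend tiers never appear in an external scan, so their protection rests entirely on the application-layer controls along each relayed path.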

About the authors:
Kelly White is a senior security engineer with TruSecure Corp.'s Enhanced Services Group.

Yong-Gon Chon is director of TruSecure Corp.'s Enhanced Services Group. TruSecure publishes Information Security.

This was first published in January 2003
