Question
· May 25, 2016

Web applications, and architecture/security related questions

Hi,

Assume an architecture where an ECP Database Server is connected to by one or more ECP Application Servers inside a firewall.The application server hosts the web application that web users connect to.

The Web servers are outside the firewall, and, (using the CSP gateway/server mechanism) issue requests over the SuperServer port and into the application server.

I know that the traffic between the Web Server and the ECP application server can be encrypted using HTTPS, and access to the CSPServer on the Application server is username/password secured.

Q1: In order to bolster security, is it possible for the SuperServer port connection between the AP Server and the Web Server to only be initiated by the Application Server ?

In this model, we'are assuming only the Superserver port would be opened on the firewall, CSP_Gateway Service would be defined to allow only Web Servers IP's sitting outside the firewall, or, IP addresses within the firewall (for admin purposes).   All other Services that use the SuperServer port (object bindings, etc) would be restricted to only IP Addresses within the firewall.  Given this configuration, the next question would be: 

Q2: With the Web Server outside the firewall having only CSP Gateway access into the  Application server, other than disabling all non-essential Web Applications, and securing Web applications with authentication/authorisation, are there certain best-practices within CSP or ZEN development that should be followed in order to avoid malicious injection of code by a hacker ?

Thanks - 

Steve

Discussion (2)1
Log in or sign up to continue

Steve,

I would recommend to distant webservers from ECP Application servers. In your case I would install webserver exactly on the server where ECP Application Server have already installed, so in this case your connect via superport will be secured, and in this case only web port should be opened in the firewall. Outside of this servers after firewall you need to use some load balancer, in this case I would recommend to use HAProxy. Connection between extarnal HAProxy and  internal webservers could be secured with ssl, but I'm not sure that is really needed.

And in this case it is possible to store all static content such as JS, CSS and images on server where load balancer placed, to avoid redundant request to the data servers. It is not a big problem for the production systems.

So finally in simple view it my looks like below.

Hi Steve,

There are multiple ways to accomplish this and really depends on the security policies of a given organization.  You can do as you have outlined in the original post, you can do as Dmitry has suggested, or you can even take it a step further and provide an external facing DMZ (eDMZ) and an internal DMZ (iDMZ).  The eDMZ contains only the load balancer with firewall rules only allowing HTTPS access to load balance to only the web servers in the iDMZ, and then the iDMZ has firewall rules to only allow TLS connections to the super server ports on the APP servers behind all firewalls.

Here is a sample diagram describing the eDMZ/iDMZ/Internal network layout.

So, as you can see there are many ways this can be done, and the manner in which to provide network security is up to the organization.  It's good to point out that InterSystems technologies can support many different methodologies of network security from the most simple to very complex designs depending on what the application and organization would require.

Kind Regards,

Mark B