Nothing gets through unless it's scanned by the security controls. Security is one of the major aspects of technology in the financial sector. Just imagine using mobile-based banking apps in today's world without security; it could be cataclysmic. There are bad people in this world who make a living only by hacking and stealing from or compromising weak IT applications, so for any application, new or old, that you build or already have running, there are certain security guidelines which need to be followed.
Security is a vast domain which has many aspects and has to be covered from many angles. For example, just by deploying an anti-virus on a server you won't achieve 100 percent security; to secure a single server which is serving requests from the internet you need a lot of other security arrangements, such as:
· DMZ firewall
· Web Application Firewall
· Reverse Proxy
· IPS
· Core firewall
· Patching
· SIEM
· Vulnerability scanners
It's pretty clear that security is a vast domain, and if you want to secure your organization's IT assets then you have to cover it from all the different vectors.
So, let’s dive into some of these important components and understand how they are architected in an organization and how they work.
There is already a separate section on firewalls, which are an integral component for understanding the other components in the network, so I won't be writing much about them in this section.
Let's start with WAF (Web Application Firewall)
Please note: the security domain is vast and cannot be entirely covered in this section. I have just picked the major security components and explained them; to cover the domain entirely I plan to write another section on this blog.
As the name suggests, this is a typical kind of firewall (security device) which inspects the traffic coming from the internet and hitting our web-based applications, i.e., any HTTP/HTTPS-based application which you have hosted on the internet should be protected by a "Web Application Firewall". The traditional firewalls which we discussed earlier have certain limitations when checking the content of the packets passing through them. They are called stateful firewalls: they only check the source IP address, destination IP address and destination port number of a packet and then allow it; they are not interested in the payload (the actual data content of the packet). When data is transmitted it is broken into packets and transferred over the network, and a normal firewall would only read these packets one by one; it would not try to reassemble them back into the actual data and verify that the data is not some kind of script or malicious code. Just a disclaimer here: nowadays you get "Next Gen Firewalls" which can also inspect the data part.
So, reading the actual data in the packet and deciding whether it should be allowed or not is done by the "Web Application Firewall"; in most cases a WAF is more interested in inspecting the actual data than the IP addresses and port numbers.
This WAF would always sit somewhere at the edge of the incoming internet network, probably below your DMZ firewall, and every HTTPS request (yes, I wrote HTTPS, as all applications hosted on the internet should be HTTPS-based only) would pass through the WAF before hitting the business web servers.
Nowadays you also have WAF functionality available in the cloud, so any traffic originating from end-user systems on the internet would first hit the WAF in the service provider's cloud, get scanned, and based on the policies the connection would be allowed or disallowed.
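To make the stateful-firewall versus WAF distinction concrete, here is an added example (not code from the original post or from any WAF product) contrasting the two decisions on the same constructed HTTP request. The firewall rule only ever sees addresses and ports; the WAF rules run over the decoded request fields. The addresses, the two rule patterns and the sample requests are all constructed for this example, and the decoding step shows why a WAF must normalize percent-encoding before matching.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Stateful-firewall view: constructed allow-list of (destination ip, destination port).
FIREWALL_ALLOW = {("203.0.113.10", 443)}

def firewall_allows(src_ip, dst_ip, dst_port):
    """Decision on addresses and ports only; the payload is never looked at."""
    return (dst_ip, dst_port) in FIREWALL_ALLOW

# WAF view: hypothetical detection rules applied to decoded request fields.
WAF_RULES = [
    ("xss-script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("sqli-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]

def normalize(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so a double-encoded
    payload is matched in its decoded form."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def waf_inspect(method, target, headers, body=""):
    """Return a list of (rule_name, field) matches; an empty list means clean."""
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields += [(f"body:{k}", v) for k, v in parse_qsl(body, keep_blank_values=True)]
    elif body:
        fields.append(("body", body))
    findings = []
    for rule, pattern in WAF_RULES:
        for location, value in fields:
            if pattern.search(normalize(value)):
                findings.append((rule, location))
    return findings

def decide(src_ip, dst_ip, dst_port, method, target, headers, body=""):
    """Firewall first (5-tuple), then WAF (payload), as the two devices are chained."""
    if not firewall_allows(src_ip, dst_ip, dst_port):
        return ("firewall-block", [])
    findings = waf_inspect(method, target, headers, body)
    return ("waf-block", findings) if findings else ("allow", [])

if __name__ == "__main__":
    # Constructed requests: the firewall allows all three (same ip:port); only the WAF tells them apart.
    print(decide("198.51.100.5", "203.0.113.10", 443, "GET", "/rates?type=fixed", {}))
    print(decide("198.51.100.5", "203.0.113.10", 443, "GET",
                 "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", {}))
    print(decide("198.51.100.5", "203.0.113.10", 443, "POST", "/login",
                 {"Content-Type": "application/x-www-form-urlencoded"},
                 "user=alice&pw=%2527+OR+1%253D1"))
```

The third request is double-encoded; `parse_qsl` removes one layer and `normalize` the rest, which is the step a rule engine that matched on raw bytes would miss.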
Intrusion Prevention System (IPS): this is another security device which scans all incoming network traffic and blocks any malicious or non-genuine connections.
Here one might wonder why we would go for an IPS when we already have firewalls and WAFs; why add another overhead to the mix? Well, there is a difference. An IPS has its own way of scanning traffic and identifying malicious connections: it's not a stateful firewall checking source, destination and port numbers, and it's not a WAF either, which only checks for malicious code or scripts in the payload.
Let me give you some gyan about security. We build security because we know there are hackers out on the internet who are continuously trying to intrude into our corporate network to get their hands on corporate data, but the story doesn't end there, as this is not the only intent of hackers, and mind you, this will not be the only method of hacking into the network. What I am trying to say is that it's not necessary that the hacker wants to get access to your web server; it may be that the intent is to bring down the server, in which case the method would be different and the effort less, e.g. a malformed TCP packet, or half-formed SYN packets sent in bulk from multiple systems. These kinds of attacks are hard for a normal firewall to detect, and you need specialized intelligence to track and tackle them, hence we need an IPS device which can sit in-line on your internet pipe at the very entry of the internet network and continuously scan all incoming traffic.
The way a firewall normally works is that it allows traffic based on what's permitted from outside by IP and port number, or return traffic on a session which an internal user has initiated. An IPS works differently: it scans each and every kind of traffic coming from outside and detects malicious content. Some of the methods used by an IPS are:
Signature match: It does deep packet inspection on each packet to find a match with any of the malicious signatures, and if there is a match it blocks the traffic and sends a log to the internal security team.
Anomaly detection: It scans every packet and tries to find a pattern which matches an anomaly; for example, "half-formed TCP sessions" in bulk can be an attack, and based on a threshold value the traffic is blocked.
Protocol anomaly: If packets deviate from the TCP/IP standards of communication, it also prevents the packets from passing and sends alerts to the security team.
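The three methods above, run over a constructed stream of TCP packet records, as an added example that is not part of the original post and not any IPS vendor's engine. The packet records, the two byte signatures (a NOP-run padding signature is a classic IDS example; the second is a made-up marker), the half-open threshold and the time window are all assumptions chosen for illustration.

```python
from collections import defaultdict

# TCP flag bits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Hypothetical byte signatures (constructed for this example).
SIGNATURES = {
    "nop-sled": b"\x90" * 16,
    "demo-malware-marker": b"EXAMPLE-C2-BEACON",
}

HALF_OPEN_THRESHOLD = 3   # half-open sessions allowed per source (assumed)
WINDOW = 10.0             # seconds a half-open entry is remembered (assumed)

class IpsEngine:
    def __init__(self):
        # src ip -> {(dst ip, dst port): timestamp of the SYN not yet followed by an ACK}
        self.half_open = defaultdict(dict)
        self.alerts = []

    def signature_match(self, pkt):
        """Method 1: deep packet inspection of the payload against known byte patterns."""
        return [name for name, sig in SIGNATURES.items() if sig in pkt["payload"]]

    def protocol_anomaly(self, pkt):
        """Method 3: flag combinations that no standards-conforming TCP stack sends."""
        f = pkt["flags"]
        if f & SYN and f & FIN:
            return "syn+fin set together"
        if f & SYN and f & RST:
            return "syn+rst set together"
        if f == 0:
            return "no TCP flags set"
        return None

    def half_open_anomaly(self, pkt):
        """Method 2: count SYNs from one source that never complete the handshake."""
        key = (pkt["dst"], pkt["dport"])
        opens = self.half_open[pkt["src"]]
        f = pkt["flags"]
        if f & SYN and not f & ACK:
            opens[key] = pkt["ts"]          # new half-open session
        elif f & ACK and key in opens:
            del opens[key]                  # client's ACK completes the handshake
        for k in [k for k, t in opens.items() if pkt["ts"] - t > WINDOW]:
            del opens[k]                    # forget stale entries
        return len(opens) if len(opens) > HALF_OPEN_THRESHOLD else None

    def inspect(self, pkt):
        verdicts = [("signature", name) for name in self.signature_match(pkt)]
        anomaly = self.protocol_anomaly(pkt)
        if anomaly:
            verdicts.append(("protocol-anomaly", anomaly))
        count = self.half_open_anomaly(pkt)
        if count:
            verdicts.append(("half-open-threshold", count))
        return verdicts

    def run(self, packets):
        """Inline scan of every packet; returns (src, method, detail) alerts in order."""
        for pkt in packets:
            for kind, detail in self.inspect(pkt):
                self.alerts.append((pkt["src"], kind, detail))
        return self.alerts

def pkt(ts, src, dport, flags, payload=b""):
    return {"ts": ts, "src": src, "dst": "203.0.113.10", "dport": dport,
            "flags": flags, "payload": payload}

# Constructed traffic: one normal client, one malformed packet, one signature hit,
# and one source opening five sessions without ever completing a handshake.
SAMPLE = [
    pkt(0.0, "198.51.100.5", 443, SYN),
    pkt(0.1, "198.51.100.5", 443, ACK),
    pkt(0.2, "198.51.100.5", 443, ACK, b"GET / HTTP/1.1\r\n"),
    pkt(1.0, "192.0.2.9", 443, SYN | FIN),
    pkt(2.0, "192.0.2.20", 8080, ACK, b"\x90" * 32),
] + [pkt(3.0 + i * 0.01, "198.51.100.7", 1000 + i, SYN) for i in range(5)]

if __name__ == "__main__":
    for alert in IpsEngine().run(SAMPLE):
        print(alert)
```

The engine is stateless for methods 1 and 3 and keeps per-source state only for method 2, which is why the half-open check is the one that needs a window and a threshold rather than a fixed pattern.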
Note: By now you must have figured out that in my diagrams I only show the components relevant to the topic and omit the rest. For example, in this diagram I am showing the IPS inline before the web server, but in the previous diagram there was a WAF in the same place, so don't get confused by comparing those two diagrams. In the actual environment the IPS would be placed before the WAF or vice versa; all traffic would pass through the IPS, but only web-server-related traffic would pass through the WAF.
This is an era where information is abundantly available, and the primary source of information is the internet (in fact, this abundance is nothing but information overload, where you have so much information available that you are always confused as to which should be consumed and which avoided). So, internet access is very much required by every organization, not only for the users but for your applications as well. Now, do remember that I am only talking about the internet connections which are initiated from within your organization and going outside, not the ones which are initiated from the internet and hitting our internet-facing web servers.
These outgoing connections can be initiated by users/employees or by servers which require internet access. If we talk about users, they may want to access several types of websites, such as:
• Google, of course
• Other Competitor web sites
• Regulatory websites
• Business Applications on SaaS
• Support based website for technical support
• Many more genuine websites
So far so good: we have genuine users who are going to access only legitimate websites, but we all know that in today's world if you provide open access then users would definitely misuse it by accessing websites which they shouldn't during work hours, such as social networking websites, job portals, porn, etc. Another major risk of leaving internet access open is opening the floodgates for malware and viruses to enter.
So how do we control this? The answer is a web gateway, also called a "forward proxy". A forward proxy is an appliance (physical or virtual, depending upon how you have designed it) which sits in the DMZ, and all your user connections initiated by the browser and going towards the internet have to pass through this web gateway. The web gateway has all the policies and categories configured which allow only genuine websites and block the malicious ones; for example, a competitor website may be allowed but a social networking website may be blocked. All these policies are configured by the web-gateway administrator.
Some light on the architecture: all user laptops/desktops are governed by a global Windows Group Policy which enters your web gateway address into every user's browser settings, so that whenever you type an address in the address bar the browser would not try to connect directly to the website on the internet but would hit the proxy first and then connect. Since this value is hard-coded in the browser, even if the user carries the laptop home it would still not connect to websites directly via the home internet connection but would connect to the organization's proxy, and only then would the website open.
This device gets the name "proxy" because it does a proxy job: all connections going to any outside URL are terminated by the proxy at its level, and a new connection is initiated from the proxy on behalf of the user; once the proxy gets the content it presents it to the end user on the existing session between user and proxy. So even if by any chance a malicious website is surfed, the return connection from the malicious website would be terminated on the proxy and would not be allowed to pass directly to the user machine.
I took examples of user connections above, but there may be scenarios where servers within our datacenter want to connect out to the internet, e.g. accessing a partner API, downloading security patches, security devices downloading their signatures, etc. The architecture would be the same: these servers would point to the web gateway to reach the internet, and the proxy (web gateway) would proxy the connections to the internet. Please note that on a user machine we do this via the browser using Group Policy, which is a standard across the world, but on servers the proxy IP address and port number have to be entered in the specific applications so that all their internet requests are routed to the proxy.
Also note that if a user inside the organization somehow manages to remove the proxy IP address and tries to access the internet directly, he will not be able to, as direct access is blocked on the firewall devices.
One more point to note is that the web gateway instance for user connections and the web gateway instance for server connections would always be separate.
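The policy side of the web gateway described above (category lookup, per-instance allow-list, separate user and server instances), as an added example that is not code from the original post or from any gateway product. The category database, the category names, the two instance policies and the hostnames are all constructed; a real gateway uses a vendor-maintained category feed. The host lookup walks domain labels from most specific to least, which is the check that keeps a look-alike host such as `social.example.attacker.test` from inheriting the category of `social.example`.

```python
from urllib.parse import urlsplit

# Constructed category database: registered domain -> category.
CATEGORY_DB = {
    "search.example": "search",
    "regulator.example": "regulatory",
    "saas-crm.example": "business-saas",
    "competitor.example": "business",
    "social.example": "social-networking",
    "jobs.example": "job-portal",
    "patches.vendor.example": "software-updates",
    "api.partner.example": "partner-api",
}

# Two gateway instances with their own allowed categories (assumed policies).
USER_INSTANCE_POLICY = {
    "name": "user-gateway",
    "allowed": {"search", "regulatory", "business-saas", "business", "software-updates"},
}
SERVER_INSTANCE_POLICY = {
    "name": "server-gateway",
    "allowed": {"software-updates", "partner-api"},
}

def categorize(host):
    """Look up the host, then each parent domain, so www.social.example inherits
    social.example's category. A plain substring test would also match
    notsocial.example or social.example.attacker.test; this walk does not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return "uncategorized"

def evaluate(instance_policy, url):
    """Return (decision, category, host) for one outbound request on one instance."""
    host = urlsplit(url).hostname
    if host is None:
        return ("block", "malformed-url", None)
    category = categorize(host)
    if category == "uncategorized":
        return ("block", category, host)      # default-deny for unknown sites
    if category in instance_policy["allowed"]:
        return ("allow", category, host)
    return ("block", category, host)

def gateway_log(instance_policy, client_ip, url):
    """One log record per decision, the kind of line a SIEM would collect from the gateway."""
    decision, category, host = evaluate(instance_policy, url)
    return f"{instance_policy['name']} client={client_ip} host={host} category={category} action={decision}"

if __name__ == "__main__":
    # Constructed requests from a user desktop and from a patch server.
    for url in ["https://www.search.example/?q=rates", "https://www.social.example/feed",
                "https://social.example.attacker.test/", "https://regulator.example/filings"]:
        print(gateway_log(USER_INSTANCE_POLICY, "10.10.5.23", url))
    for url in ["https://patches.vendor.example/updates", "https://www.social.example/"]:
        print(gateway_log(SERVER_INSTANCE_POLICY, "10.20.0.11", url))
```

Keeping the server instance's allow-list short is the point of having two instances: a server has no business reaching a social networking site even though a user might legitimately be allowed to reach a competitor's.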
We have already looked at the forward proxy and now know how a proxy functions: it does not allow direct connections from a user's laptop to the internet website; instead it terminates the user's connection on itself, initiates a new connection from itself to the internet, downloads the content and displays it on the initial user connection. Basically a proxy job: making connections on behalf of the source (the user laptop/desktop).
The reverse proxy is no different, but as the name suggests the direction is "reverse". Here we are talking about the web servers which we host on the internet for customers to access, e.g. your corporate website or your transaction-based website such as "Internet Banking". While hosting these websites on the internet, the actual "application servers" cannot be hosted on the internet directly; you need a web layer in the DMZ to do the reverse proxy job (terminate the incoming connections on itself, then request the content internally from the application server and return it on the user's session from the internet). If you look at the diagram while reading, you may get a better understanding.
So, to reiterate the architecture, the reverse proxy is actually nothing but a web server; some popular ones are IIS, IHS, OHS, Apache Web Server, Nginx, etc.
These would ideally be placed in HA in the DMZ, sitting between the internet customers and the actual application server, separated by a firewall on both sides.
Do remember that every application hosted on the internet has to have web servers in the DMZ as the landing servers for internet-based connections; you cannot allow direct internet connections to penetrate deep into your application servers in the Application Zone.
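What "terminate the incoming connection and request the content internally" means at the request level, as an added example that is not code from the original post and not the configuration of any of the web servers named above. The route table, the hostnames and the internal addresses are constructed. The function takes the request as received on the DMZ listener and builds the fresh request that goes to the application server: only hosts in the route table are forwarded (so a client cannot name an internal server directly), hop-by-hop headers belonging to the client leg are dropped, and the client-identifying headers are set by the proxy rather than copied from whatever the client sent.

```python
# Constructed route table: public virtual host -> (application server ip, port).
ROUTES = {
    "www.bank.example": ("10.20.0.11", 8080),
    "ib.bank.example": ("10.20.0.21", 8443),
}

ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Hop-by-hop headers apply only to the client<->proxy connection (RFC 7230 section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

# Headers the application trusts to describe the client; the proxy always overwrites them.
PROXY_SET_HEADERS = {"x-forwarded-for", "x-forwarded-proto", "x-real-ip"}

def build_upstream_request(client_ip, method, path, headers):
    """Terminate the internet-facing request and describe the new internal one.

    Returns {"action": "forward", ...} with the upstream address and headers, or
    {"action": "reject", "reason": ...} when nothing may be sent into the App Zone."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in ROUTES:
        # No wildcard forwarding: an unknown Host (e.g. an internal IP) goes nowhere.
        return {"action": "reject", "reason": f"no route for host {host!r}"}
    if method.upper() not in ALLOWED_METHODS:
        return {"action": "reject", "reason": f"method {method!r} not allowed"}

    # Headers named in the client's Connection header are hop-by-hop too.
    connection_tokens = {t.strip().lower()
                         for t in headers.get("Connection", "").split(",") if t.strip()}
    upstream = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in connection_tokens:
            continue                      # belongs to the terminated client leg
        if lname in PROXY_SET_HEADERS or lname == "host":
            continue                      # proxy sets these itself below
        upstream[name] = value

    upstream["Host"] = host               # keep the virtual host for the application
    upstream["X-Forwarded-For"] = client_ip
    upstream["X-Forwarded-Proto"] = "https"   # the DMZ listener is HTTPS-only, as the text requires
    upstream["X-Real-IP"] = client_ip
    upstream["Connection"] = "close"      # fresh connection per request on the internal leg
    return {"action": "forward", "upstream": ROUTES[host], "method": method.upper(),
            "path": path, "headers": upstream}

if __name__ == "__main__":
    # Constructed request from the internet, including a forged X-Forwarded-For
    # and a custom header the client marked as hop-by-hop.
    client_headers = {
        "Host": "ib.bank.example",
        "User-Agent": "demo-browser",
        "Connection": "keep-alive, X-Debug",
        "X-Debug": "1",
        "X-Forwarded-For": "1.2.3.4",
    }
    print(build_upstream_request("198.51.100.23", "GET", "/accounts", client_headers))
    # A client naming the application server directly is rejected at the DMZ.
    print(build_upstream_request("198.51.100.23", "GET", "/", {"Host": "10.20.0.21"}))
```

The second call is the architectural point of the paragraph above: the only way into the Application Zone is through a virtual host the proxy knows about, on a connection the proxy itself opens.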