Post on 22-Dec-2015
transcript
Agenda
Sample Enterprise Architecture
Example of how University Apps uses Defense in Depth to manage connections to the database from the application servers.
Enterprise Architecture
(Diagram: Firewall, Web Server, Application Servers, Firewall, Database Server. Each layer carries its own set of countermeasures.)
SECURING THE APPLICATION: Input Validation, Authentication, Authorization, Configuration Management, Sensitive Data, Session Management, Cryptography, Parameter Manipulation, Exception Management, Auditing and Logging
SECURING THE NETWORK: Router, Firewall, Switch
SECURING THE HOST: Patches and Updates, Services, Protocols, Accounts, Files and Directories, Shares, Ports, Registry, Auditing and Logging
SOURCE: MICROSOFT
Managing Connections
Security - Defense in Depth
SOURCE: MICROSOFT
Problem: Where to hide the database connection string used by the application to connect to the database?
Connection Manager
Solution: Use a middle tier component to run a stored procedure in a secured “locked down” database to obtain the connection string for the application.
How it works
(Flow diagram, numbered steps between the Web Application Servers, the Middle Tier Component, the Secured Database Server and the Production Database Server)
1. Incoming Web Request arrives at the Web Application Servers.
2. Application Call to Component: the application calls the Middle Tier Component.
3. Stored Procedure Call: the component runs the stored procedure on the Secured Database Server.
4. Connection String Returned to Calling Application.
5. Connection made to database: the application connects to the Production Database Server.
Benefits
Connection string is stored in the secured database and not in clear text on the web server.
Database table containing connection strings is locked down: no Select/Insert/Update/Delete permissions.
Only the stored procedure is allowed to run, via the middle tier component with its own user id and password.
Developers need only know the application name.
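The following T-SQL is an added illustration of the "How it works" flow and the "Benefits" lockdown above; it is not code from the deck or from University Apps. The database name ConnMgr, the table dbo.AppConnectionStrings, the procedure dbo.GetConnectionString, the login connmgr_svc, the application name 'UniversityApps' and the sample connection string are all assumptions chosen for the example.

```sql
-- Added example (not from the original deck). All object names, the login and
-- the sample row are assumptions for illustration only.

-- 1. The secured "locked down" database holds nothing but connection strings.
CREATE DATABASE ConnMgr;
GO
USE ConnMgr;
GO

CREATE TABLE dbo.AppConnectionStrings (
    ApplicationName  sysname        NOT NULL PRIMARY KEY,
    ConnectionString nvarchar(1024) NOT NULL
);
GO

-- Constructed sample row for the demo. In practice a DBA loads the real value
-- out of band; it never appears in application source or on the web server.
INSERT INTO dbo.AppConnectionStrings (ApplicationName, ConnectionString)
VALUES (N'UniversityApps',
        N'Server=prod-db01;Database=UniversityApps;User Id=univapp;Password=example-only;');
GO

-- 2. The single supported way to read a connection string: a stored procedure
--    keyed by application name, which is all a developer needs to know.
CREATE PROCEDURE dbo.GetConnectionString
    @ApplicationName sysname
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ConnectionString
    FROM   dbo.AppConnectionStrings
    WHERE  ApplicationName = @ApplicationName;
END;
GO

-- 3. A dedicated principal for the middle tier component (its "own user id and
--    password"). The password itself lives in the component host's protected
--    configuration, not in this script.
CREATE LOGIN connmgr_svc WITH PASSWORD = N'ReplaceWithAStrongPassword!1';
CREATE USER  connmgr_svc FOR LOGIN connmgr_svc;
GO

-- 4. Lock the table down: no Select/Insert/Update/Delete for the component,
--    and EXECUTE on the procedure only. Because dbo owns both the procedure
--    and the table, SQL Server ownership chaining lets the procedure read the
--    table without the caller holding any permission on the table itself.
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.AppConnectionStrings TO connmgr_svc;
GRANT EXECUTE ON dbo.GetConnectionString TO connmgr_svc;
GO

-- 5. Verify the lockdown by impersonating the component's database user.
EXECUTE AS USER = N'connmgr_svc';

-- Allowed: this is the call the middle tier component makes (step 3 above).
EXEC dbo.GetConnectionString @ApplicationName = N'UniversityApps';

-- Denied: a direct read of the table fails with "The SELECT permission was denied".
BEGIN TRY
    SELECT * FROM dbo.AppConnectionStrings;
END TRY
BEGIN CATCH
    PRINT 'Direct table access blocked: ' + ERROR_MESSAGE();
END CATCH;

REVERT;
GO
```

Two points a practitioner should keep in view when deploying this pattern: the design moves the secret off the web server rather than eliminating it, so the component's own login becomes the credential to protect, and the connection string still crosses the link between the secured database server and the component, which should therefore be an encrypted connection.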