Re: 2 Tier vs 3 Tier



In today's world you can implement 2-3 filtered tiers using a single firewall, as many of them support much more than two network interfaces and they support traffic filtering on each interface. So you can allow only web (HTTP/HTTPS) traffic into the web tier, then only allow the web tier to run application-specific traffic into the app tier, and then only allow the app tier to run DB-specific traffic into the DB tier. When I use the term 'single firewall' I kinda mean a fault-tolerant, load-balanced pair, at minimum. Hacks and everything else aside, if you only have one hardware firewall and it has some hardware problem then your tiers of servers will basically be out of commission while you scramble to get new hardware and a new firewall built.

I can't really speak to any security benefits of a 2-tier architecture over a 3-tier architecture, and could only make that 2-tier argument over a completely flat architecture where everything runs on the same box or the same network segment.
Well, I can offer you one weak argument. You can always make the case that it will be easier to keep a single box patched and hardened than multiple boxes in split tiers, which will also save your organization money on hardware and sys-admin maintenance costs.

I did a pen-test on a vendor one time where they ran the app and DB tiers on a single system behind a firewall (it wasn't HTTP-based). They thought their implementation was secure and that no one could break out of the app and into the DB. They were very, very wrong. Of course you can have an insecure multi-tier architecture that allows the same level of exploitation across multiple hosts, but there are a lot of benefits to keeping the tiers physically and logically separate. I'm just saying.

As for compensating controls do some basic traffic filtering at your Internet-facing router. You can drop/blackhole a lot of junk traffic there. Harden each tier, both from an OS and application viewpoint. Keep everything patched (network devices, operating systems, applications, etc.). Scan your servers for security compliance, and scan your web apps for code vulnerabilities. Implement both HIDS and N-IPS, if you can. Network-based IPS can knock down a lot of attacks that make it past your screening router.

You mentioned host-based firewalls, and I'd advise to stay away from them unless you're talking about running firewall software on dedicated hardware. Running your firewall on the same box(es) as your web app isn't advisable. Suppose you have a vulnerability in your web app and someone sends it a string command (a la xp_cmdshell for example) that shuts off the firewall? Then you're running wide open. WAFs are in style now, and they have some benefit. But you can accomplish the same thing with a standard firewall and IPS device, if using a decent IPS product.

Sorry there's not much detail above. I'm pressed for time so that's just some brief thoughts to consider. What I forgot to ask or mention up front that your security control requirements should be somewhat based on the value of information, time, reputation, etc. that might be lost if your system(s) is compromised. I know nothing about your specific goal, and you could be talking about running your own personal system to get you remote access to some generally value-less data of your own (your personal calendar, web bookmarks, etc.). But since you said "we are building" I assume you are asking as a representative of your employer, and that there might be more at stake.

Peace,
Vic

----- Original Message -----
From: "Thugzclub Thugzclub" <thugzclub@xxxxxxxxxxxxxx>
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Tuesday, January 3, 2012 10:50:31 AM
Subject: 2 Tier vs 3 Tier

All,

We are building a system and despite the security benefits of a 3 tier
architecture, I feel that a 2 Tier architecture will suffice.
1 - Any argument for the security benefits of the 2 Tier architecture
2 - Any compensating controls that I can deploy to protect my web
server/application server? I am looking at HIDS and Host based
firewalls as a starter....

thanks

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



Relevant Pages

  • Re: Another option for keeping application tiers independent
    ... Detailed information on levelization of an architecture, the mastering of the physical rather than the logical structure of the application can be obtained easily in a .Net context using nDepend. ... The Unavoidable Dependency between the User Interface and the Data ... The most well-known approach to tier separation is known as the three ... domain can be given an instance of a data object. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Security architecture for (non) Windows domain users
    ... this architecture ... We will build multi tier applications and want to be able to authorise the end user on all tiers. ... Ideally we would also include the roles that this user has in the ticket. ...
    (microsoft.public.dotnet.security)
  • Re: considering i386 as a tier 1 architecture
    ... EA> and replace it with the ARM architecture as Tier 1. ... not every Intel Atom platform is 64bit capable (it depends on CPU, ...
    (freebsd-hackers)
  • Re: considering i386 as a tier 1 architecture
    ... I am writing this email to discuss the i386 architecture in FreeBSD. ... and replace it with the ARM architecture as Tier 1. ...
    (freebsd-hackers)
  • Re: considering i386 as a tier 1 architecture
    ... EA> and replace it with the ARM architecture as Tier 1. ... not every Intel Atom platform is 64bit capable (it depends on CPU, ...
    (freebsd-arch)