I have a front end web server running over HTTPS - this is public facing - i.e. port is open.
I also have a backend API server that my webserver makes API requests to - this is public facing and requires authentication - port is open.
These 2 servers run over HTTPS.
Behind the API server, there are lots of other servers. The API server reverse proxies to these servers. Ports for these other servers are not open to incoming traffic. They can only be talked to via the API server.
My Question ... Do the "lots of other servers" need to run over HTTPS or, given that they cannot be accessed externally, can they run over HTTP safely instead?
I thought this would be a common question but I could not find an answer to it. Thanks. If this is a dupe please point me to the right answer.
TL;DR you should encrypt the traffic unless it's on the same host.
You can't trust your network. Malwares in your own network can intercept/modify http requests.
It's not theoretical attacks, but real life example:
Routers (probably hacked) inside the network of some websites injecting ads: https://www.blackhat.com/docs/us-16/materials/us-16-Nakibly-TCP-Injection-Attacks-in-the-Wild-A-Large-Scale-Study-wp.pdf
Indian network sniffing between cloudfare and back-end: https://medium.com/#karthikb351/airtel-is-sniffing-and-censoring-cloudflares-traffic-in-india-and-they-don-t-even-know-it-90935f7f6d98#.hymc3785e
The now famous "SSl Added and removed here :-)" from the NSA
The question is how much do you trust the connection between the public IP and the backend server?
If it is not your data center, at least any privileged employee of the ISP could see/change the data. I guess that's not something your customers would like to hear.
If it is your data center, meaning you are a kind of ISP still everybody who has physical access to the data center can potentially sniff the clear text traffic. Or in general, anybody who has access to the wire can see the traffic, it is much harder to implement a strict access control in your company.
Related
I was asked today if a website running on a secured LAN, really needs https protection? I could not give a satisfactory answer more than that the traffic can be intercepted and read on http but not on https. Something similar has been also answered here.
My question is could my response have been better? Are there more reasons to securing website running on LAN?
Regards,
HTTPS Protocol will only protect MITM (Man In The Middle) sort of attacks.
The meaning is that the hacker need a way to communicate with the server.
In public websites HTTPS is important because ANYONE can talk with the server but if the website is running on a secured LAN the hacker will first need to hack his way to the LAN network in order to eavesdropping to the traffic of the website.
So - HTTPS on LAN running website is another layer of defense in case the hacker find his way into the LAN network, but for my opinion it's total waste of resources and time.
If the hacker found his way inside the network he can do a lot of things that HTTPS will be his last concern.
This has taken me about a year to understand and get to, but I am the limit of my capability so reaching out to a StackOverflow guru please...
I would like to, if possible, secure my network model. The model is as shown in the diagram. To explain:-
All the aspects I have control of, is within the green shaded area. I cannot change anything outside this.
I run a simple application web server which is the VPN IPsec/L2tpd client. Static IP.
My router is ISP provided. It receives a DHCP Dynamic IP from the ISP.
My Digital Ocean Virtual Private Server has a static IP. It runs an NGINX reverse proxy that channels traffic through the VPN tunnel. It also runs the IPsec/L2tpd server.
A IPsec/L2TPD VPN tunnel is established and working.
A working VPN tunnel.
A cellphone that runs an app that communicates with my application server app. My cellphone receives a dynamic IP from my Network Operator.
I have three IP camera feeds served by my application server. Not a great speed but watchable in real-time.
I cannot change my ISP, or bandwidth/download/upload speed.
I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.
Everything is now working, can't believe I've done it !
Anyway, my question is:-
Is there any way to secure the network so that only traffic from my mobile reaches - or rather is accepted - by my application server.
I accept IPsec/L2tpd is not great, but it is fast and I use this because I have tried OpenVPN, SoftEther and key based OpenSwan. These are waaaay to slow. The camera feeds are unwatchable and update one frame about every 5 seconds.
So with the limitations above, what can I do, what is possible? Please may I respectfully ask that you refrain from suggestions and concerns requiring a change to that which I cannot control, i accept all critique but that is not what I need here. I am asking for advice on how to secure , that which I can influence. Thank you
I cannot install VPN clients on the cellphone and I may want to access
my app server through another cellphone provided by work so cannot
install apps on it but does have unfettered web access through a
browser.
Due to the limitation that at the end, even a phone where you are not allowed to change anything but use the web, i suggest to configure proxy authentication on the nginx reverse proxy. I don't have experience with setting this up with nginx in particular but that's what should do the trick according to the network architecture and description you provided.
An example configuration on how to configure nginx for basic / client certificate auth can be found at: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx/
so I have 0% experience with web programming, and the project I am working on doesn't have anything to do with it, but I hit a small roadblock and need to solve a small port problem.
So we want to build a cluster of GPU machines on Azure for some Deep Learning calculations, and want to install some applications on them and let our scientists use the app' GUIs to launch and monitor their jobs. The problem is that an app A for example runs on port 5050, but our firewall doesn't let us communicate to unusual ports. The problem is easy to fix from the Azure side, but our IT team won't let us modify our security policies.
That's why I need to find a hacky and fast solution to overcome this, I don't want to spend my whole internship doing something complicated for it, just something that does the job.
What I thought about was to have some kind of server running on the machines (let's say Machine A has public IP address ipbA and private IP ipvA) that when we type "http://ipba/app1" on our browser, the server on A will fetch the page "http://ipva:5050" (or "----://ipba/app2" -> "----://ipva:5051") and display it, but does this work if the page needs to be interactive because we would like to launch jobs?
I have no clue how to do this, if you could please just tell me what I should look into, google and read about, or if there is an easier way to handle it, (maybe some VPN stuff, which I don't prefer since we're moving towards a hybrid cloud architecture and I don't think we would want to VPN into all the different cloud platforms) that would be awesome :)
Two common solutions for your problem:
Set-up a reverse proxy on a standard port (such as 80 or 443 if you want some SSL certificates headaches).
All your domain names will point to the reverse proxy (single IP) but the reverse proxy will forward the traffic transparently to the real servers on their special ports.
https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
For the technical details, in short: you keep in file(s) the configuration for each domain or subdomain and where they should be forwarded.
Chain of events:
User types http://interface-1.company.com
Browser resolves interface-1.company.com (DNS: IP Reverse Proxy)
Browser connects on reverse proxy (port 80)
Reverse proxy reads configuration which says where to forward
Proxy forwards request to realserver.company.com:5050
Realserver relays response to reverse proxy
reverse proxy relays response to browser
I think that is what you are trying to achieve.
Set-up a VPN service which will be connectible through the proxy of your company and provide VPN clients to the end-users. OpenVPN clients can use an HTTPS proxy connection (your company proxy) to establish connexion to a remote VPN.
Once connected on the VPN, everyone uses the VPN's IP address + firewall policy, and are therefore no more restricted by the company's firewalling policy. Any kind of traffic can also be forwarded. This is harder to set up and your security team might not accept it. However, it's a fully functional solution and it can also offer additional security features if implemented properly.
I do not recommend going this way for all the paperwork that would involve.
I'm writing a network application for enterprises wherein I intend to run an HTTP server on almost all hosts within a LAN. Some people have told me that this is a huge security hole because HTTP is often allowed through corporate firewalls and therefore by running an HTTP server on every node I'll potentially expose all of them to the outside. Is this a genuine risk?
As per my understanding the firewall exception for HTTP is generally based on the port number 80, not based on the inspection of packet contents. Therefore, if I run my HTTP server on a port other than 80 then the firewall will not allow access to it and hence I should be fine. Is this understanding correct?
I know there are application firewalls, but I'm not quite able to fathom how they operate within a typical corporate network or how common they are in the enterprise world. Any information on this will be helpful.
Update
The application referred to above is a P2P content sharing application whose operation is entirely confined within a subnet. I wish to use HTTP for the transfer for content from one node to another. The reason for choosing HTTP is that it is simple to implement and provides many application level features such as PUTs and DELETEs out of the box. My concern here is if choosing HTTP automatically puts all nodes at a security risk because typically corporate firewalls (by which I mean NATs) typically allow inbound HTTP traffic from outside the network.
If your only concern is attackers being able to directly connect to your HTTP server from outside of the corporate network, then this is unlikely due to NAT, as roelofs commented.
But is this truly your only concern? You have not specified what your application does, but is it acceptable to you (and to your users) that people inside the corporate network will be able to sniff your application's traffic? Is it acceptable that attackers who penetrate the network (and this happens all the time) can intercept, replay, and tamper with the traffic?
Why would you not use HTTPS?
Do not assume that you're secure just because you're behind a firewall.
If Web browsers inside the firewall can access both internal and external sites, an external site can probe the internal sites and convince the browsers to send requests to them.
This is an extremely common problem; the simplest example is the attacks against home DSL router administrative interfaces.
I have a windows server 2012 VPS running a web app behind Cloudflare. The app needs to initiate outbound connections based on user actions (eg upload image from URL). The problem is that this 'leaks' my server's IP address and increases risk of DDOS attacks.
So I would like to prevent my server's IP from being discovered by setting up a forward proxy. So far my research has shown that this is no simple task, and would involve setting up another VPS to act as a proxy.
Does this extra forward proxy VPS have to be running windows ? Are their any paid services that could act as a forward proxy for my server (like cloudflare's reverse proxy system)?
Also, it seems that the suggested IIS forward proxy plugin, Application Request Routing, does not work for HTTPS.
Is there a solution for both types of outgoing (HTTPS + HTTP) requests?
I'm really lost here, so any help or suggestions would be appreciated.
You are correct in needing a "Forward Proxy". A good analogy for this is the proxy settings your browser has for outbound requests. In your case, the web application behaves like a desktop browser and can be configured to make the resource request through a proxy.
Often you can control this for individual requests at the application layer. An example of doing so with C#: C# Connecting Through Proxy
As far as the actual proxy server: No, it does not need to run Windows or IIS. Yes, you can use a proxy service. The vast majority of proxy services are targeted towards consumers and are used for personal privacy or to get around network restrictions. As such, I have no direct recommendations.
Cloudflare actually has recommendations regarding this: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/.
Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server.
This may be a more comfortable risk mitigator, as it wouldn't depend on a third party proxy service. A request for upload could be handled as a web service call to a dedicated "file downloader" server. Keep in mind that if you have a queued process for another server to do the work, and that server is hosted in the same infrastructure, both might be impacted by a DDoS, depending on the type of DDoS.
Your question implies that you may be comfortable using a non-windows server. Many softwares exist that can operate as a proxy(most web servers), but suffer from the same problem as ARR - lack of support for the HTTP "CONNECT" verb, which is used by modern browsers to start an HTTPS connection before issuing a "GET". SQUID is very popular, open source, and supports everything to connect to.. anything. It's not trivial to set up. Apache also has support for this in "mod_proxy_connect", but I have no experience in that and the online documentation isn't very robust. It's Apache, though, so it may be worth the extra investigation.