Secure access to project budget information for OAR Principal Investigators
Eugene F Burger, Sylvia Scott, Tracey Nakamura, John L Forbes
PMEL Seattle
NOAATech 2006, Silver Spring, MD
This presentation
• Enable secure web access to budget information for:
  – Scientists
  – PIs
  – Non-administrative folks
• Data are sensitive and covered by the Privacy Act.
• Will describe how we developed this application to allow secure access to these sensitive data.
FDMS
• FDMS is the OAR financial system
  – Used by all the OAR labs
  – Maintained on FDMS servers located at PMEL
• Two separate database instances for data storage
• Hosted on:
  – a single database server
  – a production (Citrix) server
• OAR budget users access the FDMS application through a Citrix Secure Gateway interface.
What is PI Reports?
• Web-based application that allows OAR scientists to access detailed budget information on their projects
• User data access is restricted to one of:
  – project code
  – lab division
  – project leader level
  – data type
• User management delegated to each lab
• The only interface between PI Reports and the FDMS application is the data warehouse.
Design guidelines
• Web-based application
• Apache web server on a Linux platform
• Reports contain data from the FDMS data warehouse
• Had to isolate DB server authentication information from the web server
• Completely isolate the DB server from the web server, to protect the DB even if the web server is compromised
Implementation challenge
• FDMS servers hosted on a single subnet
• Web presence a new component for the FDMS project
  – Bad idea to have a web server on the same subnet as data servers
  – Web servers are usually well exposed
• Required a rethink of the FDMS subnet topology.
Implementation challenge (cont.)
• Even if the web server is hosted in a DMZ
  – A two-tier application implies you must have DB authentication information on the web server
  – Compromise the web server and you have access to the database.
• Potential platform incompatibilities
  – Data assets on a Windows platform
  – Required to use a Linux/Apache web platform
• Some type of messaging/middleware required
Implementation
• Different aspects to consider:
  – Secure the FDMS network
  – Isolate high-risk components from high-value components
  – Ensure proper user authentication
  – Application-level security
  – Database security
  – Data transport encryption
Implementation: Network
• NetScreen firewall
• Three separate subnets
  – Public: web server
  – Application: application server
  – Secure: database server
• Deny-all policy
  – incoming and outgoing
  – with only select ports between network zones open to selected IP addresses
FDMS subnet - before
[Diagram: a single FDMS subnet holding the database server, the application server and the certificate server; FDMS users reach it over a Citrix connection.]
• Application access controlled by
  – IP address
  – user authentication
FDMS subnet - after
[Diagram: three firewall zones. Web zone (ports 80 & 443), Application zone (port c), Secure zone (port d). Components: web server, XML Web Services application server, DB server, Citrix CSG server, FDMS application server.]
• Application access via the CSG server
• No direct access to the “Secure” zone
Implementation: Isolate high-value components from high-risk components
• Separate functions, separate servers
  – Web server - tier 1
  – Add an XML web services middle tier (tier 2)
    • Web services allow interoperability between Linux/Apache/PHP and Windows.
    • Web services hosted on a dedicated server
      – Windows Server 2003
      – Web services implemented in C# .NET
      – Allows efficient DB connectivity (ADO.NET)
  – Database server - tier 3
Implementation: User authentication
• Authentication is done against user information in the database
  – Username, password and lab
• By default users have no data access
Implementation: Application level security
• Web server
  – Linux/Apache/PHP
  – PHP NuSOAP library for SOAP messaging
• Secure web server coding practices
  – Input verification
  – SQL injection not possible: the web tier issues no SQL, only SOAP calls to the application server
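The "no inline SQL" argument above holds only as long as the stored procedures the middle tier calls do not themselves assemble SQL text from their parameters. The following T-SQL is an added illustration written for this page, not PI Reports or FDMS code; the table dbo.ProjectBudget, its columns and the procedure names are hypothetical. It places a stored procedure that is injectable through dynamic SQL beside two that are not:

```sql
-- Added illustration (T-SQL). Not PI Reports/FDMS code; dbo.ProjectBudget, its
-- columns (ProjectCode, Division, ProjectLeader, FiscalYear, Amount) and the
-- procedure names are hypothetical.

-- VULNERABLE: the procedure splices its parameter into SQL text and executes it.
-- @ProjectCode = N''' OR 1=1 --' yields
--   ... WHERE ProjectCode = '' OR 1=1 --'
-- and returns every project's budget, despite "stored procedures only".
CREATE PROCEDURE dbo.usp_ProjectBudget_Unsafe
    @ProjectCode nvarchar(20)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProjectCode, FiscalYear, Amount FROM dbo.ProjectBudget '
             + N'WHERE ProjectCode = ''' + @ProjectCode + N'''';
    EXEC (@sql);    -- attacker-controlled text is parsed as SQL
END;
GO

-- SAFE: a static statement. @ProjectCode is bound as a value and can never
-- change the shape of the query, whatever characters it contains.
CREATE PROCEDURE dbo.usp_ProjectBudget_Get
    @ProjectCode nvarchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProjectCode, FiscalYear, Amount
    FROM dbo.ProjectBudget
    WHERE ProjectCode = @ProjectCode;
END;
GO

-- SAFE when dynamic SQL is unavoidable (here the filter column varies, which a
-- plain parameter cannot express): the identifier is checked against a fixed
-- list and quoted, and the value still travels as a parameter via sp_executesql.
CREATE PROCEDURE dbo.usp_ProjectBudget_FilterBy
    @Column sysname,
    @Value  nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Column NOT IN (N'ProjectCode', N'Division', N'ProjectLeader')
    BEGIN
        RAISERROR(N'Filter column not allowed', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProjectCode, FiscalYear, Amount FROM dbo.ProjectBudget '
             + N'WHERE ' + QUOTENAME(@Column) + N' = @v';
    EXEC sp_executesql @sql, N'@v nvarchar(50)', @v = @Value;
END;
GO

-- Exercising the three with constructed input:
-- EXEC dbo.usp_ProjectBudget_Unsafe   @ProjectCode = N''' OR 1=1 --';  -- every row leaks
-- EXEC dbo.usp_ProjectBudget_Get      @ProjectCode = N''' OR 1=1 --';  -- zero rows
-- EXEC dbo.usp_ProjectBudget_FilterBy @Column = N'Division', @Value = N'Division1';
```

The point for a review of a stored-procedure-only design is to grep the procedure bodies for EXEC of a concatenated string; a role that can only execute procedures is still exposed if one of those procedures behaves like usp_ProjectBudget_Unsafe.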
Implementation: Application level security
• XML Web Services application server
  – Session token is a parameter in all web methods
  – Verify legitimacy of the web service method invoker
    • Valid requestor
    • Session still valid
    • Get user identifier
  – No inline SQL for DB interactions.
  – All application server to web server messaging uses SOAP messages
Implementation: Database
• All business rules are embedded in the database
• Minimum-permission database users
• DB user access defined in DB roles
  – Each role only has execute permission on selected stored procedures
    • Authentication
    • User administration
    • Data querying
• DB user access
  – Stored procedures only
  – No direct access to data tables
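The user authentication, session-token and database-role design described on the preceding slides can be shown end to end in T-SQL. What follows is an added example written for this page, not the PI Reports schema; every table, procedure and role name is hypothetical, and it assumes SQL Server 2012 or later for HASHBYTES('SHA2_256') and SYSUTCDATETIME():

```sql
-- Added example (T-SQL, SQL Server 2012+). Not the PI Reports schema: every
-- table, procedure and role name here is hypothetical. Pattern from the slides:
-- application roles hold EXECUTE on selected procedures and nothing else, every
-- data method takes a session token, and a user has no data access until granted.

CREATE TABLE dbo.AppUser (
    UserId   int IDENTITY PRIMARY KEY,
    UserName nvarchar(64) NOT NULL UNIQUE,
    Lab      nvarchar(16) NOT NULL,
    PwSalt   binary(16)   NOT NULL,
    PwHash   binary(32)   NOT NULL      -- SHA-256 over PwSalt + UTF-16 password
);
CREATE TABLE dbo.AppSession (
    Token     uniqueidentifier PRIMARY KEY,
    UserId    int NOT NULL REFERENCES dbo.AppUser(UserId),
    ExpiresAt datetime2 NOT NULL
);
CREATE TABLE dbo.UserProjectGrant (     -- empty for a new user: no data access
    UserId      int NOT NULL REFERENCES dbo.AppUser(UserId),
    ProjectCode nvarchar(20) NOT NULL,
    PRIMARY KEY (UserId, ProjectCode)
);
CREATE TABLE dbo.ProjectBudget (
    ProjectCode nvarchar(20) NOT NULL,
    FiscalYear  smallint NOT NULL,
    Amount      money NOT NULL
);
GO

-- Authentication against username, password and lab; issues a 60-minute token.
-- (Salted SHA-256 keeps the example short; a slow password hash is preferable.)
CREATE PROCEDURE dbo.usp_Authenticate
    @UserName nvarchar(64), @Password nvarchar(128), @Lab nvarchar(16),
    @Token uniqueidentifier OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Token = NULL;
    DECLARE @UserId int;
    SELECT @UserId = UserId
    FROM dbo.AppUser
    WHERE UserName = @UserName AND Lab = @Lab
      AND PwHash = HASHBYTES('SHA2_256', PwSalt + CAST(@Password AS varbinary(256)));
    IF @UserId IS NULL RETURN;          -- no hint which of user, lab or password failed
    SET @Token = NEWID();
    INSERT dbo.AppSession (Token, UserId, ExpiresAt)
    VALUES (@Token, @UserId, DATEADD(minute, 60, SYSUTCDATETIME()));
END;
GO

-- Called by every data method: maps a token to a user, NULL if unknown or expired.
CREATE PROCEDURE dbo.usp_ResolveSession
    @Token uniqueidentifier, @UserId int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @UserId = NULL;
    SELECT @UserId = UserId
    FROM dbo.AppSession
    WHERE Token = @Token AND ExpiresAt > SYSUTCDATETIME();
END;
GO

-- Data query: the business rule (only granted projects) lives here, not in the
-- web or application tier, and cannot be bypassed by reading the table.
CREATE PROCEDURE dbo.usp_GetProjectBudget
    @Token uniqueidentifier, @ProjectCode nvarchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @UserId int;
    EXEC dbo.usp_ResolveSession @Token, @UserId OUTPUT;
    IF @UserId IS NULL
    BEGIN
        RAISERROR(N'Invalid or expired session', 16, 1);
        RETURN;
    END;
    SELECT b.ProjectCode, b.FiscalYear, b.Amount
    FROM dbo.ProjectBudget AS b
    JOIN dbo.UserProjectGrant AS g
      ON g.ProjectCode = b.ProjectCode AND g.UserId = @UserId
    WHERE b.ProjectCode = @ProjectCode;
END;
GO

-- User administration (delegated to each lab): the only way a grant appears.
CREATE PROCEDURE dbo.usp_GrantProject
    @UserName nvarchar(64), @ProjectCode nvarchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT dbo.UserProjectGrant (UserId, ProjectCode)
    SELECT UserId, @ProjectCode FROM dbo.AppUser WHERE UserName = @UserName;
END;
GO

-- One role per function, EXECUTE on its procedures only. The middle tier's
-- logins are members of these roles and get no table permissions, so
-- SELECT * FROM dbo.ProjectBudget from such a login fails with a permission
-- error, while the procedures still reach the tables through ownership
-- chaining (all objects here are owned by dbo).
CREATE ROLE pi_reports_auth;
GRANT EXECUTE ON dbo.usp_Authenticate     TO pi_reports_auth;
CREATE ROLE pi_reports_admin;
GRANT EXECUTE ON dbo.usp_GrantProject     TO pi_reports_admin;
CREATE ROLE pi_reports_query;
GRANT EXECUTE ON dbo.usp_GetProjectBudget TO pi_reports_query;
GO
```

In the three-tier layout on these slides the logins that belong to these roles are held only on the application server, so a compromised web server yields neither a database credential nor a route to port 1203, and a compromised application server yields a credential that can do no more than the procedures allow.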
Implementation: Encrypted transport
• Web client to web server
  – SSL
• Web server to application server
  – SSL
Implementation: Server & messaging platform
• Web
  – Red Hat Linux
  – Apache
  – PHP
• Middleware
  – Windows Server 2003
• Database server platform
  – Windows Server 2003
Implementation: Software
• Middleware messaging
  – XML Web Services
  – Written in C# .NET
• Web
  – NuSOAP PHP SOAP library
• Database servers
  – SQL Server
  – Stored procedures for business rules (Transact-SQL)
Schematic
[Diagram: request path across the three zones. Web zone, ports 80 & 443: user -> web server (HTTPS request). Application zone, port 1423: web server -> application server (XML web service request). Secure zone, port 1203: application server -> DB server (ADO.NET DB request). Responses return along the same path: ADO.NET DB response, XML web service response, HTTPS response.]
Our experience
• Disadvantages
  – More network infrastructure
  – More server infrastructure
  – More software infrastructure
  – Performance compromise due to overhead
    • but it’s fast anyway because CPUs are faster
  – PHP web services support not mature
Our experience
• Advantages
  – Hides high-value DB assets
    • Isolated network environment
  – Effort to compromise significantly increased
    • Two LAN zones and two firewall zones to breach
  – Function separation
    • Presentation
    • Site functionality
    • Business rules
  – Development benefit
  – Maintenance benefit