Secure access to project budget information for OAR Principal Investigators
Eugene F Burger, Sylvia Scott, Tracey Nakamura, John L Forbes
PMEL Seattle
Dec 18, 2015

Transcript
Page 1:

Secure access to project budget information for OAR Principal Investigators

Eugene F Burger, Sylvia Scott, Tracey Nakamura, John L Forbes

PMEL Seattle

Page 2:

NOAATech 2006, Silver Spring, MD

This presentation

• Enable secure web access to budget information for:
– Scientists
– PIs
– Non-administrative folks

• Data are sensitive and covered by the Privacy Act.

• Will describe how we developed this application to allow secure access to these sensitive data.

Page 3:

FDMS

• FDMS is the OAR financial system
– Used by all the OAR labs
– Maintained on FDMS servers located at PMEL

• Two separate database instances for data storage

• Hosted on:
– a single database server
– Production server (Citrix)

• OAR budget users access the FDMS application through a Citrix Secure Gateway interface.

Page 4:

What is PI Reports?

• Web-based application that allows OAR scientists to access detailed budget information on their projects

• User data access restricted down to any one of:
– project code
– lab division
– project leader level
– data type

• User management delegated to each lab

• The only interface between PI Reports and the FDMS application is the data warehouse.

Page 5:

Design guidelines

• Web-based application
• Apache web server on a Linux platform
• Reports contain data from the FDMS data warehouse
• Had to isolate DB server authentication information from the web server
• Completely isolate the DB server from the web server, to protect the DB even if the web server is compromised

Page 6:

Implementation challenge

• FDMS servers hosted on a single subnet

• Web presence a new component for the FDMS project
– Bad idea to have a web server on the same subnet as data servers
– Web servers are usually well exposed

• Required a rethink of FDMS subnet topology.

Page 7:

Implementation challenge (cont.)

• Even if the web server is hosted in a DMZ
– A two-tier application implies you must have DB authentication information on the web server
– Compromise the web server and you have access to the database.

• Potential platform incompatibilities
– Data assets on a Windows platform
– Required to use a Linux/Apache web platform

• Some type of messaging/middleware required

Page 8:

Implementation

• Different aspects to consider:
– Secure the FDMS network
– Isolate high-risk components from high-value components
– Ensure proper user authentication
– Application-level security
– Database security
– Data transport encryption

Page 9:

Implementation: Network

• NetScreen firewall
• Three separate subnets
– Public: web server
– Application: application server
– Secure: database server

• Deny-all policy
– incoming and outgoing
– with only select ports between network zones open to selected IP addresses

Page 10:

FDMS subnet - before (diagram)

• FDMS subnet: database server, application server, certificate server
• FDMS users reach the application over a Citrix connection
• Application access controlled by:
– IP address
– user authentication

Page 11:

FDMS subnet - after (diagram)

• Three zones: Web, Application, Secure
• Web zone: web server, reached on ports 80 & 443
• Application zone: XML Web Services application server (port c from the Web zone) and the FDMS application server
• Secure zone: DB server (port d from the Application zone)
• Citrix CSG server: application access for FDMS users
• No direct access to the "Secure" zone

Page 12:

Implementation: Isolate high-value components from high-risk components

• Separate functions, separate servers
– Web server - tier 1
– Add an XML web services middle tier
• Web services allow interoperability between Linux/Apache/PHP and Windows.
• Web services hosted on a dedicated server
– Windows Server 2003
– Web services implemented in C# .NET
– Allows efficient DB connectivity (ADO.NET)
– Database server - tier 3

Page 13:

Implementation: User authentication

• Authentication is done against user information in the database
– Username, password and lab

• By default users have no data access

Page 14:

Implementation: Application-level security

• Web server
– Linux/Apache/PHP
– PHP NuSOAP library for SOAP messaging

• Secure web server coding practices
– Input verification
• SQL injection not possible: the web tier holds no database connection and builds no SQL; it passes verified values to the web services, which only call stored procedures

Page 15:

Implementation: Application-level security

• XML Web Services application server
– Session token is a parameter in all web methods
– Verify legitimacy of the web service method invoker:
• Valid requestor
• Session still valid
• Get user identifier
– No in-line SQL for DB interactions.
– All application server to web server messaging uses SOAP messages
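The three checks of this slide (valid requestor, session still valid, get user identifier) together with the login of the User authentication slide, written out as an added example in Python; the authors' C# web services are not on the slides and this is not their code. Assumptions made here: passwords are stored as salted PBKDF2 hashes, a session lives 15 minutes, the web server is the only trusted requestor, and the budget rows are constructed sample data.

```python
"""Application-tier checks for PI Reports-style web methods (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000      # assumption; tune to the hardware
SESSION_TTL_SECONDS = 15 * 60    # assumption; the slides give no lifetime

BUDGETS = {                      # constructed sample data, not FDMS figures
    "PJ-001": {"lab": "PMEL", "allocated": 120_000, "obligated": 85_000},
    "PJ-002": {"lab": "GFDL", "allocated": 90_000, "obligated": 12_500},
}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class User:
    username: str
    lab: str
    salt: bytes
    pw_hash: bytes
    grants: set = field(default_factory=set)  # empty by default: no data access


def web_method(fn):
    """Every web method takes (requestor, token, ...). An authorization failure
    comes back as a fault payload instead of data, the way a SOAP fault would."""
    def wrapper(self, requestor, token, *args):
        try:
            user = self._resolve(requestor, token)
        except PermissionError as exc:
            return {"fault": str(exc)}
        return fn(self, user, *args)
    return wrapper


class AppServer:
    def __init__(self, trusted_requestors, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.trusted = frozenset(trusted_requestors)
        self.ttl = ttl
        self.clock = clock          # injectable so expiry can be exercised in a test
        self.users = {}             # (username, lab) -> User
        self.sessions = {}          # sha256(token) -> (user key, expiry)

    def add_user(self, username, password, lab, grants=()):
        salt = os.urandom(16)
        self.users[(username, lab)] = User(username, lab, salt,
                                           hash_password(password, salt), set(grants))

    def _check_requestor(self, requestor):
        if requestor not in self.trusted:
            raise PermissionError("web method invoked by an untrusted requestor")

    def login(self, requestor, username, password, lab):
        """Authenticate against username, password and lab; returns a token or None."""
        self._check_requestor(requestor)
        user = self.users.get((username, lab))
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt = user.salt if user else bytes(16)
        candidate = hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked session table yields no usable tokens.
        key = hashlib.sha256(token.encode()).digest()
        self.sessions[key] = ((username, lab), self.clock() + self.ttl)
        return token

    def _resolve(self, requestor, token) -> User:
        """Valid requestor, session still valid, then the user behind the session."""
        self._check_requestor(requestor)
        if not isinstance(token, str):
            raise PermissionError("missing session token")
        key = hashlib.sha256(token.encode()).digest()
        entry = self.sessions.get(key)
        if entry is None:
            raise PermissionError("unknown session token")
        user_key, expiry = entry
        if self.clock() > expiry:
            del self.sessions[key]
            raise PermissionError("session expired")
        return self.users[user_key]

    @web_method
    def project_budget(self, user, project_code):
        # Default deny: a user with no grant for the project code gets a fault, not data.
        if project_code not in user.grants or project_code not in BUDGETS:
            return {"fault": f"{user.username} is not granted {project_code}"}
        return dict(BUDGETS[project_code])
```

Checking the requestor against an allow-list of addresses is the cheapest form of "valid requestor" and matches what the firewall already enforces; on the web-to-application link a TLS client certificate for the web server is the stronger identity to bind to, since a source address says nothing about which process is speaking.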

Page 16:

Implementation: Database

• All business rules are embedded in the database
• Minimum-permission database users
• DB user access defined in DB roles
– Each role only has EXECUTE permission on select stored procedures:
• Authentication
• User administration
• Data querying
• DB user access
– Stored procedures only
– No direct access to data tables
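Why the preceding three slides insist on input verification and no in-line SQL: an added example (not the authors' code) that runs the same budget lookup both ways against an in-memory SQLite table of constructed rows. The project-code format is an assumption. SQLite has no stored procedures, so the bound-parameter query stands in for the authors' stored-procedure calls; SQL Server roles that grant only EXECUTE go one step further, because the application login then cannot SELECT from the tables at all, whatever the statement text.

```python
"""In-line SQL versus a validated, parameterized call (added example)."""
import re
import sqlite3

PROJECT_CODE = re.compile(r"[A-Z]{2}-\d{3}")   # assumed format, e.g. PJ-001


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows for three labs."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE budget (project_code TEXT, lab TEXT, allocated INTEGER)")
    con.executemany("INSERT INTO budget VALUES (?, ?, ?)", [
        ("PJ-001", "PMEL", 120000),
        ("PJ-002", "GFDL", 90000),
        ("AB-777", "AOML", 45000),
    ])
    return con


def budget_inline(con, project_code: str):
    """Vulnerable: the request value is spliced into the statement text, so a
    quote in the value ends the literal and the rest becomes SQL."""
    sql = ("SELECT project_code, lab, allocated FROM budget "
           "WHERE project_code = '%s'" % project_code)
    return con.execute(sql).fetchall()


def budget_param(con, project_code: str, validate: bool = True):
    """Hardened: allow-list check on the input, then a bound parameter, so the
    value is handed to the engine as data and can never become statement text."""
    if validate and not PROJECT_CODE.fullmatch(project_code):
        raise ValueError("malformed project code")
    return con.execute(
        "SELECT project_code, lab, allocated FROM budget WHERE project_code = ?",
        (project_code,),
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "PJ-001' OR '1'='1"
    print("inline:", budget_inline(con, payload))                 # every lab's row
    print("param :", budget_param(con, payload, validate=False))  # no rows
```

Run with `validate=False` the parameterized call is already safe (the payload simply matches no project code); the allow-list check on top of it is what lets the web tier reject junk before it ever reaches the web services, and it doubles as a defence if a later change reintroduces string building somewhere down the chain.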

Page 17:

Implementation: Encrypted transport

• Web client to web server - SSL
• Web server to application server - SSL

Page 18:

Implementation: Server & messaging platform

• Web
– Red Hat Linux
– Apache
– PHP
• Middleware
– Windows Server 2003
• Database server platform
– Windows Server 2003

Page 19:

Implementation: Software

• Middleware messaging
– XML Web Services
– Written in C# .NET
• Web
– NuSOAP PHP SOAP library
• Database servers
– SQL Server
– Stored procedures for business rules (Transact-SQL)

Page 20:

Schematic (diagram)

• Zones: Web | Application | Secure
• Ports: 80 & 443 into the Web zone; 1423 from Web to Application; 1203 from Application to Secure
• Path: user -> Web server -> App. server -> DB server

• Request path
– https request (user to web server)
– XML Web service request (web server to app. server)
– ADO.NET DB request (app. server to DB server)

• Response path
– ADO.NET DB response
– XML Web service response
– https response
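The zone policy of the Network slide and of the two subnet diagrams, modelled as an added example; this is not the authors' NetScreen configuration, which the slides do not show. It assumes made-up RFC 5737 addresses for the three subnets and one client somewhere on the Internet, and takes ports 1423 and 1203 as printed on the schematic. The point it makes concrete is what the deny-all default buys: a compromised web server can open exactly one connection, to the application server, and nothing in the Secure zone.

```python
"""Deny-all zone policy for the FDMS three-subnet layout (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Addresses are assumptions; the slides name zones and ports only.
ZONES = {
    "internet":    ip_network("0.0.0.0/0"),        # catch-all for everything else
    "web":         ip_network("192.0.2.0/24"),     # public zone: web server
    "application": ip_network("198.51.100.0/24"),  # application zone: XML web services
    "secure":      ip_network("203.0.113.0/24"),   # secure zone: database server
}
WEB_SERVER = "192.0.2.10"
APP_SERVER = "198.51.100.10"
DB_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src_host: Optional[str]   # None = any host in the source zone
    dst_host: str
    dst_port: int


# Only these flows are permitted; every other connection, in either direction,
# is dropped. 1423 and 1203 are the port numbers printed on the schematic.
RULES = (
    Rule("internet",    None,       WEB_SERVER, 80),
    Rule("internet",    None,       WEB_SERVER, 443),
    Rule("web",         WEB_SERVER, APP_SERVER, 1423),
    Rule("application", APP_SERVER, DB_SERVER,  1203),
)


def zone_of(addr: str) -> str:
    """Most specific zone containing addr; the /0 'internet' zone wins only by default."""
    ip = ip_address(addr)
    return max((name for name, net in ZONES.items() if ip in net),
               key=lambda name: ZONES[name].prefixlen)


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Would a new connection src -> dst:port be permitted across the firewall?
    Replies ride on the stateful session, so only connection setup is modelled."""
    src_zone = zone_of(src)
    for rule in RULES:
        if (rule.src_zone == src_zone
                and (rule.src_host is None or rule.src_host == src)
                and rule.dst_host == dst
                and rule.dst_port == port):
            return True
    return False  # deny-all default


def reachable_from(src: str):
    """Every (dst, port) a host may open: the blast radius if that host is compromised."""
    targets = {(rule.dst_host, rule.dst_port) for rule in RULES}
    return sorted(t for t in targets if is_allowed(src, *t))


if __name__ == "__main__":
    for host in ("100.64.0.5", WEB_SERVER, "192.0.2.99", APP_SERVER, DB_SERVER):
        print(host, "->", reachable_from(host))
```

A useful review habit is to call `reachable_from` for every host in the Web zone: anything other than the web server itself should get an empty list, which is what "open to selected IP addresses" means in practice, and the database server should never appear in the list for any host outside the Application zone.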

Page 21:

Our experience

• Disadvantages
– More network infrastructure
– More server infrastructure
– More software infrastructure
– Performance compromise due to overhead
• but it's fast anyway because CPUs are faster
– PHP web services support not mature

Page 22:

Our experience

• Advantages
– Hides high-value DB assets
• Isolated network environment
– Effort to compromise significantly increased
• Two LAN zones and two firewall zones to breach
– Function separation
• Presentation
• Site functionality
• Business rules
– Development benefit
– Maintenance benefit

Page 23:

In conclusion

• We have been able to secure PI Reports with this architecture.
• The same infrastructure and architecture will be used to develop other FDMS products.