
A Cold Fusion Programmers Guide to Secure Networking

Jan 12, 2016

Page 1: A Cold Fusion Programmers Guide to Secure Networking

12500 Fair Lakes Circle, Suite 150, Fairfax, VA
703.815.2500
www.edgewater.com

By: Jeremy Brodie, Sr. Developer

Page 2: Overview

Server Environment Best Practices

NAT/Firewalls

IP Environment

Email/Spam/Black Hole Lists

Page 3: Why Bother (Care)?

Networking provides the communication that makes your applications accessible

Do it wrong and you place your company and your applications at risk

Possible Legal Risks?

- Documented legal cases of organizations sued for poor security

- Can affect your organization's/department's reputation

- Can affect any/all Internet projects

Page 4: Typical Environment

Three-tiered environment

- Production

- Staging

- Development

Source Control (Development)

Email Relay Server for CFMAIL

Several servers networked together

Page 5: Typical Environment

Typical Environment Diagram (figure): the Internet connects through a Router/Firewall, which separates a DMZ from the Internal zone. Components shown: JRun Server w/ Cold Fusion, Database Server, Email Server, DNS Server, Network Server, Development Env.

Page 6: Network Environment

Diagram Overview

Your network may include the following items as well:

- One or more switches to facilitate communication within the DMZ or Internal zones

- Network Address Translation within the firewall

- Port blocking within the firewall

- Load balancers (for high-traffic sites)

- Storage Area Network

- Internal DNS

Your corporate network will have many of these components.

Challenge

Often several employees/departments will control the functioning of these network areas. Each will have their own areas of expertise. As a developer, you need to balance their technical concerns with the business requirements of your application.

Page 7: Diagram Technical Overview

Networking Definitions

Internal

- Workstations

- File and Print Servers

- Outbound communication with the outside. Can pull information from DMZ computers

DMZ or Production

- Location of servers (web, database, mail)

Hosted

- Location of some production applications. Communication with the network is available through FTP and programs such as Terminal Services (plain FTP carries credentials in cleartext, so prefer SFTP/FTPS or a VPN where the hosting provider offers one)

Page 8: Network Address Translation

Business Challenge
Provide communication to servers via a non-routable IP address. Internal and DMZ networks are on separate subnets.

Definitions

Use non-routable (private) addresses to communicate behind the firewall
- Example: 192.168.10.3 for a DMZ server
- Example: 192.168.100.3 for a workstation on the Internal network
- These ranges are reserved for private networks (RFC 1918) and are never routed across the public Internet

Prevent outsiders from knowing the true address of servers
- Servers have non-routable addresses only
- The NAT table in the firewall provides the reference from public address to private address

Only expose to the outside the servers that need exposing

Page 9: Routing Table Example

Static NAT table as held by the firewall: each non-routable (private) address maps to exactly one public address.

Private address    Public address
192.168.100.2      64.23.122.2
192.168.100.3      64.32.122.3
192.168.100.4      65.32.122.4
192.168.100.5      65.32.122.5

Page 10: NAT: In Practice

A packet arrives at the firewall addressed to one of its public IP addresses (external DNS publishes only the public address, never the private one)

The firewall looks the destination address up in its NAT table and, if the address and port are on the acceptable list, rewrites the destination to the private address of the server located in the DMZ

Server IP addresses are non-routable (private) addresses only

Internal users reach the same servers through the Internal DNS server, which returns the non-routable IP addresses directly, so their traffic is not translated

Business Challenge
Prevent outsiders from reaching internal network resources.

Reality Check
Insiders need to have access to corporate resources on the road. A VPN solution allows specified laptops to have access to Internal resources.

Page 11: NAT: Other Tools

Business Challenge
With a limited pool of public (routable) addresses, allow employees to access resources on the Internet.

Set up DHCP to hand out a dynamic pool of internal (non-routable) addresses; the firewall translates these to its public address for hosts that are allowed to reach resources outside the firewall.

Things to Know

All internal machines communicate via non-routable IP addresses configured by DHCP

DHCP also hands each client the address of its default gateway (the router) and of the Internal DNS server

Internal DNS resolves names on both the Internal and the DMZ networks to their non-routable addresses; the firewall/router, not DNS, carries the traffic between the two zones

Resources

RFC 1631 (http://www.faqs.org/rfcs/rfc1631.html)

NAT Overview (http://computer.howstuffworks.com/nat1.htm)
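The translation steps of pages 9 to 11 as runnable code, an example added here rather than taken from the slides: a toy firewall that applies the static NAT table to DMZ servers (with port blocking as the acceptable list) and a dynamic many-to-one source NAT for DHCP-addressed workstations. The firewall address 64.23.122.1, the mapping 64.23.122.2 to 192.168.10.3, the allowed ports and the remote hosts in the TEST-NET documentation ranges are all assumptions made for illustration.

```python
"""Toy stateful NAT: static one-to-one mappings for DMZ servers (the NAT
table on page 9) plus a dynamic source-NAT pool for internal workstations
(page 11).  Added example, not from the slides; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    def __init__(self, public_ip, static_map, allowed_ports, first_port=40000):
        # The firewall's own public address, shared by all dynamic translations.
        self.public_ip = ipaddress.ip_address(public_ip)
        # Static NAT table: public address -> private DMZ address, and back.
        self.static = {ipaddress.ip_address(pub): ipaddress.ip_address(priv)
                       for pub, priv in static_map.items()}
        self.reverse_static = {priv: pub for pub, priv in self.static.items()}
        # Port blocking: the only destination ports each DMZ host may receive.
        self.allowed = {ipaddress.ip_address(ip): set(ports)
                        for ip, ports in allowed_ports.items()}
        # Dynamic translations: (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.sessions = {}
        self.by_port = {}        # public port -> that same 4-tuple
        self.next_port = first_port

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst in self.static:
            priv = self.static[dst]
            if pkt.dport not in self.allowed.get(priv, set()):
                return None      # port not on the acceptable list: blocked
            return Packet(pkt.src, pkt.sport, str(priv), pkt.dport)
        if dst == self.public_ip and pkt.dport in self.by_port:
            priv_ip, priv_port, remote_ip, remote_port = self.by_port[pkt.dport]
            # Only the peer the internal host contacted may answer on this port.
            if (ipaddress.ip_address(pkt.src), pkt.sport) == (remote_ip, remote_port):
                return Packet(pkt.src, pkt.sport, str(priv_ip), priv_port)
        return None              # unsolicited traffic never reaches internal hosts

    def outbound(self, pkt):
        """Translate a packet leaving the firewall toward the Internet."""
        src = ipaddress.ip_address(pkt.src)
        if not src.is_private:
            raise ValueError("hosts behind the firewall use non-routable addresses only")
        if src in self.reverse_static:
            # DMZ server: appears on the Internet as its fixed public address.
            return Packet(str(self.reverse_static[src]), pkt.sport, pkt.dst, pkt.dport)
        # Workstation: many-to-one NAT, one public port per connection.
        key = (src, pkt.sport, ipaddress.ip_address(pkt.dst), pkt.dport)
        if key not in self.sessions:
            port = self.next_port
            self.next_port += 1
            self.sessions[key] = port
            self.by_port[port] = key
        return Packet(str(self.public_ip), self.sessions[key], pkt.dst, pkt.dport)


if __name__ == "__main__":
    nat = Nat("64.23.122.1", {"64.23.122.2": "192.168.10.3"}, {"192.168.10.3": [80, 443]})
    print(nat.inbound(Packet("203.0.113.9", 51000, "64.23.122.2", 443)))   # reaches the DMZ web server
    print(nat.inbound(Packet("203.0.113.9", 51000, "64.23.122.2", 22)))    # None: port blocked
    print(nat.outbound(Packet("192.168.100.3", 51500, "198.51.100.7", 80)))  # leaves as 64.23.122.1:40000
```

Two properties carry the security argument of page 10: unsolicited packets to the public address are dropped because no session exists for them, and a dynamic mapping answers only to the exact peer the workstation contacted, so a third party that guesses the public port still gets nothing. A real firewall additionally tracks the protocol, times idle mappings out and handles fragments; none of that changes the lookup logic shown here.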

Page 12: Email Spam: Risks and Challenges

Business Challenge
You need to send email to external customers using your application. You don't want to spam, however.

Technology
Firewall rules and the mail server's relay restrictions, keyed on the sender's non-routable address, specify who may relay and who may not.

The Challenge

CFMAIL requires a relay (SMTP) server

Spam is a huge problem on the open Internet

- 30-50% of all email traffic is spam

- Spammers use unethical methods to send email

- Spam/virus link?

- Legal liability?

A black hole list can prevent your email from being routed to the right place

Page 13: Successful CFMAIL

Business Challenge
Provide the ability to use CFMAIL for external applications, while preventing spammers from having access to mail servers.

Factoid
Newer versions of Outlook block the external images in HTML email by default. Spammers were using external pictures to validate email addresses: the image is fetched only when a real person opens the message.

Goals of System

Goal 1: Prevent outsiders from using the email server. If not blocked, a black hole list could list the entire subnet and shut down mail for every server on it

Goal 2: Only allow the Cold Fusion server to send out email

Goal 3: Use an opt-in mail list collected from your site to send public email

Page 14: The Black Hole List

What is a Black Hole List

Email ends up in a black hole: it gets sent out, but customers never receive it

Used by spam filters to reduce the flow of spam to inboxes

Administrators subscribe their mail servers to the list, and mail from listed addresses is rejected or discarded

Reasons Why
Black hole lists allow administrators to block email from known sources of spam. Employees could be liable if they did not filter.

Factoid
Although the MAPS RBL allows addresses to be removed, some lists do not have a way to be removed.

If you receive a new IP block, check to see if it has already been listed.

Resources

Realtime Black Hole List (http://www.mailabuse.org)

Spamcop (http://www.spamcop.net)
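A check for the advice above ("if you receive a new IP block, check to see if it has been listed"), as an added example that is not part of the slides: a DNS-based black hole list is queried by reversing the address's octets, appending the list's zone and resolving the name; an A record in 127.0.0.0/8 means "listed", no such name means "clean". bl.spamcop.net is SpamCop's real zone; dnsbl.example, the 203.0.113.0/29 block (a documentation range) and the answers in FAKE_ANSWERS are constructed so the code runs offline, while live_resolve performs the real lookup.

```python
"""DNSBL check for a newly assigned IP block.
Added example, not from the slides.  bl.spamcop.net is SpamCop's real zone;
dnsbl.example, the 203.0.113.0/29 block (TEST-NET-3) and FAKE_ANSWERS are
constructed so the code runs offline."""
import ipaddress
import socket

LISTED = ipaddress.ip_network("127.0.0.0/8")   # DNSBL "listed" answers live here


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 203.0.113.2 -> 2.113.0.203.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolve(name):
    """Real DNS lookup: the A records for name, or [] when it does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def listings(ip, zones, resolve=live_resolve):
    """Map zone -> return codes for every zone that lists ip (empty dict if clean)."""
    hits = {}
    for zone in zones:
        codes = [a for a in resolve(dnsbl_name(ip, zone))
                 if ipaddress.ip_address(a) in LISTED]
        if codes:
            hits[zone] = codes
    return hits


def check_block(cidr, zones, resolve=live_resolve):
    """Run listings() over every host address in a block; report only listed ones."""
    report = {}
    for host in ipaddress.ip_network(cidr).hosts():
        hits = listings(str(host), zones, resolve)
        if hits:
            report[str(host)] = hits
    return report


# Constructed stand-in for the DNS (not real listings): two hosts of the
# documentation block are pretended to be listed.
FAKE_ANSWERS = {
    "2.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "2.113.0.203.dnsbl.example": ["127.0.0.3"],
    "5.113.0.203.dnsbl.example": ["127.0.0.2"],
}


def fake_resolve(name):
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    zones = ["bl.spamcop.net", "dnsbl.example"]
    for host, hits in check_block("203.0.113.0/29", zones, fake_resolve).items():
        print(host, hits)
```

Two caveats when running this against live lists: a zone that answers with an address outside 127.0.0.0/8, or that reports every address in the block as listed, is usually a decommissioned list rather than a real listing, so treat "listed everywhere" as a reason to check the list itself; and the exact 127.0.0.x value encodes the reason for the listing, which each list documents separately.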

Page 15: Example in IIS

Diagram: Internet, then Router/Firewall, then the DMZ containing:

- IIS Web/Mail Server, 192.168.10.6: only allows 192.168.10.5 and the other DMZ servers to relay

- JRun Server w/ Cold Fusion, 192.168.10.5

- SQL Server, 192.168.10.7

Business Solution
Only internal servers can relay. Because the mail server accepts relay requests only from non-routable DMZ addresses, a server that needs to relay must itself be located in the DMZ.

A separate relay server allows the corporate email server never to relay.

Page 16: Solution for Sending CFMAIL

Results
Successfully deliver CFMAIL to your customers.

Opt-In Lists
One way of ensuring successful mail is through the use of opt-in mail lists. In this case, you specifically ask for the permission of the person before sending out email from an application.

New regulations require companies to send out email for public applications only using this method.

Create a Win-Win Situation

Use a separate server for relaying mail from applications
- Relay server only accepts non-routable addresses from the DMZ subnet
- Emails are logged by Cold Fusion

Corporate email server never relays

Configure the corporate server to allow HTML email only from internal applications

External emails should be reviewed with the privacy policy in mind
- Should be opt-in list only
- Should be text only for external customers
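The relay policy of pages 15 and 16 as code, an added example rather than the IIS SMTP service's own configuration: the relay server delivers locally for its own domains, relays only for clients on the DMZ subnet, refuses everyone else with a 550, and keeps the per-message log the slides call for. The domain example.com, the 192.168.10.0/24 DMZ subnet and the sample clients are assumptions; open_relay=True reproduces the misconfiguration that gets a subnet black-holed.

```python
"""SMTP relay policy for a dedicated application relay server.
Added example, not the slides' IIS configuration; domains, subnets and
sample clients are constructed."""
import ipaddress
from collections import Counter
from datetime import datetime, timezone


class RelayPolicy:
    def __init__(self, local_domains, relay_networks, open_relay=False):
        # Domains this server delivers to local mailboxes for (hypothetical).
        self.local_domains = {d.lower() for d in local_domains}
        # Non-routable subnets whose hosts may relay to outside domains (the DMZ).
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]
        # True reproduces the misconfiguration the slides warn about: an open
        # relay that forwards mail for anyone and soon lands on a black hole list.
        self.open_relay = open_relay
        self.log = []

    def _may_relay(self, client_ip):
        if self.open_relay:
            return True
        ip = ipaddress.ip_address(client_ip)
        # A public source address can never fall inside an RFC 1918 subnet,
        # so outsiders fail here regardless of what they put in MAIL FROM.
        return ip.is_private and any(ip in net for net in self.relay_networks)

    def rcpt_to(self, client_ip, mail_from, rcpt):
        """Decide one RCPT TO command; returns the SMTP reply code."""
        if rcpt.count("@") != 1:
            code, verdict = 501, "syntax error in recipient"
        else:
            domain = rcpt.rpartition("@")[2].lower()
            if domain in self.local_domains:
                code, verdict = 250, "local delivery"
            elif self._may_relay(client_ip):
                code, verdict = 250, "relayed for application server"
            else:
                code, verdict = 550, "relaying denied"
        # Every decision is logged so abuse attempts can be traced to a client.
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "client": client_ip, "from": mail_from, "rcpt": rcpt,
            "code": code, "verdict": verdict,
        })
        return code

    def denied_by_client(self):
        """Relay refusals per client; a high count is an outsider probing for an open relay."""
        return Counter(e["client"] for e in self.log if e["code"] == 550)


if __name__ == "__main__":
    policy = RelayPolicy(["example.com"], ["192.168.10.0/24"])
    # The Cold Fusion server in the DMZ may relay to a customer.
    print(policy.rcpt_to("192.168.10.5", "app@example.com", "customer@example.net"))   # 250
    # An outside host may not use the server to reach third parties.
    print(policy.rcpt_to("203.0.113.9", "x@example.org", "customer@example.net"))     # 550
    print(policy.denied_by_client())
```

Note that the check is made on the connecting address, never on the MAIL FROM header, which any spammer can set to a local domain; and that an internal workstation on 192.168.100.0/24 is refused too, matching the slide's point that only the DMZ application servers relay.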

Page 17: Other Points

Communication is the number one reason why projects fail

- The stakes are often higher for the system admins than for your project

- IT pros are naturally conservative outside their boundaries. IT is the one saying "no"

Your organization requires better communication or an improved process

- The implementation boundary is stretched

What are your experiences?