12500 Fair Lakes Circle, Suite 150, Fairfax, VA
703.815.2500 www.edgewater.com
A Cold Fusion Programmer's Guide to Secure Networking
By: Jeremy Brodie, Sr. Developer
Jan 12, 2016
Overview
Server Environment Best Practices
NAT/Firewalls
IP Environment
Email/Spam/Black Hole Lists
Why Bother (Care)?
Networking provides the communication allowing your applications to be accessible
Do it wrong and you place your company and your applications at risk
Possible Legal Risks?
- Documented legal cases of organizations sued for poor security
- Can affect your organization’s/department’s reputation
- Can affect any/all Internet projects
Typical Environment
Three-tier environment
- Production
- Staging
- Development
Source Control (Development)
Email Relay Server for CF Mail
Several Servers Networked Together
Typical Environment
Typical Environment Diagram (components shown: Internet; Router/Firewall; a DMZ zone and an Internal zone; JRUN Server w/ Cold Fusion; Database Server; Email Server; DNS Server; Network Server; Development Env.)
Network Environment
Your network may include the following items as well:
- One or more switches to facilitate communication within the DMZ or Internal zones
- Network Address Translation within the firewall
- Port blocking within the firewall
- Load balancers (for high-traffic sites)
- Storage Area Network
- Internal DNS
Diagram Overview: Your corporate network will have many of these components.
Challenge: Often several employees or departments control the functioning of these network areas, each with their own area of expertise. As a developer, you need to balance their technical concerns with the business requirements of your application.
Diagram Technical Overview
Networking Definitions
Internal
- Workstations
- File and Print Servers
- Outbound communication with outside. Can pull information from DMZ computers
DMZ or Production
- Location of Servers (web, database, mail)
Hosted
- Location of some production applications. Communication with the network is available through FTP and programs such as Terminal Services
Network Address Translation
Business Challenge: Provide communication to servers via a non-routable IP address. Internal and DMZ networks are on separate subnets.
Definitions
Use non-routable addresses to communicate behind the firewall
- Example: 192.168.10.3 for a DMZ server
- Example: 192.168.100.3 for a workstation on the Internal network
- These address ranges are reserved for private networks and are not routed on the Internet
Prevent outsiders from knowing the true address of servers
- Servers will have non-routable addresses only
- The NAT table provides the reference between public and private addresses
Only servers that need to be reached from outside are exposed
Routing (NAT) Table Example: private address → public address
192.168.100.2 → 64.23.122.2
192.168.100.3 → 64.32.122.3
192.168.100.4 → 65.32.122.4
192.168.100.5 → 65.32.122.5
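The translation the table above describes, as an added example that is not part of the original deck: a static one-to-one NAT table checked against the RFC 1918 private ranges, with inbound translation of destination addresses and outbound translation of source addresses. The addresses, packet dictionaries and function names are assumptions made for the illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not the addresses from the slide). Only the web/mail and Cold Fusion hosts are in the table, so a packet for the SQL Server's would-be public address is dropped rather than forwarded.

```python
import ipaddress

# Constructed static NAT table for the illustration: private DMZ addresses on
# the inside, the public addresses the firewall presents on the outside.
# The SQL Server (192.168.10.7) is deliberately absent: it needs no exposure.
NAT_TABLE = {
    "192.168.10.5": "203.0.113.5",   # JRUN / Cold Fusion server
    "192.168.10.6": "203.0.113.6",   # IIS web / mail server
}

# Address blocks reserved for private networks (RFC 1918); never routed on the Internet.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr):
    """True if addr lies in one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def table_problems(table):
    """Sanity-check a NAT table before loading it: inside addresses must be
    private, outside addresses must be public, and no two inside hosts may
    share a public address (the reverse lookup would be ambiguous)."""
    problems = []
    for inside, outside in table.items():
        if not is_private(inside):
            problems.append(f"{inside}: inside address is routable")
        if is_private(outside):
            problems.append(f"{outside}: outside address is not public")
    if len(set(table.values())) != len(table):
        problems.append("two inside hosts map to the same public address")
    return problems


def translate_inbound(table, packet):
    """Rewrite the destination of a packet arriving from the Internet.
    A packet for a public address with no table entry is dropped (None):
    nothing behind the firewall is reachable unless it was deliberately exposed."""
    reverse = {public: private for private, public in table.items()}
    if packet["dst"] not in reverse:
        return None
    return {**packet, "dst": reverse[packet["dst"]]}


def translate_outbound(table, packet):
    """Rewrite the source of a packet leaving the DMZ so that only the public
    address is ever seen outside; with a static table, hosts without an
    entry have no public address and cannot talk out."""
    if packet["src"] not in table:
        return None
    return {**packet, "src": table[packet["src"]]}


if __name__ == "__main__":
    assert table_problems(NAT_TABLE) == []
    inbound = {"src": "198.51.100.7", "dst": "203.0.113.6", "dport": 80}
    print(translate_inbound(NAT_TABLE, inbound))                       # dst becomes 192.168.10.6
    print(translate_inbound(NAT_TABLE, {**inbound, "dst": "203.0.113.7"}))  # None: not exposed
```

Run `table_problems` on a table before it goes into production; an inside address that is routable, or a public address reused for two hosts, is the kind of mistake that quietly exposes a server or sends one host's replies to another.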
NAT: In Practice
- The outside client resolves the server's public name through DNS, which returns the public (NAT) address
- The packet arrives at the firewall addressed to that public address
- The firewall translates the public address to the DMZ server's private address using its NAT table; packets for addresses with no table entry are not forwarded
- Servers carry non-routable IP addresses only
- Internal users reach the same servers through the Internal DNS server, which holds the non-routable addresses
Business Challenge: Prevent outsiders from reaching internal network resources.
Reality Check: Insiders need access to corporate resources while on the road. A VPN solution allows specified laptops to access Internal resources.
NAT: Other Tools
Business Challenge: With a limited pool of Internal addresses, allow employees to access resources on the Internet.
Set up DHCP, a dynamic pool of internal addresses with the right to access resources outside the firewall.
Things to Know
- All internal machines communicate via non-routable IP addresses configured by DHCP
- DHCP also supplies each machine with the address of its router (default gateway) and of the Internal DNS server
- Internal DNS resolves the names of DMZ servers to their non-routable addresses, so internal machines reach the DMZ without going through the public NAT addresses
Resources
- RFC 1631 (http://www.faqs.org/rfcs/rfc1631.html)
- NAT Overview (http://computer.howstuffworks.com/nat1.htm)
Email Spam: Risks and Challenges
Business Challenge: You need to send email to external customers from your application. You don't want to spam, however.
Technology: Firewall rules and the mail server's relay restrictions specify who may relay and who may not.
The Challenge
CFMAIL requires a relay server
Spam is a huge problem on the open Internet
- 30-50% of all traffic is spam
- Spammers use unethical methods to send email
- Spam/Virus link?
- Legal Liability?
A black hole listing can prevent your email from reaching the right place
Successful CFMAIL
Business Challenge: Provide the ability to use CFMAIL for external applications, while preventing spammers from having access to mail servers.
Factoid: Newer versions of Outlook do not, by default, let the recipient see the images in HTML email. Spammers were using externally hosted pictures to validate email addresses.
Goals of System
Goal 1: Prevent outsiders from using the email server. If relaying is not blocked, a black hole listing could cut off mail from the entire subnet
Goal 2: Only allow the Cold Fusion server to send out email
Goal 3: Use an opt-in mail list collected from your site to send public email
The Black Hole List
What is a Black Hole List
- Email ends up in a black hole: it gets sent out, but customers never receive it
- Used by spam filters to reduce the flow of spam to inboxes
- Administrators subscribe to the list
Reasons Why: Black hole lists allow administrators to block email from known sources of spam. Employees could be liable if they did not filter.
Factoid: Although the MAPS RBL allows addresses to be removed, some lists have no way to be removed.
If you receive a new IP block, check to see if it has already been listed.
Resources
- Realtime Black Hole List (http://www.mailabuse.org)
- Spamcop (http://www.spamcop.net)
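Checking an address, or a newly assigned block, against a black hole list, as an added example that is not part of the original deck: the check is a DNS lookup of the reversed octets under the list's zone; a listed address answers with an A record in 127.0.0.0/8 and an unlisted one gets no answer (NXDOMAIN). bl.spamcop.net is Spamcop's real DNS zone; the stub resolver and the address it claims is listed are constructed so the code runs offline, and the function names are assumptions. Pass `resolve_with_system_dns` instead of the stub to query the real list.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(addr, zone):
    """Build the lookup name: octets reversed, then the list's zone.
    192.0.2.10 checked against bl.spamcop.net -> 10.2.0.192.bl.spamcop.net"""
    ip = ipaddress.IPv4Address(addr)          # rejects junk and IPv6 input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def interpret_answer(answer):
    """A listed address gets an A record in 127.0.0.0/8 (the last octet often
    encodes the reason); not listed means NXDOMAIN, passed here as None.
    Anything else is not a list answer (for example a DNS provider that
    rewrites NXDOMAIN to an advertising address) and must not be read as
    a listing."""
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return f"listed (return code {answer})"
    return f"unexpected answer {answer}"


def resolve_with_system_dns(name):
    """Real lookup through the host's resolver; None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_address(addr, zones, resolver=resolve_with_system_dns):
    """Query every zone for one address; returns {zone: verdict}."""
    return {zone: interpret_answer(resolver(dnsbl_query_name(addr, zone)))
            for zone in zones}


def check_block(cidr, zones, resolver=resolve_with_system_dns):
    """The slide's advice for a new IP block: check each usable host address
    before you start sending mail from it."""
    return {str(host): check_address(str(host), zones, resolver)
            for host in ipaddress.ip_network(cidr).hosts()}


# Constructed stub resolver so the example runs offline. It pretends that
# 192.0.2.10 is listed; the real list has no such entry.
STUB_LISTINGS = {"10.2.0.192.bl.spamcop.net": "127.0.0.2"}


def stub_resolver(name):
    return STUB_LISTINGS.get(name)


if __name__ == "__main__":
    for host, verdicts in check_block("192.0.2.8/29", ["bl.spamcop.net"], stub_resolver).items():
        print(host, verdicts)
```

The "unexpected answer" branch matters in practice: some resolvers answer every non-existent name with an address of their own, and a checker that treats any answer as a listing would then report every address as listed.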
Example in IIS
Diagram: Internet; Router/Firewall; DMZ containing an IIS Web/Mail Server (192.168.10.6) that only allows 192.168.10.5 and other DMZ servers to relay, a JRUN Server w/ Cold Fusion (192.168.10.5), and a SQL Server (192.168.10.7)
Business Solution: Only internal servers can relay. Since the mail server accepts relay requests only from internal addresses, the sending server must be located in the DMZ to relay.
A separate relay server means the corporate email server never has to relay.
Solution for Sending CFMAIL
Results: Successfully deliver CFMAIL to your customers.
Opt-In Lists: One way of ensuring successful mail is through the use of opt-in mail lists. In this case, you specifically ask for the permission of the person before sending out email from an application. New regulations require companies to send out email for public applications only using this method.
Create a Win-Win Situation
Use a separate server for relaying mail from applications
- Relay server only accepts internal IP addresses from the DMZ subnet
- Emails are logged by Cold Fusion
Corporate email server never relays
Configure the corporate server to allow HTML email only from internal applications
External emails should be reviewed with the privacy policy in mind
- Should be opt-in list only
- Should be text only for external customers
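The relay policy described in the IIS example and on this slide, as an added example that is not part of the original deck, written as the gate a relay server (or the application layer in front of CFMAIL) would apply to each message: relay only from the DMZ subnet, external recipients only if they opted in, text-only for external customers, and a log line for every decision. The 192.168.10.0/24 subnet is taken from the slides; the corporate domain, the opt-in addresses and the function names are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# From the slides: the DMZ subnet whose servers (e.g. the JRUN/Cold Fusion
# server at 192.168.10.5) are the only hosts allowed to relay.
DMZ_RELAY_SOURCES = ipaddress.ip_network("192.168.10.0/24")

# Assumed for the illustration: the corporate domain (mail to it is internal
# and may be HTML) and a constructed opt-in list of external customers who
# confirmed they want mail from the application.
INTERNAL_DOMAINS = {"example.com"}
OPT_IN_LIST = {"alice@example.net", "bob@example.org"}


def domain_of(address):
    return address.rpartition("@")[2].lower()


def relay_decision(client_ip, recipients, content_type, opt_in=OPT_IN_LIST):
    """Decide, per recipient, whether the relay accepts the message.
    Returns (accepted, rejected); each rejected entry is (address, reason)."""
    if ipaddress.ip_address(client_ip) not in DMZ_RELAY_SOURCES:
        # Not a DMZ host (an Internet client or an internal workstation):
        # refuse the whole transaction, so the server is never an open relay.
        reason = f"relay denied for {client_ip}: not a DMZ host"
        return [], [(rcpt, reason) for rcpt in recipients]
    accepted, rejected = [], []
    for rcpt in recipients:
        if domain_of(rcpt) in INTERNAL_DOMAINS:
            accepted.append(rcpt)                 # internal mail: HTML allowed
        elif rcpt.lower() not in opt_in:
            rejected.append((rcpt, "not on opt-in list"))
        elif content_type != "text/plain":
            rejected.append((rcpt, "external customers receive text only"))
        else:
            accepted.append(rcpt)
    return accepted, rejected


def log_line(client_ip, sender, accepted, rejected, stamp=None):
    """One log record per message, the way the slides want application mail
    logged. stamp can be supplied for reproducible output; else UTC now."""
    if stamp is None:
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    detail = " ".join(f"{addr}({reason})" for addr, reason in rejected)
    return (f"{stamp} relay client={client_ip} from={sender} "
            f"accepted={len(accepted)} rejected={len(rejected)} {detail}").rstrip()


if __name__ == "__main__":
    acc, rej = relay_decision("192.168.10.5",
                              ["alice@example.net", "carol@example.net", "dave@example.com"],
                              "text/plain")
    print(log_line("192.168.10.5", "app@example.com", acc, rej))
```

The first check returns before looking at any recipient: the point of the separate relay server is that a connection from outside the DMZ is refused outright, and the opt-in and content rules only ever run for mail that the Cold Fusion server itself is sending.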
Other Points
Communication is the number one reason why projects fail
- The stakes are often higher for the system admins than for your project
- IT pros are naturally conservative outside their boundaries. IT is the one saying "no"
Your organization requires better communication or an improved process
- The implementation boundary is stretched
What are your experiences?