In designing the BizTalk infrastructure, use the multitier character of the BizTalk architecture to put defense lines between the tiers. To make this type of security effective, you must avoid synchronous communication between tiers. Unfortunately, this is not possible between the client and the Web site, since a connection between the two remains open while the Active Server Page (ASP) script is running. At a programming level, you should take care that these connections remain open for as short a time as possible, or that they time out within a reasonable amount of time. The Web site is technically vulnerable to a distributed denial of service (DDoS) attack, something that is hard to protect against, especially if you allow users to enter your Web site anonymously. Now, let us look at the different security components.
The router is the device that actually connects your local infrastructure to the outside world. In our example, this "outside world" is the Internet. Depending on how you use it, this can be a dial-up or permanent connection. Let us assume this is a permanent line: a leased line, a Frame Relay, or an xDSL connection. The router can have an abundance of functionality or hardly any, so first determine what functionality you need and which router fits the budget. In most cases, you do not need more than a router that routes; the firewall will handle other functions such as filtering and address translation. Performing the same functions at two places will only complicate administration, and has a negative effect on performance. However, if the router is used to connect more than just the BizTalk infrastructure to the Internet, packet filtering on the router might be useful for traffic separation. This is the case when you connect more than one network segment to the router, and the router then determines what data from the Internet is allowed to go to which network segment, or even what data can be exchanged between the segments. This implies that each segment has its own firewall. Extensive filtering can drastically decrease the router performance. In this book, we see security as protecting ourselves against disruptions in the BizTalk infrastructure; therefore, special attention must be given to how you want to protect yourself from losing the Internet connection if the router fails, or if the line to the Internet goes down. Remember, we are talking about "risk management." If Internet connectivity is important to your business or organization (and when is it not?), you definitely need a backup solution for the loss of the Internet connection. Drawing from experience, the chance that the line will go down is greater than that of the router failing.
Let us assume that you have a leased line going from your router to your ISP. You will need a secondary line between the router and ISP in case your primary goes down. However, a second leased line can be an expensive solution. Instead, you can decide to use a standard ISDN line, also called Basic Rate ISDN, or BRI. Be sure to buy a router that has a BRI interface. Let the ISP deliver your connections for both the leased line and the standard ISDN line. You have to configure the router so that when the leased line goes down, the router automatically brings up the ISDN interface. Test to see if the ISP can transparently route traffic over both connections.
Having a second line will not solve the problem of a failed router; in this case, only a second router will do the trick. This will only happen transparently if the router supports fail-over configuration. Let's take a Cisco router as an example. Cisco routers, in general, support fail-over configuration by using the Hot-Standby Routing Protocol (HSRP). You can take two routers, activate HSRP, create a group that holds both routers, and make sure they share an HSRP group IP address. Although this is a real IP address, it does not specifically belong to any of the routers; only the active router holds it to route traffic. It is important to remember that the group has at least two Cisco routers, one of which is active while the other is on standby, waiting for the active router to go down so it can step in. When the standby router steps in, it takes over the HSRP group IP address and starts routing accordingly. The group can hold more than two routers; the HSRP protocol is used to decide which router becomes active, which are on standby, and which "stay in the wings." Without going into detail, it is only when both the active and the standby router are offline that the additional routers in the wings will negotiate who becomes active and who will remain on standby. One strength of this protocol is that it does not require additional hardware or software.
The three different levels of security depicted in Figure 8.1 also show three different setups for the router. In the "Limited" (a) configuration, no special security measures are taken for the router. In case of a line or router failure, you are left without an Internet connection. The next level, "Extended" (b), makes use of a backup Internet connection, so in case the line fails we have a second way of automatically connecting to the Internet. Be sure that your ISP connects this backup line to its network in a way that avoids the situation in which a hardware failure at the ISP's end prevents the backup connection from coming online. The "Advanced" (c) security setup uses two routers, each with a separate connection to the Internet. To enhance this setup it also makes sense to use a different ISP for each router, so in case one ISP runs into serious problems, the other router will still be operational.
The next device in line is the firewall, which is the gatekeeper of your BizTalk infrastructure. Firewalls come in all forms and shapes, from a homegrown Linux box turned firewall to a plug-and-play firewall. You have a number of options for supplying the functions of a firewall, each with its own pros and cons:
■ Microsoft ISA Server The Internet Security and Accelerator Server is more than just firewall software; it also contains Proxy Server software, a Web-cache server, and a Voice-over-IP (VoIP) server. In other words, it is packed with functionality. The pros are that you can do a lot with this software. It can be managed from the Active Directory, and if your IT department only has Windows NT/2000 Server experience, you might feel inclined to use this software. The downside is that Windows 2000 Server is generally regarded as a platform vulnerable to attacks, and it takes a lot of tuning to harden the platform. Placing it at the edge of your environment poses risks. By placing the firewall in a Windows 2000 domain, you run the risk that if the ISA server is compromised, the attack might find its way into the domain using the same type of attack, hence getting access to other servers in the domain, possibly including your BizTalk server. Security experts consider a firewall with no more than the basic firewall functionality a high security risk, since it is then more difficult to harden the platform against attacks.
■ Windows 2000-based firewall application There are a number of firewall applications available that run on a Windows 2000 platform; for example, Symantec (AXENT) Raptor and Check Point FireWall-1. The pros are that they run on Windows 2000, so you probably will not need extra knowledge and experience to run the firewall software. Second, each is a pure firewall application, with no additional functionality. Third, you are able to manage the firewall server from the Active Directory, although keeping the server stand-alone and not letting it join a domain is more secure. The cons are that Windows 2000 Server is generally regarded as a vulnerable OS, and placing it at the edge of your infrastructure poses an additional risk of your infrastructure being compromised.
■ Unix-based firewall software This is a Unix system/server on which a firewall application is installed. Examples are Check Point FireWall-1 and Symantec/AXENT Raptor. The pros are that Unix can be hardened at installation time, since you have more control over what is installed on the system. For example, you will not install a graphical windowing system, but stick instead to the command-line interface. Second, Unix is a more open and simpler operating system, so turning it into a bastion server is easier. Third, even if the Unix firewall is compromised, the attacker needs another type of attack to force his or her way into the Windows 2000 server. Generally, a firewall running on a UNIX platform has better performance than an ISA Server, if both are running on the same type of hardware platform. The cons are that you need UNIX experience within your IT department, and if the firewall is going to be the only UNIX system, that experience may be hard to acquire.
■ Internet-appliance firewall Also called a "plug-and-play" firewall, this is a hardware platform with a hardened (embedded) operating system, nowadays often based on Linux, and with a tailor-made firewall application preinstalled. The pro side is that you only need to know how to work with the firewall application, so it does not take special knowledge. These platforms are much harder to compromise because the operating system has been stripped of all unnecessary code. Even when one is compromised, attackers are not able to access your Windows 2000 servers directly. On the negative side, it might be the odd system in your infrastructure, and not all Internet-appliance firewalls can be placed in a fail-over configuration.
■ Homegrown firewall This is an Intel-based platform on which you install a Linux flavor or BSD (OpenBSD/FreeBSD), harden it, and use the filtering tools that come with the OS to build a firewall. The real plus of this option is that it is the cheapest firewall solution possible, with all the firewall functionality you need. Additionally, if it is compromised, your Windows 2000 server will be protected until the attacker can come up with another method of attack. Linux and OpenBSD are open source operating systems, meaning that the code is freely available, so the security of the code is under a lot of scrutiny and vulnerabilities are quickly solved. The biggest drawback is that you need sufficient knowledge of Linux or OpenBSD to harden it and manage it. There also is no administration tool to manage the firewall.
Configuring & Implementing...
Security experts will advise you to install the ISA Server as a stand-alone server, just as you would do with a firewall that runs on a UNIX-based platform. Firewalls especially, but also proxy servers, are the barriers that protect you from attacks from the outside. As depicted in Figure 8.1, the outside is not only the Internet but also the parts of the local network where the users access the network. For additional security, firewalls and proxy servers should be installed as bastion servers. When installing a server as a bastion server, remember:
■ The system should be fully operational as a stand-alone server, and not part of a distributed system.
■ When installing the operating system, you must only install the core components.
■ Only install additional software when necessary, such as the ISA server software.
■ All certified security fixes and patches must be installed.
■ All Windows services or Unix daemons that are active but do not need to be used must be permanently disabled and preferably removed from the system.
■ Deactivate all well-known IP ports.
■ Remove all user accounts from the system that are not used, and do not allow anonymous login.
■ Restrict user access to an absolute minimum.
■ Use security analysis tools—for example, ISS System Scanner—to determine if all security leaks are closed and all known vulnerabilities have been eliminated.
Before you make a decision on the firewall solution you will implement, weigh the pros and cons. Let security prevail, but always feel comfortable with your choice. In the majority of situations, use an Internet-appliance firewall. In case you choose to use a Windows 2000 Server platform, avoid placing it in a domain by installing it stand-alone. Be careful with placing two-way trusts between this server and other Windows servers. These can become an easy path for malicious attacks traversing from the firewall into your protected network. Since your BizTalk environment is based on Microsoft technology, it would be a good decision to choose a different operating system for this outer firewall, preferably a Unix-based OS.
Whatever type of firewall you choose, its function is to let in "good data" and keep out "bad data" by using data filtering. You enter rules into the firewall software that tell the firewall what to do with packets entering the firewall.
The first firewall rule should be something like: "ANY data from ANY source to ANY destination is DROPPED," meaning that the firewall by default denies all access. From that position, you start inserting rules that let specific data through. In our example, this would mean data that is addressed to the IIS server, SMTP server, or FTP server. Actually, you need to be more specific. For the IIS server, this means that data is let through the firewall only if it complies with the following criteria:
■ You should accept only HTTPS connections, which by default communicate over IP port 443 (an HTTP connection uses IP port 80).
■ The destination can only be the outside IP address of the IIS server.
■ The source can only be the IP addresses that originate from the customer sites.
Since you have decided that you only accept HTTPS connections from known sites, it is strongly recommended not to use the default port, but to choose a unique port number, from 2000 and up, for each site. Now you will only accept a connection if both the IP address and the IP port match. For the customer, this means that the Web address looks like https://order.company.com:8080.
This is not viable if you have a Web site that allows users in on an anonymous basis. In this case, you cannot filter based on the IP address of the client, and therefore you cannot assign a special port, especially if the number of possible customers is unlimited. In this case, you need to accept all HTTP traffic to your Web site using the default port 80.
For the SMTP server you can keep using the default ports. This is port 25 to retrieve mail from a mail server on the Internet, and port 110 to send mail to the mail server. Since your mail server sets up the connection, the firewall rule should be "IP data over ports 25 and 110, with the source IP address being the external IP address of the local mail server and the destination being the IP address of the remote mail drop, is ACCEPTED." In the case of the FTP server, which uses IP ports 20 and 21, you can also choose to change these port numbers. For both the SMTP and FTP server, you have to tell your customers on which ports they have to communicate.
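The default-deny rule set described above, as an added example that is not part of the original text: a first-match evaluator with the "ANY/ANY/ANY DROP" baseline last, one HTTPS rule per known customer matched on both source network and its unique port, the mail rules pinned to the local mail server's external address, and an audit that flags an over-permissive ACCEPT or a missing catch-all. All addresses and ports are constructed (RFC 5737 documentation ranges), not taken from the book.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""

def _addr_in(pattern: str, addr: str) -> bool:
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)

def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and _addr_in(rule.src, src)
            and _addr_in(rule.dst, dst)
            and rule.dport in (None, dport))

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First matching rule decides; traffic matching no rule is dropped as well."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "DROP"

def audit(rules: List[Rule]) -> List[str]:
    """Two checks before loading a rule set: the catch-all DROP must be the last rule,
    and no ACCEPT may leave both source and destination open."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or (last.action, last.proto, last.src, last.dst, last.dport) != \
            ("DROP", "any", "any", "any", None):
        findings.append("last rule is not the default 'ANY from ANY to ANY is DROPPED'")
    for i, r in enumerate(rules):
        if r.action == "ACCEPT" and r.src == "any" and r.dst == "any":
            findings.append(f"rule {i} ({r.comment}) accepts from any source to any destination")
    return findings

# Constructed addresses; not from the original text.
IIS_EXT = "192.0.2.10"    # outside IP address of the IIS server
MAIL_EXT = "192.0.2.25"   # external IP address of the local mail server

RULES = [
    # Known customers: a unique non-default HTTPS port per site, matched on IP and port.
    Rule("ACCEPT", "tcp", "198.51.100.0/24", IIS_EXT + "/32", 8080, "customer A -> IIS"),
    Rule("ACCEPT", "tcp", "203.0.113.0/24",  IIS_EXT + "/32", 8081, "customer B -> IIS"),
    # Mail: the local mail server initiates, so the source is pinned to its address.
    Rule("ACCEPT", "tcp", MAIL_EXT + "/32", "any", 25,  "local mail server, port 25"),
    Rule("ACCEPT", "tcp", MAIL_EXT + "/32", "any", 110, "local mail server, port 110"),
    # The "ANY data from ANY source to ANY destination is DROPPED" baseline, kept last.
    Rule("DROP", "any", "any", "any", None, "default deny"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "198.51.100.7", IIS_EXT, 8080))  # ACCEPT
    print(evaluate(RULES, "tcp", "198.51.100.7", IIS_EXT, 8081))  # DROP: customer A's IP on B's port
    print(audit(RULES))                                            # []
```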
There is a second important function for the firewall in protecting your BizTalk infrastructure: Network Address and Port Translation (NAPT). You have probably heard of Network Address Translation, or NAT. The principle of NAT and NAPT is that the firewall substitutes the original IP address of a system with another IP address that is physically not in your network. Using this, you can obscure the IP addressing structure of your local network and make direct attacks on your servers difficult. It also has another function: the number of IP addresses that you get from an ISP is very limited, so you need to share these limited IP addresses, say six, among all the systems that need Internet access.
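The two effects of NAPT described above, as an added example that is not part of the original text: several internal hosts share one ISP-assigned external address, each outbound connection gets its own external port, return traffic is mapped back through the table, and an unsolicited packet arriving at the external address finds no mapping and is dropped. Addresses are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)

class Napt:
    """Constructed model of the firewall's NAPT function: many internal addresses are
    hidden behind a single external address with a per-connection port."""

    def __init__(self, external_ip: str, first_port: int = 10000):
        self.external_ip = external_ip
        self.next_port = first_port
        # (internal endpoint, remote endpoint) -> allocated external port
        self.out: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # (external port, remote endpoint) -> internal endpoint, for return traffic
        self.back: Dict[Tuple[int, Endpoint], Endpoint] = {}

    def outbound(self, internal: Endpoint, remote: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the network; an existing connection
        keeps its mapping, a new one gets the next free external port."""
        key = (internal, remote)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, remote)] = internal
        return (self.external_ip, self.out[key])

    def inbound(self, ext_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving at the external address. Traffic nobody inside
        asked for has no mapping and is dropped (None), so the internal addressing
        structure is never exposed."""
        return self.back.get((ext_port, remote))

if __name__ == "__main__":
    napt = Napt("192.0.2.1")                       # one of the few ISP-assigned addresses
    remote = ("198.51.100.80", 443)
    print(napt.outbound(("10.0.0.5", 51000), remote))   # ('192.0.2.1', 10000)
    print(napt.outbound(("10.0.0.6", 51000), remote))   # ('192.0.2.1', 10001)
    print(napt.inbound(10001, remote))                  # ('10.0.0.6', 51000)
    print(napt.inbound(1801, remote))                   # None: unsolicited, dropped
```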
In the case of the firewall, you are faced with the question of what to do if the firewall goes on the blink. The type of firewall is important, since most firewalls retain information regarding connections that are allowed to pass the firewall. This session information is part of what is called stateful inspection. Some firewalls can be set up in a load-balancing configuration, and some in an active-passive fail-over configuration. The latter means that one firewall is actually doing the work, and the passive one checks frequently to ensure the other one is still alive. If the active firewall no longer responds, the passive firewall takes over. To do this, the active firewall sends session information to the passive firewall so it is synchronized at all times. In the case of load-balancing firewalls, the sessions are divided between the firewalls, each of which synchronizes with the session information of the other.
Again, three different firewall configurations are depicted in Figure 8.1. The "Limited" (a) configuration connects the internal network to the router (external network). Although you only let traffic destined for the Web server through, you enable direct contact between the internal and external network. The "Extended" (b) configuration uses a third leg of the firewall as a "demilitarized zone," where the Web server resides. In this setup, only the Web server has contact with the internal network. The "Advanced" (c) solution is a firewall in fail-over mode, and creates a double-firewalled DMZ. For the internal firewall, the Microsoft ISA server is depicted, although this could be any other firewall. The strength of this solution is that if the outer firewall is compromised, there is still no direct access to the internal network.
The next line of defense can be formed by the Internet Security and Accelerator Server (ISA Server), the successor of MS Proxy Server 2.0. Although you could decide to substitute it with a Unix-based firewall, the advantage of the ISA server is the proxy component. Instead of the IIS server setting up a connection with the MSMQ server, it sets up a connection with the ISA server, and the ISA server sets up a connection with the MSMQ server. This has a slight negative effect on performance, but enhances security. The network between the firewall and the ISA server is a demilitarized zone, a neutral zone that forms a buffer between your company network (in this case, the BizTalk environment) and the outside world. Nobody can have direct access to your servers in the DMZ. Besides proxying, the ISA server also does data filtering, since all you need is access to the MSMQ server, which uses IP port 1801.
The ISA server runs on a Microsoft Windows 2000 platform, so it can make use of the load balancing or Cluster Services of Windows 2000. To use the Cluster Service, you need to have Windows 2000 Advanced Server installed.
Only the "Advanced" (c) solution in Figure 8.1 makes use of a proxy server, in this case one that also acts as a firewall. Since the ISA server can do both proxying and firewalling, it is a budget-friendly solution. Symantec Enterprise Firewall (formerly known as AXENT Raptor) is a firewall that does application proxying. The strength of the proxy is that it is not transparent to the connection. In fact, the connection ends in the proxy server, and a new connection—in this case, to the MSMQ Server—is set up. Depending on the implementation, the proxy can also directly contact the BizTalk server. Take notice of the fact that the proxy server should always have at least two network connections, one for the internal network and one for the external network. It works with one network card, but this is considered less secure. A nice feature of the Microsoft Proxy Server is reverse proxying, also called reverse hosting. If you really want to protect your Web server, you could place a proxy between the firewall and the Web server. By reverse proxying, you advertise to the world that the proxy server is your Web server when in fact, IIS is running on the proxy server. However, the proxy indeed acts like a Web server, only it redirects the requests through the back door to the actual Web server. This gives you an additional barrier between an attacker and the information on the Web server.
There is no actual defense line between the BizTalk server and the SQL server, although you can add another firewall or ISA server. You can also rely on network security, assuming that the risk of somebody forcing access to the SQL server is low.