Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL."— Presentation transcript:

1 1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL Seattle

2 June 1, 2015 NOAATech 2006, Silver Spring, MD 2 June 1, 2015 This presentation Enable secure web access to budget information for: –Scientists –PI’s –Non administrative folks Data are sensitive and covered by Privacy Act. Will describe how we developed this application to allow secure access to these sensitive data.

3 June 1, 2015 NOAATech 2006, Silver Spring, MD 3 June 1, 2015 FDMS FDMS is the OAR Financial system –Used by all the OAR labs –Maintained on FDMS servers located at PMEL Two separate database instances for data storage Hosted on: –single database server –Production server (Citrix) OAR budget user access to the FDMS application though a Citrix Secure Gateway interface.

4 June 1, 2015 NOAATech 2006, Silver Spring, MD 4 June 1, 2015 What is PI Reports? Web based application that allows OAR Scientists to access detailed budget information on their projects User data access restricted down to either one of: –project code –lab division –project leader level –data type User management delegated to each lab Only interface between PI Reports and FDMS application is the data warehouse.

5 June 1, 2015 NOAATech 2006, Silver Spring, MD 5 June 1, 2015 Design guidelines Web based application Apache Web server on Linux platform Reports contain data from FDMS Data warehouse Had to isolate DB server authentication information from web server Completely isolate DB server from web server, to protect the DB even if web server compromised

6 June 1, 2015 NOAATech 2006, Silver Spring, MD 6 June 1, 2015 Implementation challenge FDMS servers hosted on a single subnet Web presence a new component for FDMS project –Bad idea to have a web server on the same subnet as data servers Wed servers usually well exposed Required a rethink of FDMS subnet topology.

7 June 1, 2015 NOAATech 2006, Silver Spring, MD 7 June 1, 2015 Implementation challenge (cont.) Even if Web server hosted in a DMZ –Two tier application implies you must have db authentication information on web server –Compromise web server and you have access to the database. Potential platform incompatibilities –Data assets on a windows platform –Required to use Linux/Apache web platform Some type of messaging/middleware required

8 June 1, 2015 NOAATech 2006, Silver Spring, MD 8 June 1, 2015 Implementation Different aspects to consider: –Secure the FDMS network –Isolate high risk components from high value components –Ensure proper user authentication –Application level security –Database security –Data transport encryption

9 June 1, 2015 NOAATech 2006, Silver Spring, MD 9 June 1, 2015 Implementation Network NetScreen firewall Three separate subnets –Public: Web server –Application: Application server –Secure: Database server Deny-all policy –incoming and outgoing – with only select ports between network zones open to selected IP addresses

10 June 1, 2015 NOAATech 2006, Silver Spring, MD 10 June 1, 2015 FDMS subnet - before Database server Application server Certificate server FDMS Users Citrix connection Application access controlled by IP address user authentication FDMS subnet Citrix connection

11 June 1, 2015 NOAATech 2006, Silver Spring, MD 11 June 1, 2015 FDMS subnet after Web Application Secure Port 80 & 443 Port c Port d Web server XML Web Services App. server DB server Citrix CSG server Application access CSG server No direct access to “Secure” zone Application server

12 June 1, 2015 NOAATech 2006, Silver Spring, MD 12 June 1, 2015 Implementation: Isolate high value components from high risk components Separate functions, separate servers –Web server – tier 1 –Add an XML web services middle tier. Web services allows interoperability between Linux/Apache/PHP & Windows. Web services hosted on dedicated server –Windows Server 2003 –Web Services implemented in C#.Net –Allows efficient DB connectivity (ADO.Net) –Database server - tier 3

13 June 1, 2015 NOAATech 2006, Silver Spring, MD 13 June 1, 2015 Implementation User authentication Authentication is done against user information in database –Username, password and lab By default users have no data access

14 June 1, 2015 NOAATech 2006, Silver Spring, MD 14 June 1, 2015 Implementation: Application level security Web Server –Linux/Apache/PHP –PHP NuSOAP Library for SOAP messaging Secure web server coding practices –Input verification SQL injection not possible

15 June 1, 2015 NOAATech 2006, Silver Spring, MD 15 June 1, 2015 Implementation: Application level security XML Web Services application server –Session tokens a parameter in all web methods –Verify legitimacy of web service method invoker Valid requestor Session still valid Get user identifier –No in-line SQL for db interactions. –All application server to web server messaging using SOAP messages

16 June 1, 2015 NOAATech 2006, Silver Spring, MD 16 June 1, 2015 Implementation: Database All business rules are embedded in database Minimum permission database users DB user access defined in DB roles –Each role only has execute permission to select stored procedures Authentication User administration Data querying DB user access –Stored procedures only –No direct access to data tables

17 June 1, 2015 NOAATech 2006, Silver Spring, MD 17 June 1, 2015 Implementation Encrypted transport Web client to web server –SSL Web server to application server –SSL

18 June 1, 2015 NOAATech 2006, Silver Spring, MD 18 June 1, 2015 Implementation Server & messaging platform Web –Red Hat Linux –Apache –PHP Middleware –Windows Server 2003 Database server platform –Windows Server 2003

19 June 1, 2015 NOAATech 2006, Silver Spring, MD 19 June 1, 2015 Implementation software Middleware messaging –XML Web Services –Written in C#.Net Web –NuSOAP PHP soap library Database servers –SQL Server –Stored procedures for business rules (Transact sql)

20 June 1, 2015 NOAATech 2006, Silver Spring, MD 20 June 1, 2015 Schematic Web Application Secure Port 80 & 443 Port 1423 Port 1203 Port 80 & 443 Port 1423 Port 1203 user Web server App. Server DB Server https request XML Web service request ADO.Net DB request ADO.Net DB response XML Web service response https response

21 June 1, 2015 NOAATech 2006, Silver Spring, MD 21 June 1, 2015 Our experience Disadvantages –More network infrastructure –More server infrastructure –More software infrastructure –Performance compromise due to overhead but it’s fast anyway because CPUs are faster –PHP Web services support not mature

22 June 1, 2015 NOAATech 2006, Silver Spring, MD 22 June 1, 2015 Our experience Advantages –Hides high value db assets Isolated network environment –Effort to compromise significantly increased Two LAN zones and two firewall zones to breach –Function separation Presentation Site functionality Business rules –Development benefit –Maintenance benefit

23 June 1, 2015 NOAATech 2006, Silver Spring, MD 23 June 1, 2015 In Conclusion We have been able to secure PI Reports with this architecture. Same infrastructure and architecture will be used to develop other FDMS products.

Download ppt "1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL."

Similar presentations

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 

Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Information Technology Registry Services Security LDAP-based Attributes and Authentication.

Information Technology Registry Services Security LDAP-based Attributes and Authentication.
Web Services, SOA and Security May 11, 2009 Michael Burnett.

Web Services, SOA and Security May 11, 2009 Michael Burnett.
Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.

Slide 1 Client / Server Paradigm. Slide 2 Outline: Client / Server Paradigm Client / Server Model of Interaction Server Design Issues C/ S Points of Interaction.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System architectures Updated: November 2014.

Asper School of Business University of Manitoba Systems Analysis & Design Instructor: Bob Travica System architectures Updated: November 2014.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.

Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
The Architecture of Transaction Processing Systems

The Architecture of Transaction Processing Systems
5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.

5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.
Securing Enterprise Applications Rich Cole. Agenda Sample Enterprise Architecture Sample Enterprise Architecture Example of how University Apps uses Defense.

Securing Enterprise Applications Rich Cole. Agenda Sample Enterprise Architecture Sample Enterprise Architecture Example of how University Apps uses Defense.
Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.

Web-Enabling the Warehouse Chapter 16. Benefits of Web-Enabling a Data Warehouse Better-informed decision making Lower costs of deployment and management.

Similar presentations

Ads by Google