
Given the following physical layout for a .NET web application:

  1. DB (sql server, windows) - No public route (no table access, only stored procs)

  2. Web Service DAL (iis, windows) - No public route (can be accessed by web server via port 80 and 443)

  3. Web Server (iis, windows) - Public route (only via port 80 and 443)

What type(s) / examples of attack could be used to compromise the public web server but would be blocked by the Web Service DAL? i.e. can you think of concrete attack types that the DAL stops?

Please note, I am interested only in the security aspect, not scaling / fault tolerance / performance / etc.

In my mind if the web server has been compromised using an attack over port 80/443, then the same attack would work over port 80/443 to the Web Service DAL box.

Jonno

1 Answer


You gain the ability to exclude all incoming requests (on server two - the web service layer) except those from specific IP addresses - normally only those associated with the public-facing web server.

In that configuration, attacks on server two need to be staged on server three.

It's not impossible to get control of server three, then use it to launch attacks, but it's considerably more difficult than attacking from an independent machine.

Jeff Sternal
  • @Jeff - agreed, however if we assume that the DB, resources et al are not routable from the web - only server 3 - then could we agree that the attacker must stage _any_ type of attack from server 3? Thank you very much for your input Jeff. –  Jun 16 '10 at 13:07
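The source-IP restriction the answer describes, written out as an IIS web.config fragment for the Web Service DAL site (an added example, not part of the original answer). The address 10.0.2.30 for the public web server and the 10.0.2.0/24 tier subnet are constructed; it assumes the IIS "IP and Domain Restrictions" feature is installed and the ipSecurity section is unlocked in applicationHost.config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config for the Web Service DAL site on server 2 (added example; IPs constructed) -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": every client not listed below is refused,
           so attacks against the DAL must originate from the web tier (server 3). -->
      <ipSecurity allowUnlisted="false">
        <!-- Drop any allow/deny entries inherited from applicationHost.config so the
             effective policy is exactly what is written here. -->
        <clear />
        <!-- The public-facing web server is the only permitted caller. -->
        <add ipAddress="10.0.2.30" allowed="true" />
        <!-- Loopback is useful for local health checks on the DAL box itself. -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

This restriction only covers the IIS listener, so pair it with a host firewall rule that admits TCP 80/443 from 10.0.2.30 alone; if a proxy or load balancer ever sits between the tiers, IIS will see the proxy's address, not the web server's, and the list must be revisited.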