S 5.169 System architecture of a web application

Initiation responsibility: Persons responsible for individual applications

Implementation responsibility: Administrator

Web applications generally use several IT system components, such as web servers, web application servers, and background systems. The selection of a suitable system architecture forms the basis for securely operating a web application.

When designing the system architecture of the web application and networking the IT systems involved, the following points should be taken into consideration.

Separation according to server roles

The server services of the web application (e.g. web server, application server, database server) should each be operated on separate IT systems. With this approach, if a weakness in the system of an exposed component (e.g. the web server) is exploited, the data stored on other system components (e.g. the database) is not affected by this.

Server virtualization can also be used for server role separation. If server virtualization is used, module S 3.4 Virtualization must be taken into consideration during implementation.

Limited accounts for server processes of the system components

Separate accounts should be used for the different server processes of the system components (e.g. a separate system user for the web server process). The rights of these service accounts must be restricted at operating system level so that only the resources and files of the operating system that are actually required can be accessed. This way, an attacker only has restricted rights even after successfully compromising a server process, which makes access at operating system level more difficult.

Multi-tier network architecture

The IT system components of the web application should be isolated within the security gateway in demilitarised zones (DMZ) according to the protection requirements (see S 2.73 Selecting suitable basic structures for security gateways).

The network architecture should pursue a multi-tier approach. In this, at least the following security zones should be taken into consideration:

It should not be possible to access systems in the intranet from the zones mentioned above. If, for example, a directory service is used for authentication at the web application, a separate domain on dedicated hardware should be used here, when possible.

The data traffic should be filtered by separate filter components (e.g. packet filters). In the event of high protection requirements, the filter components should be replaced or complemented by systems with filter functions at higher protocol levels (e.g. an Application Level Gateway). In this case, the Application Level Gateway should be placed in a separate security zone that accepts the users' requests upstream of the web tier systems.
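As an added illustration of the multi-tier model described above (this is example code, not part of the safeguard), the following Python check validates a proposed packet-filter rule set against an ordered chain of security zones: a flow may only reach the next inner tier, and no DMZ zone may open connections into the intranet. The zone names, ports and sample rules are assumptions constructed for the example.

```python
"""Check a proposed packet-filter rule set against a multi-tier zone model.
A flow is allowed only between adjacent tiers, and no DMZ zone may open
connections into the intranet. Zone names, ports and sample rules are
constructed for this example."""

# Ordered tiers, outermost first; the intranet is not part of the DMZ chain.
TIERS = ["internet", "alg", "web", "app", "db"]
INTRANET = "intranet"

# Services each tier exposes to the tier in front of it (constructed values).
EXPOSED_PORTS = {
    "alg": {443},   # Application Level Gateway terminates user HTTPS
    "web": {443},   # web server, only reachable via the ALG zone
    "app": {8443},  # application server
    "db": {5432},   # database server
}

def check_flow(src, dst, port):
    """Return a violation string for one (src, dst, port) rule, or None if allowed."""
    if dst == INTRANET:
        return f"{src} -> {dst}:{port}: DMZ zones must not reach the intranet"
    if src == INTRANET:
        return None  # administrative access from the intranet is out of scope here
    if src not in TIERS or dst not in TIERS:
        return f"{src} -> {dst}:{port}: unknown zone"
    if TIERS.index(dst) != TIERS.index(src) + 1:
        return f"{src} -> {dst}:{port}: only the next inner tier may be reached"
    if port not in EXPOSED_PORTS[dst]:
        return f"{src} -> {dst}:{port}: port not exposed by the {dst} tier"
    return None

def validate_ruleset(rules):
    """Return all violations found in a list of (src, dst, port) filter rules."""
    return [v for v in (check_flow(*r) for r in rules) if v]

# Constructed sample rule set: the last two rules break the model.
SAMPLE_RULES = [
    ("internet", "alg", 443),
    ("alg", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("web", "db", 5432),       # bypasses the application tier
    ("app", "intranet", 389),  # directory service located in the intranet
]

if __name__ == "__main__":
    for violation in validate_ruleset(SAMPLE_RULES):
        print(violation)
```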

Use of Web Application Firewalls

For filtering at higher protocol levels, Web Application Firewalls (WAF) can be used. Since a WAF analyses the HTTP protocol and the data transmitted using it, attack patterns can already be filtered out at the WAF at application level. This way, attempted attacks are detected early and are no longer forwarded to the web application.

Normally, filtering at a WAF can be performed in two ways.

Review questions: