This is a topic which I’ve spent many hours on before working on with different customer sites, how can we enhance the security on our public facing web services or web sites? For me personally it was not so much on what could be done on the application or service from code perspective which was the angle but more the supporting services surrounding it and what can we use utilize to ensure a high level of security.
All services or applications from a high-level perspective has the same traffic flow. End-user initiates traffic from an browser and then, is routed to where the service is located using a certain set of protocols (Web based traffic is using TCP/HTTP, but the reason I included UDP is because Google is developing HTTP/3 which will use QUIC which is based upon UDP) Then based upon level of encryption and connection to a TCP socket port on a web server or front-end load balancer then the browser will download the code and render it for the end-user.
On each layer here there are multiple attacks that can be leveraged to bring down an application. The first one is essentially DDoS to force down an service, where we either have TCP/UDP or even ICMP based DDoS. Or where someone is decrypting TLS or SSL based communication (which ensures encrypted traffic) by leveraging a weakness in the protocol stack. Or even leveraging weaknesses in the application itself to get access to data or information inside the application.
Looking at the bottom-level and move upwards what kind of configuration or services can we use to adjust the security of our application or service? Can our service handle a DDoS attack? one of the first things to consider is how we are exposing the service, are we using a cloud service or do we require this service to have a strict SLA for availability?
The first item of the list would to look at DDoS protection mechanims or front-door solutions from Azure, AWS or GCP. For my blogpost all traffic for my website is essentially handled trough Cloudflare where they provide rate limiting, support for only secure protocols and DDoS Protection.
How can I see what kind of secure protocols my website is using? the best way to look at security on a website would be to use ssllabs.com or even better Mozilla Observatory https://observatory.mozilla.org Mozilla Observatory can also provide valuable insight on a HTTP level what kind of security mechanisms that are in place such as HSTS and also automation redirection of end-users from HTTP to HTTPS for instance.
As part of Cloudflare (which is free for a single site) since they sit between user requests and the server itself, they handle all front-end traffic and act as a proxy. Therefore they can handle TLS, Ciphers usage and support for modern protocols suchs as TLS 1.3 and HTTP/2 and they then proxy traffic to my backend webserver.
Now regardless if you use Cloudflare or not there are many ways to ensure that your webservers use only secure protocols and ciphers suites. Secondly is to not give away any information on the servers itself, so that in a recon attack any information that can be uncovered provides some insight into if you are running an old version of a non-secure web server application.
Also if your service has features such as IP Reputation or Geo Blocking you can also use this to block out unknown traffic from access your service. This is particullary useful to block out access from for instance ToR Networks as such. This is something that load balancers and NGFW vendors provide. https://docs.citrix.com/en-us/netscaler/12/reputation/ip-reputation.html
Then have a look at the application level, we have now many options to provide WAF ( Web Applicaiton Firewall ) filters and protection policies which ensure that only such as only predefined formats are allowed for instance when users are inserting information to a website or that only certain URL’s are allowed to be access from the end-user side. WAF is also easily accessable from most cloud services such as AWS, Azure and Cloudflare. This should not be mistaken as a mitigation for having a secure lifecycle management policy for your services or application.
Lastly when looking at the application and or service itself. From a development perspective I don’t have to much to say, but I tend to mention the designing principles that Microsoft uses called STRIDE as a set of guidelines when developing secure applications –> https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-getting-started