#8
Old 8th April 2013
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983
A holistic approach to security is required

Barti,

Some months ago, I designed and tested an infrastructure for a web application with dynamic content. Security considerations were part of the design. The server infrastructure -- web, application, load balancers, and database servers -- is designed to be geographically dispersed.

Some of the security decisions were:
  • Communication with client browsers is via HTTPS only.
  • Internet communication between servers is only via IPsec tunnels, further filtered via PF.
  • Intranet communication between servers in one location is restricted by PF, and in addition via IPsec tunnels where packets are not on independent, secure (V)LANs.
  • The webservers' PHP code resides on a read-only filesystem.
  • Remote administrative access is permitted only via two-factor authentication -- implemented with ssh(1) PKA and a required passphrase.
OpenBSD was the platform of choice, but it was not a requirement. OpenBSD's implementations of nginx(8) for web server, relayd(8) for load balancing and intra-server routing, pf(4) for packet filtering, and ipsec(4) for network encryption are easy to configure and use, but there are other OSes, and other solutions for the same problems.

Are there benefits to OpenBSD's implementations? Absolutely. For example:
  • nginx runs chrooted in /var/www and with privilege separation.
  • The application servers run php-fpm chrooted as well. Privilege separation is not needed as there is no requirement for superuser function.
Please note that privilege separation is just one component of many in this particular infrastructure. Its value? In the event of a successful attack on the nginx webserver, any arbitrary code executed in that attack will be limited to the capability of a standard user. More important to me is that the arbitrary code cannot reach beyond /var/www on the webservers, as OpenBSD's implementation chroots nginx.

Combined, the two security features protect the OS and other applications on the webserver. They do not directly protect the nginx webserver daemons. It is other choices and other infrastructure decisions made in combination that provide the level of security required for the application as a whole.
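The post above lists the decisions (HTTPS only to browsers, server-to-server traffic only inside IPsec tunnels and then filtered again by PF, ssh only for administration) without showing how PF enforces them. The following pf.conf fragment is an added example for one web server in such a design; it is not jggimi's ruleset or any project's configuration. Interface names, addresses, the peer and admin tables, and the assumption that the web tier only needs FastCGI (port 9000) to the application servers are constructed for illustration.

```pf
# Added example, not from the original post. All names and addresses below
# are constructed assumptions for one OpenBSD web server in the design.
ext_if  = "em0"               # Internet-facing interface
self    = "203.0.113.10"      # this web server's public address
app_net = "10.1.0.0/24"       # application tier reached only through the tunnels

# Remote IPsec endpoints at the other sites, and the hosts allowed to administer
table <ipsec_peers> { 198.51.100.20, 198.51.100.21 }
table <admin_hosts> { 192.0.2.5 }

set skip on lo
set block-policy drop

# Default deny in both directions on every interface, including enc0.
# Anything not explicitly passed below (cleartext to a peer, stray services) is dropped.
block log all

# Client browsers: HTTPS only, nothing on port 80.
pass in on $ext_if inet proto tcp from any to $self port 443

# Administration: ssh only from known hosts; sshd itself enforces key + passphrase.
pass in on $ext_if inet proto tcp from <admin_hosts> to $self port 22

# The only server-to-server traffic allowed in the clear is IKE (500, NAT-T 4500)
# and the ESP packets of the tunnels themselves.
pass in  on $ext_if inet proto udp from <ipsec_peers> to $self port { 500, 4500 }
pass out on $ext_if inet proto udp from $self to <ipsec_peers> port { 500, 4500 }
pass in  on $ext_if inet proto esp from <ipsec_peers> to $self
pass out on $ext_if inet proto esp from $self to <ipsec_peers>

# Decapsulated traffic is seen again on enc0, so it is filtered a second time by
# service. The ipencap rule admits the tunnel-mode outer header; the rest limit
# what may actually cross the tunnel.
pass in  on enc0 proto ipencap from <ipsec_peers> to $self keep state (if-bound)
pass out on enc0 inet proto tcp from $self to $app_net port 9000 keep state (if-bound)
pass in  on enc0 inet proto tcp from <admin_hosts> to $self port 22 keep state (if-bound)
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; the same two-layer structure (ESP/IKE on the outer interface, per-service rules on enc0) is what makes "only via IPsec tunnels, further filtered via PF" a property of the ruleset rather than of good intentions, and the intranet case in the post is the same pattern with the peer table pointing at local hosts.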