Solved

IIS in Cloud

Posted on 2015-01-27
Last Modified: 2015-02-01
https://www.cloudflare.com/resources-downloads

Referring to the (3rd party) IIS Module, is it a safe security practice to install it in a tenant's
VM in cloud environment?
Question by:sunhux
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 20 total points
Depends upon the 3rd party and what the module does. Normally I'd say that it isn't a security item.
 

Author Comment

by:sunhux
Just to elaborate further what I'm looking for:

a) in the case of Struts for Apache, we'll need to address Struts vulnerabilities from time to
     time on top of Apache's vulnerabilities.  So does this IIS module also add on this extra
     potential vulnerability that we have to address from time to time?

b) does Windows 2008 R2 and IIS patches that are released by MS affect this module?
     Any special handling needed?

c) is there any VA scanner like Nessus (or Outpos  in our case) that could scan for this
    module's vulnerability?

d) does any IIS & Windows 2008 R2 hardening affect this module in any way?
 

Author Comment

by:sunhux
In the case of plug-ins, I've seen Firefox introducing vulnerabilities.

This module appears to be F5 (load balancer) related: we do use F5 but I'm uncertain how it interacts
or what its impact on F5 is.


Some of the Firefox & IIS "plugins" related vulnerabilities that our IPS has reported:

,,,1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

,,,1001256 - Mozilla Firefox Acrobat Reader Plugin Universal Cross Site Scripting,Web Client Mozilla FireFox,2 - Normal,Medium,Prevent,Vulnerability,N/A,CVE-2007-0048,5.0,"January 17, 2008"

1004331 - Mozilla Firefox Plugin Parameter Array Dangling Pointer,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Exploit,N/A,CVE-2010-2755,10.0,"Aug 11, 2010"

1005329 - Foxit Reader Plugin For Browsers URL Processing Buffer Overflow Vulnerability, Web Client Mozilla FireFox,2 - Normal,Critical, Prevent,Vulnerability,N/A,N/A,10.0, "Feb 13, 2013"
 

Author Comment

by:sunhux
Is this module (given by the CDN provider) some sort of plugin?

Java/JRE plugins are another concern that we have to patch & apply IPS signatures from time to time.
 

Author Comment

by:sunhux
In the case of Java/Firefox & some common plugins, we can still get patches from Oracle/Firefox but
I'm concerned that if this module is not well-supported & one day has a vulnerability, there's no
vendor to produce a patch for it; if it's uncommon, our IPS products may not produce signatures for it.

If it's not a plugin nor some add-ons that will give rise to security risk, then do let me know how it's
being assessed as such so that we'll proceed to have the tenant install it

 
LVL 26

Accepted Solution

by:
Dan McFadden earned 480 total points
OK, this is not a plug-in... it is an IIS ISAPI Filter.  Here is an overview of the IIS ISAPI Filter system:

Link:  http://www.iis.net/configreference/system.webserver/isapifilters

What this 3rd party filter appears to do is to solve the issue of using IIS servers behind a Load Balancer.  The issue is that in this configuration, the c-ip (client IP) in the IIS http logs will always be the inside interface of the LB, not the actual user coming in from somewhere on the Internet.  This ISAPI Filter is a shim between the IIS base system and the IIS logging system, that allows you to extract the X-Forwarded-For header and inject it into the local IIS http logs.

Reference link:  https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

As for introducing security issues into your infrastructure, all software can introduce vulnerabilities.  It's one of the jobs a Sysadmin must attend to.  Only you can ascertain if the additional software installation is acceptable in your environment.

The ISAPI Filter is not necessary if you are using something like 3rd party analytics (Google Analytics, piwik, etc.) to track user activity on your website(s).  In this situation, you would normally turn off http logging on the site using the JavaScript based analytics.  This shim is only necessary if you are actively consuming and analyzing the IIS http logs and want to be able to see the real client IP behind the http request.

IMO, I would research the vendor/distributor of the 3rd party software to figure out how trustable they seem for your taste.  Deploy the software into a dev/test environment to ascertain the effect on the system and to see if it meets your needs and/or expectations.  After a test phase, if you and your management find the risks (if any) are acceptable, then schedule a deployment into PROD.

I've used 3rd party ISAPI Filters in the past, in production for intranet use as well as on a few relatively high volume websites.  I have used logging shims similar to what this one does and hadn't experienced any issues.  I only had to keep track of the developer's progress on the current version and keep up on updates.  I would recommend purchasing a support/maintenance contract (if it's pay-for software) in order to keep the software current, especially if it makes it into your production environment.

Dan
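
The answer above describes putting the X-Forwarded-For value into the IIS logs in place of the load balancer's address. As an added example (not part of the original answer and not the F5 filter's code), this Python code attributes each logged request to a client address and accepts the header only when the connecting c-ip is the load balancer, because any client can send X-Forwarded-For itself. The trusted range, the extra X-Forwarded-For log field and the sample log lines are constructed assumptions.

```python
import ipaddress

# Assumption: inside (SNAT) addresses of the load balancer; constructed value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed W3C-style sample; assumes X-Forwarded-For is logged as an extra field.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-Forwarded-For
2015-01-27 10:00:01 10.0.0.5 GET /default.aspx 200 203.0.113.7
2015-01-27 10:00:02 10.0.0.5 GET /login.aspx 200 127.0.0.1,+198.51.100.9
2015-01-27 10:00:03 192.0.2.44 GET /admin.aspx 403 10.0.0.5
2015-01-27 10:00:04 10.0.0.5 GET /default.aspx 200 -
"""

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def real_client_ip(c_ip, xff):
    """Pick the address to attribute a request to."""
    peer = ipaddress.ip_address(c_ip)
    if not is_trusted(peer):
        # Request did not arrive via the load balancer: the header is
        # client-supplied and must be ignored.
        return str(peer)
    candidate = peer
    # IIS writes spaces inside a field as '+'. Walk the chain right to left:
    # the rightmost entries were appended by our own proxies.
    hops = [h.strip() for h in xff.replace("+", " ").split(",")]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # "-" or malformed entry: keep the last good value
        candidate = ip
        if not is_trusted(ip):
            break  # first untrusted hop is the client; entries left of it are unverified
    return str(candidate)

def attribute_requests(log_text):
    """Return (uri, client address) for every request line in a W3C log."""
    fields, out = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            xff = row.get("X-Forwarded-For", "-")
            out.append((row["cs-uri-stem"], real_client_ip(row["c-ip"], xff)))
    return out

if __name__ == "__main__":
    for uri, ip in attribute_requests(SAMPLE_LOG):
        print(uri, ip)
```

The second sample line carries a forged leading entry (127.0.0.1) and the third is a direct connection that bypasses the load balancer; in both cases the forged value is not used.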
 

Author Comment

by:sunhux
1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,WebServer IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"
Gee, that was a very insightful response.

I personally prefer to use software developed by big players like MS n Oracle as they are seen as frequently developing patches for the likes of IIS, .Net, Java/Jre.


Curious if the IPS filter I listed earlier has any relation to this Isapi module:
 

Author Comment

by:sunhux
Sorry the formatting was out in my last post: the first 3 and a half lines were supposed to be at the bottom
 

Author Comment

by:sunhux
I recall there is a way to configure in F5 LB such that the client's source IP is logged in IIS logs: correct me if I'm wrong.  If so we won't need this Isapi filter
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 480 total points
There is a discussion about this topic in the IIS.NET forums.  Reference link below.

link:  http://blogs.iis.net/deanc/archive/2013/07/08/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs.aspx

Basically Microsoft has support for grabbing the real c-ip by utilizing a function inside ARR (Application Request Routing) to enable getting the desired c-ip into your http logs.  You'd be interested in looking at the ARR Helper.

For IIS 7/7.5 (Server 2008/2008 R2) you will need ARR 2.5.

But all of this comes back to how your infrastructure is configured.  The F5 forum has a discussion that specifically addresses the network configuration issues that lead to not seeing the origin client ip.  I would read thru the following link to get an insight to the issues and compare them to your network config.

Link:  https://devcentral.f5.com/questions/get-clientip-address-behind-loadbalancer

Dan
 

Author Comment

by:sunhux
Excellent