Solved

IIS in Cloud

Posted on 2015-01-27
Last Modified: 2015-02-01
https://www.cloudflare.com/resources-downloads

Referring to the (3rd party) IIS Module, is it a safe security practice to install it in a tenant's
VM in cloud environment?
Question by:sunhux
11 Comments
 

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 20 total points
ID: 40572597
Depends upon the 3rd party and what the module does. Normally I'd say that it isn't a security item.
 

Author Comment

by:sunhux
ID: 40573200
Just to elaborate further what I'm looking for:

a) in the case of Struts for Apache, we'll need to address Struts vulnerabilities from time to
     time on top of Apache's vulnerabilities.  So does this IIS module also add on this extra
     potential vulnerability that we have to address from time to time?

b) does Windows 2008 R2 and IIS patches that are released by MS affect this module?
     Any special handling needed?

c) is there any VA scanner like Nessus (or Outpos  in our case) that could scan for this
    module's vulnerability?

d) does any IIS & Windows 2008 R2 hardening affect this module in any way?
 

Author Comment

by:sunhux
ID: 40573215
In the case of plug-ins, I've seen Firefox introducing vulnerabilities.

This module appears to be F5 (load balancer) related: we do use F5 but I'm uncertain how it interacts
with or what its impact is on F5.


Some of the Firefox & IIS "plugins" related vulnerabilities that our IPS has reported:

1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,Web Server IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"

1001256 - Mozilla Firefox Acrobat Reader Plugin Universal Cross Site Scripting,Web Client Mozilla FireFox,2 - Normal,Medium,Prevent,Vulnerability,N/A,CVE-2007-0048,5.0,"January 17, 2008"

1004331 - Mozilla Firefox Plugin Parameter Array Dangling Pointer,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Exploit,N/A,CVE-2010-2755,10.0,"Aug 11, 2010"

1005329 - Foxit Reader Plugin For Browsers URL Processing Buffer Overflow Vulnerability,Web Client Mozilla FireFox,2 - Normal,Critical,Prevent,Vulnerability,N/A,N/A,10.0,"Feb 13, 2013"

 

Author Comment

by:sunhux
ID: 40573237
Is this module (given by the CDN provider) some sort of plugin?

Java/JRE plugins are another concern that we have to patch & apply IPS signatures for from time to time.
 

Author Comment

by:sunhux
ID: 40573254
In the case of Java/Firefox & some common plugins, we can still get patches from Oracle/Firefox but
I'm concerned that if this module is not well-supported & one day has a vulnerability, there's no
vendor to produce patch for it;  if it's uncommon, our IPS products may not produce signatures for it.

If it's not a plugin nor some add-ons that will give rise to security risk, then do let me know how it's
being assessed as such so that we'll proceed to have the tenant install it
 

Accepted Solution

by:Dan McFadden
Dan McFadden earned 480 total points
ID: 40575392
OK, this is not a plug-in... it is an IIS ISAPI Filter.  Here is an overview of the IIS ISAPI Filter system:

Link:  http://www.iis.net/configreference/system.webserver/isapifilters

What this 3rd party filter appears to do is to solve the issue of using IIS servers behind a Load Balancer.  The issue is that in this configuration, the c-ip (client IP) in the IIS http logs will always be the inside interface of the LB, not the actual user coming in from somewhere on the Internet.  This ISAPI Filter is a shim between the IIS base system and the IIS logging system, that allows you to extract the X-Forwarded-For header and inject it into the local IIS http logs.

Reference link:  https://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html

As for introducing security issues into your infrastructure, all software can introduce vulnerabilities.  It's one of the jobs a Sysadmin must attend to.  Only you can ascertain if the additional software installation is acceptable in your environment.

The ISAPI Filter is not necessary if you are using something like 3rd party analytics (Google Analytics, piwik, etc.) to track user activity on your website(s).  In this situation, you would normally turn off http logging on the site using the JavaScript based analytics.  This shim is only necessary if you are actively consuming and analyzing the IIS http logs and want to be able to see the real client IP behind the http request.

IMO, I would research the vendor/distributor of the 3rd party software to figure out how trustable they seem for your taste.  Deploy the software into a dev/test environment to ascertain the effect on the system and to see if it meets your needs and/or expectations.  After a test phase, if you and your management find the risks (if any) are acceptable, then schedule a deployment into PROD.

I've used 3rd party ISAPI Filters in the past, in production for intranet use as well as on a few relatively high volume websites.  I have used logging shims similar to what this one does and hadn't experienced any issues.  I only had to keep track of the developer's progress on the current version and keep up on updates.  I would recommend purchasing a support/maintenance contract (if it's pay-for software) in order to keep the software current, especially if it makes it into your production environment.

Dan
 

Author Comment

by:sunhux
ID: 40575622
Gee, that was a very insightful response.

I personally prefer to use software developed by big players like MS and Oracle as they are seen as frequently developing patches for the likes of IIS, .Net, Java/JRE.

Curious if the IPS filter I listed earlier has any relation to this ISAPI module:

1000192 - Indexing Service ISAPI Extention Buffer Overflow Vulnerability,WebServer IIS,2 - Normal,Critical,Prevent,Vulnerability,N/A,CVE-2001-0500,10.0,"November 21, 2007"
 

Author Comment

by:sunhux
ID: 40575635
Sorry the formatting was out in my last post: the first 3 and a half lines was supposed to be at the bottom
 

Author Comment

by:sunhux
ID: 40575646
I recall there is a way to configure the F5 LB such that the client's source IP is logged in the IIS logs: correct me if I'm wrong.   If so we won't need this ISAPI filter.
 

Assisted Solution

by:Dan McFadden
Dan McFadden earned 480 total points
ID: 40577660
There is a discussion about this topic in the IIS.NET forums.  Reference link below.

link:  http://blogs.iis.net/deanc/archive/2013/07/08/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs.aspx

Basically Microsoft has support for grabbing the real c-ip by utilizing a function inside ARR (Application Request Routing) to enable getting the desired c-ip into your http logs.  You'd be interested in looking at the ARR Helper.

For IIS 7/7.5 (Server 2008/2008 R2) you will need ARR 2.5.

But all of this comes back to how your infrastructure is configured.  The F5 forum has a discussion that specifically addresses the network configuration issues that lead to not seeing the origin client ip.  I would read thru the following link to get an insight to the issues and compare them to your network config.

Link:  https://devcentral.f5.com/questions/get-clientip-address-behind-loadbalancer

Dan
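Both of Dan's answers above come down to the same mechanism: behind the F5, IIS records the load balancer's inside address as c-ip, and a shim (the vendor's ISAPI filter, the CDN provider's IIS module, or Microsoft's ARR Helper) substitutes the client address carried in the X-Forwarded-For header. The check a practitioner wants before trusting any such shim is whose header value it believes, because X-Forwarded-For is set by whoever sends the request unless the load balancer overwrites it or appends to it. The Python script below is an added example for this thread, not code from the forum, F5, Cloudflare or Microsoft: it post-processes IIS W3C log lines and takes the real client address from X-Forwarded-For only when the TCP peer is inside an assumed trusted-proxy range (10.0.0.0/24), choosing the rightmost hop that is not itself a proxy so that a client-supplied prefix is ignored. The sample log lines, the custom cs(X-Forwarded-For) field name and the proxy range are constructed assumptions.

```python
"""
Rewrite c-ip in IIS W3C extended log lines from X-Forwarded-For, trusting the
header only when the request arrived via a known load balancer.

Added example for this thread. TRUSTED_PROXIES, SAMPLE_LOG and the custom
field name cs(X-Forwarded-For) are assumptions, not values from the thread.
"""
import ipaddress
from typing import Iterable, List, Optional

# Assumed: the load balancer's inside (SNAT) addresses. Only these peers are
# allowed to vouch for an X-Forwarded-For value.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample log. IIS writes custom header fields with spaces encoded
# as '+', so a multi-hop header appears as "a,+b".
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time s-ip cs-method cs-uri-stem c-ip cs(X-Forwarded-For) sc-status",
    # via the LB: peer is the LB, header holds the real client
    "2015-01-27 10:00:00 10.0.0.5 GET /index.html 10.0.0.2 198.51.100.7 200",
    # client sent a forged header; the LB appended the address it really saw
    "2015-01-27 10:00:01 10.0.0.5 GET /admin 10.0.0.2 1.2.3.4,+198.51.100.7 403",
    # request that reached the VM directly, bypassing the LB, with a forged header
    "2015-01-27 10:00:02 10.0.0.5 GET /admin 203.0.113.9 10.0.0.1 403",
    # no header at all
    "2015-01-27 10:00:03 10.0.0.5 GET /robots.txt 10.0.0.2 - 200",
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Return the address to log as the client for one request.

    * Peer not a trusted proxy: anyone can send the header, so keep the peer.
    * Otherwise walk X-Forwarded-For from the right. Each trusted proxy
      appends the address it saw, so the rightmost non-proxy address is the
      first hop we can vouch for; anything left of it came from the client.
    * Missing, empty or unparsable header: keep the peer rather than logging
      attacker-chosen text.
    """
    if not _is_trusted(peer_ip) or not xff or xff == "-":
        return peer_ip
    hops = [h.strip() for h in xff.replace("+", " ").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_ip
    return peer_ip  # every hop was one of our own proxies


def rewrite_w3c_log(lines: Iterable[str]) -> List[str]:
    """Rewrite the c-ip column of W3C extended log lines.

    The #Fields directive defines the column layout; directive and blank lines
    pass through unchanged, as do data lines whose column count does not match.
    """
    out: List[str] = []
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            out.append(line)
            continue
        if line.startswith("#") or not line.strip():
            out.append(line)
            continue
        cols = line.split(" ")
        if "c-ip" not in fields or len(cols) != len(fields):
            out.append(line)  # unknown layout: leave it alone
            continue
        xff = None
        if "cs(X-Forwarded-For)" in fields:
            xff = cols[fields.index("cs(X-Forwarded-For)")]
        ci = fields.index("c-ip")
        cols[ci] = real_client_ip(cols[ci], xff)
        out.append(" ".join(cols))
    return out


if __name__ == "__main__":
    for rewritten in rewrite_w3c_log(SAMPLE_LOG):
        print(rewritten)
```

The same trust rule applies wherever a shim feeds the recovered address into anything security-relevant (IP allow lists, rate limiting, audit trails): if a request can reach the tenant VM without passing through the load balancer, the header on that request must be ignored, which is why the direct-hit sample line keeps its peer address and the forged prefix in the second line is discarded.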
 

Author Comment

by:sunhux
ID: 40582469
Excellent