Building Secure Systems with ArcGIS Server

Slides from my 2010 ESRI Developer Summit presentation on Building Secure Systems with ArcGIS Server. Discusses the MARC application and discusses vulnerabilities with long-life tokens

  1. Building Secure Apps - Dave Bouwman - http://www.flickr.com/photos/heraklit/169566548
  2. NOT Server Configuration 101
  3. Emergency Response workflow application: a multi-service "mash-up" built on the ESRI JS API + Dojo against ArcGIS Server 9.3 REST
  4. Report!
  5. Human Impacts - http://www.flickr.com/photos/pedrosimoes7/393217457
  6. Material Impacts - http://www.flickr.com/photos/kenneth_hynek/3844780152
  7. Wx Events
  8. Real-Time Wx
  9. Plume Modeling
  10. Ad-Hoc Incidents
  11. Data Catalog
  12. Layer types:
        Standard Layers        Incident Layers
        Local or Remote AGS    Local or Remote AGS
        Tiled or Dynamic       Dynamic
        Bitmap or Geometry     Geometry
        Public or Secured      Public or Secured
      All configured via admin tools.
  13. Security:
  14. Secrets
  15. Place Server Here
  16. Identity / Access
  17. LOGIN: dave  PASSWORD: ******
  18. Get Config: JS Starter Kit -> Config.json (IIS)
  19. Identity Matters
  20. Get Config: JS Starter Kit* -> Config (ASP.NET MVC)
  21. Locking up ArcGIS Server
  22. Multi-Agency: A AD, B AD, C AD
  23. Windows Authentication: AGS / IIS / AD
  24. HTTP Basic/Digest: dave ******* -> AGS / IIS / AD
  25. Token-based Authentication: Credentials -> AGS -> Token; Request + Token -> Response; Store the token
  26. Zen of Tokens - HTTP is stateless, so without tokens the credentials travel with every request: Credentials, Credentials, Credentials, Credentials, ...
  27. Zen of Tokens: dave ******* = long life, high risk
  28. Zen of Tokens: dave ******* -> T + Expiration + stuff*
  29. "HTTP Referer"
  30. Get Page Html -> Get Config -> Config + Token -> Request + Token -> Response.  WARNING! DO NOT DO THIS! WARNING!
  31. Zen of Tokens: T = dave *******
  32. Zen of Tokens - HTTP is stateless, so the token travels with every request: Token, Token, Token, Token, ...
  33. Spoofing Referer Headers 101:
      1) Set up a simple JSAPI page
      2) Configure it to force all requests through a proxy
      3) Get the PHP proxy for ArcGIS Server
      4) Change two lines
  34. proxy.php (the proxy's server list now carries the token that was exposed in the app config):
        $serverUrls = array(
            array('url' => 'http://server.arcgisonline.com/ArcGIS/rest/services/', 'matchAll' => true, 'token' => ''),
            array('url' => 'http://maps.mysite.com/ArcGIS/rest/services', 'matchAll' => true, 'token' => 'someBigUGLYlongStringThatIsYourTOKENYo')
        );
  35. proxy.php (the proxy sends whatever Referer the attacker chooses, here the one the token was issued for):
        $options = array(
            CURLOPT_URL => $targetUrl,
            CURLOPT_HEADER => false,
            CURLOPT_HTTPHEADER => array(
                'Content-Type: ' . $_SERVER['CONTENT_TYPE'],
                'Referer: ' . 'http://mysite.com/maps.html'),
            CURLOPT_RETURNTRANSFER => true
        );
  36. Zen of Tokens: exposed tokens MUST expire quickly!
  37. Hiding Tokens behind a Proxy
  38. PROXY: client sends Request -> proxy sends Credentials to AGS and gets a Token -> proxy sends Request + Token -> AGS Response -> client gets Response (client never sees Credentials or Token)
  39. Out of the Box proxy: Get Token from config file -> Add Token to URI -> Proxy Logic: Create WebRequest -> Return output stream
      <!-- serverUrl options:
           url = location of the ArcGIS Server, either specific URL or stem
           matchAll = true to forward any request beginning with the url   Not Implemented!
           token = (optional) token to include for secured service
           dynamicToken = if true, gets token dynamically with username and password stored in web.config file's appSettings section. -->
  40. PROXY++: client sends Request -> proxy sends Credentials to AGS and gets a Token -> proxy sends Request + Token -> AGS Response -> client gets Response
  41. EMSAM proxy logic: Check Authentication (cookies) -> Check server is "known" (db) -> Check if server is secured (db) -> If YES: Get credentials (config), Get Token (1 second expiry), Append Token to URI -> Create WebRequest -> Return Output stream
  42. PROXY++: client sends Request -> proxy sends Credentials to AGS and gets a Token -> proxy sends Request + Token -> AGS Response -> client gets Response
  43. https://
  44. PROXY over HTTPS: E Request D / D Response E
  45. KC AGS, KC AGS (HTTPS), KC AGS, ArcGIS Online; PROXY over HTTPS: E Request D / D Response E
  46. Check List:
      - End user does not know AGS credentials
      - No exposed tokens (spoofing)
      - Use short-term tokens (one request)
      - Limited AGS security accounts
      - All client transactions across HTTPS
      - Access to remote, secured AGS over HTTPS
      - All "easily" configured
  47. Secure!
  48. 90% increase
  49. Everything is a tradeoff. http://www.flickr.com/photos/ericmcgregor/103895441
  50. Think like a hacker.
  51. https://
  52. Questions?
  53. It's not secure until it's secure.
  54. Credentials -> Token; PROXY; Credentials -> Token; Credentials -> Token
  55. Remote AGS Service Harvesting
  56. Remote AGS; PROXY over HTTPS: E Request D / D Response E
  57. HTTP 404: Resource Not Found
  58. The best laid plans... http://www.flickr.com/photos/ericmcgregor/103895441
  59. http://attcv-agsms.esri.com/ArcGIS/rest/services/CoverageMap/MapServer/export? token=dnLqp8eAGIGdr7IZN0vSPYAqjCVMCG8P9faDPgDucR5OHgxBbBdJjqqLvjnk9B6p
  60. http://www.wireless.att.com/coverageviewer/js/com/esri/app/esriConfig.js
  61. Referer Header
  62. ArcGIS Server
  63. GIS Application: Request / Response <-> ArcGIS Server: Request / Response
  64. Geo-Enabled Web App: Request -> Web App Server -> Request -> ArcGIS Server -> Response -> Response
  65. Default: Open
  66. Dude... I'm trying to be cool here - where are the tokens??
  67. Locking the Door
  68. What's the secret?
  69. http://www.flickr.com/photos/nige_mar/4322149444
  70. Locking it up.
  71. Windows Authentication / HTTP Basic/Digest / Token-based Authentication
  72. Request -> Response
  73. Credentials -> Token; Request + Token -> Response
  74. Get Page Html -> Get Config.js -> Config + Token -> Request + Token -> Response
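Slides 29 to 36 (a Referer-bound token leaked to the browser in the app config, replayed through a proxy that sets the Referer header itself, and the conclusion that exposed tokens must expire quickly) as an added Python example. This is not code from the presentation or from ESRI: the token service is a constructed stand-in (HMAC-signed claims standing in for ArcGIS Server's opaque tokens), and the user store, secret, URLs and the `referer` / `expiration_minutes` parameter names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for an ArcGIS Server token service (not ESRI code).
# Real servers issue opaque tokens; here an HMAC-signed JSON payload plays that role.
SERVER_SECRET = b"constructed-server-secret"
USERS = {("dave", "constructed-password")}          # constructed credential store


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def generate_token(username, password, expiration_minutes, referer=None, now=None):
    """Stand-in for a generateToken call: credentials in, signed token out.
    Passing referer binds the token to that Referer value; otherwise it is a plain
    bearer token good for expiration_minutes."""
    if (username, password) not in USERS:
        raise PermissionError("invalid credentials")
    now = time.time() if now is None else now
    claims = {"u": username, "exp": now + expiration_minutes * 60, "ref": referer}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)


def check_token(token, request_referer, now=None):
    """Server-side check of ?token=... on a service request. Returns (ok, reason).
    The server can only compare the Referer string the caller chose to send."""
    now = time.time() if now is None else now
    payload_b64, sep, sig = token.partition(".")
    if not sep:
        return False, "malformed"
    payload = payload_b64.encode()
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return False, "expired"
    if claims["ref"] is not None and claims["ref"] != request_referer:
        return False, "referer mismatch"
    return True, "ok"


def referer_spoof_demo(now=0.0):
    """Slides 29-36 as three checks. The app's week-long, Referer-bound token has
    leaked to the browser (config.js); an attacker replays it an hour later."""
    app_referer = "http://mysite.com/maps.html"
    user, password = "dave", "constructed-password"
    week = 7 * 24 * 60
    leaked = generate_token(user, password, week, referer=app_referer, now=now)
    later = now + 3600
    # 1. Attacker's own page: the browser sends the attacker's Referer -> rejected.
    direct = check_token(leaked, "http://evil.example/page.html", now=later)
    # 2. Same token through proxy.php with 'Referer: http://mysite.com/maps.html'
    #    set by the proxy (slide 35) -> accepted. The Referer check is not a secret.
    spoofed = check_token(leaked, app_referer, now=later)
    # 3. Same attack against a one-minute token (slide 36) -> expired before replay.
    short = generate_token(user, password, 1, referer=app_referer, now=now)
    stale = check_token(short, app_referer, now=later)
    return {"direct": direct[1], "spoofed_referer": spoofed[1], "short_token_later": stale[1]}
```

The point the three checks make is the one on slide 36: Referer binding only filters browsers that behave, because any server-side proxy can send whatever Referer the attacker types, so the only property that actually limits a leaked token is its lifetime.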
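The Proxy++ / EMSAM pipeline of slides 37 to 46 (authenticate the app user, check that the target server is known and whether it is secured, fetch a short-lived token server-side, append it to the URI, forward the request and return the output stream) as an added Python example. The deck's proxies are PHP and ASP.NET; this is neither of them nor ESRI's proxy. The KNOWN_SERVERS table, the session store, the fake token and forward callables and the one-minute expiry are constructed for the illustration.

```python
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed proxy configuration. In the deck the "known server" list and the
# secured flag live in a database and the AGS credentials in config / web.config.
KNOWN_SERVERS = {
    "server.arcgisonline.com": {"secured": False},
    "maps.mysite.com": {"secured": True, "user": "svc_proxy", "password": "constructed"},
}
TOKEN_EXPIRY_MINUTES = 1   # the deck uses a one-second token; use the smallest value your server accepts


class ProxyError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def session_user(cookies: Dict[str, str], sessions: Dict[str, str]) -> str:
    """Step 1: the app user must be logged in (session cookie); the user never
    learns the AGS credentials the proxy holds."""
    sid = cookies.get("session")
    if sid is None or sid not in sessions:
        raise ProxyError(401, "not logged in")
    return sessions[sid]


def known_server(target: str) -> Tuple[str, dict]:
    """Step 2: only forward to servers the proxy has been told about. Match on the
    parsed hostname, not on a string prefix: a prefix test against
    "http://maps.mysite.com" would also pass "http://maps.mysite.com.evil.example/"
    and turn the proxy into an open proxy that attaches your token to anything."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ProxyError(400, "bad target url")
    host = parts.hostname.lower()
    cfg = KNOWN_SERVERS.get(host)
    if cfg is None:
        raise ProxyError(403, "server not known")
    return host, cfg


def with_token(target: str, token: str) -> str:
    """Step 3b: append the proxy's token; any token the client supplied is discarded."""
    parts = urlsplit(target)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "token"]
    query.append(("token", token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def proxy_request(target: str, cookies: Dict[str, str], sessions: Dict[str, str],
                  get_token: Callable[[str, str, str, int], str],
                  forward: Callable[[str], Tuple[int, str]]) -> Tuple[int, str]:
    """Proxy++ pipeline. get_token and forward are injected so this runs offline; in
    production both are HTTPS calls to the AGS token endpoint and the service."""
    session_user(cookies, sessions)
    host, cfg = known_server(target)
    url = target
    if cfg["secured"]:
        token = get_token(host, cfg["user"], cfg["password"], TOKEN_EXPIRY_MINUTES)
        url = with_token(target, token)
    return forward(url)          # the token is in the upstream URL only, never in the reply


def demo():
    """Constructed walk-through: four requests against fake token and service endpoints."""
    sessions = {"s1": "dave"}
    log = []

    def fake_get_token(host, user, password, minutes):
        log.append(("token", host, minutes))
        return "tok-" + host

    def fake_forward(url):
        log.append(("forward", url))
        return 200, '{"ok": true}'

    deps = (sessions, fake_get_token, fake_forward)
    out = {}
    for name, url, cookies in [
        ("anonymous", "http://maps.mysite.com/ArcGIS/rest/services/X/MapServer/export?f=json", {}),
        ("lookalike", "http://maps.mysite.com.evil.example/ArcGIS/rest/services/", {"session": "s1"}),
        ("public", "http://server.arcgisonline.com/ArcGIS/rest/services/?f=json", {"session": "s1"}),
        ("secured", "http://maps.mysite.com/ArcGIS/rest/services/X/MapServer/export?f=json&token=stale", {"session": "s1"}),
    ]:
        try:
            out[name] = proxy_request(url, cookies, *deps)[0]
        except ProxyError as err:
            out[name] = err.status
    out["log"] = log
    return out
```

Two design choices matter for the checklist on slide 46: the token is minted per request with the shortest lifetime the server allows, so even a token caught in a proxy log is worthless moments later, and the known-server check compares parsed hostnames rather than URL prefixes, which is the difference between a proxy for your servers and an open proxy that signs requests for anyone. Both `get_token` and `forward` must go over HTTPS in production (slides 43 to 45), or the credentials and tokens are simply exposed one hop further along.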
