Filter is a generic name for security mechanisms that attempt to intercept attack or invalid requests before a web server executes them. Filters discussed in this section include:
- Reverse Proxies
- Web Application Firewalls
- Anti-Virus Software & Intrusion Detection
Firewalls
For optimal performance and ease of implementation, ESRI recommends not separating the following ArcGIS Server components with a firewall:
- Application Development Framework (ADF)
- Server Object Manager (SOM)
- Server Object Container (SOC)
Web servers are commonly deployed within a Demilitarized Zone (DMZ) to give internal systems a layer of protection from external Internet users. Because the ADF is deployed to a web server that communicates with the ArcGIS Server components via DCOM, a common solution has been to deploy a reverse proxy web server in the DMZ that points to a web server on the internal network; that internal web server has the ADF installed and can communicate with the other ArcGIS Server components without passing through an additional firewall.
With the introduction of clients that access the REST API without the need for the ADF, placing a web server in the DMZ no longer requires configuring the firewall for DCOM communication. This is more in line with standard web server deployments and therefore may be appealing to a customer's security team.
A reverse proxy helps obscure the details of the internal network, but obscurity does not necessarily improve security. A reverse proxy provides more security benefit when it applies rules that filter out invalid requests. If customer demand is strong enough, we will look into providing reverse proxy filtering rules in this Resource Center that can help lock down ArcGIS implementations.
Reverse Proxies
As mentioned in the Firewall section, a reverse proxy is a common implementation option for customers utilizing the ArcGIS Server ADF. ESRI now provides documentation for three reverse proxy solutions:
- Apache ArcGIS Reverse Proxy Setup Instructions
- IIS 7 (Windows 2008) ArcGIS Reverse Proxy Setup Instructions
- MS ISA Server ArcGIS Reverse Proxy Setup Instructions
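The following is an added illustration, not ESRI's published setup instructions, of the DMZ reverse proxy described above combined with the kind of filtering rules a reverse proxy can apply: it forwards only the ArcGIS REST services path to the internal web server, excludes the management interface, and refuses HTTP methods the REST clients do not use. Apache httpd 2.2 syntax is assumed, and the hostnames and the /arcgis/manager path are placeholders.

```apache
# Added example: Apache 2.2 reverse proxy in the DMZ in front of an internal
# ArcGIS web server. Hostnames and the manager path are assumed placeholders.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never act as an open forward proxy; only explicit ProxyPass routes are served.
ProxyRequests Off
ProxyPreserveHost On
# Fail fast if the internal web server hangs instead of tying up DMZ workers.
ProxyTimeout 60

<VirtualHost *:80>
    ServerName gis.example.com

    # Exclusions must precede the broader ProxyPass: the administrative
    # interface (assumed path) is never forwarded from the DMZ.
    ProxyPass /arcgis/manager !

    # Forward only the ArcGIS web application path to the internal server.
    ProxyPass        /arcgis/ http://internal-gis.example.local/arcgis/
    ProxyPassReverse /arcgis/ http://internal-gis.example.local/arcgis/

    <Location /arcgis/>
        Order deny,allow
        Allow from all
        # REST and ADF clients need only GET and POST; refuse every other
        # method (TRACE, PUT, DELETE, ...) before it reaches the internal host.
        <LimitExcept GET POST>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>

    # Anything outside /arcgis/ is not proxied and is denied outright.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
    <Location /arcgis/>
        Allow from all
    </Location>
</VirtualHost>
```

Requests to the excluded manager path and to non-GET/POST methods are answered by the proxy with 403, so they never cross the internal firewall; check the proxy's error log after deployment to confirm legitimate client traffic is not being caught by the rules.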
Web Application Firewalls
Most firewalls allow traffic to pass on HTTP port 80. A Web Application Firewall (WAF) is optimized to read the web traffic on port 80 and attempts to filter out invalid requests and attacks.
- Example of a WAF protecting users from a vulnerability
- Additional details on the benefits of a WAF as a best practice
ModSecurity is a common WAF utilized by organizations, and it is compatible with using Apache as the reverse proxy. If customer demand is strong enough, we will look into providing ModSecurity WAF rules in this Resource Center that can help lock down ArcGIS implementations.
Anti-Virus
Anti-virus software should be installed on both your desktop and server systems. Period.
Anti-Virus caveats you should be aware of include:
Intrusion Detection / Prevention
Intrusion detection and prevention solutions have made great strides in reducing the management overhead caused by false-positive alerting. According to the Computer Security Institute, over 50% of organizations now utilize these types of systems to help protect their environments.