User authentication and Server protection

A common confusion

Dorai Ashok S A
4 min readAug 8, 2020

It is common to misunderstand adding user authentication as a way for securing the servers. While a layer of authentication can protect the web application from unauthorized users, the technology stack itself may not be protected. This results in a significantly large attack surface, depending on how deep the authentication goes into the technology stack.

In such a setup, it becomes essential to keep every part of the technology stack updated with the latest security fixes, and pray for a zero-day vulnerability not affecting you, since there will always be a delay in the release of a security fix. This approach is not practical, as it can significantly affect business and increase costs. Hence, one of several blanket solutions are usually adopted for internal web applications to keep the attack surface at a minimum.

The confusion arises with the additional steps for user authentication that improve security. Having Multi-Factor Authentication (MFA), Web Authentication (WebAuthn) or a custom solution with Web Cryptography API (WebCrypto) will not improve server-side security. They only make the authentication system more robust in identifying the user.

Some of the common solutions adopted to secure the platform and the technology stack of internal web applications are (i) creating a Virtual Private Network, (ii) requiring a TLS Client Certificate and (iii) isolating the authentication function to a separate proxy.

Virtual Private Network (VPN)

VPN has been the traditional go to technology for protecting internal resources. It works at a lower-level, the IP network, where once a device is authenticated, the device gets assigned a private IP address to access the internal resources of the organization, with the traffic between the device and the organization encrypted.

However, it can be complex to deploy and maintain, resulting in increased costs. As the web has evolved and become the dominant technology for building applications, most of an organization’s internal resources are now web applications. And, web applications can be secured with easier and simpler solutions. VPN has its place in cyber security, however it is not the best solution for web applications.

Isolated Authentication Proxy

One of the emerging trends in securing web applications, is by isolating the authentication functionality to a separate system which proxies the requests to origin servers on successful authentication and authorization. This approach reduces the attack surface. And, It is also relatively easier to maintain and secure the proxy. There are also several vendors who provide this as a service.

The downside to this approach, is a single layer of security. Once the authentication layer is breached, all internal web applications will become open to attack. Considering that user requests at the web application layer are allowed after verifying the access token, which are stored in cookie or local storage, security is defined by the confidentiality of the access token. And, it is not uncommon for web browsers to have vulnerabilities which expose cookies.

TLS Client Certificate

As the world is moving towards HTTPS, or HTTP/TLS, the TLS server certificates are the standard way of accessing a website securely. When a connection is established to the web server, it presents the TLS certificate for the web browser to verify. And, the browser uses the chain of trust to verify the certificate before sending any request to the server.

The little known fact is, the web server can also request the web browser to present a TLS certificate for it to verify, this certificate is called the client certificate. And, only on successful verification can the server process the request. This approach is also used by organizations to secure internal web applications, as it adds an additional layer of security without any overheads. However, the lack of popularity of the approach is primarily due to the difficulties in certificate management.

0th Root Secure Network — 0SNet, is a solution which uses TLS client certificate verification, along with authentication and authorization, for a triple layer security of internal web applications. It provides a certificate manager for seamless management of TLS certificates, a user manager for authentication and a role based access controls system for authorization.

Kindly check out our product at, www.0snet.com

--

--

Dorai Ashok S A
Dorai Ashok S A

Written by Dorai Ashok S A

Engineer, at heart! Founder of 0th Root. I write on topics related to Internet Architecture and Security

No responses yet