Monday, April 7, 2008

Bad Architecture Diagrams: N-Tier, where N is an imaginary number

N-Tier? The good news is that this design doesn't require clients!

A lot of security work is based on understanding architecture design, and how systems interact. To that end, I ask for diagrams - and I typically receive the diagrams that vendors include in their documentation. Much to my chagrin, they often look like this recent example.

What's missing here? A lot.

I normally look for:
  • Directionality of traffic - which system initiates a connection, and to which other system(s).
  • Ports and protocols - at least a destination port or range of ports, and details on which ports are TCP and which are UDP.
  • Real tiering, and the ability to separate functions - a favorite question for vendors is "in your claim of an n-tier architecture, what values of N do you mean?" Often, you'll find that the system hasn't been tested with a true 3-tier model, or that the vendor recommends a monolithic installation.
  • Administrative interfaces - How do you control the system?
I also ask about operating systems, software versions, and firewall rules.
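
The checklist above can be applied mechanically once a vendor's diagram has been transcribed into data. This Python sketch is an added example, not part of the original post; the component names, hosts, ports, tier names and field names are all constructed assumptions.

```python
# Added example: every name, host and port below is constructed for illustration.
TIER_ORDER = ["client", "web", "app", "db"]  # assumed tier names, outermost first
COMPONENTS = {  # what the vendor says runs where
    "browser": {"tier": "client", "host": "user-pc"},
    "portal": {"tier": "web", "host": "srv1"},
    "engine": {"tier": "app", "host": "srv1"},
    "store": {"tier": "db", "host": "srv2"},
}
FLOWS = [  # one entry per arrow on the diagram; None = not documented
    {"initiator": "browser", "target": "portal", "proto": "tcp", "port": 443},
    {"initiator": "portal", "target": "engine", "proto": None, "port": None},
    {"initiator": "portal", "target": "store", "proto": "tcp", "port": 1433},
    {"initiator": None, "target": "store", "proto": "udp", "port": 1434},
]
ADMIN_INTERFACES = []  # none documented

def review(components, flows, admin_interfaces):
    """Return the questions to send back to the vendor."""
    findings = []
    for i, f in enumerate(flows):
        if not f.get("initiator") or not f.get("target"):
            findings.append(f"flow {i}: direction unknown, who initiates?")
        if f.get("proto") not in ("tcp", "udp") or not f.get("port"):
            findings.append(f"flow {i}: protocol or destination port missing")
        src, dst = components.get(f.get("initiator")), components.get(f.get("target"))
        if src and dst:
            gap = abs(TIER_ORDER.index(src["tier"]) - TIER_ORDER.index(dst["tier"]))
            if gap > 1:
                findings.append(f"flow {i}: {src['tier']} reaches {dst['tier']} directly")
    if not admin_interfaces:
        findings.append("no administrative interface documented")
    return findings

def effective_n(components):
    """Count server-side tiers that are really separable: tiers sharing a host merge."""
    groups = []  # each group is (tiers, hosts); groups stay pairwise disjoint
    for c in components.values():
        if c["tier"] == "client":
            continue
        tiers, hosts = {c["tier"]}, {c["host"]}
        for g in [g for g in groups if g[0] & tiers or g[1] & hosts]:
            tiers, hosts = tiers | g[0], hosts | g[1]
            groups.remove(g)
        groups.append((tiers, hosts))
    return len(groups)

if __name__ == "__main__":
    print(f"separable tiers: {effective_n(COMPONENTS)}")
    print("\n".join(review(COMPONENTS, FLOWS, ADMIN_INTERFACES)))
```

On the constructed input, web and app share a host, so the three named server tiers collapse to two separable ones, and the undocumented arrows become explicit questions for the vendor.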

What's the worst architecture diagram you've seen recently?
