9.2 Gatekeeper (Service Firewall)
Protect services by validating and sanitising incoming requests in a limited environmentThis pattern is based Service Firewall by Rotem-Gal-Oz [13, p. 35] and Gatekeeper by Microsoft [160]. It can be seen as a variation of Firewall Proxy by Buschmann et al. [54].
This work adopts the newer Gatekeeper name to provide a distinction between traditional firewalls.
9.2.1 Context
A service or a resource needs to be secured from malicious requests from external clients, as a vulnerability could potentially give an attacker access to sensitive internal resources or disrupt the service.
9.2.2 Solution
This situation can be improved by deploying a gateway service to a limited, isolated environment. This service acts as an intermediary between the clients and the internal services, handling all incoming requests (see fig. 26).
The gatekeeper validates and sanitises the requests, depending on the requirements. It does not perform any additional processing. When encountering a problematic request, it can be audited and logged for later analysis.
If the gatekeeper gets breached, the environment limits the blast radius of the attack, as the internal services and resources are shielded from direct access.
9.2.3 Potential issues
The gatekeeper introduces additional complexity and latency to the system, which can decrease performance, depending on the implemented functions. It can also act as a single point of failure or bottleneck if no additional measures are taken to ensure its availability.
9.2.4 Example
ExampleEshop allows users to create accounts or post reviews. This means accepting and storing user-generated content, which can lead to security risks. To address this, the system uses gatekeeper services to validate all content entering the system. For instance, it sanitises all text to defend against XSS attacks1, or checks for known vulnerabilities in uploaded files.
It also includes a rate limiter to prevent abuse and a honeypot2. Since it exists in an isolated environment and sees only a limited number of (secured) endpoints, the gatekeeper acts as a first line of defence against attacks. This limited environment can be easily monitored and audited, so the attacker does not automatically get access to secrets or sensitive data in the event of a breach.
9.2.5 Related patterns
- This pattern can be seen as a specialisation of Offload to Gateway or Ambassador
Cross-site scripting (XSS) is a (slightly confusing) name for a type of security vulnerability that enables JavaScript injection, thereby being able to manipulate the content of a web page or access sensitive data [161]↩︎
A honeypot is a security mechanism designed to look like a vulnerable part of the system to attract attackers and log their actions [162]↩︎