Transcript Customizing Oracle Workflow A Technical Perspective
Securing the Internet Facing E-Business Suite
John Peters JRPJR, Inc.
john.peters@jrpjr.com
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
1
• How many of you have an Internet Facing Oracle Application Module? Or Considered Buying one?
– iStore – iCustomers – iSuppliers – iSupport – iRequitment – iReceivables – Others???
• How many of you have thought about security?
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
2
What you should learn from this presentation: • General Oracle Applications Security (why this is not enough) • Various Systems Configuration Options • An Optimal Solution at This Time • External Facing eBusiness Suite Functionality Issues 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
3
General Oracle Applications Security
• Note 189367.1, 06-JAN-2005 Best Practices for Securing the E-Business Suite *** An excellent starting point *** • Covers each applications component: – SQL*Net Listener – Database – Applications Tier – eBusiness Suite – Desktop – OS 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
4
General Oracle Applications Security
• Note 189367.1, 06-JAN-2005 • But leaves many holes – Does not provide a configuration overview – Does not adequately address external eBusiness Suite modules – Just barely touches on OS Issues – Does not address user registration issues 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
5
Typical OraApps Configuration
Internal Users Only Router Applications Tier Database Tier SAN Device DB User Computers • One or more physical servers for each Tier • Typically a router between the servers and the user • Connection between users and servers is typically non-SSL HTTP:// (not HTTPS://) 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
6
Non-SSL vs SSL
For Internal Users Only • SSL encrypts communications between users and the Applications Tier • Sometimes SOX pushes this as a requirement • Possibly a 10-15% performance hit • Hardware Accelerators are available • Probably not required and overkill for internal users running on a switched network 7 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
SSL Implementation
For Internal Users Only • ‘A Guide to Understanding and Implementing SSL with Oracle Applications 11i’, Note:123718.1
• This document changes so keep up to date with it • There are issues associated with some modules which call servlets: – Configurator (even if you are not using it OM calls it for PTO Kits) – iPayment – Fix requires running a non-SSL web listener • Again SSL is probably not required for most sites 8 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
OraApps Internet Facing Configurations
• Example 1 No DMZ, Open Up Firewall • Example 2 DMZ Application Server • Example 3 DMZ Web Cache Server • Example 4 DMZ Web Cache Server Dedicated External Applications Server 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
9
Example 1: Non-DMZ Configuration (do not do this) Corporate Network Internet Corporate Firewall Router Applications Tier Database Tier SAN Device DB User Computers non-SSL Internet User Computers Drawbacks • With same ports open that internal users use, internal functionality is exposed to the internet • Without SSL between the Internet User’s Computer and Applications Tier communications can be eave’s dropped on 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
10
Example 2: DMZ Application Server Configuration DMZ Internet Corporate Network Corporate Firewall DMZ Firewall Router DMZ Applications Tier Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL Benefits • Internet Communication is done through SSL • SSL End Point is not on Internal Applications Tier • Communication between DMZ Applications Tier and DB Tier are done through SQL*net • DMZ must be compromised for a hacker to get in 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
11
Example 2: DMZ Application Server Configuration DMZ Internet Corporate Network Corporate Firewall DMZ Firewall Router DMZ Applications Tier Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL Drawbacks • DMZ Applications Tier exposes too much to a possible hacker • DMZ Applications Tier must be patched and monitored • Not currently autoconfig and ad tools supported 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
12
Example 3: DMZ Web Cache Server DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL Benefits • All the benefits of Example 2 • Ports are filtered, only http traffic between Internet and Applications Tier • Minimize software components in DMZ • Only one Applications Tier to patch • Can change URL, masking the Oracle Application URLs were http://mysite.com/OA_HTML/ URLs can be http://mysite.com/external/ 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
13
Example 3: DMZ Web Cache Server DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL Drawbacks • Applications Tier still exposes too much to a possible hacker. You can deep link to JSP pages if you know their names.
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
14
What is Web Cache
• Web Cache is a component of Oracle iAS 10G (and prior versions) • Web Cache in my example is installed without Oracle iAS 10G (standalone installation) • Minimal set of software – No Infrastructure DB – None of the other components of iAS – Perfect for a DMZ deployment • Please refer to the product documentation on OTN Oracle Application Server 10 information.
g Release 2 (10.1.2) • Please talk to your Oracle Sales Rep for licensing 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
15
What does Web Cache do?
• Web Cache sits between the users and the origin servers (Applications Tier) • Web Cache stores or caches data into memory based on rules you specify • The primary purpose is to improve performance of web sites • Our purpose is to: – Provide an SSL termination point – Change the URL’s served up – Filter the URL’s (not available yet) • Web Cache can also provide an error page should the Application Tier be down for maintenance 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
16
Example 4: DMZ Web Cache & Dedicated Apps Tier DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router External Applications Tier Internal Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL Benefits • External Applications Tier can have all of the components not required by the Internet Users removed. Thus preventing deep linking issues.
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
17
Example 4: DMZ Web Cache & Dedicated Apps Tier DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router External Applications Tier Internal Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL Drawbacks • External Applications Tier not supported by Oracle tools. You have to manually maintain this tier.
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
18
‘DMZ Reverse Proxy Server’
• Eliminates the need for Example 4’s External Application Server • WebCache Server in DMZ will filter URL’s • External Product Teams will supply URL patterns • Mitigating the “unnecessary code” problem • Described in Oracle OpenWorld Paper ‘Oracle E-Business Suite Security Management’ by George Buzsaki, VP Applications Technology Products at Oracle 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
19
Internet
My Recommendation
DMZ Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers User Computers • Go with Example 3 for now.
non-SSL SSL • You can hack the Apache web server configuration to provide some URL filtering • Keep an eye open for Oracle’s ‘DMZ Reverse Proxy Server’ filtering release 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
20
How does it work
(step 1) DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL • Internet users go to: https://mysite.com/external/login.jsp
• Connects using SSL to port 443 of the DMZ Web Cache Server on NIC 1 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
21
How does it work
(step 2) DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL • Web Cache reviews URL request to see if page/data is cached in memory • If so it serves up page/data 22 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
How does it work
(step 3) DMZ Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB User Computers non-SSL Internet User Computers SSL • Web Cache sends request out to the Application Tier (Origin Server) http://myserver.com:8000/OA_HTML/login.jsp
• Communication is through NIC 2 using non-SSL • Notice the URL changes • Application Tier responds, Web Cache relays page/data to the Internet User 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
23
Web Cache Server HW
• My recommendation is a small server like: – Dell PowerEdge 2850 or 1850 – 2 CPU server – 4GB of RAM – Dual NICs • Run Linux on this Server 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
24
Web Cache Server NIC Configuration
• Dual NIC’s allow us to configure them – One NIC Internet Facing – One NIC Application Tier Facing • We are effectively using this server to route traffic from one network to the other 25 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
Hardening the Linux OS
• Reinstall the factory installed OS • Install only the essential components – Compilers – Kernal Source – X Windows/GNOME • Install an intrusion detection product like TripWire 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
26
TripWire
Creates a database of files on your server storing information like: – Inode number – Multiple Checksums – File Size – File Permission – File Ownership • You create the Policy file describing what directories/files to track • Reports can be run periodically to tell you if something changed and are sent via email • TripWire DB and Policy Files are stored on another centralized server • This takes a while to setup and change the policy file to keep the noise to a minimum • Was an Open Source product, included on older Linux distributions • Now is commercial, www.tripwire.com
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
27
Keep Linux Patched
• OS Security issues don’t just exist for Microsoft products • Subscribe to your Linux vendor’s patching/support service • Emails will alert you when fixes are available and are tailored to your install • The automated tools for patching the OS are fairly easy to use 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
28
Don’t forget the TEST instance
DMZ PROD Internet Corporate Network Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers Internet DMZ User Computers non-SSL SSL Corporate Network TEST Corporate Firewall DMZ Web Cache DMZ Firewall Router Applications Tier Database Tier SAN Device DB Internet User Computers User Computers non-SSL SSL 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
29
Support Issues
• Down time for patching is now a bigger deal with External Users • Web Cache can serve up “System Down For Maintenance” messages to External Users, rather than no server found browser errors • What was 6am to 6pm support, now turns into 24x7 • Who do external users contact for support?
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
30
User Registration Issues
• All External Facing eBusiness Suite Applications utilize FND_USER • All of these non-company resources have accounts on your system – iStore Users – iReceivables Users – iSupplier Users – iRecruitment Users 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
31
How to know who is who
• Come up with a Userid Standard for both classes of users: – Internal Users – External Users • Internal Users
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
32
Internal vs External
• They are different • Internal and External differences – Password aging – Handling of Password reset requests – Responsibility requests – Responsibility verifications – End date • Also eBusiness Suite Record History is instantly visible and identifiable.
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
33
User Registration Page Issues
• iStore’s user registration page inserts FND_USER records – User records can not be purged – Internal and External Users are mixed together (use a convention of email address for external users) – They are routed for approval but if denied they are unusable forever – Approval process is really insufficient for most business cases 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
34
User Registration Page Issues
(cont.) • iStore’s user registration page requests the Party Number from the customer registering.
– How many customers know they are 123456 – If they enter 123465 they are linked to a completely different customer – Once incorrectly linked it is almost impossible to correct in CRM, FND_USER, TCA – FND_USER record is lost for further use 35 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
User Registration Page Issues
(cont.) • Soution: – Create a custom form and table – External userids request are stored in the custom table for review – Data is reviewed and if okay entered by internal resources into the Oracle Applications registration processes to ensure it’s accuracy • Denial of Service attacks will fill this custom table which we can delete records from. This object can be created with no redo log actions to minimize impact on archive logs if required.
07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
36
Summary
• External Facing eBusiness Suite modules bring Security issues to light • You might ask, Why do this to yourself?
• There are legitimate business reasons to use External Facing eBusiness Suite modules • Just go into them with open eyes and an understanding of what you are getting into 07/19/04 NorCal OAUG Training Day, Paper 2.4
John Peters, JRPJR, Inc.
37
Additional References
• Note:189367.1, 06-JAN-2005 Best Practices for Securing the E-Business Suite • Note:243324.1, 08-JUL-2003 Securing Oracle E-Business Suite for Internet Access by Suppliers • Note:229335.1, 19-MAY-2004 Best Practices for Securing Oracle E-Business Suite for Internet Access 07/19/04 NorCal OAUG Training Day, Paper 2.3
John Peters, JRPJR, Inc.
38
Additional Book References
• Linux Security Cookbook – by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes O'Reilly • Real World Linux Security: Intrusion
Prevention, Detection and Recovery
– by Bob Toxen Prentice Hall PTR 39 07/19/04 NorCal OAUG Training Day, Paper 2.3
John Peters, JRPJR, Inc.
• My contact information: John Peters john.peters@jrpjr.com http://www.jrpjr.com
• Additional reference papers can be found at: http:// www.norcaloaug.org
http://www.jrpjr.com
40 07/19/04 NorCal OAUG Training Day, Paper 2.3
John Peters, JRPJR, Inc.