Table of Contents
- Security in depth
- What has been left out
Today it is more and more important to design new application architectures with security in mind, both to reduce the attack surface and to be as efficient as possible in detecting and reacting to intrusions.
I describe here a possible secure architecture that can be implemented to protect a JEE application, and the database where its data are stored, from malicious users and external parties who want to get access to sensitive data.
While I am not an information security expert, this paper is the result of my personal experience in designing and configuring security for JEE systems.
The main concept I tried to apply is to use several security layers that are independent of each other, thus providing:
- the ability to use a different set of layers, depending on the project type and environment
- the ability to detect and block intrusion attempts that may have passed through a more external security layer
This approach is useful when building a new application, but also when securing an existing application, which can be hardened incrementally by adding security features based on the threat and risk assessment and on budget considerations.
The following figure describes the architecture and the components that are part of it. Oracle products are in red while non-Oracle products are in blue.
The main components of the application are WebLogic Server and Oracle Database. I first require that users connect to WLS via HTTPS only and that they authenticate by presenting a digital certificate (doc, blog), which means configuring two-way SSL and X.509 identity assertion.
An appropriate configuration of the WebLogic Identity Assertion Provider and Authentication Provider enables the application to get the user identity from the X.509 certificate and map it to a user name stored in the user repository, here defined as an LDAP registry. Note that the Security Provider architecture in WebLogic gives developers a lot of freedom: they can write their application against the standard Java security APIs (JAAS), whatever provider will be used later on. (doc)
Application security is configured using the WebLogic Custom Roles model: developers modify the deployment descriptor to define which resources have to be protected and the names of the roles that can access them, while the WebLogic administrator configures the role mapping that maps users or groups to those roles. (doc)
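As an added illustration of the three steps above (not a descriptor from the original article or from any real project), the following web.xml fragment declares a protected URL space, requires a confidential transport and certificate authentication, and declares the roles the administrator will later map to LDAP users or groups. The URL pattern and the role names (clerk, auditor) are hypothetical.

```xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Everything under /secure/* is reachable only by the hypothetical
       "clerk" and "auditor" roles, and only over HTTPS. No <http-method>
       element is listed on purpose: listing only GET and POST would leave
       every other HTTP verb unconstrained. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected application pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>clerk</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authenticate with the X.509 certificate presented during two-way SSL;
       the WebLogic identity asserter maps its subject to the LDAP user. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <!-- Declare the roles used above. With the Custom Roles model the mapping
       of LDAP users and groups to these roles is done by the administrator
       in the WebLogic console, not in weblogic.xml. -->
  <security-role>
    <role-name>clerk</role-name>
  </security-role>
  <security-role>
    <role-name>auditor</role-name>
  </security-role>
</web-app>
```

Two checks worth doing after deployment: request a protected page over plain HTTP and confirm you are redirected or refused rather than served, and request it over HTTPS without a client certificate and confirm you get a 401/403 instead of the page.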
Although the use of JPA does not by itself guarantee protection from SQL injection, it makes it much easier to protect the application from such attacks, provided that queries are parameterized rather than built by concatenating user input into the query text; the web is full of resources that can help developers get familiar with these techniques.
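To make the point concrete, here is an added example (not code from the original article) showing the vulnerable pattern beside two safe ones using only standard JPA APIs. The Customer entity, its lastName field and the repository class are hypothetical.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.TypedQuery;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

/** Hypothetical entity used by the examples below. */
@Entity
class Customer {
    @Id
    private Long id;
    private String lastName;

    public Long getId() { return id; }
    public String getLastName() { return lastName; }
}

public class CustomerRepository {

    private final EntityManager em;

    public CustomerRepository(EntityManager em) {
        this.em = em;
    }

    /**
     * VULNERABLE: the user-supplied value is concatenated into the JPQL text.
     * JPA does not help here. An input such as
     *     ' OR '1'='1
     * turns the statement into
     *     ... WHERE c.lastName = '' OR '1'='1'
     * and returns every customer; nothing stops other JPQL from being
     * injected the same way.
     */
    public List<Customer> findByLastNameUnsafe(String lastName) {
        String jpql = "SELECT c FROM Customer c WHERE c.lastName = '" + lastName + "'";
        return em.createQuery(jpql, Customer.class).getResultList();
    }

    /**
     * SAFE: a named parameter is sent to the database as a bind variable.
     * The input is never parsed as part of the statement, so the payload
     * above simply matches no customer whose last name is literally
     * "' OR '1'='1".
     */
    public List<Customer> findByLastName(String lastName) {
        TypedQuery<Customer> q = em.createQuery(
                "SELECT c FROM Customer c WHERE c.lastName = :lastName", Customer.class);
        q.setParameter("lastName", lastName);
        return q.getResultList();
    }

    /**
     * SAFE: the Criteria API assembles the query from objects, so there is no
     * query string for attacker input to break out of; the value still ends
     * up as a bind variable.
     */
    public List<Customer> findByLastNameCriteria(String lastName) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<Customer> cq = cb.createQuery(Customer.class);
        Root<Customer> c = cq.from(Customer.class);
        cq.select(c).where(cb.equal(c.get("lastName"), lastName));
        return em.createQuery(cq).getResultList();
    }
}
```

Two caveats a code reviewer should keep in mind: createNativeQuery with concatenated input is exactly as vulnerable as the first method, and parts of a statement that cannot be bound (an ORDER BY column chosen by the user, for instance) must be validated against a fixed list of allowed names rather than inserted as received.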
Now we get closer to the data layer. Since we are using Oracle Database, we can configure the JDBC data source to make use of CLIENT_IDENTIFIER: the driver opens a pool of connections using a pre-configured user and (encrypted) password, but when the application uses a connection, the application user name is passed to the database in the CLIENT_IDENTIFIER attribute of the session. Oracle Database can then use it for the security and accounting operations I describe later on. (doc)
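The following added example (mine, not the article's code and not a WebLogic built-in) shows what setting the identifier looks like from application code, using the documented DBMS_SESSION package over plain JDBC, and reads the value back as the database sees it. It assumes a javax.sql.DataSource looked up from the WebLogic pool and an already-authenticated application user name; both are supplied by the caller.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/**
 * Borrows a pooled connection, stamps it with the application user's name via
 * DBMS_SESSION.SET_IDENTIFIER, and clears the identifier again before the
 * physical connection goes back to the pool.
 */
public final class IdentifiedConnection implements AutoCloseable {

    private final Connection conn;

    /**
     * @param ds      the container-managed data source (assumed to be the
     *                WebLogic pool described in the text)
     * @param appUser the authenticated principal name from the JEE container
     */
    public IdentifiedConnection(DataSource ds, String appUser) throws SQLException {
        // CLIENT_IDENTIFIER is limited to 64 bytes; refuse anything odd early.
        if (appUser == null || appUser.isEmpty() || appUser.length() > 64) {
            throw new IllegalArgumentException("invalid application user name");
        }
        this.conn = ds.getConnection();
        try (CallableStatement cs = conn.prepareCall("{call DBMS_SESSION.SET_IDENTIFIER(?)}")) {
            cs.setString(1, appUser);   // bound as a parameter, never concatenated
            cs.execute();
        } catch (SQLException e) {
            conn.close();               // do not hand out a half-configured session
            throw e;
        }
    }

    /** The underlying connection, to be used for the application's own statements. */
    public Connection get() {
        return conn;
    }

    /** Reads back what the database sees: SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER'). */
    public String currentClientIdentifier() throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                     "SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') FROM DUAL");
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    @Override
    public void close() throws SQLException {
        // A pooled physical connection keeps its session state: without this
        // call the next borrower would inherit the previous user's identity.
        try (CallableStatement cs = conn.prepareCall("{call DBMS_SESSION.CLEAR_IDENTIFIER}")) {
            cs.execute();
        } finally {
            conn.close();               // returns the connection to the pool
        }
    }

    /** Typical use from a servlet or EJB: the identifier lives for one unit of work. */
    public static String whoAmI(DataSource ds, String appUser) throws SQLException {
        try (IdentifiedConnection ic = new IdentifiedConnection(ds, appUser)) {
            return ic.currentClientIdentifier();
        }
    }
}
```

The value is only as trustworthy as the code that sets it: take appUser from the container's authenticated principal, never from a request parameter, and audit the DBMS_SESSION calls on the database side so that a session that never set an identifier stands out.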
Between WebLogic and the database I set up an instance of Oracle Database Firewall (full name: Audit Vault and Database Firewall, i.e. AVDF) that inspects the SQL through its SQL grammar analysis engine. It is the administrator's choice to configure AVDF with a black list (block or alert when a statement matches a rule in the list) or a white list (block or alert when a statement does not match any rule in the list). In my opinion the white list is more secure but harder to configure. AVDF also provides further filters and features; please refer to the documentation for a complete list. (doc)
The database implements a set of Options in order to protect the data from inappropriate access and usage.
As the user identity is sent from the application server to the database in the CLIENT_IDENTIFIER attribute, the database is able to map it to the same user repository used by WebLogic Server. To do this it is necessary to configure Enterprise User Security.
The data can be protected from unwanted access at a very fine granularity using security labels (e.g. Top Secret, Secret, etc.) applied to each table or row that requires it. Oracle Label Security verifies that the label defined on the database object and the authorization held by the user match before delivering the data. (doc)
An additional barrier against data leaks is the ability to implement Separation of Duty rules for database users. Normally database administrators are able to see and change the data. I thus suggest the use of Database Vault to implement preventive controls on privileged users' access to application data. (doc)
While I assume the operating system has been hardened, it is a good rule to encrypt the data at rest, i.e. on the physical media. This can be done with Oracle Transparent Data Encryption: the data is encrypted by the database engine transparently to the client, protecting the data files and the backup files from malicious access by operating system users. (doc)
Since I focused on a single application, e.g. a departmental application, I did not cover many important components of an enterprise architecture; here I list three of them: Access Manager, Identity Manager and the User Repository.
Oracle Access Manager is used to add a perimeter access control layer that can authenticate users with multiple schemes, implement a Single Sign-On infrastructure and define coarse-grained authorization.
Oracle Identity Manager can be added to manage the lifecycle of identities and roles, regulatory compliance and auditing.
Finally, the architecture shows an LDAP user repository, but of course the implementation choice is important. The Oracle user repository is called Oracle Internet Directory.