Table of Contents
- Summary
- Security in depth
- Description
- What has been left out
Summary
Today it is increasingly important to design new application architectures with security in mind, in order to reduce the attack surface and to be as efficient as possible in detecting and reacting to intrusions.
I describe here a possible secure architecture that can be implemented to protect a JEE application, and the database where its data is stored, from malicious users and external parties who want to gain access to sensitive data.
While I am not an information security expert, this paper is the result of my personal experience in designing and configuring security for JEE systems.
Security in depth
The main concept I tried to apply is to use several security layers that are independent from each other, thus providing:
- the ability to use a different set of layers, depending on the project type and environment
- the ability to detect and block intrusion attempts that have passed a more external security layer
This approach is useful when building a new application, but also when securing an existing one, which can be hardened incrementally by adding security features based on the threat and risk assessment and on budget considerations.
Description
The following figure describes the architecture and the components that are part of it. Oracle products are in red, while non-Oracle products are in blue.
The main components of the application are WebLogic Server and Oracle Database. I first require that users connect to WLS via HTTPS only and that they authenticate by providing a digital certificate (doc, blog), which is done by configuring two-way SSL and the X.509 Identity Assertion Provider.
An appropriate configuration of the WebLogic Identity Assertion Provider and Authentication Provider enables the application to obtain the user identity from the X.509 certificate and to map it to a user name stored in the user repository, here an LDAP registry. Note that the Security Provider architecture in WebLogic gives developers a lot of freedom: they can write their application against the standard Java security API (JAAS), whatever provider is used later on. (doc)
Application security is configured using the WebLogic custom roles model: developers edit the deployment descriptor to define which resources must be protected and the names of the roles that may access them, and the WebLogic administrator configures the role mapping to map users or groups to those roles. (doc)
Although the use of JPA does not by itself guarantee protection from SQL injection, it makes it easier to protect the application from this kind of attack, because queries built with bound parameters keep user input out of the statement text; the web is full of resources that help developers become familiar with these techniques.
Now we get closer to the data layer. Since we are using Oracle Database, we can configure the JDBC data source to make use of CLIENT_IDENTIFIER. In this way the JDBC driver opens a pool of connections using a pre-configured technical user and (encrypted) password, but when the application uses a connection, the driver passes the application user name to the database in the CLIENT_IDENTIFIER attribute. Oracle Database can then use it for the security and accounting operations I describe later on. (doc)
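As an added example (not the post's own code), the two points above in Java: a JPQL query built by concatenation beside its parameterised form, and an application user name propagated on a pooled connection through DBMS_SESSION.SET_IDENTIFIER, the same attribute the post's JDBC data-source configuration sets. The entity Account, its owner attribute and the DataSource ds are assumptions.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.List;
import javax.persistence.EntityManager;
import javax.sql.DataSource;

// Added illustration, not the post's own code. "Account" (with an "owner" attribute)
// is assumed to be an existing JPA entity; "ds" is the WebLogic data source (assumed).
public class SecureDataAccess {
    // Vulnerable: the caller's value is spliced into the JPQL text, so a crafted
    // value changes the query. JPA does not help when statements are concatenated.
    public static List<Account> findAccountsUnsafe(EntityManager em, String owner) {
        String jpql = "SELECT a FROM Account a WHERE a.owner = '" + owner + "'";
        return em.createQuery(jpql, Account.class).getResultList();
    }

    // Hardened: a named parameter travels as a bind value, never as statement text.
    public static List<Account> findAccounts(EntityManager em, String owner) {
        return em.createQuery("SELECT a FROM Account a WHERE a.owner = :owner", Account.class)
                 .setParameter("owner", owner)
                 .getResultList();
    }

    // Tags a pooled connection with the application user so the database sees it as
    // SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') for auditing and the EUS mapping,
    // while the physical session still belongs to the pool's technical user.
    public static <T> T withClientIdentifier(DataSource ds, String appUser,
                                             SqlWork<T> work) throws SQLException {
        try (Connection conn = ds.getConnection()) {
            try (CallableStatement cs = conn.prepareCall("{call DBMS_SESSION.SET_IDENTIFIER(?)}")) {
                cs.setString(1, appUser);
                cs.execute();
            }
            try {
                return work.run(conn);
            } finally {
                // Clear before the connection returns to the pool, otherwise the next
                // borrower's statements would be attributed to this user.
                try (CallableStatement cs = conn.prepareCall("{call DBMS_SESSION.CLEAR_IDENTIFIER}")) {
                    cs.execute();
                }
            }
        }
    }

    @FunctionalInterface
    public interface SqlWork<T> { T run(Connection c) throws SQLException; }
}
```

On the database side the value is readable as SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') and appears in the audit trail, which is what the later sections of the post build on.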
Between WebLogic and the database I set up an instance of Oracle Database Firewall (full name: Audit Vault and Database Firewall, i.e. AVDF) that inspects the SQL through its SQL grammar analysis engine. It is the administrator's choice to configure AVDF with a black list (block or alert when a statement matches the rules in the list) or a white list (block or alert when a statement does not match the rules in the list). In my opinion the white list is more secure, but it is harder to configure. AVDF also provides more filters and features; please refer to the documentation for a complete list. (doc)
The database implements a set of options in order to protect the data from inappropriate access and usage.
As the user identity is sent from the application server to the database in the CLIENT_IDENTIFIER attribute, the database is able to map it to the same user repository used by WebLogic Server. To do this it is necessary to configure Enterprise User Security.
The data can be protected from unwanted access at a very fine granularity using security labels (e.g. Top Secret, Secret, etc.) applied to each table or row that requires it. Oracle Label Security verifies that the label defined on the database object and the credentials held by the user match before delivering the data. (doc)
An additional barrier to data leakage is the ability to implement separation-of-duty rules for database users. Normally database administrators are able to see and change the data. I therefore suggest the use of Database Vault to implement preventive controls on privileged users' access to application data. (doc)
While I assume the operating system has been hardened, it is a good rule to encrypt the data at rest, i.e. on the physical media. This can be done with Oracle Transparent Data Encryption. The data is encrypted by the database engine transparently to the client, protecting the data files and the backup files from malicious access by operating system users. (doc)
What has been left out
Since I focused on a single application, e.g. a departmental application, I did not cover many important components of an enterprise architecture; here I list three of them: Access Manager, Identity Manager and User Repository.
Oracle Access Manager is used to add a perimeter access control layer that can authenticate users using multiple schemes, implement a Single Sign-On infrastructure and define coarse-grained authorization.
Oracle Identity Manager can be added to manage the lifecycle of identities and roles, regulatory compliance and auditing.
Finally, the architecture shows an LDAP user repository, but of course the implementation choice is important. Oracle's user repository is called Oracle Internet Directory.
Very interesting! Welcome Guido