
Securing the Internet Facing E-Business Suite
John Peters
JRPJR, Inc.
[email protected]
07/19/04 NorCal OAUG Training
Day, Paper 2.4
John Peters, JRPJR, Inc.
1
• How many of you have an Internet Facing Oracle Application Module? Or considered buying one?
– iStore
– iCustomers
– iSuppliers
– iSupport
– iRecruitment
– iReceivables
– Others???
• How many of you have thought about security?
What you should learn from this presentation:
• General Oracle Applications Security
(why this is not enough)
• Various Systems Configuration Options
• An Optimal Solution at This Time
• External Facing eBusiness Suite Functionality Issues
General Oracle Applications Security
• Note 189367.1, 06-JAN-2005
Best Practices for Securing the E-Business Suite
*** An excellent starting point ***
• Covers each Applications component:
– SQL*Net Listener
– Database
– Applications Tier
– eBusiness Suite
– Desktop
– OS
General Oracle Applications Security
• Note 189367.1, 06-JAN-2005
• But leaves many holes
– Does not provide a configuration overview
– Does not adequately address external
eBusiness Suite modules
– Just barely touches on OS Issues
– Does not address user registration issues
Typical OraApps Configuration
Internal Users Only
[Diagram: User Computers → Router → Applications Tier → Database Tier → SAN Device (DB)]
• One or more physical servers for each Tier
• Typically a router between the servers and the user
• Connection between users and servers is typically non-SSL HTTP:// (not HTTPS://)
Non-SSL vs SSL
For Internal Users Only
• SSL encrypts communications between users
and the Applications Tier
• Sometimes SOX pushes this as a requirement
• Possibly a 10-15% performance hit
• Hardware Accelerators are available
• Probably not required and overkill for internal
users running on a switched network
SSL Implementation
For Internal Users Only
• ‘A Guide to Understanding and Implementing SSL
with Oracle Applications 11i’, Note:123718.1
• This document changes so keep up to date with it
• There are issues associated with some modules
which call servlets:
– Configurator (even if you are not using it OM calls it for PTO
Kits)
– iPayment
– Fix requires running a non-SSL web listener
• Again SSL is probably not required for most sites
OraApps Internet Facing Configurations
• Example 1
No DMZ, Open Up Firewall
• Example 2
DMZ Application Server
• Example 3
DMZ Web Cache Server
• Example 4
DMZ Web Cache Server
Dedicated External Applications Server
Example 1: Non-DMZ Configuration
(do not do this)
[Diagram: Internet User Computers → Internet → Corporate Firewall → Router → Applications Tier → Database Tier → SAN Device (DB); internal User Computers on the Corporate Network; all connections non-SSL]
Drawbacks
• With the same ports open that internal users use, internal functionality is exposed to the Internet
• Without SSL between the Internet User’s computer and the Applications Tier, communications can be eavesdropped on
Example 2: DMZ Application Server Configuration
[Diagram: Internet User Computers → Internet → DMZ Firewall → DMZ Applications Tier (in the DMZ) → Corporate Firewall → Router → Applications Tier / Database Tier → SAN Device (DB) on the Corporate Network; Internet leg over SSL, internal User Computers non-SSL]
Benefits
• Internet communication is done through SSL
• SSL end point is not on the internal Applications Tier
• Communication between the DMZ Applications Tier and the DB Tier is done through SQL*Net
• The DMZ must be compromised for a hacker to get in
Example 2: DMZ Application Server Configuration (cont.)
Drawbacks
• DMZ Applications Tier exposes too much to a possible hacker
• DMZ Applications Tier must be patched and monitored
• Not currently supported by AutoConfig and the AD tools
Example 3: DMZ Web Cache Server
[Diagram: Internet User Computers → Internet → DMZ Firewall → DMZ Web Cache → Corporate Firewall → Router → Applications Tier → Database Tier → SAN Device (DB) on the Corporate Network; Internet leg over SSL, internal User Computers non-SSL]
Benefits
• All the benefits of Example 2
• Ports are filtered, only HTTP traffic between the Internet and the Applications Tier
• Minimize software components in the DMZ
• Only one Applications Tier to patch
• Can change the URL, masking the Oracle Application
URLs were: http://mysite.com/OA_HTML/
URLs can be: http://mysite.com/external/
Example 3: DMZ Web Cache Server (cont.)
Drawbacks
• Applications Tier still exposes too much to a possible hacker. You can deep link to JSP pages if you know their names.
What is Web Cache
• Web Cache is a component of Oracle iAS 10G (and
prior versions)
• Web Cache in my example is installed without Oracle iAS 10G (standalone installation)
• Minimal set of software
– No Infrastructure DB
– None of the other components of iAS
– Perfect for a DMZ deployment
• Please refer to the product documentation on OTN
Oracle Application Server 10g Release 2 (10.1.2)
• Please talk to your Oracle Sales Rep for licensing
information.
What does Web Cache do?
• Web Cache sits between the users and the origin
servers (Applications Tier)
• Web Cache stores or caches data into memory
based on rules you specify
• The primary purpose is to improve performance of
web sites
• Our purpose is to:
– Provide an SSL termination point
– Change the URLs served up
– Filter the URLs (not available yet)
• Web Cache can also provide an error page should
the Application Tier be down for maintenance
Example 4: DMZ Web Cache & Dedicated Apps Tier
[Diagram: Internet User Computers → Internet → DMZ Firewall → DMZ Web Cache → Corporate Firewall → Router → External Applications Tier and Internal Applications Tier → Database Tier → SAN Device (DB) on the Corporate Network; Internet leg over SSL, internal User Computers non-SSL]
Benefits
• The External Applications Tier can have all of the components not required by the Internet users removed, which prevents the deep-linking issue.
Example 4: DMZ Web Cache & Dedicated Apps Tier (cont.)
Drawbacks
• External Applications Tier not supported by Oracle tools. You have to manually maintain this tier.
‘DMZ Reverse Proxy Server’
• Eliminates the need for Example 4’s External
Application Server
• WebCache Server in DMZ will filter URLs
• External Product Teams will supply URL patterns
• Mitigates the “unnecessary code” problem
• Described in Oracle OpenWorld Paper
‘Oracle E-Business Suite Security Management’
by George Buzsaki, VP Applications Technology
Products at Oracle
My Recommendation
[Diagram: as Example 3 (Internet → DMZ Firewall → DMZ Web Cache → Corporate Firewall → Router → Applications Tier → Database Tier → SAN Device (DB)); Internet leg over SSL, internal User Computers non-SSL]
• Go with Example 3 for now.
• You can hack the Apache web server configuration to provide some URL filtering
• Keep an eye open for Oracle’s ‘DMZ Reverse Proxy Server’ filtering release
How does it work (step 1)
[Diagram: as Example 3; SSL from the Internet User Computers to the DMZ Web Cache]
• Internet users go to: https://mysite.com/external/login.jsp
• Connects using SSL to port 443 of the DMZ Web Cache Server on NIC 1
How does it work (step 2)
[Diagram: as Example 3; the request is held at the DMZ Web Cache]
• Web Cache reviews the URL request to see if the page/data is cached in memory
• If so it serves up the page/data
How does it work (step 3)
[Diagram: as Example 3; non-SSL from the DMZ Web Cache to the Applications Tier]
• Web Cache sends the request out to the Application Tier (Origin Server): http://myserver.com:8000/OA_HTML/login.jsp
• Communication is through NIC 2 using non-SSL
• Notice the URL changes
• Application Tier responds, Web Cache relays the page/data to the Internet User
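The URL rewrite from steps 1 to 3, combined with the URL filtering the recommendation slide wants, as an added Python illustration that is not Web Cache's or Apache's own configuration and not from the presentation: the hostnames follow the slides, while the allow-list (login.jsp from the slide plus a hypothetical catalog.jsp) and the function names are assumed.

```python
from urllib.parse import urlsplit

# Assumed values for this illustration: hostnames follow the slides, the
# allow-list is constructed (login.jsp is on the slide, catalog.jsp is hypothetical).
EXTERNAL_PREFIX = "/external/"        # what Internet users see on NIC 1
ORIGIN = "http://myserver.com:8000"   # Applications Tier reached over NIC 2
ORIGIN_PREFIX = "/OA_HTML/"           # where the JSPs really live on the origin
ALLOWED_PAGES = {"login.jsp", "catalog.jsp"}

def rewrite_external_url(url):
    """Map an Internet-facing URL to its origin URL, or return None to refuse it.

    Refusing anything not on the allow-list is the URL filtering the slides ask
    for: a deep link to some other JSP under OA_HTML never reaches the
    Applications Tier, because only listed pages under /external/ are forwarded.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":           # only SSL is accepted on the Internet side
        return None
    if not parts.path.startswith(EXTERNAL_PREFIX):
        return None                       # e.g. a direct /OA_HTML/ request
    page = parts.path[len(EXTERNAL_PREFIX):]
    # Exact match against the allow-list also defeats "../" or encoded variants:
    # "../OA_HTML/x.jsp" is simply not a listed page name.
    if page not in ALLOWED_PAGES:
        return None
    origin_url = ORIGIN + ORIGIN_PREFIX + page
    if parts.query:                       # pass the query string through unchanged
        origin_url += "?" + parts.query
    return origin_url

def filter_requests(urls):
    """Split a batch of Internet-side requests into forwarded origin URLs and refused URLs."""
    forwarded, refused = [], []
    for url in urls:
        target = rewrite_external_url(url)
        if target is None:
            refused.append(url)           # a real proxy would log this and answer 403/404
        else:
            forwarded.append(target)
    return forwarded, refused
```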
Web Cache Server HW
• My recommendation is a small server
like:
– Dell PowerEdge 2850 or 1850
– 2 CPU server
– 4GB of RAM
– Dual NICs
• Run Linux on this Server
Web Cache Server NIC Configuration
• Dual NICs allow us to configure them
– One NIC Internet Facing
– One NIC Application Tier Facing
• We are effectively using this server to
route traffic from one network to the
other
Hardening the Linux OS
• Reinstall the factory installed OS
• Install only the essential components; a proxy host does not need:
– Compilers
– Kernel Source
– X Windows/GNOME
• Install an intrusion detection product like TripWire
TripWire
• Creates a database of files on your server storing information like:
– Inode number
– Multiple Checksums
– File Size
– File Permission
– File Ownership
• You create the Policy file describing what directories/files to track
• Reports can be run periodically to tell you if something changed and are sent via email
• TripWire DB and Policy Files are stored on another centralized server
• This takes a while to set up, and to tune the policy file to keep the noise to a minimum
• Was an Open Source product, included on older Linux distributions
• Now is commercial, www.tripwire.com
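The checks the slide describes, as an added Python illustration that is not Tripwire's own code and does not use its policy-file format: here the policy is just a list of directories, the baseline is a dict you would store on the centralized server, and `demo()` runs the whole cycle on a constructed temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """The attributes the slide lists: inode, checksums, size, permissions, ownership."""
    st = os.lstat(path)
    rec = {"inode": st.st_ino, "size": st.st_size,
           "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            data = f.read()
        rec["sha1"] = hashlib.sha1(data).hexdigest()      # two independent
        rec["sha256"] = hashlib.sha256(data).hexdigest()  # checksums
    return rec

def build_baseline(policy_dirs):
    """policy_dirs plays the policy file's role; the result is the baseline DB."""
    db = {}
    for top in policy_dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                db[path] = file_record(path)
    return db

def compare(baseline, current):
    """The periodic report: files added, removed or changed (and which attributes)."""
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "changed": {}}
    for path in baseline.keys() & current.keys():
        diffs = sorted(k for k in baseline[path] if baseline[path][k] != current[path].get(k))
        if diffs:
            report["changed"][path] = diffs
    return report

def demo():
    with tempfile.TemporaryDirectory() as d:        # constructed scenario
        conf = os.path.join(d, "httpd.conf")
        with open(conf, "w") as f:
            f.write("Listen 443\n")
        before = build_baseline([d])
        with open(conf, "a") as f:                  # tamper with a tracked file
            f.write("Listen 8000\n")
        with open(os.path.join(d, "rogue.sh"), "w") as f:
            f.write("#!/bin/sh\n")                  # drop a new, untracked file
        return compare(before, build_baseline([d]))
```

The changed-file entry names exactly which attributes moved, which is what lets you tune the policy so that expected churn (log files, caches) stops generating noise.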
Keep Linux Patched
• OS Security issues don’t just exist for
Microsoft products
• Subscribe to your Linux vendor’s
patching/support service
• Emails will alert you when fixes are
available and are tailored to your install
• The automated tools for patching the
OS are fairly easy to use
Don’t forget the TEST instance
[Diagram: two parallel deployments, PROD and TEST, each with Internet User Computers → Internet → DMZ Firewall → DMZ Web Cache → Corporate Firewall → Router → Applications Tier → Database Tier → SAN Device (DB) on the Corporate Network; Internet leg over SSL, internal User Computers non-SSL]
Support Issues
• Down time for patching is now a bigger deal
with External Users
• Web Cache can serve up “System Down For
Maintenance” messages to External Users,
rather than no server found browser errors
• What was 6am to 6pm support, now turns
into 24x7
• Who do external users contact for support?
User Registration Issues
• All External Facing eBusiness Suite
Applications utilize FND_USER
• All of these non-company resources
have accounts on your system
– iStore Users
– iReceivables Users
– iSupplier Users
– iRecruitment Users
How to know who is who
• Come up with a Userid Standard for both
classes of users:
– Internal Users
– External Users
• Internal Users: <first name initial><last name> or <windows login>, e.g. jsmith
• External Users: <email address>, e.g. [email protected]
Internal vs External
• They are different
• Internal and External differences
– Password aging
– Handling of Password reset requests
– Responsibility requests
– Responsibility verifications
– End date
• Also eBusiness Suite Record History is
instantly visible and identifiable.
User Registration Page Issues
• iStore’s user registration page inserts
FND_USER records
– User records cannot be purged
– Internal and External Users are mixed together
(use a convention of email address for external users)
– They are routed for approval but if denied they
are unusable forever
– Approval process is really insufficient for most
business cases
User Registration Page Issues (cont.)
• iStore’s user registration page requests the
Party Number from the customer registering.
– How many customers know they are 123456?
– If they enter 123465 they are linked to a completely different customer
– Once incorrectly linked it is almost impossible to
correct in CRM, FND_USER, TCA
– FND_USER record is lost for further use
User Registration Page Issues (cont.)
• Solution:
– Create a custom form and table
– External userid requests are stored in the custom table for review
– Data is reviewed and, if okay, entered by internal resources into the Oracle Applications registration processes to ensure its accuracy
• Denial of Service attacks will fill this custom table, but we can simply delete records from it. The object can be created with no redo log actions to minimize the impact on archive logs if required.
Summary
• External Facing eBusiness Suite modules
bring Security issues to light
• You might ask, Why do this to yourself?
• There are legitimate business reasons to use
External Facing eBusiness Suite modules
• Just go into them with open eyes and an
understanding of what you are getting into
Additional References
• Note:189367.1, 06-JAN-2005
Best Practices for Securing the E-Business
Suite
• Note:243324.1, 08-JUL-2003
Securing Oracle E-Business Suite for Internet
Access by Suppliers
• Note:229335.1, 19-MAY-2004
Best Practices for Securing Oracle E-Business
Suite for Internet Access
Additional Book References
• Linux Security Cookbook
– by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
O'Reilly
• Real World Linux Security: Intrusion
Prevention, Detection and Recovery
– by Bob Toxen
Prentice Hall PTR
• My contact information:
John Peters
[email protected]
http://www.jrpjr.com
• Additional reference papers can be found
at:
http://www.norcaloaug.org
http://www.jrpjr.com