Secure your iSeries Web application
Jim Mason
ebt-now
www.ebt-now.com
[email protected]
508-888-0344
ebt-now QuickWebServices
WebSphere, WebSphere Studio, WebFacing, HATS
QuickWebDefinition - FREE plan
  >> web definition, project summary, configuration, WebFacing code analysis
QuickWebApp - build
  >> fixed price, custom, complete Web app integrating iSeries apps, data, xml
  >> breaks e-business barriers: cost, risk, technical challenges, payback
QuickWebSupport - deploy
  >> implement your apps on your WebSphere or Tomcat servers
QuickWebEducation – Web-based training
  >> the best iSeries WebSphere Development Studio courses
QuickWebWorkshop - combine QuickWebApp & Skills transfer
QuickWebWorkshop – complete package
  >> CUSTOM QuickWebApp, implementation, course with ‘hands on’ labs
QuickWebSuccess on-demand seminars:
  >> QuickWebSuccess - Rapidly web-enable iSeries applications and data
visit www.ebt-now.com or email [email protected] for more
ebt-now QuickWebWorkshop
Copyright ebt-now, 2004. All rights reserved.
Secure iSeries Web Apps Agenda
Your security challenges
E-business security concepts
Security services in Java Web environments
WebSphere Express security
Sample security scenarios
Seven steps to securing your e-business solution
Resources
E-business environment
Usage models: B2X = Business to X
  o B2E (employee)
  o B2C (consumer), B2B (business)
ISP (Internet Service Provider) connects your network to the Internet
Models: query, analysis, transactions, workflow, automation
  o XML allows applications to understand data and messages in B2B!
  o Web services, RMI allow B2B integration over Web without custom networking!
E-business environment layers:
  o Applications, application services, servers, network
  o Common services reduce application work (data access, media, etc.)
  o Servers deliver services (WebSphere, WebFacing, HTTP, Domino, BizTalk, etc.)
E-business platforms (applications often distributed):
  o Browsers, client workstations, wireless, servers
Security threats
o Sniffing - others steal data, etc.
o Impersonation - others steal user IDs, passwords
o Decryption - others see your data over encrypted network
o Denial of service - flooding a server with too many requests
o Ping of death - ping indicates more data in packet than there is
o Viruses - beware WINDOWS applications and e-mail!
o Spamming - mass e-mails sent in from outside
o Theft - misusing financial applications
o Destruction - malicious destruction of software
o Others?
E-business security questions
What is my e-business environment?
What are my security threats?
What are my security goals?
What are my security compliance issues?
What are the key security concepts?
What are the e-business security layers?
What are my options for Java Web security?
What are my security implementation strategies?
How do I get started building a plan?
Security concepts
What are the key security concepts to address?
Authentication
  o Validate that a user is who he claims to be
Authorization
  o Ensure that a user has the proper authorization to resources
Privacy
  o Ensure that information is private based on authorization permissions
Integrity
  o Ensure that information is not changed unintentionally
Availability
  o Ensure the authorized resources are available
Accountability
  o Ensure that transactions DO result in expected state changes with an audit trail
Security trust models
Security trust models for Web environments allow both parties in a transaction to verify:
  o I am whom I claim to be
  o You are whom you claim to be
  o No one else can see or change the information shared between us
  o Any objects shared between us can be verified as to the source
  o You are allowed to perform selected operations only on specified objects on my system
This is critical in many scenarios: B2B supply-chain ordering, buying a product over the Web, online banking, shipment tracking, employee benefits and more.
While intuitively it may seem Web environments are inherently less secure than a traditional iSeries 5250 environment because of the additional threats, a Web application environment can be made more secure than the average iSeries environment if a company wants to make the effort.
What’s worse than finding out that the security of your iSeries applications or data has been compromised? Having them compromised and NOT finding out! Not only is it important to secure applications, data and resources in a Web environment to prevent a security breach, but it’s also important to be able to monitor and recover from any security breach.
Web app security layers
Client
  o Client certificates, signed files, certificate store, Java security
Network
  o Firewall port control, IP packet filters, NAT, DNS, DHCP, VPN, relay mail, proxy servers, SSL reverse proxy server, Kerberos authentication
TCP server
  o HTTP aliases, virtual host mappings, URL redirects, URL rewrites, IP address filters, resource authorizations, load balancers, server certificates, Kerberos authentication, user authentication, user exit APIs
Web application server
  o User authentication, user-role mappings, role authorizations, Kerberos authentication, Servlet filters.
  o With Java programming, security options include JGSS messages, JSSE, certificates, key stores, JNDI, JAAS
iSeries host server
  o Server certificates, Kerberos authentication, user authentication, object management rights, object data rights, user-group mappings, object authorization lists, security monitoring tools, data journaling, user exit APIs
Plan security by layers
Network
  o Network connections (IP)
  o Network applications (TCP)
Computer
  o PC and iSeries base security features
Middleware
  o HTTP servers, Tomcat, WebSphere, Domino, LDAP
Application
  o Java application security
Users
  o User access to systems, applications (local, remote, external)
iSeries security layers
iSeries offers security features at all layers
  o iSeries security built in to platform and middleware
  o Windows security less robust - high exposure to viruses, etc.
Application support for library, IFS systems
  o Object-level permissions granted to users, set by policy
Middleware: HTTP, Tomcat, WebSphere, other TCP servers
Network support
  o Full range of TCP, IP security controls:
  o VPN, NAT, Proxy servers, SSL and more
Users support
  o Simple policies and wizards to control security
  o Good monitoring tools for most exposures, threats
Outside security resources
o ISPs offer many services and can help implement security
o Each scenario to secure is somewhat different
o Selecting a GOOD ISP to meet your needs is critical!
o ISPs can hide IP addresses, forward mail, etc.
o ISPs can host applications: mail, Web sites, etc.
o Selecting a GOOD security consultant to help plan is key
o For iSeries, third parties offer security management software
o Powertech, Pentasafe, SkyView Partners and others
iSeries security policies
For e-business, go to level 40 for system value: QSECURITY
  o Only authorized users can get to a command entry screen, etc.
Control IFS folders with public access
Control sensitive data with private physicals, public logicals
Use iSeries logs for monitoring authentication, authorization failures and system changes
Follow backup plans for data and applications
Journal databases for recovery
Set usual controls on user ID expiration, password rules
Control library security with GRTOBJAUT, IFS security with GRTAUT
Limit user access to command entry, QShell
Network security features
Network security can be grouped in two general levels:
  o iSeries supports all of these network solutions; most are configurable via config files or through Ops Nav
Network level technologies
  o IP packet filtering
  o Network Address Translation (NAT)
  o IP Security (IPSec)
Application level technologies
  o Proxy servers
  o SOCKS servers
  o Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  o Domain Name Servers
  o Mail relays
Encryption & digital keys
Public key encryption
  o Data can be encrypted during transmission using keys and encryption schemes
  o To send an encrypted message to you, the sender encrypts the message by using your public key. When you receive it, you decrypt it by using your private key. When you wish to send a message to someone, you encrypt it by using the recipient's public key. The message can be decrypted only with the recipient's private key.
X509 Public Key Infrastructure (PKI)
  o Public-key encryption requires only two keys per participant.
  o The need for secrecy is easily met. The only thing that needs to be kept private is the private key, and since it does not need to be shared, it is less vulnerable to theft in transmission than the shared key in a private-key system.
  o Public keys can be published. This eliminates the need for prior sharing of a secret key before communication. Anyone who knows your public key can use it to send you a message that only you can read.
Signed files and Kerberos authentication
Signed files
  o Files can be “signed” with digital certificates to authenticate who the author was. The recipient uses the public key of the sender to decrypt the signature to identify who the sender was.
Kerberos authentication
  o MIT created Kerberos as a network authentication protocol. It provides strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many software tools, including open source and IBM iSeries software.
  o Kerberos uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity.
Digital certificates for authentication
A digital certificate is equivalent to an electronic ID card. It serves two purposes:
  o To establish the identity of the owner of the certificate
  o To distribute the owner's public key
Certificates provide a way of authenticating users, referred to as authentication by trusted third parties
Contents of a digital certificate
  o A certificate contains information about the owner of the certificate and the issuing CA:
  o The distinguished name (DN) of the owner. A DN is a unique identifier, a fully qualified name including not only the common name (CN) of the owner but the owner's organization and other distinguishing information.
  o The public key of the owner.
  o The date on which the certificate was issued.
  o The date on which the certificate expires.
  o The distinguished name of the issuing CA.
  o The digital signature of the issuing CA.
Authentication with certificates
Getting a certificate from a CA
  o The core idea of a certificate is that a CA takes the owner's public key, signs the public key with its own private key and returns this to the owner as a certificate.
  o www.godaddy.com and others
Using a certificate to authenticate with another party
  o When the owner distributes the certificate to another party, it signs the certificate with its private key.
  o The receiver can extract the certificate (containing the CA's signature) with the owner's public key.
  o By using the CA's public key and the CA's signature on the extracted certificate, the receiver can validate the CA's signature.
  o If it is valid, the public key used to extract the certificate is known to be good.
  o The owner's signature is then validated.
  o If the validation succeeds, the owner has successfully authenticated to the receiver.
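
The signing and validation order described on the "Signed files" and "Authentication with certificates" slides, as an added Java example that is not part of the original slides. MiniCert is a hypothetical, simplified stand-in for an X.509 certificate carrying the fields listed under "Contents of a digital certificate"; it assumes the owner signs a message sent along with the certificate, and all names, keys and messages are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.time.Instant;
import java.util.Base64;

// Added illustration (Java 16+ for records). MiniCert is a hypothetical stand-in
// for an X.509 certificate; every name and value below is constructed.
public class CertFlowDemo {
    record MiniCert(String ownerDn, byte[] ownerKey, Instant issued, Instant expires,
                    String issuerDn, byte[] caSignature) {
        /** Bytes covered by the CA signature: every field except the signature. */
        byte[] toBeSigned() {
            return String.join("\n", ownerDn, Base64.getEncoder().encodeToString(ownerKey),
                    issued.toString(), expires.toString(), issuerDn)
                    .getBytes(StandardCharsets.UTF_8);
        }
    }

    static KeyPair newKeyPair() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }

    static byte[] sign(PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(PublicKey key, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(data);
        return s.verify(sig);
    }

    /** CA side: bind the owner's DN to the owner's public key by signing both. */
    static MiniCert issue(String issuerDn, PrivateKey caKey, String ownerDn, PublicKey ownerKey,
                          Instant issued, Instant expires) throws GeneralSecurityException {
        byte[] key = ownerKey.getEncoded();
        MiniCert unsigned = new MiniCert(ownerDn, key, issued, expires, issuerDn, new byte[0]);
        return new MiniCert(ownerDn, key, issued, expires, issuerDn,
                sign(caKey, unsigned.toBeSigned()));
    }

    /** Receiver side: CA signature and validity dates first, owner's signature last. */
    static String authenticate(MiniCert cert, PublicKey trustedCaKey, byte[] message,
                               byte[] ownerSig, Instant now) throws GeneralSecurityException {
        if (!verify(trustedCaKey, cert.toBeSigned(), cert.caSignature()))
            return "REJECT: CA signature invalid";
        if (now.isBefore(cert.issued()) || now.isAfter(cert.expires()))
            return "REJECT: certificate outside validity period";
        // Only now is the public key inside the certificate known to be good.
        PublicKey ownerKey = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(cert.ownerKey()));
        if (!verify(ownerKey, message, ownerSig))
            return "REJECT: owner signature invalid";
        return "OK: authenticated " + cert.ownerDn();
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.now();
        KeyPair ca = newKeyPair(), owner = newKeyPair(), other = newKeyPair();
        MiniCert cert = issue("cn=Example CA, o=Example, c=US", ca.getPrivate(),
                "cn=Tim Jones, o=IBM, c=US", owner.getPublic(),
                now.minusSeconds(60), now.plusSeconds(3600));
        byte[] order = "PO 1001: 25 units".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(owner.getPrivate(), order);

        System.out.println("genuine:          "
                + authenticate(cert, ca.getPublic(), order, sig, now));
        byte[] altered = "PO 1001: 9999 units".getBytes(StandardCharsets.UTF_8);
        System.out.println("message altered:  "
                + authenticate(cert, ca.getPublic(), altered, sig, now));
        // A different key placed in the certificate no longer matches the CA signature.
        MiniCert swapped = new MiniCert(cert.ownerDn(), other.getPublic().getEncoded(),
                cert.issued(), cert.expires(), cert.issuerDn(), cert.caSignature());
        System.out.println("key swapped:      " + authenticate(swapped, ca.getPublic(),
                order, sign(other.getPrivate(), order), now));
        System.out.println("expired:          "
                + authenticate(cert, ca.getPublic(), order, sig, now.plusSeconds(7200)));
        System.out.println("untrusted issuer: "
                + authenticate(cert, other.getPublic(), order, sig, now));
    }
}
```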
TCP addressing, DNS
TCP addresses
  o Old format 4b field (255.255.255.1) defined four classes of domains (A, B, C, D)
  o Range of addresses reserved for private networks (10.x.x.x, 172.16.x.x, 192.168.x.x)
  o New format 6b field (IP6)
DHCP - Dynamic Host Configuration Protocol
  o Any computer (host in TCP terms) can have a fixed address
  o Using a dynamic address allows a few addresses to be shared by many computers
  o Client configures address as DHCP; DHCP server assigns temporary address
DNS - Domain Naming Service
  o Addresses mapped to meaningful names (e.g. Masonlt3 = 10.0.0.9)
  o Applications can use name vs. address
  o Names defined locally in hosts file OR in a DNS server
  o If using a DNS server, a client can specify a name and server finds address
LDAP Directory servers
  o This is a standard API defining the interface to standard directory services. Directories are often used to store information on authentication (user IDs and certificates) and authorization (who can access what) in a central location on a network. Setting up and using a central directory for all users and applications eliminates the need to do redundant administration on multiple servers in your network (iSeries, Windows, Linux and so on).
  o The versions of all common directory servers today support the LDAP version 3 standard interface. Products, tools and applications that access directory information using the LDAP interface only are, therefore, portable across any common directory implementation. The iSeries provides a built-in LDAP server at no charge. IBM also sells other directory servers (Secureway) that you can buy for an iSeries.
  o Common directory servers in use in iSeries shops include the iSeries LDAP server, OpenLDAP, Domino directory and Microsoft Active Directory.
  o If you don’t use an LDAP directory for this information you are probably storing the user and application security rules in a standard database like many green-screen applications did.
Domain Name Server
Domain Name Servers help build a secure network.
  o Enable client to determine the IP address associated with host name (Masonlt3 = 10.1.1.9)
  o Domain name trees typically reflect the organization structure of a company.
DNS Threats
  o Because it is UDP-based, DNS replies are relatively easy to fake.
  o DNS can be used by an attacker to find out the client’s names and IP addresses.
Split DNS limits exposure using two DNS servers
  o The internal DNS for secure and private host names and the external one for public names.
  o The external DNS is the only one visible from the Internet.
  o Only some hosts need to be known by Internet systems: the e-mail relay, the public WWW servers, the external name server itself, others in DMZ.
  o You only need a public DNS server to advertise your public servers.
  o You can use the ISP as the primary public DNS and mail exchanger for your company.
In summary, the objectives of the split DNS function:
  o Internet domain name and address resolution for users in the secure network.
  o Hide the secure network names and addresses from outside users.
  o Name and address resolution for your public Web servers in the DMZ
Firewalls, DMZ
Firewall - iSeries can operate as a firewall
  o Most companies use a firewall to connect an internal network safely to the Internet.
  o A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network.
  o The firewall lets users in your internal network use authorized resources on the outside network and prevents unauthorized outside users from using resources on your internal network.
DMZ - area between public network and private network
  o Sits between the Internet and the private network
  o Controls access to the private network
  o For simple configurations, ISP may provide basic security services to your firewall server creating a limited DMZ
IP Filters
IP packet filters
  o An IP packet filter discards denied traffic.
  o A packet filter has a set of rules with actions.
  o Every packet is compared against the filter rules, from top to bottom.
  o At the first match, the action in the matching filter rule (permit or deny) is taken.
  o Most packet filters permit or deny packets based on the following:
      · Source and destination IP addresses
      · Protocol, such as TCP, UDP or ICMP
      · Source and destination ports and ICMP types and codes
      · Flags in the TCP header (whether a packet is a connect request, etc.)
      · Direction (inbound or outbound)
      · Which physical interface the packet is traversing
  o All packet filters share a problem -- the trust is based on IP addresses.
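
The top-to-bottom, first-match evaluation described above, as an added Java example that is not part of the original slides. The rule model is hypothetical (it is not OS/400 packet-rule syntax), it assumes a packet matching no rule is denied, and all rules and addresses are constructed.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration (Java 16+ for records). The rule model is hypothetical and
// is not OS/400 packet-rule syntax; all rules and addresses are constructed.
public class PacketFilterDemo {
    enum Action { PERMIT, DENY }
    enum Direction { INBOUND, OUTBOUND }

    /** One filter rule. "*" for protocol or CIDR and -1 for port mean "any". */
    record Rule(String name, Action action, Direction dir, String proto,
                String srcCidr, String dstCidr, int dstPort) {}

    /** Header fields only: the filter never sees who actually sent the packet. */
    record Packet(Direction dir, String proto, String src, String dst, int dstPort) {}

    static int toInt(String ip) {
        String[] p = ip.split("\\.");
        return (Integer.parseInt(p[0]) << 24) | (Integer.parseInt(p[1]) << 16)
             | (Integer.parseInt(p[2]) << 8) | Integer.parseInt(p[3]);
    }

    static boolean inCidr(String ip, String cidr) {
        if (cidr.equals("*")) return true;
        String[] parts = cidr.split("/");
        int bits = Integer.parseInt(parts[1]);
        int mask = bits == 0 ? 0 : -1 << (32 - bits);
        return (toInt(ip) & mask) == (toInt(parts[0]) & mask);
    }

    static boolean matches(Rule r, Packet p) {
        return r.dir() == p.dir()
            && (r.proto().equals("*") || r.proto().equals(p.proto()))
            && inCidr(p.src(), r.srcCidr())
            && inCidr(p.dst(), r.dstCidr())
            && (r.dstPort() == -1 || r.dstPort() == p.dstPort());
    }

    /** Top to bottom, first match decides. Assumption: no match means deny. */
    static String evaluate(List<Rule> rules, Packet p) {
        for (Rule r : rules) {
            if (matches(r, p)) return r.action() + " by rule '" + r.name() + "'";
        }
        return "DENY by implicit default";
    }

    public static void main(String[] args) {
        List<Rule> rules = List.of(
            new Rule("no-partner-telnet", Action.DENY, Direction.INBOUND, "tcp",
                     "198.51.100.0/24", "*", 23),
            new Rule("public-https", Action.PERMIT, Direction.INBOUND, "tcp",
                     "*", "192.0.2.10/32", 443),
            new Rule("partner-to-dmz", Action.PERMIT, Direction.INBOUND, "tcp",
                     "198.51.100.0/24", "192.0.2.0/24", -1));

        List<Packet> packets = List.of(
            new Packet(Direction.INBOUND, "tcp", "203.0.113.5", "192.0.2.10", 443),
            new Packet(Direction.INBOUND, "tcp", "198.51.100.7", "192.0.2.20", 23),
            // Decided purely on the source address carried in the header.
            new Packet(Direction.INBOUND, "tcp", "198.51.100.7", "192.0.2.20", 8080),
            new Packet(Direction.INBOUND, "udp", "203.0.113.5", "192.0.2.10", 53));

        for (Packet p : packets) System.out.println(p + " -> " + evaluate(rules, p));

        // Ordering mistake: the broad permit placed first shadows the telnet deny.
        List<Rule> misordered = new ArrayList<>(rules);
        misordered.add(0, misordered.remove(2));
        System.out.println("misordered: " + evaluate(misordered, packets.get(1)));
    }
}
```

The last line of output is the one to review in a real rule set: a broad permit placed above a narrower deny silently disables the deny.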
Network Address Translation
NAT - Network Address Translation
  o Translates internal or private IP addresses to public or globally routable IP addresses.
Some advantages of NAT:
  o Saves public IP addresses (the pool of global addresses can be shared).
  o Hides the internal network's IP addresses.
  o Simplifies routing. Hosts accessed from public network addresses translated by NAT.
  o If an application uses the global IP address in the application, it won't work through NAT.
  o Is more efficient than SOCKS and proxy servers.
Some disadvantages of NAT:
  o Provides minimum logging services.
  o IP forwarding must be enabled.
  o Not as adept as either the SOCKS or proxy servers in detecting attacks.
  o Breaks some applications (FTP) or makes them harder to run.
IPSec and VPN
IPSec and VPN (virtual private networking)
  o VPN is an extension of a company's private intranet across a public network infrastructure such as the Internet. It is based on creating virtual secure tunnels between hosts connected to the public network.
  o To participate in a secure tunnel or VPN connection, the VPN partners or tunnel end points must implement a compatible suite of VPN protocols (iSeries to iSeries, iSeries to Windows 2000, NT and later).
IPSec protocols:
  o Authentication Header (AH): data origin authentication, integrity and replay protection.
  o Encapsulating Security Payload (ESP): data confidentiality, data origin authentication, data integrity, and replay protection.
  o Internet Key Exchange (IKE): automatic key management.
  o Authentication, encryption, and integrity algorithms heavily depend on secret keys that the VPN partners share.
Proxy servers
Proxy server: Protecting direct access
  o Proxy servers are deployed for two key purposes: security and performance.
  o Proxy servers can monitor and filter inbound and outbound requests, or act as a single point of access for communications with untrusted networks.
  o Proxy servers can improve HTTP response times by serving documents from a local cache.
Forward proxy
  o A forward proxy fetches from another server, allowing clients to reach a network to which they wouldn't otherwise have access.
Reverse proxy and proxy chaining
  o Two other forms of proxy support are available with the HTTP Server (powered by Apache).
  o One is reverse proxy, which is the same as a forward proxy, except that requests from outside of the firewall to the proxy are allowed.
  o The other is proxy chaining, which requires two or more proxy servers and can be used to balance server workloads or network traffic.
SOCKS server
  o A SOCKS server is another TCP/IP application that re-sends requests and responses between clients and servers. The SOCKS server handles all (HTTP, Telnet, FTP and so on) protocols.
  o The purpose of the SOCKS server is the same as a proxy: to break the TCP/IP connection and hide internal network information.
  o Client must be SOCKS-enabled, that is, it must support the SOCKS protocol. Some applications (such as popular Web browsers) support SOCKS.
  o There are some products such as Hummingbird SOCKS that “socksify” the Microsoft TCP/IP stack.
  o There are also some systems (such as OS/400) that support a SOCKS client in their TCP/IP protocol stack (versatile clients) so that all client applications can use a SOCKS server. The client configuration gives the name of the SOCKS server to use and rules for when it should be used.
  o SOCKS servers have no knowledge of the application protocol that they are using. They don't distinguish Telnet from HTTP. As a result, they can be written in a more efficient manner than a proxy. The down side is that they can't perform such tasks as caching or logging URLs that are accessed.
SSL – Secure Sockets Layer
SSL (now TLS) protocol provides privacy over the Internet.
SSL-enabled client and server applications prevent eavesdropping, tampering or message forgery.
These protocols provide encryption, integrity and authentication.
TLS includes some new features and clarifications of protocol flows for areas ill-defined by the SSL protocol definition.
The SSL/TLS protocol consists of two separate protocols: the record protocol and the handshake.
SSL handshake establishes an SSL session on TCP/IP for a client and a server application.
During the handshake, the client and server agree on encryption algorithms and the encryption keys.
The client will authenticate and verify the identity of the server.
The server can optionally authenticate and verify the identity of the client.
After the SSL handshake, information exchanged between the client and server is encrypted.
SSL negotiates unique encryption keys for each SSL session between a client and a server.
During the SSL handshake, the server sends a digital certificate to the client.
Digital certificates provide information that enables the client and server to identify each other.
Digital certificates are issued by trusted third parties called certificate authorities.
An SSL client must trust the certificate authority that issued the server's certificate to communicate.
Mail relay server
  o iSeries SMTP can be local mail server (local Mail Transfer Agent (MTA)), a mail relay, or both.
  o Mail sent from user mail queue through mail transfer agents to user mailbox
  o Relays mail between the internal mail server and Internet mail servers.
  o iSeries (post office protocol (POP) 3 server) stores the mail for user retrieval.
  o Spam - if relay allows, outside mail sender sends many mail pieces through relay
Summary for the flow of mail from the sender to the receiver using SMTP:
  o User [email protected] sends an e-mail from her PC client Netscape mail to user [email protected].
  o The Mail User Agent (MUA) program in the mail application is invoked.
  o The MUA passes the mail to the Mail Delivery Agent (MDA).
  o MDA transfers it to the local Message Transfer Agent (MTA) for delivery.
  o The local MTA client in mycompany.com sends the mail to the company's mail relay MTA.
  o The mail relay in mycompany.com sends the mail to the mail relay MTA in yourcompany.com.
  o The mail relay MTA in yourcompany.com passes the mail to the local MTA in the SMTP server.
  o The local MTA at yourcompany.com delivers the mail to the receiver's mail box.
VPN or SSL?
Running services over SSL provides encryption and, therefore, confidentiality.
Data and passwords do not flow in the clear.
Only a few clients and servers provide SSL client authentication. If valid iSeries user IDs
and passwords were compromised, they can be used to remotely access your SSL servers.
Secure Sockets Layer (SSL) is in the transport layer (TCP/UDP) and requires changes for
applications. Only those TCP/IP server and client applications written to SSL can use this
protocol.
IPSec (for iSeries VPN support) is implemented in the network layer (IP) of the TCP/IP
stack.
Network-layer security protocols protect the upper-layer application without requiring
modification of the upper-layer applications that use the secure tunnel.
Once a host supports IPSec, all TCP/IP applications are protected without any changes to
the application. This provides the virtual network view of the interconnected VPN hosts.
SSL offers more granularity than VPN. With SSL, you can decide to protect only some
applications while VPN protects all the traffic between the data endpoints.
When client authentication is supported, SSL authenticates each application with different
digital certificates or even the same application (for example HTTP server) with different
certificates depending on the server requirements.
VPN authenticates the VPN server.
Single sign-on
  o The goal for single sign-on is to let a user authenticate only once to your network and then access multiple applications on different servers without signing on again in the session.
  o In a single sign-on environment a user (client) connects to a company’s network and receives an authentication challenge. After successfully logging on to the network, the client is associated with a special Kerberos digital ticket for the duration of the session.
  o With Kerberos, when a user requests access to an application on a secured server (say Order Entry on an iSeries), the user’s identity is checked in a central directory to see if he has a valid ID for the requested server. If the ID is found for the user, the digital ticket for that server is retrieved and passed automatically to the iSeries server. The server authenticates the ticket. If it’s validated, the user is given access to the Order Entry application on the iSeries.
Java Web application security APIs
JNDI – Java Networking and Directory Interface
  o JNDI provides application access to any LDAP-compliant directory in your network. Your application looks up a resource by name in the LDAP directory.
JCE – Java Cryptography Extensions
  o Encryption algorithms let you encrypt or decrypt messages using any of the supported algorithms in the JCE (Java Cryptography Extensions): RSA, DES, IDEA, MAC and more.
JGSS – Java Generic Security Services
  o JGSS provides secure messaging between applications using Kerberos V5 authentication and encryption algorithms.
JSSE – Java Secure Sockets Extensions
  o The secure sockets support allows a Java application to directly use SSL/TLS encryption over a TCP socket. I’m writing an application for a company to check credit automatically over a secure Internet connection. Normally, you’d use TCP applications that do this automatically. Sometimes, you must write an application to do this using this package.
JAAS – Java Authentication and Authorization
  o This Java package enables an application to authenticate users and grant authorization to resources. Web application servers such as WebSphere have administration tools that use this support to set up users, groups, roles and authorizations to resources.
JCP – Java Certification Path
  o Java applications can build and validate certification paths (chains) on certificates. There is support for key stores and certificate stores to manage keys and certificates. In the latest release (J2SE v1.4.2), applications can build and analyze certification paths for a certificate.
Middleware security features
Dependent on middleware products:
LDAP server - Local Directory Access Protocol
  o Directory server built in to iSeries for application objects, users
Apache Http Server
  o IBM Apache HTTP server supporting WebSphere, Tomcat
WebSphere
  o IBM J2EE application server for Java Web apps (multiple versions)
Domino
  o Application server for document Web serving, Notes apps
Tomcat
  o Open source J2EE application server for Java Web apps
  o Included free with IBM Apache HTTP server
WebSphere Express runtime
  o Web app servers provide J2EE middle tier 2 support
  o Web applications run in Web container, EJB applications in EJB container
  o Web components = servlets, JSPs, Java beans and other resources in WAR files
[Figure: tiered runtime diagram. Tier 1: browser, wireless, app client. HTTP Server. Tier 2: Web application server (servlets - control, JSP output pages, Java beans logic, data). Tier 3: 5250 apps, server apps, data. Enterprise Java Bean container.]
WebSphere Express v6 features
Server Feature                    Supports
Web server plug-in                Lets WebSphere receive requests for web pages, servlets, JSPs and EJB from an Http server
Application server                Runs apps that are servlets, JSPs or Enterprise Java Beans. Manages configurations, directories and security. Track user web sessions, objects
Servlets                          Servlet 2.2: Run servlets, search, load classes
JSP (Java Server Pages)           JSP 1.1: dynamically compiling and loading JSPs as servlets.
XML                               XML docs -- a parser, translator and generator
Connection Manager                Manage database & services connections
Web services                      Supports WSDL, SOAP, UDDI services to create, publish, run web services
Application messaging             JMS application messages by queue or topic
EJB - Enterprise Java Beans       EJBs - Entity, Session and Message Driven bean
WebSphere Admin Server Manager    Admin server to run application servers. -- Java console interface or browser interface
LDAP features
  o The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs over Transmission Control Protocol/Internet Protocol (TCP/IP).
  o LDAP is a directory service with descriptive, attribute-based information.
  o The LDAP directory service model is based on entries (also referred to as objects). Each entry consists of one or more attributes, such as a name or address, and a type.
  o Types are mnemonic strings, such as cn for common name or mail for e-mail address
  o Directory Services, the files are located at /QIBM/UserData/OS400/DirSrv.
  o Distinguished names are ordered, e.g. cn=Tim Jones, o=IBM, c=US (o = organization, c = class and cn = common name above).
  o Relative Distinguished Name (RDN) of the entry. The entry above a given RDN is called its parent Distinguished Name. For example, cn=Tim Jones names the entry, so it is the RDN. o=IBM, c=US is the parent DN for cn=Tim Jones.
  o Can import, export entries in ldif format using QShell or use Ops Nav
ebt-now QuickWebWorkshop
Copyright ebt-now, 2004. All rights reserved.
WebSphere security features
WebSphere (WAS) features
o IBM's family of WebSphere servers are J2EE-compliant Web application servers.
o WebSphere version 5 has three iSeries versions: Express, Application Server, Network Deployment
o All WAS servers support full J2EE: servlets, JSPs, XML, Web services, EJB, JMS
o Express v6 is free on new i5 servers – call your IBM rep to find out if you qualify
o WebSphere security can be set for server instances and customized for applications and resources.
WebSphere security
o The WebSphere security system enables the administrator to define security policy to establish control of resources. The system provides security services to enforce the policy.
o Authentication is the process of verifying that users are who they say they are
o Authentication generally requires two steps:
1. The user sends information to an authentication service (LDAP directory or OS/400 System Distribution Directory)
2. The service validates the information. If valid, the server authenticates the user.
WebSphere security
o Authorization is the process of determining what a user is permitted to do.
o Different classes of users and groups are associated with roles, which give them privileges, such as the ability to Read, Write, or Execute (Run) an app
o Security managed through the administration console
o SSL can be configured for Web applications easily
o "Run As" option - Delegation allows an intermediary to perform a task initiated by a client under an identity set by the associated security policy.
o Use the Application Assembly Tool (AAT) to set the SecurityIdentity value in the deployment descriptor.
Securing applications with WebSphere product security involves:
o Tasks that create a set of policies that define which users have access to which methods or operations in which applications.
o Example: you can establish policies to specify whether the user Jim is permitted to use the company's inventory application to perform a write operation, such as changing the number of units of merchandise recorded in the company's inventory database.
o The security server works with the selected user registry or directory product to enforce the policies
Express authentication options
For a WebSphere Express application, you can specify one of several user authentication mechanisms:
o Basic authentication - The realm name is sent from the server to the browser, and the user name and password are sent by the browser as part of the HTTP request
o Client certificate authentication - Each client has a valid digital certificate, from which credentials are sent over an SSL (Secure Sockets Layer encryption) connection to the server. While very secure, it can be cumbersome to set up for many types of clients
o Form authentication - The values a user supplies for user ID and password are transmitted in clear text as part of the HTTP request. SSL connections are required to ensure this information is secure.
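An added example, not part of the original slides: a J2EE deployment descriptor (WEB-INF/web.xml) expressing the role-based authorization, form authentication and SSL requirement described above for the inventory write operation. The servlet class, URL patterns, role name and page names are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example: descriptor for a hypothetical inventory application.
     Class, URL, role and page names are constructed for illustration. -->
<web-app>
  <display-name>inventory</display-name>

  <servlet>
    <servlet-name>InventoryUpdate</servlet-name>
    <servlet-class>com.example.inventory.UpdateServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>InventoryUpdate</servlet-name>
    <url-pattern>/update/*</url-pattern>
  </servlet-mapping>

  <!-- Idle sessions are invalidated after this many minutes -->
  <session-config>
    <session-timeout>15</session-timeout>
  </session-config>

  <!-- Authorization: only the inventoryWriter role reaches the write URLs -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Inventory write operations</web-resource-name>
      <url-pattern>/update/*</url-pattern>
      <!-- No http-method element: the constraint applies to every method.
           Listing only GET and POST would leave other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>inventoryWriter</role-name>
    </auth-constraint>
    <!-- Requests must arrive over SSL; plain HTTP requests are not served -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Login pages need no role, but are SSL only, so the user ID and
       password of form authentication are never posted in clear text -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Login pages</web-resource-name>
      <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login/login.jsp</form-login-page>
      <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used in an auth-constraint is declared here -->
  <security-role>
    <role-name>inventoryWriter</role-name>
  </security-role>
</web-app>
```

The descriptor only names the role; which users or groups (for example Jim) hold inventoryWriter is bound at deployment time against the user registry the server is configured to use.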
Domino features
o An application server for mail, Notes applications, documents internally and over the Web
o Can plug into Apache HTTP server (version 6) or Old IBM HTTP server (version 5)
o Premier solution for e-mail, collaboration
o Can access iSeries resources via LotusScript or Java
Domino offers VERY fine-grained security and control easily!
o Network
o Domino server
o User authentication
o Database
o View / Forms
o Document
o Section editor
o Hidden paragraphs
o Edit fields
Apache HTTP Server
o Open-source HTTP server code from Apache Software Foundation
o "It must be called the HTTP Server (powered by Apache) with the parenthetical phrase as a bold reminder of the power and value of the integration with OS/400."
o Requires 3 LPPs: 5722-DG1 (HTTP), 5722-JV1 (Java), 5722-TC1 (TCP)
o A Web server to receive HTTP requests, send HTTP responses to clients
o Supports "plug-ins" to handle requests: WebSphere, Tomcat etc
o Has configurable routing rules to process different types of requests
o Is administered thru Ops Nav or browser
Apache HTTP Server features
o Persistent connections - for a single client between requests for objects
o Virtual hosts - multiple Web sites hosted through one server
o Dynamic virtual hosting - adds Web site address, host to HTTP headers
o Proxy caching - faster page response to internal users
o SSI - server side includes to process page responses before returning
o CGI - calls to CGI programs allowed
o LDAP support for directory names, authentication
o Web server search engine - text searches on Web pages
o WebDAV - collaboration on documents over the web supported
o Plug-ins supported: Domino, WebSphere, Tomcat, more
o APR - Portable runtime libraries added - ILE service programs
o TRCTCPAPP command for tracing
o FRCA - Fast response cache architecture for cached pages
o Clustering of HTTP servers for load balancing
Apache HTTP Server security
o User authentication - thru LDAP or OS/400, authentication by password or digital certificates
o Specify which profiles are used for which realms (resource pools)
o Access control - configuration controls which resources are served to which users.
o Supports allow and deny directives applied in order, with require for users, for a resource name
o Encryption - SSL supported using a virtual host configuration
o Proxy server - can be a proxy hiding internal addresses, forward, reverse and proxy chains
Apache Tomcat server security
Tomcat is a J2EE Web application server
o Runs Java Web applications well: Servlets 2.3, JSPs 1.2, Java beans
o Supports the Web container applications but NOT EJB (Enterprise Java Beans)
o Uses Java toolkit or local Java support to access iSeries objects, services
o On iSeries, it's packaged with IBM Apache HTTP Server (5722-DG1)
o Configurable through Web browser on HTTP Server administration
o Available for free from www.apache.org for other platforms
Tomcat architecture
o Class Loaders - Tomcat 4 installs a variety of class loaders to allow different portions of the container, and the Web applications running on the container, to have access to different repositories of available classes and resources
o SSL Config - Secure Sockets Layer - SSL can be configured in Tomcat by installing JSSE, creating a certificate key store and configuring SSL in conf/server.xml file.
Tomcat controls
o JNDI Resources - Java Network Directory Interface
  Tomcat 4 provides a JNDI InitialContext implementation instance to Web applications running under it. Tomcat applications use JNDI to access directories like an LDAP server.
o Manager App - allows a client to control Tomcat processing.
  Tomcat can be stopped and started using commands. An application can also be deployed and reloaded using commands.
o Proxy Support
  Tomcat applications can request proxy access to the requester's original server name & port. The Apache HTTP server can operate as a proxy server to Tomcat, forwarding requests. This is an option to the normal configuration "plugging" Tomcat in to the HTTP server.
o Realm - a set of users & the roles they have for applications.
  There are three realms an application can connect to for authentication: JDBCRealm, JNDIRealm, MemoryRealm
o Security Mgr
  Tomcat can have a security manager installed to control application access and user access to resources. Tomcat's security is not as tested as WebSphere's.
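The Realm and JNDI entries above, as a conf/server.xml fragment: an added example, not taken from the original slides, of a JNDIRealm that looks up users and their roles in an LDAP directory. The host name, the DNs and the bind account are constructed; the attribute names are the standard JNDIRealm ones.

```xml
<!-- conf/server.xml fragment: added example, every value is constructed.
     Place the Realm inside <Engine> (all hosts) or inside one <Host>.

     connectionURL        directory server that Tomcat queries
     connectionName       DN of a read-only account Tomcat binds with
     connectionPassword   its password, stored here in clear text, so
                          restrict authority to server.xml itself
     userPattern          {0} is replaced by the login name; the result is
                          the DN of the user entry (RDN cn=..., parent DN
                          o=ExampleCo,c=US)
     userPassword         attribute of the user entry that is compared
                          with the password the user supplied
     roleBase             entry under which role entries are searched
     roleSearch           filter for role entries; {0} here is replaced
                          by the DN of the authenticated user
     roleName             attribute of a matching role entry that holds
                          the role name referenced by applications
     roleSubtree          false = search one level below roleBase only
-->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://ldap.example.com:389"
       connectionName="cn=tomcat-lookup,o=ExampleCo,c=US"
       connectionPassword="CHANGE_ME"
       userPattern="cn={0},o=ExampleCo,c=US"
       userPassword="userPassword"
       roleBase="ou=roles,o=ExampleCo,c=US"
       roleSearch="(uniqueMember={0})"
       roleName="cn"
       roleSubtree="false" />
```

With this realm, a role name that an application's deployment descriptor refers to is satisfied by membership in the directory entry whose cn has that value.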
Sample security scenarios
Web scenario 1: mail, Web browsing, external Web serving
o Assumes a 270 running on a LAN with PC users
Web scenario 2: mail, Web browsing, Web serving, WebFacing
o Assumes a 270 running on a LAN with PC users
Web scenario 3: mail, Web browsing, Web serving, WebFacing, XML, FTP, Web services
o Assumes a front-end 270 Web server and an application server 820 running on a LAN with PC users
Make decisions on how to secure…
Security option | Access control | Encryption | Authentication | Integrity checking | Address concealment
IP filtering | Yes | No | No | No | No
NAT | Yes | No | No | No | Yes
VPN | Yes | Yes (packet) | Yes (packet) | Yes (packet) | Yes
SSL | Yes | Yes (data) | Yes (system/user) | Yes | No
Reverse proxy | Yes | normally no | Yes (user) | Yes | Yes
Simple network
o Ethernet network running TCP
o Not connected to Internet
o iSeries has dial port
o standalone pc for ISP access
Primary threats
o internal abuse
o viruses from Internet files
[Diagram: PC, iSeries, PC server, Internet link, Net, router, standalone FTP to ISP]
Web 1: browsing, email
Added
o Internet connection thru iSeries proxy server to router
Primary threats
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses especially for Windows
[Diagram: PC, iSeries, PC server, Internet link, Net, router]
Web 1 plan
Provides basic mail services, Web browsing to internal users and allows external users access to an outsourced company Web site
On iSeries:
o Simple e-mail using SMTP, POP mail servers, a Web gateway for internal users, DNS, DHCP for internal clients
ISP services:
o Forwards e-mail to iSeries servers, assigns one IP, resolves external DNS queries, has external Web site
Scenario benefits:
o One IP address needed
o Eliminates need for added security device
o ISP provides dynamic public IP address for iSeries so internal address not known
o iSeries only does routing, filtering and mail serving
o Internal users protected by iSeries from outside
Scenario risks:
o Configuration errors impact security
o Denial of service attack on iSeries gateway
Web 2: Web site, Web apps, WebFacing
Added
o Domino, Http, Tomcat, WebFacing servers
Primary threats
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses especially for Windows
o limited access to IFS
o security for database, objects, users
[Diagram: PC, iSeries, PC server, Internet link, Net, router]
Web 2 plan
Provides browsing, SMTP mail server, WebFacing for browser access to 5250 applications and integrated Web site running Java Web applications in Tomcat
On iSeries:
o SMTP server, HTTP server with Tomcat for Web serving, a Web gateway for internal users, DNS, DHCP for internal clients, WebFacing server, virtual hosts, VPN, NAT, SSL, LDAP
On ISP:
o Forwards e-mail to iSeries servers, assigns one IP (one for HTTP server), resolves external DNS queries
Scenario benefits
o One IP address needed: HTTP server, SMTP server
o ISP provides dynamic public IP addresses for iSeries so internal address not known
o iSeries does only routing, filtering and mail serving, application serving of all types
o Internal users protected by iSeries from outside
o Remote users can also access mail, all applications
o Internal and remote users have SAME interface to applications (browser)
o External users can access applications if authorized (WebFacing, mail, Java Web)
Scenario risks
o Denial of service attack on iSeries gateway. Availability risk IF SMTP mail relay task not constrained
o Requires higher skills to implement internal servers
Web 3: Add XML, Web services
Added
o WebSphere, XML, B2B services
Primary threats
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses especially for Windows
o limited access to IFS
o security for database, objects, users
[Diagram: PC, iSeries, iSeries, PC server, Internet link, Net, router]
Web 3 plan
Delivers Web browsing, Domino mail & document server, WebFacing, WebSphere Express for Java web applications, XML content, Web services for B2B connections
On iSeries:
o Domino application server, HTTP server with WebSphere Express for Web serving, a Web gateway for internal users, DNS, DHCP for internal clients, WebFacing server, virtual hosts, VPN, SSL, NAT, LDAP
On ISP:
o Forwards e-mail to iSeries servers, assigns two IPs (one for Domino, one for HTTP server), resolves external DNS queries
Scenario benefits
o Two IP addresses needed: Domino application server, HTTP server
o ISP provides dynamic public IP addresses for iSeries, so internal address not known
o Internal users protected by iSeries from outside
o Internal and remote users have SAME interface to applications (browser)
o External users can access applications if authorized (WebFacing, Domino, Java web)
Scenario risks
o Denial of service attack on iSeries gateway. Availability risk IF Domino mail router task not constrained
o Requires higher skills to implement internal servers, WebSphere partner link needs to be secure
Seven steps to secure your e-business
o Define a clear e-business plan
o Define potential security threats
o Set a security plan
o Set security policies
o Implement security procedures and controls
o Monitor security performance
o Audit security performance
Seven steps (cont)
E-business plan defined
o Define e-business objectives and metrics
o Review help needed for design, implementation, support
o Map existing application services, infrastructure
o Set application services needed to meet objectives
o Review implementation alternatives for services
o Review user access points and methods for services
o Define infrastructure design for services
o Define ISP services needed
Security threats defined
o What is your environment?
o What are your threats?
o What is the potential damage from these threats?
o How can these threats be controlled?
o What are the costs, risks associated with a control method?
Seven steps (cont)
Security plan defined
o What are the business objectives our plan supports?
o What areas of security does our plan address?
o What are the primary threats our plan mitigates?
o What are the strategies for managing security?
o What controls do we want?
o What are the procedures we want?
o What resources do we have/need to control security?
o Where do we get relevant security training?
Security policies
o What controls do we need for each security layer (network to user)?
o What are the security policies we need, given our control strategies?
o How do we implement the policies in different tools, software?
Security policy delivers:
o Guidelines on required and preferred security features of new products
o Privacy policy for e-mail, keystrokes recording, files stored on company's media
o Which messages must be displayed, warning users that they might be monitored and informing them that only authorized access is permitted
o An Acceptable Use Policy (AUP) that clearly defines the purposes for which the company's systems and networks may be used
o Responsibilities of users, IT staff, and management, and how they should handle a security incident
o Which connections are allowed to external networks and systems
o What services are permitted from the internal network to the Internet, who is authorized to access those services, and what restrictions apply
o Same as above, but from the Internet to the company's network
o How configuration of systems, networks can change and who may change them all
o Who’s allowed to access what systems and in which ways they access those systems
o How to authenticate users, passwords requirements; local and remote user authentication guidelines
o Availability of resources, performance and how to measure and monitor deviations for the service level
o Who is authorized to perform maintenance of systems and networks
o How to report policy violations, including contact information
Security procedures and controls
o What security procedures do we need for our control strategies, policies?
o What specific controls are we implementing as part of security procedures?
Sample procedures
o Job timeouts without user input
o Session timeouts without user input in Java
o Password not equal to user id
o Password expiration
o Hide internal addresses from external users
o Set FTP timeouts for no-activity
Monitoring and audits
Security monitoring
o How do we monitor the effectiveness of security controls, procedures?
o Firewall logs for intrusions on IP addresses, etc.
o Network traffic logs for TCP on connection and application layer services
o iSeries QHST
o iSeries Joblogs
o Disabled user profiles
o Password controls
o Object access logs for invalid authorizations
Security audit
o How do we audit the effectiveness of security controls, procedures?
o What are the highest impact security exposures to audit?
o Who audits and how?
  o Big 5 accounting firms traditionally have real technology challenges to face
  o IBM services -- can they really audit themselves?
Key security points
o Review your security plan, issues, challenges by layer
o Get good outside help to plan, review e-business security
  o Use iSeries ONLY business partners versus standard e-business providers
  o Don't ask one expert (even IBM), get a second and third opinion even if you have to pay
o Coordinate with ISP security services needed
o Focus on common security models based on standards
  o Avoid "custom" solutions vs. standard solutions that can be customized
o Balance security exposure impact to plans and results
o Leverage iSeries security runtime built-in free!
o Check resources for more details on specific areas
Resources
IBM iSeries Web site
o http://www.ibm.com/software/ad/wds400/
IBM WebSphere Web site
o http://java.sun.com/
Search400.com Web site
o www.search400.com
Apache software organization for open source software
o http://www.apache.org/
iSeries security advisor
o http://www.redbooks.ibm.com/tstudio/secure1/advisor/secwiz.htm