OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 1
Securing the Internet Facing
E-Business Suite
John PetersJRPJR, Inc.
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 2
• There have been changes to this presentation since the copy was provided to OAUG.
• The most recent revision to both the presentation and white paper are on my web site:http://www.jrpjr.com/
• This information will be repeated at the end of the presentation
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 3
• How many of you have an Internet Facing Oracle Application Module?
• Or Considered Buying one?iSupplier Portal iSupportiStore iRecruitmentOracle Sourcing Oracle MarketingiLearning iReceivablesiSurvey TransportationPartner Relationship Management Service
ContractsOracle Learning ManagementOthers???
• How many of you have thought about security?
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 4
• General Oracle Applications Security (and why this is not enough)
• Various Systems Configuration Options
• An Optimal Solution at This Time
• Oracle’s Recent Developments in This Area
• External Facing eBusiness Suite Functionality Issues
What you should learn from this presentation:
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 5
• Note 189367.1, 06-JAN-2005 Best Practices for Securing the E-Business Suite~ 66 pages in length
*** An excellent starting point ***
• Covers each applications component:– SQL*Net Listener– Database– Applications Tier– eBusiness Suite– Desktop– OS
General Oracle Applications Security
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 6
• Note 189367.1, 06-JAN-2005• But leaves many holes
– Does not provide a configuration overview
– Does not adequately address external eBusiness Suite modules
– Just barely touches on OS Issues– Does not address user registration issues– Does not address functional issues
General Oracle Applications Security
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 7
Typical OraApps ConfigurationInternal Users Only
• One or more physical servers for each Tier• Typically a router between the servers and the user• Connection between users and servers is typically
non-SSL HTTP:// ( not HTTPS:// )
SAN DeviceDB
DatabaseTier
ApplicationsTier
UserComputers
Router
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 8
• SSL encrypts communications between users and the Applications Tier
• Sometimes SOX pushes this as a requirement
• Possibly a 10-15% performance hit• Hardware Accelerators are available
• Probably not required and overkill for internal users running on a switched network
Non-SSL vs SSLFor Internal Users Only
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 9
• ‘A Guide to Understanding and Implementing SSL with Oracle Applications 11i’, Note:123718.1, 21-FEB-2005
• This document changes so keep up to date with it
• There are issues associated with some modules which call servlets: – Configurator (even if you are not using it OM calls it for
PTO Kits)– iPayment– Fix requires running a non-SSL web listener
• Expect to spend some dedicated time to get this working, and test, test, test, ….
• Again SSL is probably not required for most sites
SSL ImplementationFor Internal Users Only
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 10
Arranged worst to best in terms of security• Example 1
No DMZ, Open Up Firewall• Example 2
DMZ Application Server• Example 3
DMZ Web Cache Server• Example 4
DMZ Web Cache ServerDedicated External Applications Server
• Example 5
Oracle’s Deployment Option 1
OraApps Internet Facing Configurations
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 11
Example 1: Non-DMZ Configuration (!!! do not do this !!!)
Drawbacks• With same ports open that internal users use,
internal functionality is exposed to the internet• Without SSL between the Internet User’s Computer
and Applications Tier, the Internet User’s communications can be eave’s dropped on
SAN DeviceDB
DatabaseTier
ApplicationsTier
UserComputers
Router
Internet UserComputers
CorporateFirewall
Corporate NetworkInternet
non-SSL
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 12
Example 2: DMZ Application Server Configuration
Benefits• Internet Communication is done through SSL• SSL End Point is not on Internal Applications Tier• Communication between DMZ Applications Tier
and DB Tier are done through SQL*net• DMZ must be compromised for a hacker to get in
SAN DeviceDB
DatabaseTier
ApplicationsTier
UserComputers
Router
Internet UserComputers
CorporateFirewall
DMZ Firewall
DMZApplications
Tier
DMZ Corporate NetworkInternet
SSL
non-SSL
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 13
Example 2: DMZ Application Server Configuration
Drawbacks• DMZ Applications Tier exposes too much to a
possible hacker• DMZ Applications Tier must be patched and
monitored• Not currently autoconfig and ad tools supported
(see reverse proxy server later for more info)
SAN DeviceDB
DatabaseTier
ApplicationsTier
UserComputers
Router
Internet UserComputers
CorporateFirewall
DMZ Firewall
DMZApplications
Tier
DMZ Corporate NetworkInternet
SSL
non-SSL
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 14
Example 3: DMZ Web Cache Server
Benefits• All the benefits of Example 2• Ports are filtered, only http traffic between Internet and
Applications Tier• Minimize software components in DMZ• Only one Applications Tier to patch (no patching on web
cache)• Can change URL, masking the Oracle Application
URLs were https://mysite.com/OA_HTML/URLs can be https://mysite.com/external/
SAN DeviceDB
DatabaseTier
ApplicationsTier
UserComputers
Router
Internet UserComputers
CorporateFirewall
DMZ Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
DMZWeb Cache
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 15
Example 3: DMZ Web Cache Server
Drawbacks• Applications Tier still exposes too much to a possible
hacker. • You can deep link to JSP pages if you know their
names.• The JSP pages are suppose to throw errors if deep
linked to without applications login, yeah right.
SAN DeviceDB
DatabaseTier
ApplicationsTier
UserComputers
Router
Internet UserComputers
CorporateFirewall
DMZ Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
DMZWeb Cache
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 16
• Web Cache is a component of Oracle iAS 10G (and prior versions)
• Web Cache in my example is installed without Oracle iAS 10G (standalone installation)
• Minimal set of software– No Infrastructure DB– None of the other components of iAS– Perfect for a DMZ deployment– No Applications Patching
• Please refer to the product documentation on OTNOracle Application Server 10g Release 2 (10.1.2)
• Please talk to your Oracle Sales Rep for licensing information.
What is Web Cache
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 17
• Web Cache sits between the users and the origin servers (Applications Middle Tier)
• Web Cache stores or caches data into memory based on rules you specify
• The primary purpose is to improve performance of web sites
• Our purpose is to:– Provide an SSL termination point– Change the URL’s served up– Filter the URL’s (not available yet)
• Web Cache can also provide an error page should the Application Tier be down for maintenance
What does Web Cache do?
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 18
Example 4: DMZ Web Cache & Dedicated
Apps Tier
Benefits• All the benefits of Example 3.• External Applications Tier with all of the
components not required by the Internet Users removed. Thus preventing deep linking issues.
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
CorporateFirewall
DMZ Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
DMZWeb Cache
ExternalApplications
Tier
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 19
Example 4: DMZ Web Cache & Dedicated
Apps Tier
Drawbacks• External Applications Tier not supported by
Oracle Support tools. You have to manually maintain this tier.
(see reverse proxy server later for more info)
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
CorporateFirewall
DMZ Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
DMZWeb Cache
ExternalApplications
Tier
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 20
• Eliminates the need for Example 4’s Tweaked External Application Server. (Oracle Supported)
• External Applications Web Server in DMZ will restrict JSPs which are allowed to run
• External Product Teams will supply JSP lists
• Mitigating the “unnecessary code” problem
• Described in Oracle OpenWorld Paper ‘Oracle E-Business Suite Security Management’ by George Buzsaki, VP Applications Technology Products at Oracle
• ‘DMZ Configuration with Oracle E-Business Suite 11i’, Metalink Document 287176.1, April 19, 2005
‘DMZ Reverse Proxy Server’
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 21
Example 5: Reverse Proxy & External Apps
Middle Tier Oracle’s Deployment Option 1
Note: 287176.1
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 22
Reverse Proxy and Second Apps Middle Tier
Benefits • Restrict access to a limited set of
responsibilities depending upon the Application Tier the user log’s on to.
• Limited JSPs can be accessed on External Applications Tier, (in development now)
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 23
Reverse Proxy and Second Apps Middle Tier
Drawbacks • Separate External Apps Tier to patch
(can not share APPL_TOP through firewall)• Additional firewall and Server• Still allows deep linking (until JSP filtering released)• Reverse Proxy Server URL filtering not yet implemented• It’s New, support only for 11.5.10
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 24
Other Oracle Configuration Options
• There are two other less secure options listed in document 287176.1
• They basically drop Firewalls and Applications Middle Tiers.
• I am not reviewing them because they are less secure, please refer to the document for more information.
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 25
Other Changes in Document 287176.1
• Hierarchy Type– Profile Options used to construct various
URL’s for an E-Business Suite environment.– Profile Options can be set at the Server
Level
• So at the server level you can generate different URL’s for internal and external users.
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 26
Other Changes in Document 287176.1
• Node Trust Level– Profile Option used to set trust level for
each middle tier servers– Three levels supported:
• Administrative• Normal• External
• So at the server level you can set a Trust Level to be restrict user responsibility access
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 27
Other Changes in Document 287176.1
• Responsibility Trust Level– Profile Option to set the Trust Level for each
Responsibility– Same Three Trust Levels supported:
• Administrative• Normal• External
• Result: at the server level you can restrict which responsibilities are accessible to the internal and external users
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 28
Other Changes (in development)
• JSP Filtering– External Applications Teams provide a list of
externally required JSP files– Users can customize this file on the external
application server
• Result: Deep linking issue are eliminated
• Plan to spend time testing and verifying JSP’s which are really required externally
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 29
Document 287176.1
• This document is definitely a work in process
• Keep an eye on this document for further enhancements and roll out of additional internet security
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 30
My Recommendation• If cost, setup and patching time are not
issues go with Example 5, Oracle’s Option 1, Reverse Proxy & External Apps Middle Tier.
• Consider web cache for the Reverse Proxy Server
• If not on 11.5.10 or you can not afford the extra hardware consider my Example 3
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 31
My Recommendation
• Go with Oracle’s Deployment Option 1, Reverse Proxy & External Apps Middle Tier
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 32
How does it work (step 1)
• Internet users go to SSL URL:https://mysite.com/external/login.jsp
• Connects using SSL to port 443 of the DMZ Web Cache Server on NIC 1
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 33
How does it work (step 2)
• Web Cache reviews URL request to see if page/data is cached in memory
• If so it serves up page/data
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 34
How does it work (step 3)
• Web Cache sends request out to the Application Tier (Origin Server) https://myserver.com:8000/OA_HTML/login.jsp
• Communication is through NIC 2 using SSL• The External Applications Tier is the SSL termination point• Application Tier responds, Web Cache relays page/data to the Internet
User
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 35
• What is the configuration for these new DMZ servers in the Oracle Applications environment?
Reverse Proxy & External Apps Tier
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 36
• My recommendation is a small server like:– Dell PowerEdge 2850 or 1850– 2 CPU server – 4GB of RAM– Dual NICs
• Run Linux on this Server
DMZ Server Hardware
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 37
• Dual NIC’s allow us to configure them– One NIC Internet Facing– One NIC Application Tier Facing
• We are effectively using this server to route traffic from one network to the other
DMZ Server NIC Configuration
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 38
• Reinstall the factory installed OS• Install only the essential
components– Compilers– Kernal Source– X Windows/GNOME
• Install an intrusion detection product like TripWire
Hardening the Linux OS
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 39
• Creates a database of files on your server storing information like:Inode number, Multiple Checksums, File Size, File
Permission, File Ownership, etc.• You create the Policy file describing what directories/files to
track• Reports can be run periodically to tell you if something
changed and are sent via email• TripWire DB and Policy Files are stored on another
centralized server• This takes a while to setup and change the policy file to keep
the noise to a minimum• Was an Open Source product, included on older Linux
distributions. Now is commercial, www.tripwire.com
TripWire
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 40
• OS Security issues don’t just exist for Microsoft products
• Subscribe to your Linux vendor’s patching/support service
• Emails will alert you when fixes are available and are tailored to your install
• The automated tools for patching the OS are fairly easy to use
• Patch TEST first, then patch PROD
Keep Linux Patched
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 41
Don’t forget the TEST instance
PROD
TEST
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
SAN DeviceDB
DatabaseTier
InternalApplications
Tier
UserComputers
Router
Internet UserComputers
DMZ 1Firewall
DMZ 2 Firewall
DMZ Corporate NetworkInternet
SSL
non-SSL
Reverse Proxy
ExternalApplications
Tier
DMZ 3 Firewall
DMZ
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 42
• We have discussed configuration issue, now lets cover some of the functionality issues.
Functionality Issues
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 43
• Down time for patching is now a bigger deal with External Users
• Web Cache can serve up “System Down For Maintenance” messages to External Users, rather than no server found browser errors
• What was 6am to 6pm support, now turns into 24x7
• Who do external users contact for support?
Support Issues
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 44
• All External Facing eBusiness Suite Applications utilize FND_USER
• All of these non-company resources have accounts on your system– iStore Users– iReceivables Users– iSupplier Users– iRecruitment Users
User Registration Issues
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 45
• Come up with a Userid Standard for both classes of users:– Internal Users– External Users
• Internal Users<first name initial><last name><windows login>
jsmith
• External Users<email address>
How to know who is who
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 46
• They are different• Internal and External differences
– Password aging– Handling of Password reset requests– Responsibility requests– Responsibility verifications– End date
• Also eBusiness Suite Record History is instantly visible and identifiable.
Internal vs External Users
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 47
Example:• iStore’s user registration page inserts
FND_USER records– User records can not be purged– Internal and External Users are mixed
together(use a convention of email address for external users)
– They are routed for approval but if denied they are unusable forever
– Approval process is really insufficient for most business cases
User Registration Page Issues
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 48
• iStore’s user registration page requests the Party Number from the customer registering.– How many customers know they are 123456– If they enter 123465 they are linked to a
completely different customer– Once incorrectly linked it is almost
impossible to correct in CRM, FND_USER, TCA
– FND_USER record is lost for further use
User Registration Page Issues (cont.)
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 49
• Soution:– Create a custom form and table – External userids request are stored in the
custom table for review– Data is reviewed and if okay entered by
internal resources into the Oracle Applications registration processes to ensure it’s accuracy
• Denial of Service attacks will fill this custom table which we can delete records from. This object can be created with no redo log actions to minimize impact on archive logs if required.
User Registration Page Issues (cont.)
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 50
• Keep an eye on what your external users can do to your Oracle Applications data.
• Extensively review all forms for hidden functionality, a simple link can open up a whole world of functionality you did not know about.
External User Data Changes
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 51
Example:• iStore allows external users (customers)
to modify addresses and contacts
• How many companies have customer master issues around addresses and contacts with just Internal Users making changes?
• Now your customers can do what ever they want, to your customer master.
External User Data Changes
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 52
• External Facing eBusiness Suite modules bring Security issues to light
• You might ask, Why do this to yourself?
• There are legitimate business reasons to use External Facing eBusiness Suite modules
• Just go into them with your eyes wide open and an understanding of what you are getting into
Summary
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 53
• Note:189367.1, 06-JAN-2005 Best Practices for Securing the E-Business Suite
• Note:287176.1, 19-APR-2005
DMZ Configuration with Oracle E-Business Suite 11i
• Note:243324.1, 08-JUL-2003 Securing Oracle E-Business Suite for Internet Access by Suppliers
• Note:229335.1, 19-MAY-2004 Best Practices for Securing Oracle E-Business Suite for Internet Access
Additional References
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 54
• Linux Security Cookbook– by Daniel J. Barrett, Richard E. Silverman, Robert G.
Byrnes O'Reilly
• Real World Linux Security: Intrusion Prevention, Detection and Recovery– by Bob Toxen
Prentice Hall PTR
Additional Book References
OAUG Connection Point 2005 Copyright ©2005 by John Peters, JRPJR, Inc. 55
• My contact information:
John [email protected] http://www.jrpjr.com
• Additional reference papers can be found at:http://www.norcaloaug.orghttp://www.jrpjr.com