Your scenario can be quite safe, if your F1 allows database connections only from your Tomcat host. However, that host is facing a public network, so it can be compromised and hence should be regarded as unsafe.
What the quote you have there would suggest is to put another layer in between, so the instance making the database calls is in a safe zone, which would improve safety. This is a typical implementation: a (hardened) HTTP proxy facing the public network (SSL only or mixed) and forwarding HTTP to an internal zone (port open only for the proxy and only towards specified hosts inside).
In your scenario, this would mean that you set up a proxy (e.g. Apache HTTP Server) in N2. Then your Tomcat either moves into N1, or you split N2 into two parts (N2.1 facing the public with only the proxy inside and N2.2 facing the proxy with your Tomcat inside), or if neither approach is applicable, you put both Tomcat and proxy in N2 but configure the Tomcat to listen to local requests from your proxy only. In any case Tomcat and proxy should not be on the same machine, or at least should be in different cages (e.g. chroot boxes).
Hope this helps you understand the suggested "Advanced Configuration".
Thanks for the quick reply.
So is it "safe" to have the two NICs on the same machine? I can't think of any other way to make N1 and N2 communicate with each other, since I can access N1 but have no control over F1.
I can certainly install Apache on the server and move Tomcat to a different environment (and install the APEX Listener there), but I think Apache would still reside in both N1 and N2 due to the configuration above.
Hello Jeff,
Well, two NICs are what any router/firewall/etc. uses to serve separate networks; you can't do more to be secure there. There's never 100 percent safety, as you always need a communication hole to pass information to the outside world. The main idea is to make it as hard as possible to break in through that hole and, even if that succeeds once, to keep it hard to get further.
So, if you have a service that only does HTTP (the proxy), that component is rather safe. If it is located in a "dumb" environment and only forwards HTTP, a potential break-in would probably end on that machine and a DoS would only hit that proxy. If an attacker hits your Tomcat, he gets access to a machine (including passwords) with direct access to your databases. You don't want that. Furthermore, a DoS against a Tomcat might be more successful and would immediately also hit the database behind it.
Of course, the DoS-prevention aspect needs further attention, as it's very likely that the proxy will still be able to forward requests to the Tomcat when the Tomcat is already suffering from overload. So you have to configure the proxy (or a firewall/load defense system) to limit the number of requests it handles, so your inner systems will never get overloaded.
Perhaps these thoughts give you an impression of what potential threats there are and how your setup can help to make the impact of attacks as small as possible.
How much security you need (i.e., how much you want to decrease the impact of any possible attack) is something I can't decide for you. My experience is that a setup as shown in the Advanced Configuration is safe enough for almost any production line. Often, internal threats are what should get more attention.
That makes sense to me although I still have a couple of questions:
- should I have 2 different firewalls, one between the (Apache) server and the public (via network N2), the other between the server and the Tomcat, or is the first one redundant?
- with this new setup, Apache would absorb HTTPS traffic, but what gets forwarded to Tomcat/APEX Listener - HTTPS, or HTTP? Do I need to set up SSL on both servers?
(at this point, I'm not really sure that this discussion still belongs to the APEX Listener forum, but maybe it will help others in the future)
An additional firewall can make sense, depending on how secure/stable you estimate the machine hosting your proxy to be. On the other hand, every additional component will increase round-trip time and, if you care, it also increases the total power consumption of your environment and costs additional space. If you can secure your proxy (close all unneeded ports, limit connections, etc.), and there's no other service on that machine that might need to be protected, you could place it in the public zone. The Tomcat should definitely be in a closed network (i.e. behind a firewall protecting it from the public network).
Concerning the second question: as the connection between proxy and Tomcat is already using your private network, it won't be necessary to encrypt the traffic there, if you trust your infrastructure. ;)
I think this is still relevant for the APEX Listener, as it is a discussion concerning the deployment scenario.
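The setup Udo describes in this thread (a hardened Apache HTTP Server in the public zone N2 that terminates SSL and forwards plain HTTP to Tomcat/APEX Listener on the internal network, with the proxy limiting what reaches Tomcat) can be written down as one httpd configuration. The block below is an added example, not configuration posted by anyone in the thread or shipped with the APEX Listener. The hostname `apex.example.com`, the internal Tomcat address `10.0.2.10:8080`, the certificate paths and the context paths `/apex/` and `/i/` are assumptions; it needs `mod_ssl`, `mod_proxy`, `mod_proxy_http` and `mod_reqtimeout` loaded.

```apache
# Added example (not from the thread): public-facing Apache httpd reverse proxy
# in N2, forwarding plain HTTP to Tomcat/APEX Listener in the internal zone.
# Addresses, hostnames, paths and certificate locations are assumptions.
Listen 443
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Cap the concurrent requests the proxy itself will handle, so a flood is
# absorbed here rather than forwarded in full to the inner systems.
MaxRequestWorkers 150

<VirtualHost *:443>
    ServerName apex.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/apex.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/apex.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Reject oversized bodies and slow-read (slowloris-style) clients before
    # a backend connection is ever opened.
    LimitRequestBody 10485760
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

    # Only the APEX paths are forwarded; any other URL stays on the proxy.
    # max= limits the connections this proxy opens to Tomcat per worker
    # process, timeout= bounds how long it waits for the backend, and
    # retry= keeps it from hammering a Tomcat that has just failed.
    ProxyPass        "/apex/" "http://10.0.2.10:8080/apex/" max=20 timeout=30 retry=10
    ProxyPassReverse "/apex/" "http://10.0.2.10:8080/apex/"
    ProxyPass        "/i/"    "http://10.0.2.10:8080/i/"    max=20 timeout=30 retry=10
    ProxyPassReverse "/i/"    "http://10.0.2.10:8080/i/"

    # Send the bare host to the APEX entry point instead of exposing anything else.
    RedirectMatch ^/$ /apex/
</VirtualHost>

# Plain HTTP on the public side does nothing but redirect to HTTPS.
<VirtualHost *:80>
    ServerName apex.example.com
    Redirect permanent / https://apex.example.com/
</VirtualHost>
```

The Tomcat side of this is the complement: its HTTP connector in `server.xml` gets an `address` attribute bound to the internal interface (or `127.0.0.1` when proxy and Tomcat share a host, as in the last variant Udo mentions), and the firewall in front of Tomcat opens port 8080 only for the proxy's internal address. Traffic between proxy and Tomcat is unencrypted here, which is exactly the trade-off discussed for the second question: it is acceptable only when the N1 segment is trusted.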
I haven't abandoned this thread, I'm just in the process of implementing the design discussed above. Thanks, Udo!
Don't hesitate to post additional questions if they arise during your implementation.
However, when you are done and your questions are answered, could you please mark your post accordingly and if applicable, mark helpful and/or correct answers to make it easier for other users to find the relevant posts.