7 Replies Latest reply on Feb 14, 2011 11:19 AM by Udo

    Secure Tomcat setup

    834500
      Here is a description of what I'm trying to do, along with my current setup.

      The Oracle database server resides on internal network, call it N1 (I have no control over the firewall F1 to this network). My server has two different physical NICs. One is directly connected to N1, the other one is connected to a firewall F2 (which I control) and then is publicly accessible via network N2.

      I'm not familiar with GlassFish, so I installed Tomcat to run on the server, with SSL enabled and certificates deployed. What I want to do further is install the APEX Listener in order to provide access to the APEX applications running on the database server. HTTP traffic will be redirected to run via HTTPS.

      I'm not sure if I've provided enough details, but my question is whether this is a secure configuration? If not, how can I improve it?

      As a disclaimer, I already looked at the Advanced Configuration described at http://www.oracle.com/technetwork/developer-tools/apex-listener/overview/index.html and I'm a little bit confused at this quote:

For public systems or hosted environments it is important that the Oracle APEX Listener is installed inside of the firewall, and the HTTP listener is installed outside of the firewall. The requests are sent to the external Web server and passed through the firewall to the APEX Listener.


      Thanks,

      Jeff
        • 1. Re: Secure Tomcat setup
          Udo
          Hello Jeff,

your scenario can be quite safe, if your F1 allows database connections only from your Tomcat host. However, that host is facing a public network, so it can be compromised and hence should be regarded as unsafe.
What the quote you have there would suggest is to put another layer in between, so the instance making the database calls is in a safe zone, which would improve safety. This is a typical implementation: a (hardened) HTTP Proxy facing the public network (SSL only or mixed) and forwarding HTTP to an internal zone (port open only for the proxy and only towards specified hosts inside).
In your scenario, this would mean that you set up a proxy (e.g. Apache HTTP Server) in N2. Following, your Tomcat either moves into N1, or you split N2 into two parts (N2.1 facing public with only the proxy inside and N2.2 facing the proxy with your Tomcat inside), or if both approaches aren't applicable, you put both Tomcat and proxy in N2 but configure the Tomcat to listen to local requests by your proxy only. In either case Tomcat and proxy should not be on the same machine or at least in different cages (e.g. chroot-boxes).

          Hope this helps you understand the suggested "Advanced Configuration".

          -Udo
          • 2. Re: Secure Tomcat setup
            834500
            Udo,

            Thanks for the quick reply.

            So is it "safe" to have the two NICs on the same machine? I can't think of any other way to make N1 and N2 communicate with each other, since I can access N1 but have no control over F1.

            I can certainly install Apache on the server and move Tomcat to a different environment (and install the APEX Listener there), but I think Apache would still reside in both N1 and N2 due to the configuration above.
            • 3. Re: Secure Tomcat setup
              Udo
              Hello Jeff,

              well, two NICs is what any router/firewall/etc. uses to serve in separate networks, you can't do more to be secure for that. There's never 100 percent safety, as you always need a communication hole to pass information to the outside world. The main idea is to make it as hard as possible to break in through that hole and even if that is successful once, let it stay hard to get further.
So, if you have a service that only does HTTP (the proxy), that component is rather safe. If it is located in a "dumb" environment and only forwards HTTP, a potential break-in would probably end on that machine and a DoS would only hit that proxy. If an attacker hits your Tomcat, he gets access to a machine (including passwords) for direct access to your databases. You don't want that. Furthermore, a DoS against a Tomcat might be more successful and would immediately also hit the database behind it.
              Of course, the DoS-prevention aspect needs further notice, as it's very likely that the proxy will still be able to forward requests to the Tomcat when the Tomcat is already suffering from overload. So you have to configure the proxy (or a firewall/load defense system) to limit the amount of requests to handle, so your inner systems will never get overloaded.

Perhaps these thoughts give you an impression what potential threats there are and how your setup can help to make the impact of attacks as little as possible.

How much security you need (i.e., how much you want to decrease the impact of any possible attack) is something I can't decide for you. My experience is that a setup as shown in the Advanced Configuration is safe enough for almost any production line. Often, the focus on internal threats is what should get more attention.

              -Udo
              1 person found this helpful
              • 4. Re: Secure Tomcat setup
                834500
                That makes sense to me although I still have a couple of questions:

                - should I have 2 different firewalls, one between the (Apache) server and the public (via network N2), the other between the server and the Tomcat, or is the first one redundant?
                - with this new setup, Apache would absorb HTTPS traffic, but what gets forwarded to Tomcat/APEX Listener - HTTPS, or HTTP? Do I need to set up SSL on both servers?


                (at this point, I'm not really sure that this discussion still belongs to the APEX Listener forum, but maybe it will help others in the future)
                • 5. Re: Secure Tomcat setup
                  Udo
                  Hello Jeff,

an additional firewall can make sense, depending on how secure/stable you estimate the machine hosting your proxy to be. On the other hand, every additional component will increase round trip time and, if you care, it also increases the total power consumption of your environment and it costs additional space. If you can secure your proxy (close all unneeded ports, limit connections, etc.), and there's no other service on that machine that might need to be protected, you could place it in the public zone. The Tomcat should definitely be in a closed network (i.e. behind a firewall protecting it from the public network).
                  Concerning the second question: As the connection between proxy and Tomcat is already using your private network, it won't be necessary to encrypt the traffic there, if you trust your infrastructure. ;)

                  I think this is still relevant for the APEX Listener, as it is a discussion concerning the deployment scenario.

                  -Udo
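An added example, not from this thread or from Oracle, of the proxy-side configuration Udo describes across replies 1, 3 and 5: an Apache HTTP Server 2.4 reverse proxy on the public NIC that redirects HTTP to HTTPS, terminates TLS, forwards only the listener context to Tomcat over plain HTTP on the private network, and caps what it will push towards Tomcat. The public address 203.0.113.10, the Tomcat address 10.0.0.5:8080, the host name, certificate paths and the /apex/ and /i/ contexts are all assumptions; Tomcat is assumed to be bound to its internal address only, with the proxy the only host allowed through the firewall in front of it.

```apache
# Added example (not from the thread). Assumed placeholders: public NIC 203.0.113.10,
# Tomcat/APEX Listener at 10.0.0.5:8080 on the private network, name apex.example.com.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_reqtimeout loaded.

# Global cap on concurrent requests the proxy will handle at all (MPM setting).
MaxRequestWorkers 150

# Plain HTTP on the public interface only redirects to HTTPS; nothing is proxied here.
<VirtualHost 203.0.113.10:80>
    ServerName apex.example.com
    Redirect permanent "/" "https://apex.example.com/"
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName apex.example.com

    # TLS terminates at the proxy; the public certificate lives here, not on Tomcat.
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/ssl/apex.example.com.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/apex.example.com.key"

    # Reverse proxy only; never act as a forward proxy for arbitrary targets.
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward only the listener and image contexts, over plain HTTP on the private
    # network. max= caps the connections opened to Tomcat, so a flood from the public
    # side queues at the proxy instead of overloading Tomcat and the database behind it.
    ProxyPass        "/apex/" "http://10.0.0.5:8080/apex/" max=20 timeout=30 connectiontimeout=5
    ProxyPassReverse "/apex/" "http://10.0.0.5:8080/apex/"
    ProxyPass        "/i/"    "http://10.0.0.5:8080/i/" max=20 timeout=30 connectiontimeout=5
    ProxyPassReverse "/i/"    "http://10.0.0.5:8080/i/"

    # Tell the backend the original request was HTTPS so generated links stay https://.
    RequestHeader set X-Forwarded-Proto "https"

    # Drop clients that send headers or bodies too slowly before they tie up workers.
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

    # Everything outside the two proxied contexts is refused at the proxy itself.
    <Location "/">
        Require all denied
    </Location>
    <Location "/apex/">
        Require all granted
    </Location>
    <Location "/i/">
        Require all granted
    </Location>
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading; the later `<Location>` sections override the deny on `/` because Apache merges them in file order.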
                  • 6. Re: Secure Tomcat setup
                    834500
                    I haven't abandoned this thread, I'm just in the process of implementing the design discussed above. Thanks, Udo!
                    • 7. Re: Secure Tomcat setup
                      Udo
                      Hello Jeff,

                      don't hesitate to post additional questions if they arise during your implementation.
                      However, when you are done and your questions are answered, could you please mark your post accordingly and if applicable, mark helpful and/or correct answers to make it easier for other users to find the relevant posts.

                      Thanks,

                      Udo