Hitachi

uCosminexus Application Server Security Management Guide


4.11.2 Deploying a firewall and intrusion detection system

This subsection describes how to properly deploy and configure a firewall and intrusion detection system in order to improve system security.


(1) Purposes of deploying a firewall and intrusion detection system

A firewall controls access between the external and internal networks. To prevent unauthorized access from an external network, it blocks communication other than that which is permitted for predetermined clients or communications, in accordance with predetermined rules. To use a firewall, it is therefore necessary to clarify and specify the ports or IP addresses for which communication is permitted.

An intrusion detection system (IDS) monitors the communication line and uses communication patterns to determine whether access is authorized.

Deploying a firewall and intrusion detection system at appropriate points and configuring them helps to protect the system from the following security threats:

This subsection describes where to deploy a firewall and intrusion detection system for each system configuration listed in the following table and the points that need to be considered when configuring them.

Table 4‒7: Considerations for deploying a firewall and intrusion detection system for different system configurations

  • Basic Web client configuration

    This is a system configuration with a single application server. The client is a Web browser.

  • Basic EJB client configuration

    This is a system configuration with a single application server. The client is an EJB client application.

  • Configuration separating each server layer by a firewall (application-centralized)

    This is a system configuration with multiple application servers, with each server layer separated by a firewall. All applications run on the same application server layer.

  • Configuration separating each server layer by a firewall (application-distributed)

    This is a system configuration with multiple application servers, with each server layer separated by a firewall. Applications run on different application server layers.

When connecting the system to the Internet, we recommend you consider a configuration that uses a dedicated DMZ and a reverse proxy, so that no application server on the internal network can be accessed directly from external networks.

(2) Basic Web client configuration

This section describes where to deploy a firewall and intrusion detection system for a basic Web client configuration with a single application server.

When viewed from the network, the firewall should be deployed in front of the application server. In this configuration, a Web client on the network can only access the application server via the firewall.

The figure below shows an example of a firewall and intrusion detection system deployment for a basic Web client configuration.

Figure 4‒4: Example firewall and intrusion detection system deployment for a basic Web client configuration

[Figure]

(a) Configuring the application server

For the application server, configure the following settings:

  • Specifying the address of the communication port for J2EE server management

    Specify the address at which the J2EE server management communication port can be accessed.

  • Specifying the addresses of Management Server and Administration Agent

    Specify the addresses at which Management Server and Administration Agent can be accessed.

(b) Configuring the firewall

To control access between external networks and the Web server (Cosminexus HTTP Server) within the application server, configure the following settings:

  • Permitting access from external networks to the Web server

    For communication between networks external to the firewall and the application server, only permit access to a public port such as HTTP/80 or HTTPS/443. Depending on the system configuration, permit access to a different communication port such as for DNS as necessary.

  • Limiting access based on the IP addresses of Web clients (optional)

    System users can be identified by specifying the IP addresses of Web clients for which firewall function-based access is permitted. In this case, specify the IP addresses for which communication through the firewall is permitted.

  • Specifying the communication ports of Management Server and Administration Agent

    Block communication to the communication ports for Management Server and Administration Agent so that they cannot be accessed from outside the firewall. If these ports can be accessed, an external non-administrator user might perform an unauthorized operation on the application server.

(c) Configuring the intrusion detection system

To monitor communication between external networks and a public port on the Web server (Cosminexus HTTP Server) within the application server, configure the following settings:

  • Communication monitoring

    Configure communication monitoring to issue an alert to an administrator or equivalent if communication contains a known or suspected attack pattern. The linkage function between the intrusion detection system and the firewall can be configured to automatically block suspect communications.

  • Monitoring for attacks against established SSL connections

    Because HTTPS-based communication is encrypted, its content generally cannot be inspected. Instead, monitor for attacks against established SSL connections that follow known HTTPS attack patterns.

  • Monitoring of communication to non-public ports

    If communication from external networks reaches a non-public port on the application server, the firewall might have been bypassed or misconfigured. We recommend you configure the system to issue an alert if such an event occurs.
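Added example (not part of the Hitachi manual): a small Python check that applies the three monitoring points above, plus the optional client IP allow-list from (b), to constructed connection records. The record format, the internal range 10.0.0.0/8, the attack signatures and the management port numbers are assumptions made for this example, not values from the product.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ports the firewall is meant to expose to external networks (HTTP/HTTPS).
PUBLIC_PORTS = {80, 443}
# Constructed placeholders for the Management Server / Administration Agent
# listeners; the real numbers depend on the installation.
MANAGEMENT_PORTS = {28080, 20295}
# Assumed internal address range; anything outside it is treated as external.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumed record shape: "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [request line]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<req>.*))?$"
)

# Minimal, illustrative signatures for the "known attack pattern" check.
ATTACK_PATTERNS = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)union\s+select|'\s*or\s+1=1")),
]


@dataclass
class Alert:
    kind: str
    src: str
    dport: int


def is_external(ip: str) -> bool:
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def analyze_line(line: str, allowed_clients=None) -> list:
    """Alerts a single connection record should raise (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    src, dport, req = m["src"], int(m["dport"]), m["req"] or ""
    alerts = []
    if is_external(src):
        # Non-public port reached from outside: the firewall is likely
        # misconfigured or bypassed; a management port is the worst case.
        if dport not in PUBLIC_PORTS:
            kind = ("management port reached from outside" if dport in MANAGEMENT_PORTS
                    else "non-public port reached from outside")
            alerts.append(Alert(kind, src, dport))
        # Optional client IP allow-list from the firewall settings in (b).
        if allowed_clients is not None and src not in allowed_clients:
            alerts.append(Alert("client not in allow-list", src, dport))
    # Pattern matching only works on plaintext HTTP; HTTPS payloads are
    # encrypted and need the separate SSL-connection monitoring instead.
    if dport != 443:
        for name, pat in ATTACK_PATTERNS:
            if pat.search(req):
                alerts.append(Alert(f"attack pattern: {name}", src, dport))
    return alerts


def analyze_log(lines, allowed_clients=None) -> list:
    return [a for line in lines for a in analyze_line(line, allowed_clients)]


SAMPLE_LOG = [  # constructed records, not real traffic
    "12:00:01 203.0.113.5:51000 -> 10.1.1.10:80 GET /index.jsp",
    "12:00:02 203.0.113.5:51001 -> 10.1.1.10:80 GET /../../etc/passwd",
    "12:00:03 198.51.100.7:40000 -> 10.1.1.10:28080 GET /mngsvr",
    "12:00:04 10.2.0.9:40001 -> 10.1.1.10:20295",
    "12:00:05 203.0.113.9:40002 -> 10.1.1.10:443",
]

if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG, allowed_clients={"203.0.113.5"}):
        print(alert)
```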

(3) Basic EJB client configuration

This section describes where to deploy a firewall and intrusion detection system for a basic EJB client configuration with a single application server.

When viewed from the network, the firewall should be deployed in front of the application server. In this configuration, an EJB client on the network can only access the application server via the firewall.

The figure below shows an example of a firewall and intrusion detection system deployment for a basic EJB client configuration.

Figure 4‒5: Example firewall and intrusion detection system deployment for a basic EJB client configuration

[Figure]

(a) Configuring the application server

For the application server, configure the following settings:

  • Specifying the address of the communication port for J2EE server management

    Specify the address at which the J2EE server management communication port can be accessed.

  • Specifying the addresses of Management Server and Administration Agent

    Specify the addresses at which Management Server and Administration Agent can be accessed.

  • Fixing the port numbers for access from the EJB client

    Configure the following port numbers so that the EJB client can communicate with the ports to use the application server:

    • CORBA naming service

      The port number is usually fixed. (The default port is 900.)

    • EJB container

      Because the port number used by EJB containers is not fixed, it is necessary to explicitly specify and fix the port number to be used by EJB containers. For details about port numbers that can be specified, see 3.15 TCP/UDP port numbers used by Application Server processes in the uCosminexus Application Server System Design Guide.

  • Specifying the communication ports of Management Server and Administration Agent

    When specifying the communication ports for Management Server and Administration Agent, we recommend you do not use public ports, so that they cannot be accessed from outside the firewall. If these ports can be accessed, an external non-administrator user might perform an unauthorized operation on the application server.

(b) Configuring the firewall

To control access between external networks and the application server, configure the following settings:

  • Permitting access from external networks to the application server

    For communication between networks external to the firewall and the application server, only permit access to public ports such as those fixed for CORBA naming services or EJB containers. Depending on the system configuration, permit DNS or other communication as necessary.

  • Limiting access based on the IP addresses of clients (optional)

    System users can be identified by specifying the IP addresses of clients for which firewall function-based access is permitted. In this case, specify the IP addresses for which communication through the firewall is permitted.

  • Specifying the communication ports of Management Server and Administration Agent

    Block communication to the communication ports for Management Server and Administration Agent so that they cannot be accessed from outside the firewall. If these ports can be accessed, an external non-administrator user might perform an unauthorized operation on the application server.

(c) Configuring the intrusion detection system

To monitor communication between external networks and a public port on the application server, configure the following settings:

  • Communication monitoring

    Configure communication monitoring to issue an alert to an administrator or equivalent if communication contains a known or suspected attack pattern. The linkage function between the intrusion detection system and the firewall can be configured to automatically block suspect communications.

  • Monitoring for attacks against established SSL connections

    Because HTTPS-based communication is encrypted, its content generally cannot be inspected. Instead, monitor for attacks against established SSL connections that follow known HTTPS attack patterns.

  • Monitoring of communication to a non-public port

    If communication from external networks reaches a non-public port on the application server, the firewall might have been bypassed or misconfigured. We recommend you configure the system to issue an alert if such an event occurs.

(4) Configuration separating each server layer by a firewall (application-centralized)

Depending on the scale of the system, a single system might consist of multiple application servers and other servers. In such a configuration, it is necessary to ensure security at each layer.

This section describes a configuration in which Web, application, and database servers are arranged into different layers, with all applications running on the same application server layer. This type of configuration is called an application-centralized configuration.

The figure below shows an example of a firewall and intrusion detection system deployment for an application-centralized configuration. In this configuration, a total of three firewalls are deployed, one for each server layer. In the DMZ, a Web server with a built-in reverse proxy module (reverse proxy server) is deployed.

Figure 4‒6: Firewall and intrusion detection system deployment in an application-centralized configuration

[Figure]

To reduce the number of firewalls, for example, to cut costs, a configuration as shown in the figure below is possible. In this example, firewall 2 is removed by consolidating the access controls to be performed by firewalls 1 and 2 into firewall 1.

Figure 4‒7: Configuration with reduced firewalls

[Figure]

In this configuration, include the settings for firewall 2 into those for firewall 1.

(a) Configuring the application server

For the application server, configure the following settings:

  • Specifying the address of the communication port for J2EE server management

    Specify the address at which the J2EE server management communication port can be accessed.

  • Specifying the addresses of Management Server and Administration Agent

    Specify the addresses at which Management Server and Administration Agent can be accessed.

(b) Configuring each firewall

This configuration uses the following three firewalls:

  • Firewall 1

    This firewall controls access between external networks and the Web server (reverse proxy server) in the DMZ.

  • Firewall 2

    This firewall controls access between the Web server (reverse proxy server) in the DMZ and the application server on the internal network.

  • Firewall 3

    This firewall controls access between the application server and the database server.

Settings to be configured for each firewall are as follows.

  • Configuring firewall 1

    Firewall 1 is used to control access between external networks and the Web server (reverse proxy server) in the DMZ. Configure the following settings:

    • Permitting access from external networks to the Web server (reverse proxy server)

      For communication from networks external to firewall 1 to the Web server that is inside the application server, only permit access to public ports, such as HTTP/80 or HTTPS/443. Depending on the system configuration, permit DNS or other communication as necessary.

    • Limiting access by the IP addresses of Web clients (optional)

      System users can be identified by specifying the IP addresses of Web clients for which firewall function-based access is permitted. In this case, specify the IP addresses for which communication to firewall 1 is permitted.

  • Configuring firewall 2

    Firewall 2 is used to control access between the Web server and the application server. Configure the following settings:

    • Permitting access from the Web server (reverse proxy server) in the DMZ to the Web server that is inside the application server on the internal network

      For communication from networks external to firewall 2 (DMZ) to the Web server that is inside the application server, only permit access to public ports, such as HTTP/80 or HTTPS/443. Depending on the system configuration, permit DNS or other communication as necessary.

    • Limiting access based on the IP addresses of Web clients (optional)

      System users can be identified by specifying the IP addresses of Web clients for which firewall function-based access is permitted. In this case, specify the IP address of the reverse proxy server.

    For other communication settings, permit access as appropriate according to the particular system configuration. It might be necessary to permit DNS communication, etc.

    Reference note

    If a firewall is deployed between the Web server and the application server running the J2EE server, it is necessary to configure the following settings:

    • Permitting access from the Web server to the application server

      This setting permits communication with the Web server communication port on the J2EE server. This port is used to receive requests from the NIO HTTP server. The default port number is 8008.

  • Configuring firewall 3

    Firewall 3 is used to control access between the application server and the database. This firewall serves as the last line of defense to protect the most important information in the system.

    Configure the following settings:

    • Permitting access from the application server to the database server

      For communication from the application server to the database server, only permit access to a communication port for the database server. The communication port for the database server should be set up in accordance with the relevant settings for the database to be used. Note that it might be necessary to establish a connection from the database server to the application server.

    For other communication settings, permit access as appropriate according to the particular system configuration. It might be necessary to permit DNS communication, etc.

(c) Configuring the intrusion detection system

To monitor communication between external networks and the public port for the Web server that is inside the application server, configure the following settings:

  • Communication monitoring

    Configure communication monitoring to issue an alert to an administrator or equivalent if communication contains a known or suspected attack pattern. The linkage function between the intrusion detection system and the firewall can be used to automatically block suspect communications.

  • Monitoring for attacks against established SSL connections

    Because HTTPS-based communication is encrypted, its content generally cannot be inspected. Instead, monitor for attacks against established SSL connections that follow known HTTPS attack patterns.

  • Monitoring of communication to non-public ports

    If communication from external networks reaches a non-public port on the application server, the firewall might have been bypassed or misconfigured. We recommend you configure the system to issue an alert if such an event occurs.

(5) Configuration separating each server layer by a firewall (application-distributed)

This section describes a configuration in which Web, application, and database servers are arranged into different layers and all applications are run on different application server layers. This type of configuration is called an application-distributed configuration.

The figure below shows an example of a firewall and intrusion detection system deployment for an application-distributed configuration. In this example, the Web applications run on the same layer as the Web server because the machine serving as the Web server also serves as an application server. Enterprise Beans run on an application server that is set up on a separate machine from the Web server.

Administration is performed by instances of Management Server deployed on each host. Therefore, a management host is deployed to each layer.

In this configuration, a total of four firewalls are deployed: one in front of the DMZ and one for each server layer. In the DMZ, a Web server with a built-in reverse proxy module (reverse proxy server) is deployed.

Figure 4‒8: Firewall and intrusion detection system deployment in an application-distributed configuration

[Figure]

(a) Configuring the Web/application server

For the application server machine that also serves as a Web server (Web/application server), configure the settings as shown below. Note that this application server machine also runs Web applications.

  • Specifying the address of the communication port for J2EE server management

    Specify the address at which the J2EE server management communication port can be accessed.

  • Specifying the addresses of Management Server and Administration Agent

    Specify the addresses at which Management Server and Administration Agent can be accessed.

(b) Configuring the application server

For the application server running Enterprise Bean, configure the following settings:

  • Specifying the address of the communication port for J2EE server management

    Specify the address at which the J2EE server management communication port can be accessed.

  • Specifying the addresses of Management Server and Administration Agent

    Specify the addresses at which Management Server and Administration Agent can be accessed.

  • Fixing the port number to be used by EJB containers

    It is necessary to explicitly specify and fix the port number to be used by EJB containers.

    For details about port numbers that can be specified, see 3.15 TCP/UDP port numbers used by Application Server processes in the uCosminexus Application Server System Design Guide.

(c) Configuring each firewall

This configuration uses a total of four firewalls:

  • Firewall 1

    This firewall controls access between external networks and the Web server (reverse proxy server) in the DMZ.

  • Firewall 2

    This firewall controls access between the Web server (reverse proxy server) in the DMZ and the Web/application server on the internal network.

  • Firewall 3

    This firewall controls access between the Web/application server and the application server.

  • Firewall 4

    This firewall controls access between the application server and the database server.

Settings to be configured for each firewall are as follows.

  • Configuring firewall 1

    Firewall 1 is used to control access between external networks and the Web server (reverse proxy server) in the DMZ. Configure the following settings:

    • Permitting access from external networks to the Web server (reverse proxy server)

      For communication from networks external to firewall 1 to the Web server that is inside the application server, only permit access to public ports, such as HTTP/80 or HTTPS/443. Depending on the system configuration, permit DNS or other communication as necessary.

    • Limiting access based on the IP addresses of Web clients (optional)

      System users can be identified by specifying the IP addresses of Web clients for which firewall function-based access is permitted. In this case, specify the IP addresses for which communication to firewall 1 is permitted.

  • Configuring firewall 2

    Firewall 2 is used to control access between external networks and the Web/application server on the internal network. Configure the following settings:

    • Permitting access from the Web server (reverse proxy server) in the DMZ to the Web server that is inside the application server

      For communication from networks external to firewall 1 to the Web server that is inside the application server, only permit access to public ports, such as HTTP/80 or HTTPS/443. Depending on the system configuration, permit DNS or other communication as necessary.

    • Limiting access based on the IP addresses of Web clients (optional)

      System users can be identified by specifying the IP addresses of Web clients for which firewall function-based access is permitted. In this case, specify the IP address of the reverse proxy server.

  • Configuring firewall 3

    Firewall 3 is used to control access between the Web/application server and the application server. Configure the following settings:

    • Permitting access from the Web/application server to the application server

      So that the Web/application server can use the J2EE server in the application server, permit communication to the following port numbers:

      • CORBA naming service

        The port number is usually fixed. (The default port is 900.)

      • EJB container

        Because the port number used by EJB containers is not fixed, it is necessary to explicitly specify and fix the port number to be used by EJB containers.

        For details about port numbers that can be specified, see 3.15 TCP/UDP port numbers used by Application Server processes in the uCosminexus Application Server System Design Guide.

    • Permitting bidirectional access for transaction-related communication (if a global transaction is using transaction-context propagation)

      If a global transaction is using transaction-context propagation between the Web/application server and the application server, configure the following ports for bidirectional communication for both of the application servers:

      • Communication port for J2EE server transaction recovery (The default port is 20302.)

      • Smart agent communication port (The default port is 14000.)

    • Other settings (optional)

      Depending on the system configuration, permit DNS and other communication as necessary.

  • Configuring firewall 4

    Firewall 4 is used to control access between the application server and the database. This firewall serves as the last line of defense to protect the most important information in the system.

    Configure the following settings:

    • Permitting access from the application server to the database server

      For communication from the application server to the database server, only permit access to a communication port for the database server. The communication port for the database server should be set up in accordance with the relevant settings for the database to be used. Note that it might be necessary to establish a connection from the database server to the application server. Depending on the system configuration, permit DNS or other communication as necessary.
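Added example (not part of the Hitachi manual): a Python model of the four firewalls in the application-distributed configuration described above, with a hop-by-hop reachability check and an audit of the points this subsection raises (management ports unreachable from outside, firewall 2 limited to the reverse proxy's address, bidirectional transaction ports on firewall 3, database port reachable only from the application server). Firewall 3's port set is also what the basic EJB client configuration's firewall permits. Zone names, the fixed EJB container port (23000), the database port (5432), the management ports and the reverse proxy host name are constructed placeholders; the real values depend on the installation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                        # zone the connection enters the firewall from
    dst: str                        # zone it is heading to
    port: int                       # destination port
    src_host: Optional[str] = None  # None = any host in src; else exactly this host


LAYERS = ["external", "dmz", "web_app", "app", "db"]  # outside -> inside
FIREWALLS = {1: ("external", "dmz"), 2: ("dmz", "web_app"),
             3: ("web_app", "app"), 4: ("app", "db")}

CORBA_NAMING, TX_RECOVERY, SMART_AGENT = 900, 20302, 14000  # defaults from the manual
EJB_CONTAINER, DB_PORT = 23000, 5432                         # constructed placeholders
MANAGEMENT_PORTS = {28080, 20295}                            # constructed placeholders
REVERSE_PROXY = "rp-dmz"                                     # placeholder host name


def build_policy(global_transaction: bool = True) -> dict:
    """Allow-list per firewall; anything not listed is denied."""
    policy = {
        1: {Rule("external", "dmz", 80), Rule("external", "dmz", 443)},
        # Firewall 2 accepts only the reverse proxy as source (IP-based limit).
        2: {Rule("dmz", "web_app", 80, REVERSE_PROXY),
            Rule("dmz", "web_app", 443, REVERSE_PROXY)},
        3: {Rule("web_app", "app", CORBA_NAMING),
            Rule("web_app", "app", EJB_CONTAINER)},
        4: {Rule("app", "db", DB_PORT)},
    }
    if global_transaction:
        # Transaction-context propagation needs both directions on these ports.
        for port in (TX_RECOVERY, SMART_AGENT):
            policy[3].add(Rule("web_app", "app", port))
            policy[3].add(Rule("app", "web_app", port))
    return policy


def firewall_between(a: str, b: str) -> int:
    for n, pair in FIREWALLS.items():
        if set(pair) == {a, b}:
            return n
    raise ValueError(f"no firewall between {a} and {b}")


def rule_matches(rules, src, dst, port, src_host) -> bool:
    return any(r.src == src and r.dst == dst and r.port == port
               and (r.src_host is None or r.src_host == src_host) for r in rules)


def permitted(policy, src: str, dst: str, port: int, src_host: str) -> bool:
    """A connection must be allowed by every firewall between src and dst."""
    step = 1 if LAYERS.index(dst) > LAYERS.index(src) else -1
    cur = src
    while cur != dst:
        nxt = LAYERS[LAYERS.index(cur) + step]
        if not rule_matches(policy[firewall_between(cur, nxt)], cur, nxt, port, src_host):
            return False
        cur = nxt
    return True


def audit(policy) -> list:
    """Findings for the considerations in this subsection; empty means clean."""
    findings = []
    client = "203.0.113.5"  # constructed external client address
    non_public = MANAGEMENT_PORTS | {CORBA_NAMING, EJB_CONTAINER, TX_RECOVERY,
                                     SMART_AGENT, DB_PORT}
    for port in sorted(non_public):
        for zone in LAYERS[1:]:
            if permitted(policy, "external", zone, port, client):
                findings.append(f"non-public port {port} on {zone} reachable from external")
    for zone in LAYERS[:3]:
        if permitted(policy, zone, "db", DB_PORT, "any-host"):
            findings.append(f"database port reachable from {zone}, not only from app")
    return findings
```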

(d) Configuring the intrusion detection system

To monitor communication between external networks and the public port for the Web server within the application server, configure the following settings:

  • Communication monitoring

    Configure communication monitoring to issue an alert to an administrator or equivalent if communication contains a known or suspected attack pattern. The linkage function between the intrusion detection system and the firewall can be used to automatically block suspect communications.

  • Monitoring for attacks against established SSL connections

    Because HTTPS-based communication is encrypted, its content generally cannot be inspected. Instead, monitor for attacks against established SSL connections that follow known HTTPS attack patterns.

  • Monitoring of communication to non-public ports

    If communication from external networks reaches a non-public port on the Web/application server, the firewall might have been bypassed or misconfigured. We recommend you configure the system to issue an alert if such an event occurs.