Hitachi

Hitachi Application Server V10 User's Guide (For Windows® Systems)


3.8 Overview of security measures

Security measures for a system that uses Application Server rely on functions such as encryption and user authentication to protect the data and the system from threats such as data falsification and intrusion. In addition to the Application Server security functions, operational security measures that define how the system is to be used are also required to protect the data and the system from those threats.

Security policies

Based on the standard system configuration using Application Server, the following describes the threats possible in that configuration and the policies for taking measures against them. Security information for applications (UAPs) that run on Application Server is not covered here; such measures must be determined by the developers of each application.

Standard system configuration using Application Server, and possible threats

The following shows an example standard system configuration using Application Server, and describes the operation scenario and possible threats.

Standard system configuration using Application Server

The following figure shows a standard system configuration using Application Server.

[Figure]

System configuration elements

The following table describes the configuration elements of the standard system using Application Server.

Table 3‒3: System configuration elements (No., element, and description)

  1. Company
    The area where company users and system operators work. A company LAN and a management LAN are installed in this area and are physically separated from each other. Both are also assumed to be physically separated from networks outside the company.

  2. Machine room
    The area where the system engineer works. To ensure security, the operation management server machine, the application execution environment computers, and the database server machines are installed here.
    This area is assumed to have the highest security level in the company and therefore requires strict control of room access.

  3. Company LAN
    A LAN used to exchange business data between company users' PCs and applications.

  4. Management LAN
    A LAN used to exchange management data between the system operator's PC and the domain administration server.

  5. DMZ
    An isolated network segment established between the company LAN and the Internet (WWW).

  6. Domain administration server
    A server that manages the operation of multiple application execution environment computers (on which Application Server is installed) by grouping them into domains.

  7. Operation management server
    The machine on which the domain administration server is installed. This machine manages the operation of the application execution environment computers.

  8. Application execution environment computer
    A machine on which Application Server is installed. This machine runs the applications.

  9. Database server machine
    A server on which the DBMS runs. It is assumed to be used by the applications.
    Note that the security functions of the database are not managed by Application Server.

  10. Switch
    Routes traffic on the basis of IP addresses.

  11. Firewall
    Controls access on the basis of IP addresses and port numbers.

  12. Hardware load balancer/SSL
    Distributes requests across the application execution environment computers. Because SSL communication is supported, communication can also be encrypted.

System operation scenario

The following describes an operation scenario based on the standard system configuration diagram using Application Server.

  1. An external user accesses applications via HTTP or WebSocket from the web browser installed on a PC, and uses the system via the Internet.

    Note that the external user is assumed not to attempt access via Web services (JAX-WS or JAX-RS) or RMI/RMI-IIOP.

  2. Company users access applications from within the company via HTTP (including SOAP/REST) or WebSocket, using the web browser installed on business PCs or an application client, and execute jobs via the company LAN.

    Note that company users are assumed not to attempt access via RMI/RMI-IIOP.

  3. The system operator accesses the domain administration server from within the company, using the web browser installed on a management PC or the Application Server management commands, and manages operation via the management LAN.

  4. The system engineer directly accesses the operation management server, the application execution environment computers, and the database server machines to set them up and change their settings.

  5. The system engineer accesses the domain administration server from the machine room, using the web browser installed on a management PC or the Application Server management commands, and manages multiple application execution environment computers.

  6. The domain administration server forwards the instructions received from the system operator or the system engineer to each application execution environment computer in order to start and stop the Application Server processes there and to change their settings.

Possible attacks on the system

The following describes the attackers assumed to threaten a system that uses Application Server.

  1. Attacker A directly attacks the application execution environment computers from the Internet.

  2. Attacker B attacks applications through unauthorized access from a business PC connected to the company LAN.

  3. Attacker C impersonates the system operator to gain unauthorized access to the system from a business PC connected to the company LAN, and then attacks the domain administration server and the application execution environment computers.

Security policies against possible threats to the system

The following describes the security policies assumed for the system using Application Server.

Assumed network security policies
  1. When you design network security at layer 3 or lower, consider the following:

    Use the hardware load balancer or the firewall so that packets from outside the company can reach only the ports used for normal service.

    Prevent packets from the company LAN and from outside the company from reaching the management LAN.

  2. When you design network security at layer 4 or higher, consider the following:

    Support security within the scope of the Java EE standard specifications, and make the application developer responsible for other security issues.

  3. When you design network security for the management LAN, consider the following:

    Although the management LAN is independent of the company LAN, prevent anyone, whether malicious or not, from connecting to the management LAN without authorization.

Assumed security policies for physical operations
  1. When you design the security that applies outside the company, consider the following:

    Because there might be malicious persons outside the company, prevent any physical connection to the company LAN or the management LAN from being established from outside the company.

  2. When you design the security that applies within the company, consider the following:

    Because there might be malicious persons within the company as well, do not allow physical access to the Application Server machines; allow access only via the network.

  3. When you design the machine room area, consider the following:

    Prevent unauthorized persons, whether malicious or not, from entering the area.

Assumed security policies for the development environment
  1. Develop applications on a machine in the company LAN.

  2. Make sure that there is no possibility of a developer including malicious code in an application.

  3. Have an expert review the developed applications.

    Confirm that the developed applications are free of viruses.

  4. Have the system engineer deploy the applications (developed in the company LAN) on the application execution environment computers via the management LAN.

    Do not allow application developers to deploy applications directly on the application execution environment computers in the management LAN.

Application Server security policies

The following describes the Application Server security policies against the possible threats.

  1. Make sure that access from the company LAN to applications stays within the scope of the authority specified by the system engineer, and that no file access outside that authority occurs.

  2. Support encryption of access from the company LAN to applications in order to prevent eavesdropping and falsification.

  3. For access from the company LAN to applications, collect the application log and the Application Server log separately.

  4. For access from the company LAN to applications, provide authentication functionality within the scope of the Java EE standard specifications.

  5. Application Server does not guarantee the security of the ports used by the operation management functionality.

  6. Application Server does not guarantee the tamper resistance of its files and memory.

  7. Application Server does not restrict the output of data that must be protected to its files and memory.

  8. If Application Server output is sent across the network, the security-related configuration data it contains (such as the domain.xml configuration file of the Java EE server and the password management file) must be protected.

Threats to the system and countermeasures

The following describes possible security threats to the system based on the standard system configuration diagram using Application Server.

Numbers in the figure indicate the locations that might be subject to threats.

[Figure]

The list below describes the countermeasures against each threat to the system. The numbers in the figure correspond to the item numbers in the list. For each item, "Function" is an Application Server function used as a countermeasure, "Operation" is an operational countermeasure, and "Settings" describes where the security function is configured.

  1. Eavesdropping on and falsification of communication data

    Overview: An attacker captures packets flowing in the network to read business data or management data without authorization, or alters the packets themselves to change the data.

    Function: Use the SSL/TLS encryption functions of Web Server.

    Operation: Use the SSL/TLS encryption functions of the load balancer.

    Settings: In the httpsd.conf file that configures the operating environment of the web server, specify the encryption functions for SSL authentication.

  2. Falsification of instructions

    Overview: An attacker alters packets flowing in the network to change the instructions issued by the system engineer or the system operator.

    Operation: Implement access control for the management LAN.

    Settings: None.

  3. Application access by unauthorized users

    Overview: An attacker without access authority sends requests to applications and executes jobs illegally.

    Function: Use the Java EE standard security roles.

    Settings: Use the create-auth-realm subcommand to create a named authentication realm, and then define the security roles in the application deployment descriptor (DD).

  4. Execution of instructions by unauthorized users

    Overview: An attacker without access authority accesses the operation management function and executes instructions illegally.

    Function: Authenticate with the management password of the domain administration server.

    Operation: Save and store user authentication data (such as passwords) only on devices that are connected solely to the management LAN. Permit access to the management ports of the domain administration server only from the management LAN.

    Settings: When creating a domain with the create-domain subcommand, specify the management user password. Use the change-admin-password subcommand to change the management user password.

  5. Chain-reaction effect of an application vulnerability on the whole Java EE server

    Overview: A vulnerability triggered by an unexpected message received by one application affects the whole Java EE server in a chain reaction.

    Function: Use Java security policies (restricting the APIs that applications can use) to protect the system.

    Settings: Define the policy in the server.policy file and specify its location by using the system property provided by Java SE.

  6. Repudiation of unauthorized access

    Overview: An attacker who performed unauthorized access denies having done so.

    Function: Enable Web Server access logging.

    Settings: In the httpsd.conf file that configures the operating environment of the web server, configure web server access logging.

  7. Shoulder surfing

    Overview: An attacker obtains information such as a password by looking over the shoulder of the system engineer or the system operator.

    Function: To keep critical information such as passwords from being seen, use a function that hides the characters entered in a text box and displays black dots or other characters instead.

    Settings: None.

  8. Denial of service (DoS) attack

    Overview: An attack designed to make services unavailable.

    Function: Use the timeout control and packet size restriction functions.

    Operation: Link with JP1 to monitor security errors.

    Other countermeasures: Use network products such as a firewall and a load balancer to reduce the DoS traffic that reaches the system.

    Settings: In the httpsd.conf file that configures the operating environment of the web server, specify timeout control and packet size restriction.
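The following httpsd.conf fragment is an added example and is not taken from the Hitachi manual. It shows the three web server settings referred to in items 1, 6 and 8 in one file: SSL/TLS, access logging, and timeout control with packet size restriction. It assumes that Hitachi Web Server accepts Apache HTTP Server directives (it is Apache-based), so the directive names (in particular the mod_ssl-style SSL directives), the certificate and log paths, and the limit values are assumptions to be checked against the Hitachi Web Server reference.

```apache
# httpsd.conf excerpt (added example; paths, port and limit values are assumptions)

# Item 8: timeout control and packet size restriction.
# Idle connections are dropped after 30 seconds, shorter than the server
# default, and the request line, header and body sizes are capped so that
# oversized requests are rejected before they consume worker processes or memory.
Timeout 30
KeepAlive On
KeepAliveTimeout 5
LimitRequestLine 8190
LimitRequestFieldSize 8190
LimitRequestFields 100
# 10 MiB; size this to the largest upload the applications legitimately accept.
LimitRequestBody 10485760

# Item 6: access logging. Every request is recorded with the client address,
# time, request line, status and response size, which is the evidence needed
# to refute a denial of access.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "C:/Program Files/Hitachi/httpsd/logs/access.log" combined

# Item 1: SSL/TLS on the client-facing listener. SSLv2, SSLv3, TLS 1.0 and
# TLS 1.1 are disabled, and only cipher suites with authentication and a strong
# hash are allowed, so traffic cannot be read or altered in transit.
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    SSLCertificateFile    "C:/Program Files/Hitachi/httpsd/conf/ssl/server/httpsd.pem"
    SSLCertificateKeyFile "C:/Program Files/Hitachi/httpsd/conf/ssl/server/httpsdkey.pem"
</VirtualHost>
```

Two caveats when applying this. Apache-style configuration does not allow a comment on the same line as a directive, which is why every comment above is on its own line. And when the hardware load balancer terminates TLS (the operational countermeasure in item 1), the hop from the load balancer to the web server is plaintext unless it is re-encrypted, and the %h field of the access log then records the load balancer's address rather than the client's unless the balancer forwards the client address in a header that the log format also records.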
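The following PowerShell script is an added example, not Hitachi's procedure. It carries out the management-side settings from items 3 and 4 (create-domain with a management password, change-admin-password, create-auth-realm) and the network policy that the management ports of the domain administration server are reachable only from the management LAN. It assumes that the Application Server management command is the GlassFish-derived asadmin.bat with the subcommands named in this section, that the administration port is 4848, that the management LAN is 10.10.0.0/24, and an installation path; all of these are assumptions to be adjusted to the site.

```powershell
# Added example, not Hitachi's procedure. Install path, admin port, domain name
# and management LAN subnet are assumptions; adjust them to the site.
$Asadmin   = 'C:\Program Files\Hitachi\APServer\javaee\glassfish\bin\asadmin.bat'
$Domain    = 'domain1'
$AdminPort = 4848
$MgmtLan   = '10.10.0.0/24'

# Item 4: create the domain with an explicit management user password.
# asadmin reads the password from a file (AS_ADMIN_PASSWORD=...) rather than
# from the command line, so it does not appear in process listings or history.
$secure = Read-Host -AsSecureString 'Management user password'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$pwFile = Join-Path $env:TEMP 'asadmin.pw'
"AS_ADMIN_PASSWORD=$plain" | Set-Content -Path $pwFile -Encoding ASCII
& $Asadmin --user admin --passwordfile $pwFile create-domain --adminport $AdminPort $Domain
# The password file must exist only on a machine on the management LAN;
# remove it as soon as the domain exists.
Remove-Item $pwFile

# Item 4: later rotation of the management password (prompts for the old and
# new password).
# & $Asadmin --user admin --port $AdminPort change-admin-password --domain_name $Domain

# Item 3: a named authentication realm that the application's security roles
# map to. The domain administration server must be running first.
& $Asadmin --user admin --port $AdminPort start-domain $Domain
& $Asadmin --user admin --port $AdminPort create-auth-realm `
    --classname com.sun.enterprise.security.auth.realm.file.FileRealm `
    --property 'file=${com.sun.aas.instanceRoot}/config/appusers.keyfile:jaas-context=fileRealm' `
    appRealm

# Network policy: the administration port is reachable only from the management
# LAN. Windows Firewall gives Block rules precedence over Allow rules, so do not
# add a blanket Block for the port (it would also block the management LAN);
# rely on the default inbound action being Block and add one scoped Allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Application Server admin port (management LAN only)' `
    -Direction Inbound -Protocol TCP -LocalPort $AdminPort `
    -RemoteAddress $MgmtLan -Action Allow
```

The realm created here is a file realm whose user file lives under the domain's config directory, which is on the operation management server and therefore on the management LAN, in line with the operational countermeasure in item 4 that authentication data is stored only on devices connected solely to the management LAN. The application then references the realm by name in its deployment descriptor and declares the roles that the realm's groups map to.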
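The following server.policy fragment is an added example for item 5, not Hitachi's shipped policy. It shows a permissive grant next to the restricted one that confines a deployed application to the APIs it needs, so that a vulnerability in one application cannot spread to the rest of the Java EE server. It assumes the GlassFish-style server.policy layout and its ${com.sun.aas.instanceRoot} variable; the database host and port are assumptions. The policy takes effect only when the JVM runs with a security manager, and the file's location is the one given by the Java SE system property java.security.policy, which is the property item 5 refers to. The grants that the server itself requires, present in the server's default server.policy, must be kept alongside this fragment.

```text
// server.policy excerpt (added example; the database host and port are
// assumptions). ${com.sun.aas.instanceRoot} is the server's variable for the
// domain directory; ${/} is the policy-file form of the path separator.

// Weak setting (left commented out): every deployed application receives every
// permission, so one application that mishandles an unexpected message can read
// other applications' files, open sockets anywhere, or stop the JVM.
// grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-" {
//     permission java.security.AllPermission;
// };

// Hardened setting: applications receive only what they need.
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-" {
    // read-only access to the deployed application files
    permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}applications${/}-", "read";
    // scratch files only under the JVM temporary directory
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
    // outbound connections only to the database server
    permission java.net.SocketPermission "dbserver.example.com:5432", "connect,resolve";
    // system properties may be read but not changed
    permission java.util.PropertyPermission "*", "read";
    // deliberately absent: java.lang.RuntimePermission "exitVM",
    // "setSecurityManager" and "createClassLoader", and
    // java.lang.reflect.ReflectPermission "suppressAccessChecks"
};
```

Test the application with the restricted policy in effect before it goes to the application execution environment computers: a missing permission surfaces as a java.security.AccessControlException at the call site, which is the point at which to decide whether the access is legitimate and should be granted, or is the kind of access the policy exists to stop.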