3.8 Overview of security measures
Security measures for a system using Application Server use functions such as encryption and user authentication to protect the data and system from threats such as data falsification and hacking. In addition to the Application Server security functions, security measures that define how to use the system to protect the data and system from threats are also required.
Security policies
Based on the standard system configuration using Application Server, the following describes possible threats in this configuration and policies for taking measures against those threats. Note that security information for applications (UAPs) that run on Application Server is not covered here. Such information must be determined by the specific application developers.
Standard system configuration using Application Server, and possible threats
The following shows an example standard system configuration using Application Server, and describes the operation scenario and possible threats.
- Standard system configuration using Application Server
  The following figure shows a standard system configuration using Application Server.
- System configuration elements
  The following table shows the configuration elements of the standard system using Application Server.
Table 3‒3: System configuration elements (No. / Element / Description)
1. Company
   An area where company users and system operators work. A company LAN and a management LAN are installed in this area and are physically separated from each other. Both the company LAN and the management LAN are assumed to be physically separated from outside the company.
2. Machine room
   An area where the system engineer works. To ensure security, the operation management server machine, the application execution environment computers, and the database server machines are installed here.
   This area is assumed to have the highest security level in the company and therefore requires strict management of room access.
3. Company LAN
   A LAN used to exchange business data between company users' PCs and applications.
4. Management LAN
   A LAN used to exchange management data between the system operator's PC and the domain administration server.
5. DMZ
   An isolated network area established between the company LAN and the WWW.
6. Domain administration server
   A server that manages the operation of multiple application execution environment computers (on which Application Server is installed) by grouping them by domain.
7. Operation management server
   A machine on which the domain administration server is installed. This machine manages the operation of application execution environment computers.
8. Application execution environment computer
   A machine on which Application Server is installed. This machine manages applications.
9. Database server machine
   A server on which the DBMS operates. This server is assumed to be used by applications.
   Note that the database security functions are not managed by Application Server.
10. Switch
   Provides routing control based on IP addresses.
11. Firewall
   Provides access control based on IP addresses and port numbers.
12. Hardware load balancer/SSL
   Distributes requests to application execution environment computers. Because SSL communication is supported, encrypted communication is also possible.
- System operation scenario
  The following describes an operation scenario based on the standard system configuration diagram using Application Server.
  - An external user uses the web browser installed on a PC to access applications via HTTP or WebSocket, and uses the system via the Internet.
    Note that the external user is assumed not to attempt access by using Web services (JAX-WS or JAX-RS) or RMI/RMI-IIOP.
  - Company users access applications from within the company via HTTP (including SOAP/REST) or WebSocket by using the web browser installed on business PCs or an application client, and then execute jobs via the company LAN.
    Note that company users are assumed not to attempt access by using RMI/RMI-IIOP.
  - The system operator accesses the domain administration server from within the company by using the web browser installed on a management PC or the Application Server management commands, and then manages operation via the management LAN.
  - The system engineer directly accesses the operation management server, the application execution environment computers, and the database server machine to perform setup and change settings.
  - The system engineer accesses the domain administration server from the machine room by using the web browser installed on a management PC or the Application Server management commands, and then manages multiple application execution environment computers.
  - The domain administration server sends the instructions it receives from the system operator or system engineer to each application execution environment computer in order to start, stop, and change the settings of Application Server processes on those computers.
- Possible attacks on the system
  The following describes the threats that attackers pose to a system that uses Application Server.
  - Attacker A directly attacks application execution environment computers from the Internet.
  - Attacker B attacks applications through unauthorized access from a business PC connected to the company LAN.
  - Attacker C impersonates the system operator to gain unauthorized access to the system from a business PC connected to the company LAN, and then attacks the domain administration server and application execution environment computers.
Security policies against possible threats to the system
The following describes possible security policies for the system using Application Server.
- Assumed network security policies
  - When you design the network security for layer 3 or lower, consider the following:
    - Use the hardware load balancer or firewall so that packets from outside the company can reach only the ports used in normal operation.
    - Prevent packets from the company LAN and from outside the company from being sent to the management LAN.
  - When you design the network security for layer 4 or higher, consider the following:
    - Security is supported within the scope of the Java EE standard specifications; the application developer is responsible for other security issues.
  - When you design the network security for the management LAN, consider the following:
    - Although the management LAN is independent of the company LAN, prevent unauthorized persons, whether or not they have malicious intent, from connecting to the management LAN.
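As an added example that is not part of the original manual, the following nftables ruleset shows how the two layer-3 rules above (external packets reach only the normal-use ports; nothing from the Internet or the company LAN enters the management LAN) can be expressed on the firewall sitting between the Internet, the DMZ, the company LAN and the management LAN. The interface names, the subnets, and the choice of HTTP/HTTPS as the "ports used in normal operation" are assumptions for illustration; load it with `nft -f` after adjusting them to the site.

```nft
# Added example (not from the manual): layer-3 policy for the DMZ firewall.
# Assumed interfaces: wan (Internet), dmz (hardware load balancer / application
# execution environment computers), lan (company LAN), mgmt (management LAN).
# Assumed addresses are RFC 5737 / RFC 1918 ranges used for illustration only.
define LB_VIP    = 192.0.2.10      # hardware load balancer (SSL) in the DMZ
define LAN_NET   = 10.1.0.0/16     # company LAN
define APP_PORTS = { 80, 443 }     # "ports used in normal operation" (assumed)

table inet appserver_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;   # deny by default

        ct state established,related accept
        ct state invalid drop

        # Rule 1: packets from outside the company reach only the normal-use
        # ports on the load balancer. RMI/RMI-IIOP and Web service ports stay
        # closed to the Internet because nothing else is accepted from "wan".
        iifname "wan" oifname "dmz" ip daddr $LB_VIP tcp dport $APP_PORTS accept

        # Rule 2: nothing from the company LAN or from outside the company is
        # forwarded into the management LAN. Denied attempts are logged so the
        # Attacker B / Attacker C scenarios leave a trace in the firewall log.
        iifname { "wan", "lan" } oifname "mgmt" log prefix "mgmt-lan-denied: " drop

        # Company users reach applications over HTTP/HTTPS (including SOAP/REST)
        # and WebSocket, which use the same ports.
        iifname "lan" oifname "dmz" ip saddr $LAN_NET tcp dport $APP_PORTS accept

        # Management traffic from the management LAN to the application execution
        # environment computers depends on the site layout and is not modelled;
        # everything not listed above falls through to the drop policy.
    }
}
```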
- Assumed security policies for physical operations
  - When you design the security that applies outside the company, consider the following:
    - Because there might be malicious persons outside the company, prevent a physical connection to the company LAN or management LAN from being established from outside the company.
  - When you design the security that applies within the company, consider the following:
    - Because malicious attackers might also exist within the company, allow access to Application Server only via the network, not through direct physical access to the machines.
  - When you design the machine room area, consider the following:
    - Prevent unauthorized persons, whether or not they have malicious intent, from entering the area.
- Assumed security policies for the development environment
  - Use a machine in the company LAN to develop applications.
  - Make sure that a developer cannot include malicious code in applications.
  - An expert must review the developed applications.
    Confirm that the developed applications are free of viruses.
  - The system engineer must deploy the applications (developed in the company LAN) on application execution environment computers via the management LAN.
    Do not allow application developers to deploy applications directly on application execution environment computers in the management LAN.
- Application Server security policies
  The following describes the Application Server security policies against possible threats.
  - Make sure that access from the company LAN to applications stays within the scope of the authority specified by the system engineer.
    Make sure that access from the company LAN to applications does not deviate from the authority specified by the system engineer.
    Make sure that file access deviating from the specified authority does not occur.
  - Support encryption of access from the company LAN to applications in order to prevent wiretapping and falsification.
  - For access from the company LAN to applications, collect the application log and the Application Server log separately.
  - For access from the company LAN to applications, provide authentication functionality within the scope of the Java EE standard specifications.
  - The security of ports used by the operation management functionality is not guaranteed.
  - The tamper resistance of Application Server files and memory is not guaranteed.
  - The output of data that must be protected to Application Server files and memory is not restricted.
  - If Application Server output is sent over the network, security-related configuration data (such as the domain.xml configuration file for the Java EE server and the password management file) must be protected.
Threats to the system and countermeasures
The following describes possible security threats to the system based on the standard system configuration diagram using Application Server.
Numbers in the figure indicate the locations that might be subject to threats.
The table below describes the countermeasures against threats to the system. The numbers in the figure correspond to the item numbers in the table.