Securing the Internet Facing E-Business Suite

1
Securing the Internet Facing E-Business Suite

• John PetersJRPJR, Inc.
• john.peters_at_jrpjr.com

2

• How many of you have an Internet Facing Oracle
  Application Module? Or Considered Buying one?
• iStore
• iCustomers
• iSuppliers
• iSupport
• iRequitment
• iReceivables
• Others???
• How many of you have thought about security?

3
What you should learn from this presentation

• General Oracle Applications Security (why this
  is not enough)
• Various Systems Configuration Options
• An Optimal Solution at This Time
• External Facing eBusiness Suite Functionality
  Issues

4
General Oracle Applications Security

• Note 189367.1, 06-JAN-2005 Best Practices for
  Securing the E-Business Suite An excellent
  starting point
• Covers each applications component
• SQLNet Listener
• Database
• Applications Tier
• eBusiness Suite
• Desktop
• OS

5
General Oracle Applications Security

• Note 189367.1, 06-JAN-2005
• But leaves many holes
• Does not provide a configuration overview
• Does not adequately address external eBusiness
  Suite modules
• Just barely touches on OS Issues
• Does not address user registration issues

6
Typical OraApps ConfigurationInternal Users Only

• One or more physical servers for each Tier
• Typically a router between the servers and the
  user
• Connection between users and servers is typically
  non-SSL HTTP// (not HTTPS//)

7
Non-SSL vs SSLFor Internal Users Only

• SSL encrypts communications between users and the
  Applications Tier
• Sometimes SOX pushes this as a requirement
• Possibly a 10-15 performance hit
• Hardware Accelerators are available
• Probably not required and overkill for internal
  users running on a switched network

8
SSL ImplementationFor Internal Users Only

• A Guide to Understanding and Implementing SSL
  with Oracle Applications 11i, Note123718.1
• This document changes so keep up to date with it
• There are issues associated with some modules
  which call servlets
• Configurator (even if you are not using it OM
  calls it for PTO Kits)
• iPayment
• Fix requires running a non-SSL web listener
• Again SSL is probably not required for most sites

9
OraApps Internet Facing Configurations

• Example 1No DMZ, Open Up Firewall
• Example 2DMZ Application Server
• Example 3DMZ Web Cache Server
• Example 4DMZ Web Cache ServerDedicated External
  Applications Server

10
Example 1 Non-DMZ Configuration (do not do this)

• Drawbacks
• With same ports open that internal users use,
  internal functionality is exposed to the internet
• Without SSL between the Internet Users Computer
  and Applications Tier communications can be
  eaves dropped on

11
Example 2 DMZ Application Server Configuration

• Benefits
• Internet Communication is done through SSL
• SSL End Point is not on Internal Applications
  Tier
• Communication between DMZ Applications Tier and
  DB Tier are done through SQLnet
• DMZ must be compromised for a hacker to get in

12
Example 2 DMZ Application Server Configuration

• Drawbacks
• DMZ Applications Tier exposes too much to a
  possible hacker
• DMZ Applications Tier must be patched and
  monitored
• Not currently autoconfig and ad tools supported

13
Example 3 DMZ Web Cache Server

• Benefits
• All the benefits of Example 2
• Ports are filtered, only http traffic between
  Internet and Applications Tier
• Minimize software components in DMZ
• Only one Applications Tier to patch
• Can change URL, masking the Oracle
  ApplicationURLs were ? http//mysite.com/OA_HTML/
  URLs can be ? http//mysite.com/external/

14
Example 3 DMZ Web Cache Server

• Drawbacks
• Applications Tier still exposes too much to a
  possible hacker. You can deep link to JSP pages
  if you know their names.

15
What is Web Cache

• Web Cache is a component of Oracle iAS 10G (and
  prior versions)
• Web Cache in my example is installed without
  Oracle iAS 10G(standalone installation)
• Minimal set of software
• No Infrastructure DB
• None of the other components of iAS
• Perfect for a DMZ deployment
• Please refer to the product documentation on
  OTNOracle Application Server 10g Release 2
  (10.1.2)
• Please talk to your Oracle Sales Rep for
  licensing information.

16
What does Web Cache do?

• Web Cache sits between the users and the origin
  servers (Applications Tier)
• Web Cache stores or caches data into memory based
  on rules you specify
• The primary purpose is to improve performance of
  web sites
• Our purpose is to
• Provide an SSL termination point
• Change the URLs served up
• Filter the URLs (not available yet)
• Web Cache can also provide an error page should
  the Application Tier be down for maintenance

17
Example 4 DMZ Web Cache Dedicated Apps Tier

• Benefits
• External Applications Tier can have all of the
  components not required by the Internet Users
  removed. Thus preventing deep linking issues.

18
Example 4 DMZ Web Cache Dedicated Apps Tier

• Drawbacks
• External Applications Tier not supported by
  Oracle tools. You have to manually maintain this
  tier.

19
DMZ Reverse Proxy Server

• Eliminates the need for Example 4s External
  Application Server
• WebCache Server in DMZ will filter URLs
• External Product Teams will supply URL patterns
• Mitigating the unnecessary code problem
• Described in Oracle OpenWorld Paper Oracle
  E-Business Suite Security Management by George
  Buzsaki, VP Applications Technology Products at
  Oracle

20
My Recommendation

• Go with Example 3 for now.
• You can hack the Apache web server configuration
  to provide some URL filtering
• Keep an eye open for Oracles DMZ Reverse Proxy
  Server filtering release

21
How does it work (step 1)

• Internet users go tohttps//mysite.com/external/
  login.jsp
• Connects using SSL to port 443 of the DMZ Web
  Cache Server on NIC 1

22
How does it work (step 2)

• Web Cache reviews URL request to see if page/data
  is cached in memory
• If so it serves up page/data

23
How does it work (step 3)

• Web Cache sends request out to the Application
  Tier (Origin Server) http//myserver.com8000/OA_
  HTML/login.jsp
• Communication is through NIC 2 using non-SSL
• Notice the URL changes
• Application Tier responds, Web Cache relays
  page/data to the Internet User

24
Web Cache Server HW

• My recommendation is a small server like
• Dell PowerEdge 2850 or 1850
• 2 CPU server
• 4GB of RAM
• Dual NICs
• Run Linux on this Server

25
Web Cache Server NIC Configuration

• Dual NICs allow us to configure them
• One NIC Internet Facing
• One NIC Application Tier Facing
• We are effectively using this server to route
  traffic from one network to the other

26
Hardening the Linux OS

• Reinstall the factory installed OS
• Install only the essential components
• Compilers
• Kernal Source
• X Windows/GNOME
• Install an intrusion detection product like
  TripWire

27
TripWire

• Creates a database of files on your server
  storing information like
• Inode number
• Multiple Checksums
• File Size
• File Permission
• File Ownership
• You create the Policy file describing what
  directories/files to track
• Reports can be run periodically to tell you if
  something changed and are sent via email
• TripWire DB and Policy Files are stored on
  another centralized server
• This takes a while to setup and change the policy
  file to keep the noise to a minimum
• Was an Open Source product, included on older
  Linux distributions
• Now is commercial, www.tripwire.com

28
Keep Linux Patched

• OS Security issues dont just exist for Microsoft
  products
• Subscribe to your Linux vendors patching/support
  service
• Emails will alert you when fixes are available
  and are tailored to your install
• The automated tools for patching the OS are
  fairly easy to use

29
Dont forget the TEST instance

• PROD
• TEST

30
Support Issues

• Down time for patching is now a bigger deal with
  External Users
• Web Cache can serve up System Down For
  Maintenance messages to External Users, rather
  than no server found browser errors
• What was 6am to 6pm support, now turns into 24x7
• Who do external users contact for support?

31
User Registration Issues

• All External Facing eBusiness Suite Applications
  utilize FND_USER
• All of these non-company resources have accounts
  on your system
• iStore Users
• iReceivables Users
• iSupplier Users
• iRecruitment Users

32
How to know who is who

• Come up with a Userid Standard for both classes
  of users
• Internal Users
• External Users
• Internal Usersltfirst name initialgtltlast
  namegtltwindows logingtjsmith
• External Usersltemail addressgtjoe.smith_at_mycustome
  r.com

33
Internal vs External

• They are different
• Internal and External differences
• Password aging
• Handling of Password reset requests
• Responsibility requests
• Responsibility verifications
• End date
• Also eBusiness Suite Record History is instantly
  visible and identifiable.

34
User Registration Page Issues

• iStores user registration page inserts FND_USER
  records
• User records can not be purged
• Internal and External Users are mixed together
• (use a convention of email address for external
  users)
• They are routed for approval but if denied they
  are unusable forever
• Approval process is really insufficient for most
  business cases

35
User Registration Page Issues (cont.)

• iStores user registration page requests the
  Party Number from the customer registering.
• How many customers know they are 123456
• If they enter 123465 they are linked to a
  completely different customer
• Once incorrectly linked it is almost impossible
  to correct in CRM, FND_USER, TCA
• FND_USER record is lost for further use

36
User Registration Page Issues (cont.)

• Soution
• Create a custom form and table
• External userids request are stored in the custom
  table for review
• Data is reviewed and if okay entered by internal
  resources into the Oracle Applications
  registration processes to ensure its accuracy
• Denial of Service attacks will fill this custom
  table which we can delete records from. This
  object can be created with no redo log actions to
  minimize impact on archive logs if required.

37
Summary

• External Facing eBusiness Suite modules bring
  Security issues to light
• You might ask, Why do this to yourself?
• There are legitimate business reasons to use
  External Facing eBusiness Suite modules
• Just go into them with open eyes and an
  understanding of what you are getting into

38
Additional References

• Note189367.1, 06-JAN-2005 Best Practices for
  Securing the E-Business Suite
• Note243324.1, 08-JUL-2003 Securing Oracle
  E-Business Suite for Internet Access by Suppliers
• Note229335.1, 19-MAY-2004 Best Practices for
  Securing Oracle E-Business Suite for Internet
  Access

39
Additional Book References

• Linux Security Cookbook
• by Daniel J. Barrett, Richard E. Silverman,
  Robert G. Byrnes O'Reilly
• Real World Linux Security Intrusion Prevention,
  Detection and Recovery
• by Bob ToxenPrentice Hall PTR

40

• My contact information
• John Petersjohn.peters_at_jrpjr.com
  http//www.jrpjr.com
• Additional reference papers can be found
  athttp//www.norcaloaug.org
• http//www.jrpjr.com