Chapter 14. Security Design and Management

The Importance of Application Security

For all the talk and attention that Internet security gets these days, for some reason it often takes a back seat to other considerations during application design. Maybe it's because the nonfunctional requirements often are overlooked due to the importance that is placed on "the product working like it's supposed to." Or maybe it's because of the overall complexity of designing and building a proper security framework. The planning and forethought that security design and construction require can consume a large part of a project's cycle. The irony about an application's security framework is that if it's working like it's supposed to, no one will notice it. When it's not working like it should, everyone will notice. This might be another reason why not enough attention is given to the application security requirements. Whatever the real reasons are, the results of not paying enough attention to the security considerations can be disastrous for the application and possibly the company.

Obviously, not all applications have exactly the same requirements placed on them from a security perspective. However, for typical B2C and B2B Internet applications, there are many similarities when it comes to security design and constraints. Most of these applications are distributed component-based applications. The key word in that sentence is "distributed." Because these components are physically distributed over a network, the attack surface is larger: every network hop and every listening endpoint is a place where an attacker or unauthorized user can observe, alter, or inject traffic. The types of networks that these components use to communicate with one another can vary greatly, but often some portion of the application must be exposed to an unprotected open network such as the Internet. For example, a browser that makes a call to a servlet or JSP page typically will send the request, and the data within the request, over the Internet to the Web server, which usually is listening on a well-known port. As this request travels over the open Internet, many bad things can happen along the way. The request might contain the customer's credit card information for an order. If an unauthorized person were to intercept the request and get this information, you can imagine how unhappy this customer would be.

Because most Web servers listen on a well-known port (80 for HTTP, 443 for HTTPS), they are trivially located by a port scan, so extra precautions must be taken to protect the customer's information and requests. This is just one piece of the security puzzle with which application designers must deal. This chapter takes a closer look at some of the other security issues that you must consider when designing and building EJB applications. Like many other things in software development, the earlier you deal with these issues during analysis and design, the better the chances you'll have of building a more secure and resilient application.



Understanding Your Application's Security Requirements

As we stated earlier, not all target environments have the same security needs and constraints. However, there are some broad generalities we can make about typical EJB applications. The following list describes some of the common security-related features or aspects:

Physically separated tiers
User-level access based on username/password
Different vendor products used throughout the application
Sensitive and nonsensitive data being used



Physically Separated Tiers

A typical EJB application might have three or more physical tiers, all running on separate machines. The Web tier usually is on a server that is placed where Internet or intranet HTTP traffic can reach it. The Application tier usually is on a server located in the enterprise's protected network infrastructure. It's typically not exposed to the Internet directly, because the traffic to it usually comes from the Web server.

Many EJB vendors these days provide Web servers inside the EJB server itself. This usually can give better performance and provide for easier maintenance because everything is centrally located. The problem with this approach, however, is that the entire tier, EJB container included, might have to be exposed closer to the Internet because of this lack of separation between the two tiers. You should give plenty of thought to your security requirements before taking advantage of this configuration. Be sure you have other strong measures in place to prevent someone from getting into your application server and causing damage to the system, for example a firewall that admits only HTTP/HTTPS to the combined server and blocks its RMI/IIOP and administration ports from the outside.

The third tier usually is a database server that is used directly by the application tier and possibly other enterprise resource planning (ERP) systems. The database houses the mission-critical data for the application, including sensitive customer data. The Database tier should be located deep in the company's protected network infrastructure with no path to it from the outside world. If an attacker does get at this data, it could spell the end for the company and many customers' credit reports. There have been several incidents lately where attackers were able to get a list of credit-card numbers for customers that did business with an online company. This is the worst possible thing that could happen for an Internet company and its product. Always be sure to protect this data and never expose it to unauthorized individuals. You probably want to go as far as encrypting sensitive information in the database to ensure that even if someone gets a copy of the credit-card table, they won't be able to use it easily. That protection only holds if the encryption key is kept out of the database and away from the path the attacker took, for instance in the application tier's key store; a key stored in a neighboring table, or readable through the same SQL injection, buys nothing.
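The following is an added example, not code from the book, of the field-level encryption suggested above: card numbers are sealed with AES-GCM before being stored, so a copied table yields only ciphertext, and any edit to a stored value is detected on decryption. The class name, the column format (base64 of IV, ciphertext and tag) and the key generated in main are assumptions made for the example; in a real deployment the key is loaded from a key store or HSM reachable only from the application tier, never from the database.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Encrypts a sensitive column (a card number) before it is written to the
 * database. The key is assumed to live outside the database, so a dump of the
 * table alone does not yield usable card numbers. (Hypothetical class name.)
 */
public class CardNumberProtector {

    private static final int IV_BYTES = 12;  // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128; // authentication tag length
    private final SecretKey key;
    private final SecureRandom random = new SecureRandom();

    public CardNumberProtector(SecretKey key) {
        this.key = key;
    }

    /** Returns base64(iv || ciphertext || tag), the value stored in the column. */
    public String seal(String cardNumber) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv); // fresh IV per row; an IV must never repeat under one key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(cardNumber.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverses seal(); throws AEADBadTagException if the stored value was altered. */
    public String open(String stored) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(stored);
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // assumption: in production this comes from a key store
        CardNumberProtector p = new CardNumberProtector(key);

        String stored = p.seal("4111111111111111"); // constructed test card number
        System.out.println("column value: " + stored);
        System.out.println("recovered:    " + p.open(stored));

        // Simulate an attacker editing the stored row: flip one ciphertext byte.
        byte[] tampered = Base64.getDecoder().decode(stored);
        tampered[IV_BYTES] ^= 0x01;
        try {
            p.open(Base64.getEncoder().encodeToString(tampered));
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e);
        }
    }
}
```

GCM is used rather than plain CBC so that the stored value is also integrity-protected: an attacker who can write to the table but does not hold the key cannot substitute a ciphertext of their own without the decryption failing.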

Continuing with the sweeping generalities, Figure 14.1 presents a physical network topology for a typical EJB application. The figure shows how and where security measures are usually applied.

Figure 14.1. A typical Enterprise JavaBeans network security topology.



Figure 14.1 shows that there is usually at least one demilitarized zone (DMZ) where components are somewhat exposed to the Internet or some other unprotected networks. The DMZ is the part of the network that is most susceptible to intruders and attacks. The DMZ area is given much more attention for security considerations than other areas that are located deeper in the company's intranet. This is usually done with a combination of software and hardware configurations.



User-Level Access Based on Username/Password

Another common feature of EJB applications is that end users can be authenticated with a username and password. The username and password typically are the only information the end user provides to be identified. To protect sensitive information such as this in transit, Web applications use digital certificates together with the Secure Sockets Layer (SSL) protocol. A certificate is installed on the application's Web server; it lets the browser verify that it is talking to the genuine server, and the SSL handshake then establishes an encrypted channel for the customer data that must be sent from the client browser to the Web server. By using HTTPS rather than plain HTTP, data is sent encrypted and not in the clear. This helps ensure the confidentiality and integrity of the user's data and requests.

Digital certificates are most often installed on the Web server, but usually not in the end user's browser. If a certificate is installed on both the Web server and in the client's browser, and each side verifies the other's, this form of authentication is known as mutual authentication. It is rarely done in B2C applications and is somewhat more prevalent in B2B applications, but even there it isn't the norm. Server-authenticated SSL usually is sufficient.



Different Vendor Products Used

Unless you are using an EJB server that includes the Web server and you are taking advantage of this feature, you generally have products from different vendors throughout the enterprise application. One of the goals of the EJB and J2EE architectures is to allow developers to choose the best vendor for a specific technology. The problem associated with different vendors is that sometimes the integration effort is immense. Fortunately, interoperability has been given plenty of attention in the EJB and J2EE specifications, so many of the interoperability problems have been solved. However, security interoperability is one of the weakest parts of the specification. This is not to say that it can't be done or isn't being done; it's just that this part of the specification seems to lag behind some of the other areas. If your components do have to communicate in a secure fashion, one choice is always to use the SSL protocol. Because RMI/IIOP is the standard wire protocol between J2EE clients and containers, SSL is a convenient solution: IIOP can be run on top of it when communicating between the Web tier and the EJB container, for example. How that SSL layer is configured, and how the caller's identity is propagated across it, is still vendor-specific, so verify both ends with the products you actually deploy.



Sensitive and Nonsensitive Data Being Used

Not all applications need to encrypt data that is sent from tier to tier. In most cases, only the communications between the Client tier and Web tier need to be protected. This is not always the case, but it's true more often than not. Encryption doesn't come without a price: there is a negative impact on performance and administration when you need to use encryption to protect the data. Many applications switch into a secured mode only when it's absolutely necessary. Others use HTTPS from the moment the customer sends the username and password. You must think about when you actually need to use encryption to protect the data. It really depends on your customer base and when certain data is being sent to and from the user's browser. Whatever you decide, the username and password themselves, and any session identifier issued after login, must never travel over plain HTTP; a session cookie that was obtained over HTTPS and then replayed over HTTP can be captured and used just as easily as the password.
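As an added example (not from the book) of switching into secured mode only where it is needed, and of forcing HTTPS for the username/password exchange described in the previous section, this web.xml fragment uses the servlet specification's transport-guarantee element. The URL patterns and resource names are assumptions for a hypothetical shop.

```xml
<!-- web.xml excerpt: the container accepts these URLs only over SSL/HTTPS;
     a plain HTTP request is refused or redirected to the HTTPS port. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login and checkout</web-resource-name>
    <url-pattern>/login</url-pattern>
    <url-pattern>/checkout/*</url-pattern>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Catalog browsing carries nothing sensitive and stays on plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Catalog</web-resource-name>
    <url-pattern>/catalog/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The pattern list must include the page that serves the login form, not just the URL the form posts to; otherwise an attacker who can alter the plain-HTTP form can point it at a server of their own. If the same session is used on the catalog pages, mark the session cookie secure so the browser never sends it over HTTP.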



Basic Security Concepts

One of the hardest things about understanding security design and construction is figuring out what all the terms mean and how everything fits together. This section attempts to provide a clear, simple definition for these terms so that we can have a foundation for the rest of the chapter.



Authentication and Authorization

Authentication is the process of entities proving to one another that they are acting on behalf of specific identities. For example, when a Web user provides a username and password for a login, the authentication process verifies that this is a valid application user and that the supplied password matches the one on record for that user. Various types of authentication mechanisms can be used. Other than no authentication, two main categories are employed in the various EJB products, although the actual naming conventions might be different.

Weak or simple authentication is where the user provides a username and password to be authenticated. The user provides no other authentication information. This probably is the most common form of authentication in EJB applications. One main concern with simple authentication is that if someone else gets your username and password, they can assume your identity.

As you might expect, strong authentication is more secure than simple or weak authentication. This is where the user proves identity with a digital certificate, or some other private means such as a hardware token, rather than a password alone. The certificate itself is public; what the user must guard is the private key that goes with it, and the browser keeps that key in a local key store where it is harder for an attacker to reach than a password that is typed on every login. Be aware that if the private key can be copied, it works from any machine; the key is tied to a particular machine only when it is generated in, and never leaves, a hardware token or a non-exportable key store.

Other authentication mechanisms can be used as well. Sometime within the next year or two, banks are planning to introduce automated teller machines (ATMs) with a security measure that scans the user's iris. Although we might be a few years away from users of eBay.com wanting to get their eyes scanned before they can log in, newer types of authentication are being developed. Another up-and-coming authentication mechanism involves fingerprint scans. This actually is used in some larger government-type systems that need more security for the system.

Authorization differs from authentication in that authentication is about ensuring only valid users get access into an application, whereas authorization is about controlling what the authenticated user is allowed to do after they get into the application.

Authentication happens first, and then authorization should happen next, assuming authentication succeeds. For some simple EJB applications, it's possible that only authentication needs to be used. However, for many applications, there is some type of administrator functionality that a normal user should not have access to. One of the ways that this can be enforced is by creating a list of permissions for actions that a user can perform and then checking this permission list against the actions attempted by the user.

Authorization typically is much harder and more complex to perform. Some applications can get by without doing much authorization, but by building authorization into the framework from the start and making it possible, you will save yourself many headaches later trying to incorporate it.



Data Integrity

Data integrity is the means or mechanism of ensuring that data has not been tampered with between the sender and the receiver. It ensures that no third party could have modified the information, which is possible when it's sent over an open network. If the receiver detects that a message might have been tampered with, it should discard the message. In practice this is done with a message authentication code or a digital signature over the message, which is also what SSL computes for every record it carries.



Confidentiality and Data Privacy

Confidentiality is the mechanism of making the information available to only the intended recipient. Ensuring that the system you are communicating with is really the one that you intended to communicate with is a big part of this concept in practice, because encrypting data for the wrong party gains nothing. There are many ways attackers can trick you into sharing sensitive data. There was a case recently where a lesser-known security hole allowed hackers to modify DNS entries and cause traffic for an actual bank to be rerouted to a fake site. The fake Web site set up its pages to look exactly like the bank's site and attempted to capture the user's username and password, which could then be used on the real site to gain access. Digital certificates help solve most of the associated problems, because the impostor cannot present a certificate for the bank's name that a browser will accept without a warning, but only if the browser checks the certificate and the user does not click through that warning. You must keep your eyes open.



Nonrepudiation

This is one of the most misunderstood security concepts. Nonrepudiation is the ability to prove that a particular user performed some action, so that the user cannot later deny it. For example, if a user submitted a bid for an auction, through proper record keeping and audit trails the system administrators could prove that the action was performed by the particular user's account. It doesn't mean that the owner of the account actually submitted the bid, but you can prove their account was used and that it's not just a data error. The strongest form binds the action to something only the user holds, such as a digital signature over the bid made with the user's private key, rather than to a password that the server also knows.
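The next block is an added example, not code from the book, that puts the two preceding sections side by side: an HMAC gives the data integrity described above but cannot give nonrepudiation, because the receiver holds the same key and could have produced the tag itself, whereas a signature made with the bidder's private key can be verified by anyone holding the public key but produced by no one else. The bid string, the key sizes and the class name are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class IntegrityVsNonrepudiation {

    /** Integrity with a shared secret: either side can compute the same tag. */
    public static byte[] mac(byte[] key, String message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    public static boolean macVerify(byte[] key, String message, byte[] tag) throws GeneralSecurityException {
        return MessageDigest.isEqual(mac(key, message), tag); // constant-time comparison
    }

    /** Nonrepudiation: only the holder of the private key can produce this. */
    public static byte[] sign(PrivateKey priv, String message) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    public static boolean verify(PublicKey pub, String message, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(message.getBytes(StandardCharsets.UTF_8));
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        String bid = "auction=1234;bidder=alice;amount=250.00"; // constructed sample message
        String altered = bid.replace("250.00", "2.50");         // what a tampering party might send

        // Integrity: HMAC with a key shared between, say, the Web tier and the EJB tier.
        byte[] sharedKey = new byte[32];
        new SecureRandom().nextBytes(sharedKey);
        byte[] tag = mac(sharedKey, bid);
        System.out.println("intact message verifies:  " + macVerify(sharedKey, bid, tag));
        System.out.println("altered message verifies: " + macVerify(sharedKey, altered, tag));
        // The receiver holds the same key, so it could also have produced this tag:
        // the tag proves the message was not altered in transit, not who wrote it.

        // Nonrepudiation: signature with the bidder's own private key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair alice = kpg.generateKeyPair(); // assumption: in practice this lives in Alice's key store
        byte[] sig = sign(alice.getPrivate(), bid);
        System.out.println("signature verifies:       " + verify(alice.getPublic(), bid, sig));
        System.out.println("signature on altered bid: " + verify(alice.getPublic(), altered, sig));
        // Anyone with Alice's public key can check the bid, but nobody else could have
        // signed it, so the signed bid kept in the audit trail is evidence her key was used.
    }
}
```

The signed bid still proves only that Alice's key was used, which is exactly the distinction the text draws between the account and its owner; protecting the private key is what turns that into evidence about Alice herself.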

Auditing is sometimes overlooked, but it's invaluable when an action that was performed on a user's account has to be verified. Other auditing features include recording invalid login attempts, which can point to possible attacks on the system.



Principals and Users

A principal is an entity that can be authenticated by the system. This is typically an end user or another service requesting access to the application. The principal is usually identified by a name, most often the username that the end user uses to log in to the system.



Subject

Subject is a term taken from other security technologies and applied to EJB recently with the introduction of the Java Authentication and Authorization Service (JAAS) 1.0. A subject holds a collection of principals and their associated credentials. The idea of needing something broader than a principal came about because there are many systems where you might need different principals or credentials to access the various parts of an application. By using a subject that holds on to these various principals and credentials, applications can support such things as single sign-on.



Credentials

When an end user wants to be authenticated to the application, they must usually also provide some form of credential. This credential might be just a password when simple authentication is being used, or it might be a digital certificate (backed by its private key) when strong authentication is used. The credential usually is associated with a specific principal. The specifications don't specify the content or format of a credential, because both can vary widely.
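The following added example (not the book's code) ties together the Authentication and Authorization section with the Principals, Subject and Credentials definitions above: simple authentication checks a username/password against a salted PBKDF2 hash rather than a stored password, a successful login yields a JAAS Subject carrying a user principal, one principal per role, and a private credential, and authorization then consults a permission list against the roles in that Subject. The principal classes, the permission table, the sample accounts and the session-token credential are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;

public class LoginAndAuthorize {

    /** A named identity the system can authenticate: the end user. */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "user:" + name; }
    }

    /** A role granted to the user, also carried as a Principal in the Subject. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "role:" + name; }
    }

    /** What the system stores per user: salt and PBKDF2 hash, never the password. */
    record StoredUser(byte[] salt, byte[] hash, Set<String> roles) {}

    // Permission list (assumed): which roles may perform which actions.
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "placeBid", Set.of("customer", "admin"),
        "cancelAuction", Set.of("admin"));

    static final Map<String, StoredUser> USERS = new HashMap<>();

    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    static void register(String name, String password, String... roles) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        USERS.put(name, new StoredUser(salt, pbkdf2(password.toCharArray(), salt), Set.of(roles)));
    }

    /** Simple (username/password) authentication. Returns a Subject, or empty on failure. */
    static Optional<Subject> authenticate(String name, String password) throws Exception {
        StoredUser u = USERS.get(name);
        if (u == null) return Optional.empty();
        byte[] candidate = pbkdf2(password.toCharArray(), u.salt());
        if (!MessageDigest.isEqual(candidate, u.hash())) return Optional.empty(); // constant-time
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(name));
        u.roles().forEach(r -> subject.getPrincipals().add(new RolePrincipal(r)));
        // Credential format is unspecified by JAAS; here an opaque session token (assumed).
        subject.getPrivateCredentials().add("session:" + UUID.randomUUID());
        subject.setReadOnly(); // nothing downstream may add principals to itself
        return Optional.of(subject);
    }

    /** Authorization: runs only on an already authenticated Subject. */
    static boolean isAuthorized(Subject subject, String action) {
        Set<String> allowed = PERMISSIONS.getOrDefault(action, Set.of());
        for (RolePrincipal role : subject.getPrincipals(RolePrincipal.class)) {
            if (allowed.contains(role.getName())) return true;
        }
        return false; // unknown action or no matching role: deny by default
    }

    public static void main(String[] args) throws Exception {
        register("alice", "correct horse", "customer"); // constructed sample accounts
        register("root", "hunter2", "admin");

        System.out.println("wrong password accepted: " + authenticate("alice", "nope").isPresent());
        Subject alice = authenticate("alice", "correct horse").orElseThrow();
        System.out.println("alice principals:        " + alice.getPrincipals());
        System.out.println("alice placeBid:          " + isAuthorized(alice, "placeBid"));
        System.out.println("alice cancelAuction:     " + isAuthorized(alice, "cancelAuction"));
        Subject root = authenticate("root", "hunter2").orElseThrow();
        System.out.println("root cancelAuction:      " + isAuthorized(root, "cancelAuction"));
    }
}
```

Two details carry the security weight: the hash comparison is constant-time so a wrong password cannot be distinguished by timing, and isAuthorized denies when the action is not in the permission list at all, so forgetting to register a new administrator action fails closed rather than open.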



Groups and Roles


