Chapter 2. Enterprise Network Security and Java Technology


2.1 Networked Architectures

The most common architectural approaches for today's enterprises are the two- and three-tier models.



2.1.1 Two-Tier Architectures

In a two-tier architecture, two applications, the client and the server, exchange information over a network. The client makes requests to the server, and the server sends responses back to the client. Such responses can contain any combination of static and dynamic information. Static responses are identical for each client, such as static HTML documents. Dynamic responses are generated based on the particular input from the user; the generation of a dynamic response requires a program running on the server. To perform transactions, the server may need to access a database.

In a Web environment, the client application is usually a Web browser, and the server application is a Web server. The Web browser can be enhanced by a number of plug-ins, including a Java Plug-in to run applets. The Web server can be enhanced by a servlet container, an EJB container, and other transactional applications, as discussed in Section 2.3 on page 32.

Perhaps the simplest use of a Java application in a two-tier architecture is the browser add-on Java virtual machine (JVM) to run applets and extend the facilities provided by a Web browser. Applets may be used to enhance the user interface by providing interactivity, such as context-sensitive help or local search functions. Applets may also be used to handle additional data types, such as compressed astronomical images or packed database records. These examples depend directly on the Java security architecture, which prevents unauthorized access to protected resources.

The next level of complexity is seen in network-aware applets, which perform network operations other than simply reading data. Terminal emulators are in this category. These applets provide the functions of a nonprogrammable terminal, or visual display unit (VDU), connected via a local area network (LAN) to a z/OS or Application System/400 (AS/400) host system, where the applications are run. An example is IBM Host On-Demand, which emulates a 3270 or 5250 mainframe display session, communicating with a mainframe over TCP/IP. Figure 2.1 shows an IBM Host On-Demand system.

Figure 2.1. IBM Host On-Demand System



When run as applets, such programs are subject to the restrictions imposed by the Java authorization mechanisms. By default, they may open a network connection only back to the system from which they were downloaded. However, terminal emulation programs usually need to communicate with many different host systems, not just one. If the host is a large mainframe, crucial to business, its owners may be reluctant to install the TCP/IP software, preferring to remain with Systems Network Architecture (SNA) LANs. On other host systems, it might not be desirable to install, configure, run, and maintain a Web server simply to download the Java emulator applet, and this approach would still restrict access to that single host.



The Java 2 security architecture solves that problem. It is still true that downloaded applets are restricted to connect back only to the system from which they are downloaded; that is the default configuration. Using the fine-grained Java 2 access control mechanisms, it is possible to modify this default restriction. Java system administrators can specify the range of socket connections that a particular Java program is allowed to use. Java 2 supports a declarative policy configuration, which means that the policy definition can be external to the application. Therefore, modifying the default restrictions does not require hard-coding the security policy in the application or altering the Java system's security manager, which is implemented as a java.lang.SecurityManager object. This makes it easy to change the policy, extend the application, and port the application to various platforms.
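As an added illustration of the fine-grained socket policy described above (example code written for this page, not taken from the book or from IBM Host On-Demand), the following Java program builds the same grants that a policy-file entry would express and checks candidate connections against them with java.net.SocketPermission. The code base URL, host names and ports are constructed placeholders; because those hosts do not resolve in DNS, SocketPermission falls back to textual host matching, which is what the demonstration relies on.

```java
// Added example (not from the book): how Java 2 SocketPermission grants compose.
// A policy file entry such as the constructed one below lets an applet from a
// given code base connect to a named set of hosts instead of only its origin:
//
//   grant codeBase "https://emulator.example.com/applets/-" {
//       permission java.net.SocketPermission "*.example.com:23", "connect";
//       permission java.net.SocketPermission "as400.example.com:992", "connect";
//   };
//
import java.net.SocketPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

public class SocketPolicyDemo {

    // Build the same grants programmatically so that the matching rules can be
    // exercised without installing a SecurityManager. Hosts and ports are
    // constructed for this example; they are not real systems.
    static PermissionCollection emulatorGrants() {
        Permissions granted = new Permissions();
        granted.add(new SocketPermission("*.example.com:23", "connect"));      // any host in the domain, TN3270 port
        granted.add(new SocketPermission("as400.example.com:992", "connect")); // one host, one port
        return granted;
    }

    // True if the grants imply a "connect" to host:port. When the host name does
    // not resolve, SocketPermission compares names textually, so a wildcard grant
    // matches by domain suffix and an explicit grant by case-insensitive equality.
    static boolean mayConnect(PermissionCollection granted, String host, int port) {
        Permission wanted = new SocketPermission(host + ":" + port, "connect");
        return granted.implies(wanted);
    }

    public static void main(String[] args) {
        PermissionCollection granted = emulatorGrants();
        String[][] cases = {
            {"tn3270.example.com", "23"},  // allowed: covered by the wildcard grant
            {"as400.example.com", "992"},  // allowed: explicit grant
            {"as400.example.com", "23"},   // denied: port 23 not granted for this host
            {"mail.example.com", "25"},    // denied: port outside the granted range
            {"evil.example.org", "23"},    // denied: host outside the wildcard domain
        };
        for (String[] c : cases) {
            boolean ok = mayConnect(granted, c[0], Integer.parseInt(c[1]));
            System.out.printf("%-20s:%-4s -> %s%n", c[0], c[1], ok ? "allowed" : "denied");
        }
    }
}
```

The point of keeping the grants in a policy file rather than in code is visible in emulatorGrants(): changing which hosts an emulator may reach means editing the policy entry, not rebuilding or re-signing the applet, and the same applet can ship to sites with different host lists.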

Another possibility is to run the Java emulator as a stand-alone application, thereby relaxing the restrictions on which hosts the emulator may connect to. This is the classic two-tier client/server application architecture. The security issues are very similar to running any other executable program, namely, that it is wise to use only trusted sources of programs. Java technology has several safety and security advantages over other binary programs; its executable files and digitally signed Java programs can provide a cryptographic guarantee about the code author's identity.



2.1.2 Three-Tier Architectures

Another design is to run middleware software on the Web server. The client will communicate over TCP/IP with the middleware software, which can then pass through the messages to the ultimate destination. For example, in the case of 3270 terminal emulation, IBM's Communications Server, which runs on several operating systems, can provide the TCP/IP connection to the Java 3270 Terminal Emulator and can connect to hosts over both TCP/IP and SNA. Figure 2.2 shows the architecture for this three-tier client/server application.

Figure 2.2. Three-Tier Architecture Example



Another possibility is to use Web server CGI programs[1] to provide the middle tier. The IBM CICS Internet Gateway takes this approach: toward the application server it emulates the functions of a 3270 terminal, but downstream it generates HTML code, which is displayed in the Web browser window (see Figure 2.3). This approach avoids using Java technology in the client but does not provide as much flexibility, as the display is restricted to what can be done in HTML.

[1] Often termed CGI-BIN programs after the name of the directory in which they are conventionally stored.

Figure 2.3. CICS Internet Gateway



A better design, described in Section 2.3 on page 32, is to use Java servlets and/or JSP applications in place of CGI programs in the middle tier and then take advantage of the J2EE and J2SE security services. The servlet and JSP programming model offers a simple way to present data to the client by generating HTML and/or XML code that is sent to the client, based on the client/server interaction. Servlets and JSP applications can interact with EJB components via Java RMI-IIOP (see Appendix A on page 547). The JDBC protocol allows interaction with databases. This architecture is shown in Figure 2.4.

Figure 2.4. Three-Tier Architecture Using Servlets and EJB Technology



The gateway server approach can also be used to provide extended facilities to Java applets. The IBM CICS Gateway for Java is a good example of this; it allows a Java applet to access transaction-processing capabilities of CICS servers running on a variety of server platforms. The IBM CICS Gateway for Java provides a class library package to access CICS functions. The class library itself does not perform the bulk of the functions; instead, it transmits the request to the gateway server and returns the server's response to the applet. The gateway server is a small program that receives the requests and calls the CICS client library, which communicates with the CICS system itself. The CICS transaction-processing engine is commonly run on its own system, separate from the Web server, as shown in Figure 2.5. The CICS client application, residing on the middle tier, and the CICS server applications, located on the third tier, communicate using the External Presentation Interface (EPI) and the External Call Interface (ECI). Several communication protocols are supported, such as TCP/IP and Network Basic Input-Output System (NetBIOS). The CICS client and the CICS server application can also communicate through Advanced Peer-to-Peer Communication (APPC), an application programming interface (API) for peer-to-peer communication on SNA.

Figure 2.5. CICS Gateway for Java Example



Enforcing security for the type of system shown in Figure 2.5 is more complex. The security of both the gateway system and the systems with which it connects must be ensured, especially if the server is on the public Internet, where any malicious hacker may attempt to access it. Intranet systems should already have some defenses in place to restrict access to company personnel, but security is still of concern, especially if sensitive data is at risk.

The usual approach is to provide a number of barriers that must be overcome before data access is granted. Often, the first barrier is the company's firewall system. As discussed in more detail in Section 2.4 on page 36, a firewall is a system combining hardware and software enforcing an access control policy between two networks. Typically, a firewall checks that requests are coming from, and responses are going to, apparently valid addresses. Some firewalls check the data content of selected protocols, but there are limits to what can be checked. There have been several embarrassingly public demonstrations of Web servers whose content has been replaced by derogatory pages, despite the presence of firewalls. Often, these hackers have succeeded because valid HTTP uniform resource locator (URL) requests to the Web server allowed software to be run that contained unintended security holes in it, such as permitting any data file to be read or written or even executing arbitrary binary code.

Therefore, it is necessary to secure the Web server against as many vulnerabilities as possible and to ensure that if the Web server is compromised, the attacker's access to data is limited. Hardening Web servers against attack has been the subject of several books, such as Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, and Alan Schwartz,[2] so only a brief checklist is given here.

[2] S. Garfinkel, G. Spafford, and A. Schwartz. Practical Unix & Internet Security, 3rd Edition. (Sebastopol, CA: O'Reilly & Associates, 2003).



- Disable all network services that do not need to be present; where possible, allow only HTTP and the gateway protocol.
- Check the Web server configuration files to allow access only to the required set of pages.
- Delete any CGI-BIN and other executable programs that are not required; if they are not present, they cannot be run.
- Use Java servlets and/or JSP applications in place of CGI programs.
- Restrict the privileges of the Web server program, if possible. On UNIX, the Web server can be run as a normal user with restricted access rights.

These guidelines also apply to any gateway software. Ensure that it does not provide access to resources that are not required for it to run. In particular, do not depend on the client to validate requests. Assume that a hacker has constructed a modified client that can generate any possible request, including a wide variety of invalid requests. For example, for a 3270 gateway, do not assume that the client will request connection to only a limited set of hosts. Configure the gateway so that the minimal number of hosts have connections available. No other host names must be visible. For database access and transaction processing, make sure that the gateway allows no more than the set of permitted requests and that its authorizations are limited to a minimal set.
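The following Java class is an added example for this page, not code from the book or from any IBM gateway product, of what "do not depend on the client to validate requests" means for a hypothetical 3270 gateway. The gateway holds its own allowlist of destinations keyed by a symbolic alias; a client request may only select an alias, so real host names never need to be visible to the client and a modified client that sends raw host names, addresses or other commands is refused and logged. The command syntax, aliases, host names and request lines are all constructed for the example.

```java
// Added example (not the book's or IBM's code): request validation performed on
// the gateway itself, for a hypothetical 3270 gateway that accepts a request line
// of the form "CONNECT <alias>". All host names, aliases and request lines are
// constructed for this example.
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;

public class GatewayRequestValidator {

    // The gateway's own allowlist: alias -> host:port it is permitted to open.
    // Clients only ever see and send the alias; real host names stay on the gateway.
    private final Map<String, String> hostsByAlias;

    // Alias grammar: short upper-case tokens. Anything that looks like a host name,
    // an IP address, a path or a shell fragment fails this test before any lookup.
    private static final Pattern ALIAS = Pattern.compile("[A-Z][A-Z0-9]{0,15}");

    // Upper bound on a request line; longer input is refused without being parsed.
    private static final int MAX_LINE = 64;

    GatewayRequestValidator(Map<String, String> hostsByAlias) {
        this.hostsByAlias = Collections.unmodifiableMap(new LinkedHashMap<>(hostsByAlias));
    }

    // Validate one request line. Returns the host:port the gateway may open, or
    // empty if the request must be refused. The client's input selects among
    // pre-configured destinations; it never names one.
    Optional<String> resolveConnect(String line) {
        if (line == null || line.length() > MAX_LINE) {
            return refuse("oversized or missing request line");
        }
        String[] parts = line.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equals("CONNECT")) {
            return refuse("unsupported command: " + sanitize(line));
        }
        String alias = parts[1];
        if (!ALIAS.matcher(alias).matches()) {
            return refuse("malformed alias: " + sanitize(alias));
        }
        String destination = hostsByAlias.get(alias);
        if (destination == null) {
            return refuse("unknown alias: " + alias);
        }
        return Optional.of(destination);
    }

    // Refusals are logged on the gateway so that a modified client probing for
    // hosts shows up in the audit trail; the client learns only that it was refused.
    private static Optional<String> refuse(String reason) {
        System.err.println("gateway: refused request (" + reason + ")");
        return Optional.empty();
    }

    // Keep log lines single-line and printable when echoing client-supplied text.
    private static String sanitize(String s) {
        return s.replaceAll("[^\\x20-\\x7E]", "?");
    }

    public static void main(String[] args) {
        Map<String, String> config = new LinkedHashMap<>();
        config.put("PAYROLL", "mvs1.corp.example:23");   // constructed destination
        config.put("ORDERS", "as400a.corp.example:23");  // constructed destination
        GatewayRequestValidator gateway = new GatewayRequestValidator(config);

        String[] requests = {
            "CONNECT PAYROLL",               // configured alias: opened
            "CONNECT ORDERS",                // configured alias: opened
            "CONNECT mvs1.corp.example:23",  // raw host name: refused even though it is configured
            "CONNECT 10.0.0.5",              // address chosen by the client: refused
            "CONNECT HR",                    // well-formed alias that is not configured: refused
            "SHELL PAYROLL",                 // command the gateway does not offer: refused
        };
        for (String r : requests) {
            System.out.println(r + " -> " + gateway.resolveConnect(r).orElse("REFUSED"));
        }
    }
}
```

The same shape applies to the database and transaction case in the paragraph above: the gateway maps a small fixed vocabulary of client requests onto operations it has been authorized for, and anything outside that vocabulary is refused on the gateway regardless of what the client asserts.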



2.2 Network Security

The classic three-tier architecture pictures can hide other attack routes. Figures 2.2, 2.3, and 2.5 imply that there are separate connections between the client and the Web server/gateway and between the gateway and the end server. However, the real network may not be configured that way. For simplicity or cost, there might be only a single network interface on the Web server, as shown in Figure 2.6.

Figure 2.6. Web Server with One Network Interface



In this case, the third-tier server is on the same network and can potentially be accessed directly from the firewall. Perhaps the firewall is configured correctly and will prevent direct access to the end server. However, will this be true tomorrow, after additional services have been added? For very little extra cost, the networks can be physically separated by providing two network interfaces in the Web server, as shown in Figure 2.7.

Figure 2.7. Separating the Third Tier



Or, a second firewall system can be used. This configuration has the benefit that even if the Web server is compromised, the second firewall still restricts access to the rest of the network. It is more expensive to provide such a demilitarized zone (DMZ) (Figure 2.8), but if such a configuration is already required to provide a safe Internet connection, there is no extra cost. The cost of a second firewall is likely to be less than the value of the data it protects, so a value assessment needs to be made.

Figure 2.8. DMZ Network Environment



One additional security barrier to consider using is the type of network. The gateway and the end server could be linked by using SNA protocols or by a small custom-built program communicating over a dedicated serial link. These approaches effectively use the network connection as another firewall; if TCP/IP cannot travel over it, many hacking techniques are simply not possible. However, if the Web server is totally compromised, the hackers have all the communications software at their disposal if they can discover it. Therefore, the third-tier server still needs to be guarded (see Figure 2.9).

Figure 2.9. Protection Using Mixed Connection Protocols


