Secure your iSeries Web application
Jim Mason, ebt-now

Posted on 19-Dec-2015

Page 1: Secure your iSeries Web application Jim Mason ebt-now  jemason@ebt-now.com 508-888-0344

Secure your iSeries Web application

Jim Mason
ebt-now, www.ebt-now.com
jemason@ebt-now.com
508-888-0344

Page 2:

ebt-now QuickWebWorkshop Copyright ebt-now, 2004. All rights reserved.

ebt-now QuickWebServices
WebSphere, WebSphere Studio, WebFacing, HATS

QuickWebDefinition - FREE plan
  >> web definition, project summary, configuration, WebFacing code analysis
QuickWebApp - build
  >> fixed price, custom, complete Web app integrating iSeries apps, data, xml
  >> breaks e-business barriers: cost, risk, technical challenges, payback
QuickWebSupport - deploy
  >> implement your apps on your WebSphere or Tomcat servers
QuickWebEducation - Web-based training
  >> the best iSeries WebSphere Development Studio courses
QuickWebWorkshop - combine QuickWebApp & skills transfer
QuickWebWorkshop - complete package
  >> CUSTOM QuickWebApp, implementation, course with 'hands on' labs
QuickWebSuccess on-demand seminars:
  o QuickWebSuccess - Rapidly web-enable iSeries applications and data

visit www.ebt-now.com or email [email protected] for more

Page 3:

Secure iSeries Web Apps Agenda

o Your security challenges
o E-business security concepts
o Security services in Java Web environments
o WebSphere Express security
o Sample security scenarios
o Seven steps to securing your e-business solution
o Resources

Page 4:

E-business environment

Usage models: B2X = Business to X
  o B2E (employee), B2C (consumer), B2B (business)
  o ISP (Internet Service Provider) connects your network to the Internet

Models: query, analysis, transactions, workflow, automation
  o XML allows applications to understand data and messages in B2B!
  o Web services, RMI allow B2B integration over the Web without custom networking!

E-business environment layers:
  o Applications, application services, servers, network
  o Common services reduce application work (data access, media, etc.)
  o Servers deliver services (WebSphere, WebFacing, HTTP, Domino, BizTalk, etc.)

E-business platforms (applications often distributed):
  o Browsers, client workstations, wireless, servers

Page 5:

Security threats

o Sniffing - others steal data, etc.
o Impersonation - others steal user IDs, passwords
o Decryption - others see your data over an encrypted network
o Denial of service - flooding a server with too many requests
o Ping of death - ping indicates more data in the packet than there is
o Viruses - beware WINDOWS applications and e-mail!
o Spamming - mass e-mails sent in from outside
o Theft - misusing financial applications
o Destruction - malicious destruction of software
o Others?

Page 6:

E-business security questions

o What is my e-business environment?
o What are my security threats?
o What are my security goals?
o What are my security compliance issues?
o What are the key security concepts?
o What are the e-business security layers?
o What are my options for Java Web security?
o What are my security implementation strategies?
o How do I get started building a plan?

Page 7:

Secure iSeries Web Apps Agenda

o Your security challenges
o E-business security concepts
o Security services in Java Web environments
o WebSphere Express security
o Sample security scenarios
o Seven steps to securing your e-business solution
o Resources

Page 8:

Security concepts

What are the key security concepts to address?
o Authentication - validate that a user is who he claims to be
o Authorization - ensure that a user has the proper authorization to resources
o Privacy - ensure that information is private based on authorization permissions
o Integrity - ensure that information is not changed unintentionally
o Availability - ensure the authorized resources are available
o Accountability - ensure that transactions DO result in expected state changes with an audit trail

Page 9:

Security trust models

Security trust models for Web environments allow both parties in a transaction to verify:
  o I am who I claim to be
  o You are who you claim to be
  o No one else can see or change the information shared between us
  o Any objects shared between us can be verified as to the source
  o You are allowed to perform selected operations only on specified objects on my system

This is critical in many scenarios: B2B supply-chain ordering, buying a product over the Web, online banking, shipment tracking, employee benefits and more.

While intuitively it may seem Web environments are inherently less secure than the traditional iSeries 5250 environment because of the additional threats, a Web application environment can be made more secure than the average iSeries environment if a company wants to make the effort.

What's worse than finding out that the security of your iSeries applications or data has been compromised? Having them compromised and NOT finding out! Not only is it important to secure applications, data and resources in a Web environment to prevent a security breach, but it's also important to be able to monitor and recover from any security breach.

Page 10:

Web app security layers

Client
  o Client certificates, signed files, certificate store, Java security

Network
  o Firewall port control, IP packet filters, NAT, DNS, DHCP, VPN, relay mail, proxy servers, SSL reverse proxy server, Kerberos authentication

TCP server
  o HTTP aliases, virtual host mappings, URL redirects, URL rewrites, IP address filters, resource authorizations, load balancers, server certificates, Kerberos authentication, user authentication, user exit APIs

Web application server
  o User authentication, user-role mappings, role authorizations, Kerberos authentication, Servlet filters.
  o With Java programming, security options include JGSS messages, JSSE, certificates, key stores, JNDI, JAAS

iSeries host server
  o Server certificates, Kerberos authentication, user authentication, object management rights, object data rights, user-group mappings, object authorization lists, security monitoring tools, data journaling, user exit APIs

Page 11:

Plan security by layers

Network
  o Network connections (IP)
  o Network applications (TCP)
Computer
  o PC and iSeries base security features
Middleware
  o HTTP servers, Tomcat, WebSphere, Domino, LDAP
Application
  o Java application security
Users
  o User access to systems, applications (local, remote, external)

Page 12:

iSeries security layers

iSeries offers security features at all layers
  o iSeries security built in to platform and middleware
  o Windows security less robust - high exposure to viruses, etc.
Application support for library, IFS systems
  o Object-level permissions granted to users, set by policy
Middleware: HTTP, Tomcat, WebSphere, other TCP servers
Network support
  o Full range of TCP, IP security controls: VPN, NAT, proxy servers, SSL and more
Users support
  o Simple policies and wizards to control security
  o Good monitoring tools for most exposures, threats

Page 13:

Outside security resources

o ISPs offer many services and can help implement security
o Each scenario to secure is somewhat different
o Selecting a GOOD ISP to meet your needs is critical!
o ISPs can hide IP addresses, forward mail, etc.
o ISPs can host applications: mail, Web sites, etc.
o Selecting a GOOD security consultant to help plan is key
o For iSeries, third parties offer security management software: Powertech, Pentasafe, SkyView Partners and others

Page 14:

iSeries security policies

o For e-business, go to level 40 for system value QSECURITY
    Only authorized users can get to a command entry screen, etc.
o Control IFS folders with public access
o Control sensitive data with private physicals, public logicals
o Use iSeries logs for monitoring authentication, authorization failures and system changes
o Follow backup plans for data and applications
o Journal databases for recovery
o Set usual controls on user ID expiration, password rules
o Control library security with GRTOBJAUT, IFS security with GRTAUT
o Limit user access to command entry, QShell

Page 15:

Secure iSeries Web Apps Agenda

o Your security challenges
o E-business security concepts
o Security services in Java Web environments
o WebSphere Express security
o Sample security scenarios
o Seven steps to securing your e-business solution
o Resources

Page 16:

Network security features

Network security can be grouped in two general levels:
  o iSeries supports all of these network solutions; most are configurable via config files or through Ops Nav

Network level technologies
  o IP packet filtering
  o Network Address Translation (NAT)
  o IP Security (IPSec)

Application level technologies
  o Proxy servers
  o SOCKS servers
  o Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  o Domain Name Servers
  o Mail relays

Page 17:

Encryption & digital keys

Public key encryption
  o Data can be encrypted during transmission using keys and encryption schemes
  o To send an encrypted message to you, the sender encrypts the message by using your public key. When you receive it, you decrypt it by using your private key. When you wish to send a message to someone, you encrypt it by using the recipient's public key. The message can be decrypted only with the recipient's private key.

X.509 Public Key Infrastructure (PKI)
  o Public-key encryption requires only two keys per participant.
  o The need for secrecy is easily met. The only thing that needs to be kept private is the private key, and since it does not need to be shared, it is less vulnerable to theft in transmission than the shared key in a private-key system.
  o Public keys can be published. This eliminates the need for prior sharing of a secret key before communication. Anyone who knows your public key can use it to send you a message that only you can read.

Page 18:

Signed files and Kerberos authentication

Signed files
  o Files can be "signed" with digital certificates to authenticate who the author was. The recipient uses the public key of the sender to decrypt the signature to identify who the sender was.

Kerberos authentication
  o MIT created Kerberos as a network authentication protocol. It provides strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many software tools, including open source and IBM iSeries software.
  o Kerberos uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity.

Page 19:

Digital certificates for authentication

A digital certificate is equivalent to an electronic ID card. It serves two purposes:
  o To establish the identity of the owner of the certificate
  o To distribute the owner's public key

Certificates provide a way of authenticating users, referred to as authentication by trusted third parties.

Contents of a digital certificate
  o A certificate contains information about the owner of the certificate and the issuing CA:
    o The distinguished name (DN) of the owner. A DN is a unique identifier, a fully qualified name including not only the common name (CN) of the owner but the owner's organization and other distinguishing information.
    o The public key of the owner.
    o The date on which the certificate was issued.
    o The date on which the certificate expires.
    o The distinguished name of the issuing CA.
    o The digital signature of the issuing CA.

Page 20:

Authentication with certificates

Getting a certificate from a CA
  o The core idea of a certificate is that a CA takes the owner's public key, signs the public key with its own private key and returns this to the owner as a certificate.
  o www.godaddy.com and others

Using a certificate to authenticate with another party
  o When the owner distributes the certificate to another party, it signs the certificate with its private key.
  o The receiver can extract the certificate (containing the CA's signature) with the owner's public key.
  o By using the CA's public key and the CA's signature on the extracted certificate, the receiver can validate the CA's signature.
  o If it is valid, the public key used to extract the certificate is known to be good.
  o The owner's signature is then validated.
  o If the validation succeeds, the owner has successfully authenticated to the receiver.
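The certificate scenario of pages 19 and 20, as an added example in Go (standard library only; not code from the slides or from ebt-now). A constructed CA issues an owner certificate carrying the contents listed on page 19; the receiver first validates the CA's signature on that certificate against the CA it trusts, then validates the owner's signature over a challenge using the public key taken from the certificate. "Example Root CA", "Other CA", "order-entry-client" and the challenge bytes are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 = 1

// issue generates a key pair for cn and returns its certificate. With parent nil the
// certificate is self-signed (a CA root); otherwise the parent CA signs the new public
// key with its own private key, which is page 20's "getting a certificate from a CA".
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{ // the certificate contents listed on page 19
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}}, // owner DN
		NotBefore:             time.Now().Add(-time.Hour),     // issue date
		NotAfter:              time.Now().Add(24 * time.Hour), // expiry date
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	nextSerial++
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := key // self-signed unless a parent CA is given
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}

// Authenticate is the receiver's side of page 20: validate the CA's signature (plus
// validity dates and the CA flag) on the presented certificate against the CA the
// receiver trusts, then validate the owner's signature over the challenge with the
// public key taken from that certificate.
func Authenticate(trustedCA, presented *x509.Certificate, challenge, ownerSig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("CA signature check failed: %w", err)
	}
	if err := presented.CheckSignature(x509.ECDSAWithSHA256, challenge, ownerSig); err != nil {
		return fmt.Errorf("owner signature check failed: %w", err)
	}
	return nil
}

// Scenario builds a trusted CA, an owner certificate issued by it and a second CA the
// receiver does not trust. It reports whether the genuine owner passes, whether the
// same certificate passes against the wrong CA, and whether a tampered challenge passes.
func Scenario() (genuine, wrongCA, tampered bool) {
	ca, caKey := must(issue("Example Root CA", true, nil, nil))
	otherCA, _ := must(issue("Other CA", true, nil, nil))
	owner, ownerKey := must(issue("order-entry-client", false, ca, caKey))
	challenge := []byte("constructed nonce 20040101-0001") // constructed sample
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, ownerKey, digest[:]) // owner proves key possession
	if err != nil {
		panic(err)
	}
	genuine = Authenticate(ca, owner, challenge, sig) == nil
	wrongCA = Authenticate(otherCA, owner, challenge, sig) == nil
	bad := append([]byte{}, challenge...)
	bad[0] ^= 0xff // one flipped byte: the owner's signature no longer matches
	tampered = Authenticate(ca, owner, bad, sig) == nil
	return
}

func main() {
	genuine, wrongCA, tampered := Scenario()
	fmt.Println("genuine:", genuine, "wrong CA:", wrongCA, "tampered:", tampered)
}
```

The "wrong CA" case is the one the SSL slide later insists on: a party that does not trust the issuing CA cannot accept the certificate, however valid its signature is.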

Page 21:

TCP addressing, DNS

TCP addresses
  o Old format 4b field (255.255.255.1) defined four classes of domains (A, B, C, D)
  o Range of addresses reserved for private networks (10.x.x.x, 172.16.x.x, 192.168.x.x)
  o New format 6b field (IP6)

DHCP - Dynamic Host Configuration Protocol
  o Any computer (host in TCP terms) can have a fixed address
  o Using a dynamic address allows a few addresses to be shared by many computers
  o Client configures address as DHCP; DHCP server assigns temporary address

DNS - Domain Naming Service
  o Addresses mapped to meaningful names (e.g. Masonlt3 = 10.0.0.9)
  o Applications can use name vs. address
  o Names defined locally in hosts file OR in a DNS server
  o If using a DNS server, a client can specify a name and the server finds the address

Page 22:

LDAP Directory servers

o This is a standard API defining the interface to standard directory services. Directories are often used to store information on authentication (user IDs and certificates) and authorization (who can access what) in a central location on a network. Setting up and using a central directory for all users and applications eliminates the need to do redundant administration on multiple servers in your network (iSeries, Windows, Linux and so on).

o The versions of all common directory servers today support the LDAP version 3 standard interface. Products, tools and applications that access directory information using the LDAP interface only are, therefore, portable across any common directory implementation. The iSeries provides a built-in LDAP server at no charge. IBM also sells other directory servers (Secureway) that you can buy for an iSeries. Common directory servers in use in iSeries shops include the iSeries LDAP server, OpenLDAP, Domino directory and Microsoft Active Directory.

o If you don’t use an LDAP directory for this information you are probably storing the user and application security rules in a standard database like many green-screen applications did.

Page 23:

Domain Name Server

Domain Name Servers help build a secure network. They enable a client to determine the IP address associated with a host name (Masonlt3 = 10.1.1.9). Domain name trees typically reflect the organization structure of a company.

DNS threats
  o Because it is UDP-based, DNS replies are relatively easy to fake.
  o DNS can be used by an attacker to find out the client's names and IP addresses.

Split DNS limits exposure using two DNS servers
  o The internal DNS for secure and private host names and the external one for public names.
  o The external DNS is the only one visible from the Internet.
  o Only some hosts need to be known by Internet systems: the e-mail relay, the public WWW servers, the external name server itself, others in the DMZ.
  o You only need a public DNS server to advertise your public servers.
  o You can use the ISP as the primary public DNS and mail exchanger for your company.
  o In summary, the objectives of the split DNS function:
    o Internet domain name and address resolution for users in the secure network.
    o Hide the secure network names and addresses from outside users.
    o Name and address resolution for your public Web servers in the DMZ.

Page 24:

Firewalls, DMZ

Firewall - iSeries can operate as a firewall
  o Most companies use a firewall to connect an internal network safely to the Internet.
  o A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network.
  o The firewall lets users in your internal network use authorized resources on the outside network and prevents unauthorized outside users from using resources on your internal network.

DMZ - area between public network and private network
  o Sits between the Internet and the private network
  o Controls access to the private network
  o For simple configurations, the ISP may provide basic security services to your firewall server, creating a limited DMZ

Page 25:

IP Filters

IP packet filters
  o An IP packet filter discards denied traffic.
  o A packet filter has a set of rules with actions.
  o Every packet is compared against the filter rules, from top to bottom.
  o At the first match, the action in the matching filter rule (permit or deny) is taken.
  o Most packet filters permit or deny packets based on the following:
    · Source and destination IP addresses
    · Protocol, such as TCP, UDP or ICMP
    · Source and destination ports and ICMP types and codes
    · Flags in the TCP header (whether a packet is a connect request, etc.)
    · Direction (inbound or outbound)
    · Which physical interface the packet is traversing
  o All packet filters share a problem -- the trust is based on IP addresses.
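The first-match evaluation described on this slide, as an added example in Go (not code from the slides or from any iSeries filter product). The rule fields are the ones the slide lists; the policy, interface name and addresses are constructed for the firewall/DMZ picture of the previous page, assuming 10.0.0.0/8 is the internal network, eth0 the Internet-facing interface and 192.0.2.10 the public Web server. The slide's caveat that trust rests on IP addresses is why the first rule is an anti-spoofing rule.

```go
package main

import (
	"fmt"
	"net"
)

// Action is what the first matching rule does with the packet.
type Action string

const (
	Permit Action = "permit"
	Deny   Action = "deny"
)

// Packet carries the header fields the slide says filters look at.
type Packet struct {
	Src, Dst  net.IP
	Proto     string // "tcp", "udp" or "icmp"
	DstPort   int
	Syn       bool   // TCP flag: set on a connection request
	Direction string // "in" or "out"
	Iface     string // physical interface the packet traverses
}

// Rule matches on the same fields; a nil, empty or zero field means "any".
// Conn is "" (any), "new" (SYN set) or "established" (SYN clear).
type Rule struct {
	Name     string
	Src, Dst *net.IPNet
	Proto    string
	DstPort  int
	Conn     string
	Dir      string
	Iface    string
	Act      Action
}

func (r Rule) matches(p Packet) bool {
	switch {
	case r.Src != nil && !r.Src.Contains(p.Src),
		r.Dst != nil && !r.Dst.Contains(p.Dst),
		r.Proto != "" && r.Proto != p.Proto,
		r.DstPort != 0 && r.DstPort != p.DstPort,
		r.Conn == "new" && !p.Syn,
		r.Conn == "established" && p.Syn,
		r.Dir != "" && r.Dir != p.Direction,
		r.Iface != "" && r.Iface != p.Iface:
		return false
	}
	return true
}

// Filter compares the packet against the rules from top to bottom and takes the
// action of the first match. Anything unmatched is denied, so rule order, not just
// the rule set, defines the policy.
func Filter(rules []Rule, p Packet) (Action, string) {
	for _, r := range rules {
		if r.matches(p) {
			return r.Act, r.Name
		}
	}
	return Deny, "default-deny"
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// DMZRules is the constructed policy (assumed network layout, see lead-in).
var DMZRules = []Rule{
	// Trust is based on IP addresses, so drop packets arriving from the Internet
	// that claim an internal source address.
	{Name: "anti-spoof", Src: cidr("10.0.0.0/8"), Dir: "in", Iface: "eth0", Act: Deny},
	// Internet clients may reach the public Web server on HTTPS only.
	{Name: "web-in", Dst: cidr("192.0.2.10/32"), Proto: "tcp", DstPort: 443, Dir: "in", Iface: "eth0", Act: Permit},
	// Replies to connections opened from inside may come back in; new inbound
	// connection requests to internal hosts match nothing and hit the default.
	{Name: "reply-in", Dst: cidr("10.0.0.0/8"), Proto: "tcp", Conn: "established", Dir: "in", Act: Permit},
	// Internal hosts may open connections outward.
	{Name: "out", Src: cidr("10.0.0.0/8"), Dir: "out", Act: Permit},
}

// SamplePackets are constructed packets, one per case the policy must decide.
var SamplePackets = []Packet{
	{Src: net.ParseIP("10.1.1.5"), Dst: net.ParseIP("10.0.0.9"), Proto: "tcp", DstPort: 23, Syn: true, Direction: "in", Iface: "eth0"},        // spoofed internal source
	{Src: net.ParseIP("203.0.113.7"), Dst: net.ParseIP("192.0.2.10"), Proto: "tcp", DstPort: 443, Syn: true, Direction: "in", Iface: "eth0"},  // HTTPS to DMZ server
	{Src: net.ParseIP("203.0.113.7"), Dst: net.ParseIP("10.0.0.9"), Proto: "tcp", DstPort: 23, Syn: true, Direction: "in", Iface: "eth0"},     // telnet to internal host
	{Src: net.ParseIP("203.0.113.7"), Dst: net.ParseIP("10.0.0.9"), Proto: "tcp", DstPort: 51000, Syn: false, Direction: "in", Iface: "eth0"}, // reply to inside client
	{Src: net.ParseIP("10.0.0.9"), Dst: net.ParseIP("203.0.113.7"), Proto: "tcp", DstPort: 443, Syn: true, Direction: "out", Iface: "eth0"},   // outbound request
}

func main() {
	for _, p := range SamplePackets {
		act, rule := Filter(DMZRules, p)
		fmt.Printf("%-13s %-12s -> %s:%-5d %s\n", rule, p.Src, p.Dst, p.DstPort, act)
	}
}
```

Note that "reply-in" trusts a cleared SYN flag, which a stateless filter cannot verify against a real connection; that is the slide's "trust is based on IP addresses" limitation extended to header flags.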

Page 26:

Network Address Translation

NAT - Network Address Translation
  o Translates internal or private IP addresses to public or globally routable IP addresses.
  o Some advantages of NAT:
    o Saves public IP addresses (the pool of global addresses can be shared).
    o Hides the internal network's IP addresses.
    o Simplifies routing.
    o Hosts accessed from public network addresses translated by NAT.
    o If the application uses the global IP address in the application, it won't work through NAT.
    o Is more efficient than SOCKS and proxy servers.
  o Some disadvantages of NAT:
    o Provides minimum logging services.
    o IP forwarding must be enabled.
    o Not as adept as either the SOCKS or proxy servers in detecting attacks.
    o Breaks some applications (FTP) or makes them harder to run.

Page 27:

IPSec and VPN

IPSec and VPN (virtual private networking)
  o VPN is an extension of a company's private intranet across a public network infrastructure such as the Internet. It is based on creating virtual secure tunnels between hosts connected to the public network.
  o To participate in a secure tunnel or VPN connection, the VPN partners or tunnel end points must implement a compatible suite of VPN protocols (iSeries to iSeries, iSeries to Windows 2000, NT and later).

IPSec protocols:
  o Authentication Header (AH): data origin authentication, integrity and replay protection.
  o Encapsulating Security Payload (ESP): data confidentiality, data origin authentication, data integrity, and replay protection.
  o Internet Key Exchange (IKE): automatic key management.

Authentication, encryption, and integrity algorithms heavily depend on secret keys that the VPN partners share.

Page 28:

Proxy servers

Proxy server: protecting direct access
  o Proxy servers are deployed for two key purposes: security and performance. Proxy servers can monitor and filter inbound and outbound requests, or act as a single point of access for communications with untrusted networks. Proxy servers can improve HTTP response times by serving documents from a local cache.

Forward proxy
  o A forward proxy fetches from another server, allowing clients to reach a network to which they wouldn't otherwise have access.

Reverse proxy and proxy chaining
  o Two other forms of proxy support are available with the HTTP Server (powered by Apache).
  o One is reverse proxy, which is the same as a forward proxy, except that requests from outside of the firewall to the proxy are allowed.
  o The other is proxy chaining, which requires two or more proxy servers and can be used to balance server workloads or network traffic.

Page 29:

SOCKS server

o A SOCKS server is another TCP/IP application that re-sends requests and responses between clients and servers. The SOCKS server handles all (HTTP, Telnet, FTP and so on) protocols.

o The purpose of the SOCKS server is the same as a proxy: to break the TCP/IP connection and hide internal network information.

o Client must be SOCKS-enabled, that is, it must support the SOCKS protocol. Some applications (such as popular Web browsers) support SOCKS.

o There are some products such as Hummingbird SOCKS that “socksify” the Microsoft TCP/IP stack

o There are also some systems (such as OS/400) that support a SOCKS client in their TCP/IP protocol stack (versatile clients) so that all client applications can use a SOCKS server. The client configuration gives the name of the SOCKS server to use and rules for when it should be used.

o Socks servers have no knowledge of the application protocol that they are using. They don't distinguish Telnet from HTTP. As a result, they can be written in a more efficient manner than a proxy. The down side is that they can't perform such tasks as caching or log URLs that are accessed.

Page 30:

SSL - Secure Sockets Layer

o The SSL (now TLS) protocol provides privacy over the Internet. SSL-enabled client and server applications prevent eavesdropping, tampering or message forgery. These protocols provide encryption, integrity and authentication.
o TLS includes some new features and clarifications of protocol flows for areas ill-defined by the SSL protocol definition.
o The SSL/TLS protocol consists of two separate protocols: the record protocol and the handshake.
o The SSL handshake establishes an SSL session on TCP/IP for a client and a server application. During the handshake, the client and server agree on encryption algorithms and the encryption keys.
o The client will authenticate and verify the identity of the server. The server can optionally authenticate and verify the identity of the client.
o After the SSL handshake, information exchanged between the client and server is encrypted.
o SSL negotiates unique encryption keys for each SSL session between a client and a server.
o During the SSL handshake, the server sends a digital certificate to the client. Digital certificates provide information that enables the client and server to identify each other. Digital certificates are issued by trusted third parties called certificate authorities.
o An SSL client must trust the certificate authority that issued the server's certificate to communicate.

Page 31:

Mail relay server

o iSeries SMTP can be a local mail server (local Mail Transfer Agent (MTA)), a mail relay, or both. Mail is sent from the user mail queue through mail transfer agents to the user mailbox. The relay passes mail between the internal mail server and Internet mail servers. The iSeries (post office protocol (POP) 3 server) stores the mail for user retrieval.
o Spam - if the relay allows it, an outside mail sender sends many mail pieces through the relay
o Summary of the flow of mail from the sender to the receiver using SMTP:
    o A user in mycompany.com sends an e-mail from her PC client Netscape mail to a user in yourcompany.com.
    o The Mail User Agent (MUA) program in the mail application is invoked. The MUA passes the mail to the Mail Delivery Agent (MDA); the MDA transfers it to the local Message Transfer Agent (MTA) for delivery.
    o The local MTA client in mycompany.com sends the mail to the company's mail relay MTA.
    o The mail relay in mycompany.com sends the mail to the mail relay MTA in yourcompany.com.
    o The mail relay MTA in yourcompany.com passes the mail to the local MTA in the SMTP server.
    o The local MTA at yourcompany.com delivers the mail to the receiver's mail box.

Page 32:

VPN or SSL?

o Running services over SSL provides encryption and, therefore, confidentiality. Data and passwords do not flow in the clear.
o Only a few clients and servers provide SSL client authentication. If valid iSeries user IDs and passwords were compromised, they can be used to remotely access your SSL servers.
o Secure Sockets Layer (SSL) is in the transport layer (TCP/UDP) and requires changes for applications. Only those TCP/IP server and client applications written to SSL can use this protocol.
o IPSec (for iSeries VPN support) is implemented in the network layer (IP) of the TCP/IP stack. Network-layer security protocols protect the upper-layer application without requiring modification of the upper-layer applications that use the secure tunnel.
o Once a host supports IPSec, all TCP/IP applications are protected without any changes to the application. This provides the virtual network view of the interconnected VPN hosts.
o SSL offers more granularity than VPN. With SSL, you can decide to protect only some applications while VPN protects all the traffic between the data endpoints.
o When client authentication is supported, SSL authenticates each application with different digital certificates or even the same application (for example HTTP server) with different certificates depending on the server requirements.
o VPN authenticates the VPN server.

Page 33:

Single sign-on

o The goal for single sign-on is to let a user authenticate only once to your network and then access multiple applications on different servers without signing on again in the session.

o In a single sign-on environment a user (client) connects to a company’s network and receives an authentication challenge. After successfully logging on to the network, the client is associated with a special Kerberos digital ticket for the duration of the session.

o With Kerberos, when a user requests access to an application on a secured server (say Order Entry on an iSeries), the user’s identity is checked in a central directory to see if he has a valid ID for the requested server. If the ID is found for the user, the digital ticket for that server is retrieved and passed automatically to the iSeries server. The server authenticates the ticket. If it’s validated, the user is given access to the Order Entry application on the iSeries.

Page 34:

Java Web application security APIs

o JNDI – Java Naming and Directory Interface
JNDI provides application access to any LDAP-compliant directory in your network. Your application looks up a resource by name in the LDAP directory.

o JCE – Java Cryptography Extension
Encryption algorithms let you encrypt or decrypt messages using any of the algorithms supported in the JCE: RSA, DES, IDEA, MAC and more.

o JAAS – Java Authentication and Authorization Service
This Java package enables an application to authenticate users and grant authorization to resources. Web application servers such as WebSphere have administration tools that use this support to set up users, groups, roles and authorizations to resources.

o JSSE – Java Secure Socket Extension
The secure sockets support allows a Java application to directly use SSL/TLS encryption over a TCP socket. I’m writing an application for a company to check credit automatically over a secure Internet connection. Normally, you’d use TCP applications that do this automatically. Sometimes, you must write an application to do this using this package.

o JGSS – Java Generic Security Services
JGSS provides secure messaging between applications using Kerberos V5 authentication and encryption algorithms.

o JCP – Java Certification Path
Java applications can build and validate certification paths (chains) on certificates. There is support for key stores and certificate stores to manage keys and certificates. In the latest release (J2SE v1.4.2), applications can build and analyze certification paths for a certificate.
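Added example (not code from the original deck) of the JCE calls behind the "encrypt or decrypt messages" and "MAC" items above: a MAC over a message with a constant-time check, and AES-GCM encryption whose decryption fails when the ciphertext is altered in transit. It uses HmacSHA256 and AES rather than the DES named on the slide, since those are the algorithms current JCE providers ship; the order message is constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example: message integrity and confidentiality with standard JCE algorithm names. */
public class JceMessageProtection {
    private static final String MAC_ALGORITHM = "HmacSHA256";      // chosen here instead of the slide's DES-era list
    private static final String CIPHER = "AES/GCM/NoPadding";       // authenticated encryption: confidentiality + integrity
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Generates a fresh key; in a deployed app the key would come from a key store, not be generated per run. */
    static SecretKey newKey(String algorithm, int bits) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance(algorithm);
        kg.init(bits);
        return kg.generateKey();
    }

    /** Computes the MAC tag over a message with the shared key. */
    static byte[] tag(SecretKey key, byte[] message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(MAC_ALGORITHM);
        mac.init(key);
        return mac.doFinal(message);
    }

    /** Verifies a received tag. MessageDigest.isEqual compares in constant time, so a wrong tag leaks no timing. */
    static boolean verifyTag(SecretKey key, byte[] message, byte[] receivedTag) throws GeneralSecurityException {
        return MessageDigest.isEqual(tag(key, message), receivedTag);
    }

    /** Encrypts with a random IV; the result is IV || ciphertext+tag so the receiver can decrypt it. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Decrypts IV || ciphertext+tag; returns null when GCM authentication fails (data was modified). */
    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, ivAndCiphertext, 0, GCM_IV_BYTES));
        try {
            return c.doFinal(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length - GCM_IV_BYTES);
        } catch (AEADBadTagException e) {
            return null;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample order message and an altered copy (quantity changed).
        byte[] order = "order=4711;item=ABC-123;qty=10".getBytes(StandardCharsets.UTF_8);
        byte[] altered = "order=4711;item=ABC-123;qty=100".getBytes(StandardCharsets.UTF_8);

        SecretKey macKey = newKey(MAC_ALGORITHM, 256);
        byte[] t = tag(macKey, order);
        System.out.println("MAC verifies original message: " + verifyTag(macKey, order, t));
        System.out.println("MAC verifies altered message:  " + verifyTag(macKey, altered, t));

        SecretKey aesKey = newKey("AES", 128);
        byte[] sealed = encrypt(aesKey, order);
        System.out.println("decrypted: " + new String(decrypt(aesKey, sealed), StandardCharsets.UTF_8));
        sealed[sealed.length - 1] ^= 0x01;   // simulate one flipped bit in transit
        System.out.println("decrypt after modification returns: " + decrypt(aesKey, sealed));
    }
}
```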

Page 35

Secure iSeries Web Apps Agenda

Your security challenges
E-business security concepts
Security services in Java Web environments
WebSphere Express security
Sample security scenarios
Seven steps to securing your e-business solution
Resources

Page 36

Middleware security features

Dependent on middleware products:

LDAP server - Lightweight Directory Access Protocol
o Directory server built in to iSeries for application objects, users

Apache HTTP Server
o IBM Apache HTTP server supporting WebSphere, Tomcat

WebSphere
o IBM J2EE application server for Java Web apps (multiple versions)

Domino
o Application server for document Web serving, Notes apps

Tomcat
o Open source J2EE application server for Java Web apps
o Included free with IBM Apache HTTP server

Page 37

WebSphere Express runtime

o Web app servers provide J2EE middle tier (tier 2) support
o Web applications run in the Web container, EJB applications in the EJB container
o Web components = servlets, JSPs, Java beans and other resources in WAR files

[Diagram: Tier 1 - browser, wireless, app client; Tier 2 - HTTP Server, Web application server (servlets - control; Java beans - logic, data; JSP - output pages), Enterprise Java Bean container; Tier 3 - 5250 apps, server apps, data]

Page 38

WebSphere Express v6 features

Server feature                   Supports
Web server plug-in               Lets WebSphere receive requests for web pages, servlets, JSPs and EJB from an HTTP server
Application server               Runs apps that are servlets, JSPs or Enterprise Java Beans. Manages configurations, directories and security. Tracks user web sessions, objects
Servlets                         Servlet 2.2: run servlets, search, load classes
JSP (Java Server Pages)          JSP 1.1: dynamically compiling and loading JSPs as servlets
XML                              XML docs -- a parser, translator and generator
Connection Manager               Manages database & services connections
Web services                     Supports WSDL, SOAP, UDDI services to create, publish, run web services
Application messaging            JMS application messages by queue or topic
EJB - Enterprise Java Beans      EJBs - Entity, Session and Message Driven beans
WebSphere Admin Server Manager   Admin server to run application servers -- Java console interface or browser interface

Page 39

LDAP features

o The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs over Transmission Control Protocol/Internet Protocol (TCP/IP).

o LDAP is a directory service with descriptive, attribute-based information.

o The LDAP directory service model is based on entries (also referred to as objects). Each entry consists of one or more attributes, such as a name or address, and a type.

o Types are mnemonic strings, such as cn for common name or mail for e-mail address.

o For Directory Services, the files are located at /QIBM/UserData/OS400/DirSrv.

o Distinguished names are ordered: e.g. cn=Tim Jones, o=IBM, c=US, where cn = common name, o = organization and c = country.

o The leftmost component is the Relative Distinguished Name (RDN) of the entry. The entry above a given RDN is called its parent Distinguished Name. For example, cn=Tim Jones names the entry, so it is the RDN; o=IBM, c=US is the parent DN for cn=Tim Jones.

o Entries can be imported and exported in LDIF format using QShell or Ops Nav
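Added example (not code from the original deck) that works through the DN structure above with the JNDI javax.naming.ldap classes: the RDN and parent DN of cn=Tim Jones, o=IBM, c=US, and the escaping a Web application needs when it looks a user up by a name typed into a form, so that the input cannot add DN components or change the search filter. The names are constructed; the filter escaping follows RFC 4515.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example: DN, RDN and parent DN handling, plus safe construction of lookup names and filters. */
public class LdapNames {

    /** Returns the RDN, the leftmost and most specific component of a DN. */
    static String rdnOf(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        // LdapName indexes right to left: index 0 is the root component (c=US), the last index is the RDN.
        return name.getRdn(name.size() - 1).toString();
    }

    /** Returns the parent DN, i.e. the DN with its RDN removed (empty string for a root entry). */
    static String parentOf(String dn) throws InvalidNameException {
        LdapName name = new LdapName(dn);
        return name.getPrefix(name.size() - 1).toString();
    }

    /**
     * Builds the DN of a user entry under a fixed base. Rdn escapes the value (RFC 2253), so a
     * comma, '+' or '=' typed by the user stays inside the cn value instead of becoming a new component.
     */
    static String userDn(String commonName, String baseDn) throws InvalidNameException {
        LdapName name = new LdapName(baseDn);
        name.add(new Rdn("cn", commonName));
        return name.toString();
    }

    /** Escapes a value for an LDAP search filter (RFC 4515), neutralising wildcards and parentheses. */
    static String filterValue(String raw) {
        StringBuilder sb = new StringBuilder();
        for (char c : raw.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the filter a Web app would use to find a user by common name from form input. */
    static String userFilter(String commonNameFromForm) {
        return "(cn=" + filterValue(commonNameFromForm) + ")";
    }

    public static void main(String[] args) throws InvalidNameException {
        String dn = "cn=Tim Jones, o=IBM, c=US";           // the slide's example DN
        System.out.println("RDN:       " + rdnOf(dn));      // cn=Tim Jones
        System.out.println("parent DN: " + parentOf(dn));   // o=IBM,c=US

        // Constructed form input containing a comma: it must stay one cn value, not become a second RDN.
        System.out.println("user DN:   " + userDn("Jones, Tim", "o=IBM,c=US"));

        // Constructed form input containing filter metacharacters: they are escaped, not interpreted.
        System.out.println("filter:    " + userFilter("*)(mail=*"));
    }
}
```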

Page 40

WebSphere security features

o WebSphere (WAS) features
IBM's family of WebSphere servers are J2EE-compliant Web application servers. WebSphere version 5 has three iSeries versions: Express, Application Server, Network Deployment. All WAS servers support full J2EE: servlets, JSPs, XML, Web services, EJB, JMS. Express v6 is free on new i5 servers – call your IBM rep to find out if you qualify. WebSphere security can be set for server instances and customized for applications and resources.

o WebSphere security
The WebSphere security system enables the administrator to define security policy to establish control of resources. The system provides security services to enforce the policy.

Authentication is the process of verifying that users are who they say they are. Authentication generally requires two steps:
1. The user sends authentication information to an authentication service (LDAP directory or OS/400 System Distribution Directory).
2. The service validates the information. If valid, the server authenticates the user.

Page 41

WebSphere security

o Authorization is the process of determining what a user is permitted to do.
o Different classes of users and groups are associated with roles, which give them privileges, such as the ability to Read, Write, or Execute (Run) an app
o Security managed through the administration console
o SSL can be configured for Web applications easily
o "Run As" option - Delegation allows an intermediary to perform a task initiated by a client under an identity set by the associated security policy.
o Use the Application Assembly Tool (AAT) to set the SecurityIdentity value in the deployment descriptor.

Securing applications with WebSphere product security involves:

o Tasks that create a set of policies that define which users have access to which methods or operations in which applications.

o Example: you can establish policies to specify whether the user Jim is permitted to use the company's inventory application to perform a write operation, such as changing the number of units of merchandise recorded in the company's inventory database.

o The security server works with the selected user registry or directory product to enforce the policies

Page 42

Express authentication options

o For a WebSphere Express application, you can specify one of several user authentication mechanisms:

Basic authentication
The realm name is sent from the server to the browser, and the user name and password are sent by the browser as part of the HTTP request.

Client certificate authentication
Each client has a valid digital certificate; its credentials are sent over an SSL (Secure Sockets Layer encryption) connection to the server. While very secure, it can be cumbersome to set up for many types of clients.

Form authentication
The values a user supplies for user ID and password are transmitted in clear text as part of the HTTP request. SSL connections are required to ensure this information is secure.

Page 43

Domino features

o An application server for mail, Notes applications, documents internally and over the Web

o Can plug into Apache HTTP server (version 6) or old IBM HTTP server (version 5)

o Premier solution for e-mail, collaboration
o Can access iSeries resources via LotusScript or Java

Domino offers VERY fine-grained security and control easily!
o Network
o Domino server
o User authentication
o Database
o View / Forms
o Document
o Section editor
o Hidden paragraphs
o Edit fields

Page 44

Apache HTTP Server

o Open-source HTTP server code from Apache Software Foundation

o "It must be called the HTTP Server (powered by Apache) with the parenthetical phrase as a bold reminder of the power and value of the integration with OS/400."

o Requires 3 LPPs: 5722-DG1 (Http), 5722-JV1 (Java), 5722-TC1 (TCP)

o A Web server to receive HTTP requests, send HTTP responses to clients

o Supports "plug-ins" to handle requests: WebSphere, Tomcat etc

o Has configurable routing rules to process different types of requests

o Is administered thru Ops Nav or browser

Page 45

Apache HTTP Server features

o Persistent connections - for a single client between requests for objects
o Virtual hosts - multiple Web sites hosted through one server
o Dynamic virtual hosting - adds Web site address, host to HTTP headers
o Proxy caching - faster page response to internal users
o SSI - server side includes to process page responses before returning
o CGI - calls to CGI programs allowed
o LDAP support for directory names, authentication
o Web server search engine - text searches on Web pages
o WebDAV - collaboration on documents over the web supported
o Plug-ins supported: Domino, WebSphere, Tomcat, more
o APR - Portable runtime libraries added - ILE service programs
o TRCTCPAPP command for tracing
o FRCA - Fast response cache architecture for cached pages
o Clustering of HTTP servers for load balancing

Page 46

Apache HTTP Server security

o User authentication - thru LDAP or OS/400, authentication by password or digital certificates

o Specify which profiles are used for which realms (resource pools)

o Access control - configuration controls which resources are served to which users.

o Supports Allow and Deny directives, evaluated in order, together with Require directives for users on a resource name

o Encryption - SSL supported using a virtual host configuration

o Proxy server - can be a proxy hiding internal addresses, forward, reverse and proxy chains

Page 47

Apache Tomcat server security

Tomcat is a J2EE Web application server
o Runs Java Web applications well: Servlets 2.3, JSPs 1.2, Java beans
o Supports the Web container applications but NOT EJB (Enterprise Java Beans)
o Uses Java toolkit or local Java support to access iSeries objects, services
o On iSeries, it's packaged with IBM Apache HTTP Server (5722-DG1)
o Configurable through Web browser on HTTP Server administration
o Available for free from www.apache.org for other platforms

Tomcat architecture
o Class Loaders
  Tomcat 4 installs a variety of class loaders to allow different portions of the container, and the Web applications running on the container, to have access to different repositories of available classes and resources
o SSL Config - Secure Sockets Layer
  SSL can be configured in Tomcat by installing JSSE, creating a certificate key store and configuring SSL in the conf/server.xml file.

Page 48

Tomcat controls

o JNDI Resources - Java Naming and Directory Interface
Tomcat 4 provides a JNDI InitialContext implementation instance to Web applications running under it. Tomcat applications use JNDI to access directories like an LDAP server.

o Manager App - allows a client to control Tomcat processing. Tomcat can be stopped and started using commands. An application can also be deployed and reloaded using commands.

o Proxy Support
Tomcat applications can request proxy access to the requester's original server name & port. The Apache HTTP server can operate as a proxy server to Tomcat, forwarding requests. This is an option to the normal configuration "plugging" Tomcat in to the HTTP server.

o Realm - a set of users & the roles they have for applications. There are three realms an application can connect to for authentication: JDBCRealm, JNDIRealm, MemoryRealm

o Security Mgr
Tomcat can have a security manager installed to control application access and user access to resources. Tomcat's security is not as tested as WebSphere's.

Page 49

Secure iSeries Web Apps Agenda

Your security challenges
E-business security concepts
Security services in Java Web environments
WebSphere Express security
Sample security scenarios
Seven steps to securing your e-business solution
Resources

Page 50

Sample security scenarios

Web scenario 1: mail, Web browsing, external Web serving
o Assumes a 270 running on a LAN with PC users

Web scenario 2: mail, Web browsing, Web serving, WebFacing
o Assumes a 270 running on a LAN with PC users

Web scenario 3: mail, Web browsing, Web serving, WebFacing, XML, FTP, Web services
o Assumes a front-end 270 Web server and an application server 820 running on a LAN with PC users

Page 51

Make decisions on how to secure…

Security option   Access control   Encryption     Authentication      Integrity checking   Address concealment
IP filtering      Yes              No             No                  No                   No
NAT               Yes              No             No                  No                   Yes
VPN               Yes              Yes (packet)   Yes (packet)        Yes (packet)         Yes
SSL               Yes              Yes (data)     Yes (system/user)   Yes                  No
Reverse proxy     Yes              Normally no    Yes (user)          Yes                  Yes

Page 52

Simple network

[Diagram: iSeries, PC and PC server on an Ethernet network running TCP, not connected to the Internet. The iSeries has a dial port; a standalone PC with FTP to the ISP reaches the Internet link through a net router.]

Primary threats:
o internal abuse
o viruses from Internet files

Page 53

Web 1: browsing, email

[Diagram: iSeries, PC and PC server on the LAN; Internet connection added through the iSeries proxy server to the net router and Internet link.]

Primary threats:
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses, especially for Windows

Page 54

Web 1 plan

Provides basic mail services, Web browsing to internal users and allows external users access to an outsourced company Web site

On iSeries:
o Simple e-mail using SMTP, POP mail servers, a Web gateway for internal users, DNS, DHCP for internal clients

ISP services:
o Forwards e-mail to iSeries servers, assigns one IP, resolves external DNS queries, has external Web site

Scenario benefits:
o One IP address needed
o Eliminates need for added security device
o ISP provides dynamic public IP address for iSeries so internal address not known
o iSeries only does routing, filtering and mail serving
o Internal users protected by iSeries from outside

Scenario risks:
o Configuration errors impact security
o Denial of service attack on iSeries gateway

Page 55

Web 2: Web site, Web apps, WebFacing

[Diagram: iSeries, PC and PC server on the LAN, connected through the net router and Internet link; Domino, HTTP, Tomcat and WebFacing servers added on the iSeries.]

Primary threats:
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses, especially for Windows
o limited access to IFS
o security for database, objects, users

Page 56

Web 2 plan

Provides browsing, SMTP mail server, WebFacing for browser access to 5250 applications and integrated Web site running Java Web applications in Tomcat

o On iSeries: SMTP server, HTTP server with Tomcat for Web serving, a Web gateway for internal users, DNS, DHCP for internal clients, WebFacing server, virtual hosts, VPN, NAT, SSL, LDAP

o On ISP: Forwards e-mail to iSeries servers, assigns one IP (one for HTTP server), resolves external DNS queries

o Scenario benefits
  One IP address needed: HTTP server, SMTP server
  ISP provides dynamic public IP addresses for iSeries so internal address not known
  iSeries does only routing, filtering and mail serving, application serving of all types
  Internal users protected by iSeries from outside
  Remote users can also access mail, all applications
  Internal and remote users have SAME interface to applications (browser)
  External users can access applications if authorized (WebFacing, mail, Java Web)

o Scenario risks
  Denial of service attack on iSeries gateway
  Availability risk IF SMTP mail relay task not constrained
  Requires higher skills to implement internal servers

Page 57

Web 3: Add XML, Web services

[Diagram: iSeries, PC and PC server on the LAN, connected through the net router and Internet link; a second iSeries added with WebSphere, XML and B2B services.]

Primary threats:
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses, especially for Windows
o limited access to IFS
o security for database, objects, users

Page 58

Web 3 plan

Delivers Web browsing, Domino mail & document server, WebFacing, WebSphere Express for Java web applications, XML content, Web services for B2B connections

o On iSeries: Domino application server, HTTP server with WebSphere Express for Web serving, a Web gateway for internal users, DNS, DHCP for internal clients, WebFacing server, virtual hosts, VPN, SSL, NAT, LDAP

o On ISP: Forwards e-mail to iSeries servers, assigns two IPs (one for Domino, one for HTTP server), resolves external DNS queries

o Scenario benefits
  Two IP addresses needed: Domino application server, HTTP server
  ISP provides dynamic public IP addresses for iSeries, so internal address not known
  Internal users protected by iSeries from outside
  Internal and remote users have SAME interface to applications (browser)
  External users can access applications if authorized (WebFacing, Domino, Java web)

o Scenario risks
  Denial of service attack on iSeries gateway
  Availability risk IF Domino mail router task not constrained
  Requires higher skills to implement internal servers
  WebSphere partner link needs to be secure

Page 59

Secure iSeries Web Apps Agenda

Your security challenges
E-business security concepts
Security services in Java Web environments
WebSphere Express security
Sample security scenarios
Seven steps to securing your e-business solution
Resources

Page 60

Seven steps to secure your e-business

o Define a clear e-business plan
o Define potential security threats
o Set a security plan
o Set security policies
o Implement security procedures and controls
o Monitor security performance
o Audit security performance

Page 61

Seven steps (cont)

E-business plan defined
o Define e-business objectives and metrics
o Review help needed for design, implementation, support
o Map existing application services, infrastructure
o Set application services needed to meet objectives
o Review implementation alternatives for services
o Review user access points and methods for services
o Define infrastructure design for services
o Define ISP services needed

Security threats defined
o What is your environment?
o What are your threats?
o What is the potential damage from these threats?
o How can these threats be controlled?
o What are the costs, risks associated with a control method?

Page 62

Seven steps (cont)

Security plan defined
o What are the business objectives our plan supports?
o What areas of security does our plan address?
o What are the primary threats our plan mitigates?
o What are the strategies for managing security?
o What controls do we want?
o What are the procedures we want?
o What resources do we have/need to control security?
o Where do we get relevant security training?

Security policies
o What controls do we need for each security layer (network to user)?
o What are the security policies we need, given our control strategies?
o How do we implement the policies in different tools, software?

Page 63

Security policy delivers:

o Guidelines on required and preferred security features of new products
o Privacy policy for e-mail, keystroke recording, files stored on company's media
o Which messages must be displayed, warning users that they might be monitored and informing them that only authorized access is permitted
o An Acceptable Use Policy (AUP) that clearly defines the purposes for which the company's systems and networks may be used
o Responsibilities of users, IT staff, and management, and how they should handle a security incident
o Which connections are allowed to external networks and systems
o What services are permitted from the internal network to the Internet, who is authorized to access those services, and what restrictions apply
o Same as above, but from the Internet to the company's network
o How configuration of systems, networks can change and who may change them all
o Who’s allowed to access what systems and in which ways they access those systems
o How to authenticate users, password requirements; local and remote user authentication guidelines
o Availability of resources, performance and how to measure and monitor deviations from the service level
o Who is authorized to perform maintenance of systems and networks
o How to report policy violations, including contact information

Page 64

Security procedures and controls

o What security procedures do we need for our control strategies, policies?

o What specific controls are we implementing as part of security procedures?

Sample procedures
o Job timeouts without user input
o Session timeouts without user input in Java
o Password not equal to user id
o Password expiration
o Hide internal addresses from external users
o Set FTP timeouts for no activity

Page 65

Monitoring and audits

Security monitoring
o How do we monitor the effectiveness of security controls, procedures?
o Firewall logs for intrusions on IP addresses, etc.
o Network traffic logs for TCP on connection and application layer services
o iSeries QHST
o iSeries joblogs
o Disabled user profiles
o Password controls
o Object access logs for invalid authorizations

Security audit
o How do we audit the effectiveness of security controls, procedures?
o What are the highest impact security exposures to audit?

Who audits and how?
o Big 5 accounting firms traditionally have real technology challenges to face
o IBM services -- can they really audit themselves?

Page 66

Key security points

o Review your security plan, issues, challenges by layer
o Get good outside help to plan, review e-business security
  Use iSeries ONLY business partners versus standard e-business providers
  Don't ask one expert (even IBM), get a second and third opinion even if you have to pay
o Coordinate with ISP security services needed
o Focus on common security models based on standards
  Avoid "custom" solutions vs. standard solutions that can be customized
o Balance security exposure impact to plans and results
o Leverage iSeries security runtime built-in free!
o Check resources for more details on specific areas

Page 67

Secure iSeries Web Apps Agenda

Your security challenges
E-business security concepts
Security services in Java Web environments
WebSphere Express security
Sample security scenarios
Seven steps to securing your e-business solution
Resources

Page 68

Resources

IBM iSeries Web site
o http://www.ibm.com/software/ad/wds400/

IBM WebSphere Web site
o http://java.sun.com/

Search400.com Web site
o www.search400.com

Apache software organization for open source software
o http://www.apache.org/

iSeries security advisor
o http://www.redbooks.ibm.com/tstudio/secure1/advisor/secwiz.htm