In this chapter we covered the WC server. You saw how it's able to receive incoming
You saw how WC is configured and
By default, WC already caches content that
Computer security is one issue that routinely makes the news and keeps administrators busy. Particularly when managing web servers, security needs to be a constant theme because of the increased vulnerability of systems connected to the Internet. Failure to properly secure your system will, sooner or later (probably sooner), result in someone getting into it. If you're "lucky," the hacker will just snoop around. If the hacker is criminal or malicious, he can steal your data, rob your company and customers, use your system as a launching pad for attacking other systems, and ultimately corrupt or destroy your system.
In this chapter we'll outline the fundamentals of running a secure server and the preventative actions the administrator can take to improve security. You'll look at security fundamentals at both a total systems and web-application-server level. Concepts regarding a layered system defense, firewall security, and responding to new security threats will be covered.
Finally, you'll learn some 10g AS-specific security improvements and tools. We'll show you how to secure the powerful Application Server Control (ASC) utility. Next we'll explain Secure Sockets Layer (SSL) and examine how to set up SSL using the Oracle Wallet Manager (OWM) to allow for HTTPS traffic. Lastly, we'll provide an overview of Oracle's Identity Management tools, including Oracle Internet Directory (OID).
In this chapter, we'll cover the following:
Threats and impacted parties. What are the potential threats and who is impacted?
Web security fundamentals. Fundamental practices for securing a system at all levels.
Securing application server control. How to make the powerful administrator's ASC tool secure.
Secure Sockets Layer (SSL) and Oracle Wallet Manager (OWM). How to set up SSL and the role OWM plays in it.
Identity Management. The role of OID, Delegated Administration Service (DAS), and Single Sign-On (SSO).
Here's a list of items that really do happen every day, and as a web administrator you'll likely encounter them at some point.
A computer criminal
Computer virus of some
A scripted attack
A competitor or
The same competitor or group opposed to your organization or business decides they don't care about your data, and that they just want to crash your site and drive customers away. So they launch a Denial of Service (DoS) attack against your system.
The traditional "hacker" who just wants to see if he can break into your system. Or if you're less fortunate, it's a "cracker," who, after she breaks into your system, decides to cause damage. This can be the stereotypical teenage "computer nerd" breaking into systems for fun. And once she has broken into your system undetected, she will tell her
Some systems, both government and commercial, are the targets of terrorists and foreign powers. These types of hackers are not just in the movies and they really do exist. If you manage important systems, you're obligated to take appropriate actions to guard against these threats.
Finally, if the
There are so many ways to compromise a system that you have to guard against it at every level. You cannot just say, "I'm the web administrator so I don't care about operating system or application security issues." From an administration perspective, everyone's fate is tied together and everyone is impacted if a security breach occurs. For example, if a hacker exploits an operating system vulnerability because an unneeded port or service was left
System administrators. Your server has been compromised. How far did the hacker get and did he access other servers, too, from this one? How long has he been on the system and what did he change or do?
Web administrators. Did she change anything on the website and did she use the machine to hack into other systems? Was there any critical data on the web server, even in the form of cached content that could have been accessed?
Database administrators. The database may be on another server, but all the JDBC database connection information (usernames and passwords) and Oracle Net Services (SQL*Net) software was on the web server. Did the hacker get access into the database and, if so, what did he see or change?
Network administrators. You know the compromised server was on X network. From that location, what other servers and systems were accessible to the hacker? What was she able to see from that machine?
Application developers. Are there any security holes within the system or data that the hacker now has access to?
Management. You know there was an intrusion, but how bad was it? Did he do any damage or collect any data? The system holds personal information about thousands of customers including credit card information. What is the legal liability if the information was compromised? Are you, as a company, obligated to notify the customers that there
be a problem and incur the customer
As you can see, many people in your organization will be impacted if a hack is even suspected. Given this wide-
Unfortunately, a complete discussion of computer security is outside the scope of this book and the topic itself could fill several books. Indeed, computer security represents a
In this chapter I'll show you the fundamentals so you won't be an easy target and become a hacker's dream come true.