Oracle Application Server 10g. J2EE Deployment and Administration Authors: Wessler M. A., Harrop R., Machacek J. Published year: 2004 Pages: 121-123/150 |
In this chapter we covered the WC server. You saw how it receives incoming requests before they reach the OHS origin server and sends cached content back to the client. This improves response time for the client while reducing the load on the back-end origin servers, the network, and the databases. The result is a more scalable solution, because a relatively inexpensive WC server can front a larger, multinode application-server cluster.
You saw how WC is configured and looked at the administrative management tools. The setup and configuration of WC is relatively simple, and you were able to create a new WC site (wc-test.name) in a matter of minutes. The WC Manager tool provides multiple monitoring, logging, and diagnostics pages for you to troubleshoot errors and monitor performance.
By default, WC already caches content that generally should be cached: HTML files, PDF files, and image files. Using the WC Manager pages, you saw how caching rules can be created or edited to allow more content to be cached. Expiration time frames and compression of documents were also covered. Finally, we showed you how content can be manually invalidated by the administrator and how custom invalidation code can be written using the preexisting templates.
Computer security is one issue that routinely makes the news and keeps administrators busy. Particularly when managing web servers, security needs to be a constant theme because of the increased vulnerability of systems connected to the Internet. Failure to properly secure your system will, sooner or later (probably sooner), result in someone getting into it. If you're "lucky," the hacker will just snoop around. If the hacker is criminal or malicious, he can steal your data, rob your company and customers, use your system as a launching pad for attacking other systems, and ultimately corrupt or destroy your system.
In this chapter we'll outline the fundamentals of running a secure server and the preventative actions the administrator can take to improve security. You'll look at security fundamentals at both a total systems and web-application-server level. Concepts regarding a layered system defense, firewall security, and responding to new security threats will be covered.
You'll then learn some 10g AS-specific security improvements and tools. We'll show you how to secure the powerful Application Server Control (ASC) utility. Next we'll explain Secure Sockets Layer (SSL) and examine how to set up SSL using the Oracle Wallet Manager (OWM) to allow for HTTPS traffic. Finally, we'll provide an overview of Oracle's Identity Management tools, including Oracle Internet Directory (OID).
In this chapter, we'll cover the following:
Threats and impacted parties. What are the potential threats and who is impacted?
Web security fundamentals. Fundamental practices for securing a system at all levels.
Securing Application Server Control. How to make the powerful administrator's ASC tool secure.
Secure Sockets Layer (SSL) and Oracle Wallet Manager (OWM). How to set up SSL and learning the role of OWM.
Identity Management. The role of OID, Delegated Administration Service (DAS), and Single Sign-On (SSO).
Anyone who watches the news or has any exposure to the web knows that computer security is a major issue these days. Whether it's the latest email attack, defacing and crashing websites, or identity theft, these items make the news. However, more often than not, hacking is an inside job and it doesn't make the national news; nevertheless, a security compromise has happened and data has been changed, deleted, or copied. Most security compromises happen internally and are never reported to the police, typically because either the organization doesn't know it has been hacked or, if it does find out, it's "easier" to hide the crime than to report it.
Here's a list of items that really do happen every day, and as a web administrator you'll likely encounter them at some point.
A nosy or disgruntled employee or customer uses her inside knowledge of and access to the system to attempt to cause damage or to corrupt or steal data. These attacks are tough to defend against, and often you never know you've been compromised.
A computer criminal accesses your system and gets credit card information about the customers, customer identity information, or bank account numbers. Companies and individuals have lost large amounts of money as a result of these data compromises.
Computer virus of some sort gets into your system and causes damage. This is most common with email systems.
A scripted attack scans your machines and attempts to access them via known vulnerabilities and security holes. Your system may not have been targeted specifically, but if a vulnerability is exposed, whoever is running the scan will find it. Even if a patch or workaround for the vulnerability is available, it's useless if you haven't applied it.
A competitor or group opposed to your organization or business wants to access your system to gain and corrupt data. Corporate espionage is a reality.
The same competitor or group opposed to your organization or business decides they don't care about your data, and that they just want to crash your site and drive customers away. So they launch a Denial of Service (DoS) attack against your system.
The traditional "hacker" who just wants to see if he can break into your system. Or if you're less fortunate, it's a "cracker," who, after she breaks into your system, decides to cause damage. This can be the stereotypical teenage "computer nerd" breaking into systems for fun. And once she has broken into your system undetected, she will tell her friends how to get into it, too.
Some systems, both government and commercial, are the targets of terrorists and foreign powers. These types of hackers are not just in the movies and they really do exist. If you manage important systems, you're obligated to take appropriate actions to guard against these threats.
Internal security audits and intrusion tests by your own organization can make you look bad if your system fails a test. This is common in many organizations and it theoretically helps your system become more secure, but no one wants to look bad in front of her boss or colleagues.
Finally, if the preceding items didn't convince you that security is important, keep in mind that if you're the administrator and it was your system that was compromised, it can easily cost you your job if it comes out that you didn't take reasonable security precautions.
There are so many ways to compromise a system that you have to guard against it at every level. You cannot just say, "I'm the web administrator, so I don't care about operating system or application security issues." From an administration perspective, everyone's fate is tied together, and everyone is impacted if a security breach occurs. For example, if a hacker exploits an operating system vulnerability because an unneeded port or service was left open, the following people are impacted:
System administrators. Your server has been compromised. How far did the hacker get and did he access other servers, too, from this one? How long has he been on the system and what did he change or do?
Web administrators. Did she change anything on the website and did she use the machine to hack into other systems? Was there any critical data on the web server, even in the form of cached content that could have been accessed?
Database administrators. The database may be on another server, but all the JDBC database connection (usernames and passwords) information and Oracle Net Services (SQL*Net) software was on the web server. Did the hacker get access into the database and if so, what did he see or change?
Network administrators. You know the compromised server was on X network. From that location, what other servers and systems were accessible to the hacker? What was she able to see from that machine?
Application developers. Are there any security holes within the system or data that the hacker now has access to?
Management. You know there was an intrusion, but how bad was it? Did he do any damage or collect any data? The system holds personal information about thousands of customers, including credit card information. What is the legal liability if the information was compromised? Are you, as a company, obligated to notify the customers that there may be a problem and incur the customer backlash? Is it appropriate to contact the police, and will the press find out about this?
As you can see, many people in your organization will be impacted if a hack is even suspected. Given this wide-ranging impact, prevention and risk reduction is your best approach.
Unfortunately, a complete discussion of computer security is outside the scope of this book and the topic itself could fill several books. Indeed, computer security represents a full-time job for many people and an entire, thriving industry.
In this chapter I'll show you the fundamentals so you won't be an easy target and become a hacker's dream come true.