© Copyright 2015. Apps Associates LLC. 1
Demilitarized Zone in 12.2
KaliKishore Gomattam
Lead DBA Consultant – IMS @ Apps Associates
@kgomattam
Performance. Growth. Excellence.
• Global Reach, Broad Service Profile
• Founded in 2002, 600+ employees
• US, Europe, India, Middle East
• Service Offerings: Applications, CRM, Analytics, EPM, Cloud, Middleware, Application Development, App & Infrastructure Managed Services
• Significant Investment in R&D
• Cloud (IaaS, PaaS, SaaS)
• Business Process & System Integration
• Analytics & Big Data
• Strategic Partnerships, Certifications, Credentials
• Oracle Platinum Partner, Oracle Specialized Across Our Portfolio of Services
• AWS Advanced Consulting Partner, Certified Managed Services Provider
• Microsoft Certified
• CMMI Level 3 & SSAE 16
Agenda
Overview
What is DMZ
Why DMZ
Different Ways to Setup
High Level Steps to enable DMZ
How does it differ from 12.1
Best Practices
Question: why do we need to expose applications to the public?
Risks
When an organization exposes its Oracle Applications instance outside the private network over HTTP/HTTPS, the application becomes reachable from the public network, which brings the following risks:
• It becomes an entry point for attackers
• Security information can be stolen
• The internal domain/network is exposed to external users
• Application vulnerabilities become reachable from the Internet
Solution is DMZ
A DMZ serves the purpose by restricting access to the application based on the type of user logging in (internal or external).
DMZ stands for Demilitarized Zone: the portions of a corporate network that sit between the corporate intranet and the Internet. The DMZ can be a single LAN segment or it can be broken down into multiple regions.
The main benefit of a properly configured DMZ is better security: in the event of a breach, only the area contained within the DMZ is exposed to potential damage, while the corporate intranet remains largely protected.
DMZ with Oracle EBS
When configuring Oracle E-Business Suite in a DMZ, firewalls are deployed at several levels to ensure that only authorized traffic is allowed to cross the firewall boundaries.
The firewalls ensure that if intrusion attempts against machines in the DMZ succeed, the intrusion is contained within the DMZ, leaving the machines in the intranet unaffected. That containment only holds if the DMZ node is allowed to reach the intranet on the ports it actually needs (SQL*Net to the database, the WebLogic and Node Manager ports the topology requires) and nothing more, which is why the port legend on each architecture diagram matters.
DMZ Architecture
Oracle provides four different architectures:
1. DMZ Configuration With an External and Internal Application Tier
2. DMZ Configuration With a Reverse Proxy and an External Application Tier
3. DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
4. DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ
DMZ Architecture (Type 1)
DMZ Configuration With an External and Internal Application Tier
[Diagram: external users on the Internet pass through the DMZ external firewall to the external application tier in the DMZ; internal users on the intranet use the internal application tier; the external tier reaches back through the firewall into the intranet, including SQL*Net to the database. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQL*Net 1521.]
DMZ Architecture (Type 1)
Pros:
• Simple configuration: the external application tier sits in the DMZ for external users, and internal users access the internal application tier via the intranet
• Access for users logging in via the Internet can be restricted to a limited set of Oracle Applications responsibilities
• Users coming from the Internet can be limited to only those Oracle E-Business Suite Release 12 products that can be deployed for Internet access
Cons:
• The external application tier itself (a complete EBS application tier) is exposed directly to the external world, with nothing in front of it
• The application tier file system cannot be shared between the external and internal application tier nodes
DMZ Architecture (Type 2)
DMZ Configuration With a Reverse Proxy and an External Application Tier
[Diagram: external users on the Internet pass through the DMZ external firewall to a reverse proxy, which forwards through the DMZ internal firewall to the external application tier; internal users on the intranet use the internal application tier. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQL*Net 1521.]
DMZ Architecture (Type 2)
Pros:
• Access for users logging in via the Internet can be restricted to a limited set of Oracle Applications responsibilities
• Users coming from the Internet can be limited to only those Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• The reverse proxy masks the external application tier details (host names, ports) from external users
• SSL connections can be terminated at the reverse proxy if required
• A URL firewall can be implemented on the reverse proxy server to restrict access to the permitted URLs only
Cons:
• An additional server is required for the reverse proxy
• The application tier file system cannot be shared between the external and internal application tier nodes
DMZ Architecture (Type 3)
DMZ Configuration With Internal and External Application Tiers in the Intranet Sharing the Application Tier File System
[Diagram: external users on the Internet pass through the DMZ external firewall to an external load balancer, which forwards through the DMZ internal firewall to the external application tier nodes in the intranet; internal users reach the internal application tier nodes through an internal load balancer; all application tier nodes share the application tier file system. HTTPS/HTTP is what crosses the firewalls; WLS, Node Manager, ICMP, SSH and SQL*Net traffic stays inside the intranet. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQL*Net 1521.]
DMZ Architecture (Type 3)
Pros:
• Access for users logging in via the Internet can be restricted to a limited set of Oracle Applications responsibilities
• Users coming from the Internet can be limited to only those Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• The application tier file system can be shared among all nodes
• No additional ports need to be opened on the firewall, since only the load balancer's HTTP/HTTPS traffic crosses it
• Load is balanced across multiple nodes
Cons:
• The load balancer is exposed to the external world
DMZ Architecture (Type 4)
DMZ Configuration With Multiple Internal/External Application Tiers in the Intranet and DMZ
[Diagram: as in Type 3, an external load balancer behind the DMZ external firewall fronts the external application tier nodes and an internal load balancer fronts the internal application tier nodes, but application tier nodes are now placed in both the intranet and the DMZ. HTTPS/HTTP crosses the firewalls; WLS, Node Manager, ICMP, SSH and SQL*Net traffic stays within each zone. Port legend: HTTPS 443, HTTP 8000, WLS 7001/7002, Node Manager 5556/5557, ICMP, SSH 22, SQL*Net 1521.]
DMZ Architecture (Type 4)
Pros:
• Access for users logging in via the Internet can be restricted to a limited set of Oracle Applications responsibilities
• Users coming from the Internet can be limited to only those Oracle E-Business Suite Release 12 products that can be deployed for Internet access
• The application tier file system can be shared among the nodes within the same zone
• Load is balanced across multiple nodes
Cons:
• The load balancer is exposed to the external world
• The application tier file system is not shared between the external and internal application tier nodes
Application Access Flow
[Diagram sequence:]
• Internal users open http://internal.mydomain.com, which resolves on the private network straight to the EBS instance at 10.1.1.100.
• External users open http://external.mydomain.com. Global (public) DNS resolves that name to 54.100.200.100, the public address of the proxy server, and the proxy forwards the request from the public network into the private network to the EBS instance at 10.1.1.100.
• Local (private) DNS carries a second record for external.mydomain.com pointing at 10.1.1.100, while Global DNS keeps 54.100.200.100 for the same name. Internal clients that use the external URL therefore reach the instance directly; only Internet clients go through the proxy.
Check from an internal host and from outside that the name really resolves differently: a private address such as 10.1.1.100 appearing in public DNS exposes the internal network, which is one of the risks listed above.
Steps to enable DMZ
To enable a DMZ using any of the four architectures, perform some or all of the following steps, depending on the architecture selected:
1. Apply the patches required for DMZ configuration
2. Clone the external node using adcfgclone.pl (run and patch file systems)
3. Update the profile option hierarchy type
4. Update the node and responsibility trust levels
5. Configure the reverse proxy / load balancer (conditional)
6. Remove references to the internal node(s) in mod_wl_ohs.conf (12.2.x only)
Steps to enable DMZ
1. Patches required for DMZ configuration: R12.AD.C.Delta.4 and R12.TXK.C.Delta.4
Note: follow MOS Note 1617461.1 to apply the required patches. If a newer AD/TXK update patch is available, apply that instead of the minimum code level listed under Patch Number/Min Code Level.
Steps to enable DMZ
2. Clone the external node using adcfgclone.pl, on both the run and patch file systems. When prompted, answer "Yes" to add the node. Enable "Web Entry Point" and "Web Application Services"; do not enable "Batch Processing Services" (concurrent processing), so that the Internet-facing node runs only the services external users need.
Steps to enable DMZ
3. Update the hierarchy type. A set of user profile options is used to construct the various URLs in EBS. By default the hierarchy type of these profile options is "Server". An E-Business Suite environment for DMZ requires their hierarchy type set to "SERVRESP" (server and responsibility), so that a URL can differ by both the node the user came in on and the responsibility in use. Run the following on the run file system as the apps user:
$FND_TOP/patch/115/sql/txkChangeProfH.sql SERVRESP
Steps to enable DMZ
4. Update the node and responsibility trust levels. Oracle E-Business Suite can restrict access to a predefined set of responsibilities based on the application tier server from which the user logs in. This is achieved by tagging each application server with a trust level through the Node Trust Level (NODE_TRUST_LEVEL) server-level profile option, and each responsibility with a matching Responsibility Trust Level.
Options:
• Administrative: these servers are considered secure and provide access to any and all E-Business Suite functions.
• Normal: users logging in from normal servers have access to only a limited set of responsibilities.
• External: these servers have access to an even smaller set of responsibilities.
Set the external node(s) to External at the server level, and assign the External trust level only to the responsibilities that Internet users genuinely need; anything not tagged External stays invisible from the DMZ node.
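The trust-level rule from step 4, modelled as an added example (not code from the slides or from Oracle). It encodes what the three options describe: a responsibility is offered on a node only when the responsibility's own trust level is at or above the node's, so Administrative nodes show everything, Normal nodes hide Administrative responsibilities, and External nodes show only External ones. The numeric values 1/2/3 are those of the NODE_TRUST_LEVEL profile option; the node names, responsibility keys and the in_dmz flag are a constructed inventory used to show the check a DMZ review should run: every node reachable from the Internet must be tagged External before it is exposed.

```python
"""Added example: model of the Node Trust Level / Responsibility Trust Level
rule from step 4. Not code from the slides or from Oracle; node names,
responsibility keys and the in_dmz flag are constructed for illustration."""
from dataclasses import dataclass

# Values of the NODE_TRUST_LEVEL profile option.
ADMINISTRATIVE, NORMAL, EXTERNAL = 1, 2, 3
LEVEL_NAMES = {ADMINISTRATIVE: "Administrative", NORMAL: "Normal", EXTERNAL: "External"}


@dataclass(frozen=True)
class Node:
    name: str
    trust_level: int   # NODE_TRUST_LEVEL set at server level for this node
    in_dmz: bool       # where the node is deployed (constructed inventory fact)


@dataclass(frozen=True)
class Responsibility:
    key: str
    trust_level: int   # Responsibility Trust Level set on the responsibility


def visible_responsibilities(node, responsibilities):
    """Responsibilities a user can pick after logging in through `node`.

    A responsibility is offered only when its trust level is at or above the
    node's: Administrative nodes (1) show everything, Normal nodes (2) hide
    Administrative responsibilities, External nodes (3) show only External ones.
    """
    return sorted(r.key for r in responsibilities if r.trust_level >= node.trust_level)


def audit_nodes(nodes):
    """Findings a DMZ review should raise.

    Step 4 is what tags a node External; until it is done, a cloned node in
    the DMZ offers more than the External set to anyone reaching it.
    """
    findings = []
    for n in nodes:
        if n.in_dmz and n.trust_level != EXTERNAL:
            findings.append(
                f"{n.name}: DMZ node is {LEVEL_NAMES[n.trust_level]}, expected External"
            )
    return findings


# Constructed inventory: one internal node, one correctly tagged external node,
# and one DMZ node that was cloned but never re-tagged.
SAMPLE_NODES = [
    Node("ebsint01", ADMINISTRATIVE, in_dmz=False),
    Node("ebsext01", EXTERNAL, in_dmz=True),
    Node("ebsext02", NORMAL, in_dmz=True),
]
SAMPLE_RESPS = [
    Responsibility("SYSTEM_ADMINISTRATOR", ADMINISTRATIVE),
    Responsibility("HR_SELF_SERVICE", NORMAL),
    Responsibility("ISUPPLIER_PORTAL", EXTERNAL),
]

if __name__ == "__main__":
    for node in SAMPLE_NODES:
        print(node.name, LEVEL_NAMES[node.trust_level],
              visible_responsibilities(node, SAMPLE_RESPS))
    for finding in audit_nodes(SAMPLE_NODES):
        print("FINDING:", finding)
```

Feed audit_nodes the real node list (with the trust level read back from the profile option values, not from memory) as the last check before the firewall rule that exposes the node is enabled.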
Steps to enable DMZ
5. Configure the reverse proxy / load balancer (conditional). The reverse proxy server is placed in front of the external application tier node, and the Oracle E-Business Suite application tier nodes must be made aware of the presence of the reverse proxy. Modify the relevant parameters in the application tier context file on both the run and patch file systems; context file changes take effect only after AutoConfig is run.
Steps to enable DMZ
6. Remove references to the internal node(s) in mod_wl_ohs.conf (12.2.x only). When a node is added to an existing E-Business Suite instance, mod_wl_ohs.conf lists both the primary and the secondary nodes. Remove the internal entries on the external node so that the external web tier never routes requests to the internal managed servers.
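The cleanup in step 6, as an added example written for this page (not Oracle's tooling, and not a replacement for the documented manual edit): it rewrites every WebLogicCluster directive in a copy of mod_wl_ohs.conf so that only the external node's own managed servers remain, refuses to leave a directive with no server at all, and returns the removed entries for the change record. The sample configuration fragment, hostnames and ports are constructed.

```python
"""Added example for step 6: drop internal managed-server entries from the
WebLogicCluster directives of a mod_wl_ohs.conf copy. Not Oracle's tooling;
the sample configuration, hostnames and ports below are constructed."""
import re

# Constructed fragment resembling what an external node ends up with after
# the add-node clone: each WebLogicCluster lists internal and external nodes.
SAMPLE_CONF = """\
<Location /OA_HTML>
    SetHandler weblogic-handler
    WebLogicCluster ebsint01.mydomain.com:7201,ebsint02.mydomain.com:7201,ebsext01.mydomain.com:7201
</Location>
<Location /forms>
    SetHandler weblogic-handler
    WebLogicCluster ebsint01.mydomain.com:7401,ebsext01.mydomain.com:7401
</Location>
"""

# Directive form: WebLogicCluster host:port[,host:port...]. Group 1 keeps the
# indentation, group 2 is the server list, group 3 anything trailing it.
CLUSTER_RE = re.compile(r"^(\s*WebLogicCluster\s+)(\S+)(.*)$")


def cluster_hosts(conf_text):
    """Hostnames referenced by any WebLogicCluster directive (verification aid)."""
    hosts = set()
    for line in conf_text.splitlines():
        m = CLUSTER_RE.match(line)
        if m:
            hosts.update(e.rsplit(":", 1)[0].lower() for e in m.group(2).split(","))
    return hosts


def strip_internal_nodes(conf_text, internal_hosts):
    """Return (rewritten_conf, removed_entries).

    Raises ValueError rather than emitting a WebLogicCluster directive with no
    managed server left, which would break the external node's web tier.
    """
    internal = {h.lower() for h in internal_hosts}
    out, removed = [], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = CLUSTER_RE.match(line)
        if not m:
            out.append(line)
            continue
        kept = []
        for entry in m.group(2).split(","):
            host = entry.rsplit(":", 1)[0].lower()
            (removed if host in internal else kept).append(entry)
        if not kept:
            raise ValueError(f"line {lineno}: no managed server would remain")
        out.append(m.group(1) + ",".join(kept) + m.group(3))
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    INTERNAL = ["ebsint01.mydomain.com", "ebsint02.mydomain.com"]
    new_conf, removed = strip_internal_nodes(SAMPLE_CONF, INTERNAL)
    print(new_conf)
    print("removed:", removed)
    # The property the step is about: no internal host is referenced any more.
    assert not cluster_hosts(new_conf) & {h.lower() for h in INTERNAL}
```

Run it against a copy of the file from the external node, diff the result, then put it in place. Because AutoConfig maintains mod_wl_ohs.conf in 12.2, re-run cluster_hosts on the live file after every AutoConfig run and patch-cycle cutover to confirm the internal entries have not come back.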
12.1.x vs 12.2.x
Item          12.1.x                                   12.2.x
Virtual host  Can be set while running adcfgclone      Cannot be set with adcfgclone; OHS must be configured separately
SSL           Supports certificates up to SHA-1        Supports SHA-2
SSH           Does not require user equivalence        Requires user equivalence
Apache        No configuration change required         Internal node(s) must be removed from mod_wl_ohs.conf
Best Practices
• Identify the network flow
• Preserve isolation as much as possible
• Practice good vulnerability management
• Make sure there is no way to request your web server directly, bypassing the security filtering layers
• Audit your equipment
• Follow security best practices
• Monitor, monitor, monitor
Connect with Us
Web: www.appsassociates.com
Email: [email protected]
YouTube: www.youtube.com/user/AppsAssociates
LinkedIn: www.us.linkedin.com/company/apps-associates
Twitter: @AppsAssociates
Facebook: www.facebook.com/AppsAssociatesGlobal
Thank You! @kgomattam