is there an accepted best practice for securing access to a Weblogic JNDI (JDBC Specifically) services from external apps?
Out primary motivation is trying to stop people from accidentally pointing QA code at production machines, but obviously there is the question of securing the port from unwanted visitors (other hosts on the internal network) as well.
Idea would be that an arbitrary client can't just connect to :
t3://importantprodhost.mycompany.com:7001
and get hold of one of the remote JDBC/JNDI stubs that are proxies to our databases
I did find this link which seems to be related, but I was hoping not to have run everything as a WebLogic.runAs() call.
My guess was that one could only expose the JNDI service over a HTTPS and authenticate with a certificate (which wouldn't be on the QA machines), but haven't found a concrete/simple example, so I don't know if this would actually work.
Please assume for the purposes of this question that we need access (i.e we can't turn it off) - we'd just like to authenticate it, and that we can't deploy anything network level such as a firewall to solve the problem.
Related
I created an api using SLIM framework, but the services are not accessible to public as they are limited to localhost. how to host the services on a realtime server, so that, they can be accessible from anywhere?
please some one help me
This question requires more detail in order to answer properly.
If you are hosting your API on a windows server, then it is likely you have configured some kind of "WAMP" stack, correct? Or maybe serving PHP through IIS? This are important questions because we need to know what port you have bound your web application server to, which leads us to the next question...
Where are you hosting the server which is running the application which bound to what port?
Ultimately, a public, external IP will need to be either:
a. NAT'ed to the internal IP of your web server instanced
b. Port-forwarded to the internal IP of the server running your web application
Still, we are making a lot of assumptions here because getting a web application "accessible from anywhere" will require different work depending on your environment.
Here is the most basic example:
You are at home, running this API on your Windows workstation and will like to be able to hit it from a remote location.
Ensure Windows firewall allows inbound traffic to the port on which your application is running (probably port 80/HTTP, maybe 443/HTTPS).
Log into your ISP's router and configure port-forwarding to ensure inbound traffic on, say, port 80, is routed to the internal IP of the workstation running the API.
That's all there is to it.
Keep in mind that this also assumes that your ISP even allows you to expose your own web server to the internet on port 80 (or 443). Also, since we know nothing about your environment, this is all pure conjecture. Please provide more information you would like a real answer.
The most traditional way to host Slim Framework, would be through Apache. Install Apache and be sure you have the proper network settings to allow inbound connections, but more information about your setup could be needed for proper guidance.
http://httpd.apache.org/docs/2.4/platform/windows.html
When Apache is installed and working, you need to set Rewrite rules on the URL, information on that can be found on http://docs.slimframework.com/routing/rewrite/.
Your question on the verge of off topic, it probaly is, but read up on what questions can be asked and not, here on Stackoverflow, hope i could help.
Enviroment
Consider the following production environment setup for a web application:
End user --Internet--> web server in DMZ --Firewall--> WCF hosted on app server --> DB Server
Constraint:
Also consider that we cannot change anything from the infrastructure point of view. For example, open ports, change any firewall setting etc.
Problem:
We want to expose the WCF, which is hosted on the app server, to external clients. We are trying to solve this as follows:
End user --Internet--> Router WCF in DMZ --Firewall--> WCF hosted on app server --> DB Server
Please note that we cannot establish a db connection from the DMZ environment where the WCF needs to be hosted so that the external clients can consume it. We have developed a "Router WCF" which passes through all messages to the internal WCF and vice-versa.
This solution adds an unnecessary overhead of serializing and de-serializing data. There must a better and proper way of doing this. We are looking forward to the community for guidance. Thank you.
In DMZ the bibliography tells you: always create an intermediate layer. This means another machine on the internet will be the point of connection and it will proxy the connection back to WCF.
The machine is the web server you seem to mention, that is stupid, has no data, and (to be a proper DMZ) has a firewall between it and all the machines (WCF and the others) it serves that permits only IP:PORTS used on such machines.
In this scenario, usually Apache on the public web server with a URL-rewrite rule (i.e if it is /x/y send it to servera.internal.com:9900 - if it is /x/z send it to serverb.internal.com:9901 etc...) is enough, but there are plenty of solutions of course.
It seems you are doing exactly this, why do you say it is not the proper solution?
DMZs could seem a bit dated as protection mechanism (I agree) but you have to think when servers like your WCF machine had dozens of ports opened, and you wanted to lower the risk of random ports on web-facing machines, a giant attack surface. Nowadays everything can work with couple of ports opened, so it can seem "silly" to do all of this just to forward a TCP port. But it is still valuable as (for example) if servers behind the web server in DMZ do not have internet access, even when WCF is compromised, the attacker cannot use its own reverse shell to deploy what it is nowadays called an APT (yesterday backdoor). The attacker "won't see" his own machine from WCF as the DMZ provides the connection to the external world.
A Zookeeper architecture question for you ZK Gurus:
I use zookeeper to manage messaging to a cloud of worker machines. Currently the application servers that control the messages and the workers are in the same infrastructure (network). I'm considering allowing clients to communicate with these servers outside of the network from arbitrary locations. I've read about Zookeepers ACL and Authentication Capabilities but I notice that digest sends the passwords in cleartext. I'd be concerned about securing the socket connection and protecting against outside attacks. I dont see anything online telling me that this IS/IS NOT something that can/should be done with Zookeeper.
Is this a common architecture with Zookeeper and are there any suggestions?
Am I barking up the wrong tree for this type of work?
if you do not have a secured network (VPN), this in not something you should do for exactly the reason pointed out. you can mitigate the problem quite a bit using the kerberos plug in, which will secure the authentication and authorization, but you still will not get confidentiality (encryption). what you really need is SSL. things are setup now so that SSL support could be implemented, but code still needs to be written :)
I'm now thinking about moving to s3, but I'm still concern about the restriction policy in my country in the future, so I'm wondering if I can use some DNS service or some other way to solve this problem.
It's doubtful that DNS can help with this issue.
In general, it's quite difficult to bypass such restrictions if there is an entity that has complete control over the borders of its network. It could be anything - from a government blocking opposition sites for political reasons to a company blocking access to insecure web mail providers for security reasons.
If an entity wants to block a specific service provider, it's easier, more effective and far more efficient to simply block all IP address blocks that belong to that provider. DNS is at a higher level and will not help with this issue.
What would help is an unblocked proxy (relay) or VPN service. You connect to that service and tunnel any connection to your intended service provider through that connection. It could be:
A proxy server abroad that is not blocked. There are commercial proxy/anonymizer services that may be able to help here, although the most known ones are bound to be blocked too.
A VPN connection to an unblocked network e.g. a business partner.
An application such as Tor. This option usually implies a very significant performance drop and should not be used for high data rates (anything above a few KB/sec).
If you use a remote proxy or VPN server you should contact the owners and find out their policy for something like this.
I have a half-dozen domains (with associated domain names), hosted locally on Windows/Apache and accessible to the wider internet. At the moment, the name servers are provided by my domain name register at extra cost. I would like to host a domain name service (on the same machine as is hosting the websites).
I have tried BIND without success, I was unable to configure it correctly. I was confused about zones and the syntax of configuration, as well as how to test if it is configured correctly!
Most guides seem directed at users who wish to replicate DNS entries for local caching, whereas I simply want to host a name server (locally) which directs users to my local machine, when they request any of the half-dozen websites I host.
Is there a simple application to host limited Domain Name Service this on Windows (Vista Business), or an obvious tutorial that I haven't found yet? Or was I on the right track with BIND and missing something?
Bind is probably the best choice. The guides you're referring to are talking about configuring a caching resolver. What you want is an authoritative name server. Bind can be a pain to configure because there are so many options, but it's probably worth persevering.
Depends what your budget is..
The DNS Server on Windows 2003 Server is pretty good and easy to configure.
There's a bunch of alternatives list here:
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
Simple DNS Plus could maybe do the trick for your case, but I haven't tried it.
Another option is maybe to use Bind and try to find a GUI for it, there's a few existing, usually web based, like webmin and such...