Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
OVERVIEW
E-Business applications have driven enormous cost savings over the years as
more and more business processes have been put online, driving out costly
manual interventions and re-keying of data. Traditionally this automation trend
has been confined within the walls of a single enterprise, but many leading
companies have begun leveraging the Internet to automate processes involving
collaboration with suppliers. Oracle Supplier Relationship Management
applications such as iSupplier Portal, Sourcing and Collaborative Planning are
pioneering this expanded opportunity for cost savings throughout the supply
chain.
To make SRM applications work involves providing your suppliers with network
access to parts of your e-Business Suite implementation. The pure Internet
architecture of the e-Business Suite means that you can do so very inexpensively.
All your suppliers will need is an ordinary web browser and an Internet
connection. All your IT department needs to do is to allow access to the eBusiness Suite from the Internet. Simple as that is, it represents a change in the
security profile of your e-Business Suite and this paper will help you step through
the decisions involved in maintaining tight security as you roll out SRM.
INTRODUCTION
Page 2
Your data center is already exposed to some risk of unauthorized access from
people within your organization with some knowledge of the IT services you
make available. Extending your e-Business Applications to include supplier users
through Internet access expands both the number of legitimate users and the
number of potential attackers.
From outsiders, the most likely attack is an intrusion aimed at looking around
your network with no clear goal. Such intrusions might be from hackers simply
exploring or possibly reconnoitering for a more serious attack. Any websites you
have are already exposed to this threat. The only additional risk is a more
focused attack motivated by a desire to break into your e-Business Suite
applications.
Even as you dramatically expand the number of potential attackers, the fact is
your highest risk will probably continue to come from the same people who
already pose a threat. Most unauthorized access comes from insiders. The
additional risk of providing Internet access may come as much from the greater
anonymity available to the same attackers as it does from random outsiders.
Denial of Service
Another security threat to consider is denial of service. The most familiar type of
denial of service is an e-mail virus. This is an e-mail message with some kind of
attachment that sends out a lot of additional copies of the email every time it is
opened. E-mail viruses are a fairly remote threat for your e-Business Suite
applications. The applications do interact with e-mail, but the technology
components managing e-mail in and out of the e-Business Suite are separate from
Page 3
the middle-tier components that handle browser-based user access. A true denial
of service attack on the e-Business Suite would involve a program that simulated
a lot of user activity against the applications. The attack would aim to make the
middle-tier and/or database servers too busy to handle any requests from
legitimate users. This type of attack is highly unlikely in a traditional pure-intranet
deployment since such an attack would be readily detected and prosecuted. In an
extranet deployment, however, an attacker has a somewhat better chance of
staging a denial of service without being identified. Also, because more people
may be aware of your external Internet domain, people without any ties to your
organization might be tempted to attack your site.
Balancing cost/benefit
Because your Supplier Relationship Management applications will raise the profile
of your e-Business Suite installation, Oracle strongly recommends that you take
some additional security precautions to limit the risk of attack. The appropriate
precautions to take will depend on your circumstances, of course. The usual
considerations of cost vs. benefit will apply.
We have reviewed the two basic threats and in the next sections will discuss how
some additional security investments can mitigate them. Some questions to bear
in mind in assessing the value of those security investments include:
Page 4
attention-seeking attacker, your SRM site will likely be known almost exclusively
to people who are, or would like to be, your business partners.
Much of the discussion in this paper is concerned with a fairly esoteric set of
high-tech attacks that in most circumstances are quite unlikely to occur. To keep
the matter in proper perspective, bear in mind that the more routine security
issues are common to both intranet and extranet applications. The e-Business
Suite has been engineered to deal with such routine issues very effectively and
these security features will apply equally to extranet access by SRM users.
Page 5
FUNCTION SECURITY
Very few of your e-Business Suite users have routine access to highly sensitive
data. Nearly all are provided very narrow access to selected features and specific
data relevant to their jobs. This assignment of specific access rights to individual
users is managed through the Function Security screens available only to System
Administrators. Even if a users password is compromised, Function Security will
prevent access to highly sensitive information unless that user has the relevant
authorization. Enforcing tighter security policies for more sensitive accounts can
mitigate such risks. In a typical SRM environment, external users will be granted
access only to those features and data that concern the supplier they represent.
Furthermore, their access can be restricted to specific supplier sites or even
restricted to only those transactions in which they are personally involved.
AUTHENTICATION
The core problem in security is being certain of the identity of a user. The most
common approach is password-based authentication: if the legitimate user is the
only one who knows the password, then you can be confident that whoever just
entered the correct password is in fact the person authorized to use the account.
In practice, many people use short easy-to-guess passwords, rarely change them
and reuse them for many accounts. A password that the user easily remembers
tends to be insecure.
Most of the time, insecure passwords dont do any harm. There just isnt anyone
motivated to find and exploit them. An attacker will generally focus on identifying
the password of a powerful user such as a system administrator. Such users are
generally more sensitive to security risks and can be persuaded to take more care
in their choice of password and to change it regularly. The e-Business Suite can
force expiration of passwords, which can be used to further secure key accounts.
For the strongest authentication, the emerging standard is Public Key
Infrastructure (or PKI) and specifically the certificate-based client authentication
feature of HTTPS/SSL. Implementing client authentication involves providing
certificates to all of your users. This provisioning problem has long posed a
serious obstacle to uptake of PKI technology throughout the industry. Beyond
the logistical issue of creating and distributing client certificates there is the
functional obstacle they create to rapid, convenient uptake of SRM applications
by your suppliers. This is where the inevitable tension between convenience and
security is most apparent.
In most instances, full PKI is more security than is really needed, but Oracle
recognizes the important potential of this and other security technologies and will
continue to work toward flexible and convenient implementations of them.
Page 6
AUDIT TRAIL
Every user login to the e-Business Suite is recorded permanently together with a
time stamp, a session ID and information about the Function Security rules
applicable to that session. Information about the identity of the user is also
attached to all transactions. This provides a means of detecting the party
responsible for any transaction, or determining which users might have viewed
sensitive data in a given time period. Naturally, if a valid user password has been
compromised, it can be difficult to trace back to the actual attacker. But the
particular account being used is still potentially valuable information, since it might
help to identify other people who could have learned that accounts password.
All failed attempts to login are also permanently recorded. This type of record
could be used to determine when an attacker might have been trying to find a
password by repeated guessing.
TECHNICAL DEFINITIONS
OHS
This refers to the Oracle HTTP Listener (based on Apache) that responds to the
HTTP requests made by a users web browser and routes them to the
applications.
Page 7
JSERV
This refers to the Java Virtual Machine process that will handle the detailed
processing of application business logic.
Middle-Tier
This refers collectively to OHS and JSERV, the components that manage user
sessions, carry out a variety of data entry validations, formulate database queries
and render HTML screens for browser display.
The most common configuration places OHS and JSERV together on each of
one or more dedicated middle-tier server machines, and the database is run on
one or more dedicated database servers.
NETWORK SECURITY
HTTP/HTTPS
These are the basic protocols used by web browsers to communicate with web
servers. HTTP is the Hypertext Transfer Protocol and HTTPS is the secure
variant. HTTPS uses the underlying TCP protocol in a slightly different way
from HTTP because it uses the SSL (Secure Sockets Layer) to carry out the
browser-to-server conversation.
SSL
Secure Sockets Layer is an encryption scheme that involves a negotiation over
detailed protocol and an exchange of encryption keys. These keys are packaged
in Certificates issued by a Certificate Authority (CA), Verisign being the best
known. The added security is very valuable, but does impose an appreciable
performance penalty.
X.509
This is the major standard relevant to defining the content of certificates and the
processes surrounding their use.
Page 8
PKI
Public Key Infrastructure refers to the technology and processes around allowing
ubiquitous use of public key cryptography for secure communications. SSL and
Certificates implement parts of the larger PKI agenda.
Server Certificate
This is the certificate issued to the organization running the web site (it may be
specific to a particular web server). This is necessary for the site to support SSL
at all.
Client Certificate
This is a certificate issued to the individual user. It is required only if the web
server has been configured to activate Client Authentication. This option is rarely
used because of the difficulty of providing all users with the right kind of
certificate and getting their browsers configured to use them properly. Over time,
Oracle expects that these issues will be resolved and will support this type of
authentication as appropriate.
Firewall
This is a dedicated routing computer combined with specialized filtering software
that enforces policy rules about what network traffic is permitted. The firewall is
placed at a bottleneck in the physical network so that all traffic from one side to
the other is forced through this consistent policy filter. Typical filtering rules
check IP addresses, ports, protocol type, or their combination.
Bussed-Connection Firewall
This is one that allows all attached devices to examine any packets passing through
it, relying on the integrity of those devices for consistent enforcement of filtering
policy.
Page 9
Stateful Inspection
This is a feature of more advanced firewalls that enables them to track each
sessions compliance with the state transition rules defined by HTTP (or other
Internet protocols). A class of intrusion techniques is based on violating these
rules, so stateful inspection helps in defending against such attacks.
DMZ
De-Militarized Zone is the network area between two firewalls. The term reflects
the fact that it is a defensive perimeter surrounding a private intranet and any
servers located there are dedicated to performing routing or security functions
rather than business functions.
Make sure that your project staff includes people with a strong background in
network security. Consider additional training to ensure that your staff can be
relied on for:
1. Accurate risk assessment
Page 10
If you provide Internet access for your employees, you probably already have a
firewall in place to ensure (among other things) that the traffic from the outside is
limited to the data returning to web browsers on your employees PCs. If you do
nothing else to secure your e-Business Suite from outside access, be certain that
your database servers are not accessible from anywhere on the network other
than the corresponding middle-tier servers. A firewall can provide added
assurance that access to the database is available only through a known network
route which can be monitored and further restricted at will.
KEEP YOUR MIDDLE-TIER BEHIND A FIREWALL (Must Have)
Your middle-tier servers will have to have access to the database in order to
function. Once an attacker gains access to the middle-tier server, therefore, he
will be a long step closer to the database itself. He would still need to find the
password for the correct user on the middle-tier server and also a valid database
schema password, but the task of finding those is greatly simplified by having
access to the middle-tier box to begin with.
USE HTTPS/SSL TO ENCYPT TRANSMITTED DATA (Must Have)
Page 11
Setting up a dedicated middle-tier server exclusively for external users isolates the
external user community and allows you to apply additional security restrictions
such as completely ignoring browser requests for screens suppliers dont need to
see. Function Security already provides user-specific access controls, but having a
redundant layer enforcing similar access rules adds another obstacle to attackers.
This approach is also useful in defending against denial of service attacks since a
successful attack on the extranet facing middle-tier could be addressed by shutting
down the extranet middle-tier while leaving the rest of the system operational.
USE A DMZ PROXY SERVER FOR ADDED FILTERING (Nice to Have)
SAMPLE CONFIGURATIONS
Minimal Configuration
Strengths
Page 12
Weakness
Preferred Configuration
Strengths
Weakness
This type of configuration is closer to the ideal for best security. Not every
option will be required in every case, but this configuration illustrates how the
environment might look in a fuller configuration.
Page 13
Proxy server in the DMZ (with additional routing rules to ignore nonSRM http requests).
3.
CONCLUSION
Page 14
Page 15