The Uniface Lectures are an ongoing series of free monthly technical webinars that cover a wide range of useful topics. In this Lectures webinar on Application & Infrastructure Security we cover the following topics:
• Introduction
• Tomcat hardening
• Closing remarks
The full webinar video recording can also be found at: youtube.com/unifacesme
6. “I don’t need to worry…”
…it’s an internal application
…our team would never
…we’ve never had an attack
…we’re not that interesting to hackers
…our data is public record
…I’m not doing web, I’m okay
…my password is strong
…it is too complicated
7. “…everyone needs to worry”
Accidental hacker
Cyber criminals
Not just a privacy issue
Increasingly connected, integrated and exposed
Desktop, web, mobile, {x} as a service
Developers must be aware
9. These alone are not the solution
Firewall
Antivirus
The “IT infrastructure” guy
Automatic updates
10. Not just applicable to web applications
The Uniface Web Application Server (WASV) serves every client type (Desktop, API, Mobile, Web) over HTTP, HTTPS, SOAP and REST:
Web: USP, DSP
Desktop: HTML container
Mobile: Hybrid, Web
API: SOAP, REST, UHTTP
12. What is hardening?
Enhancing the security
Closing loopholes
Turning off developer/debug options
Removing non-essential objects
Not volunteering information
Patching
A ‘process’ not just an ‘event’
13. Technical Architecture
Clients (Desktop, API, Mobile, Web) reach the Uniface Virtual Machine through Tomcat, whose container hierarchy is:
Server - Tomcat
  Service
    Engine - Catalina
      Host
        Context
          Servlet - WRDServlet - WRD*
          Servlet - WRDServlet - SRD*
Each connector has its own valve chain in front of the engine:
Port (8009) <> Connector (AJP) <> Valve
Port (443) <> Connector (HTTPS) <> Valve
Port (80) <> Connector (HTTP) <> Valve
UVM Connector (Tomcat to the Uniface Virtual Machine)
* WRD: Web Request Dispatcher, SRD: SOAP Request Dispatcher
19. Harden the defaults
Remove default applications
‘examples’, ‘docs’, ‘host-manager’ (and ‘manager’ unless it is actually used), plus the stock content of ‘ROOT’
Switch off the shutdown port
<Server port="-1" shutdown="SHUTDOWN">
(port -1 disables the shutdown listener altogether; if you must keep it, at least change the default SHUTDOWN string)
Do not volunteer information
<Connector server=" " port="443" ...
(the server attribute overrides the Server response header, so version strings are no longer advertised)
Prevent malicious deployments
<Host name="localhost" appBase="webapps"
unpackWARs="false" autoDeploy="false">
(a WAR dropped into appBase is then no longer deployed on its own)
20. Harden the defaults (2)
Remove unused connectors, e.g. the AJP/1.3 connector
<!-- <Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" /> -->
(Tomcat 8.5.51 / 9.0.31 and later ship with AJP commented out, bound to loopback and requiring a shared secret; older releases expose it on all interfaces)
Bind connectors to specific network cards
<Connector secure="true" server=" " address="192.64.10.11"
port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
redirectPort="8443" />
Note: secure="true" belongs on a TLS connector (SSLEnabled="true") or on one fed by a TLS-terminating proxy; on a plain HTTP connector it only makes request.isSecure() return true.
Note: repeat the whole connector block for each address and
create matching virtual hosts if multiple subdomains are used.
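The two slides above are one procedure. As an added example (not code from the webinar or from Uniface), the following Python script audits a server.xml for exactly those defaults: shutdown port and command, AJP connector, Server header, interface binding, unpackWARs/autoDeploy, and the default webapps. Both server.xml documents it checks are constructed samples, the stock one and the same file after hardening; the address 192.64.10.11 is the deck's example value. It also flags secure="true" on a connector without SSLEnabled, which goes slightly beyond the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a stock Tomcat server.xml, trimmed to the
# elements the audit inspects. It is not copied from any real installation.
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same file after the hardening steps from the slides.
# 192.64.10.11 is the deck's example address, not a real host.
HARDENED_SERVER_XML = """
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector server=" " address="192.64.10.11" port="443"
               protocol="HTTP/1.1" SSLEnabled="true" secure="true"
               scheme="https" connectionTimeout="20000" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"
            unpackWARs="false" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
"""

# Webapps that ship with Tomcat and should not be on a production host.
# ROOT is handled separately: the directory stays, its stock content goes.
DEFAULT_APPS = {"examples", "docs", "host-manager", "manager"}


def audit_server_xml(xml_text):
    """Return a list of (check, detail) findings for one server.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "Server":
        raise ValueError("not a Tomcat server.xml, root element is %r" % root.tag)

    # Shutdown listener: any port other than -1 keeps a socket that accepts the
    # shutdown string (loopback only by default, but still a local DoS path).
    shutdown_port = root.get("port", "8005")
    if shutdown_port != "-1":
        findings.append(("shutdown-port", "Server port=%s, expected -1" % shutdown_port))
        if root.get("shutdown", "SHUTDOWN") == "SHUTDOWN":
            findings.append(("shutdown-command", "default shutdown string still in use"))

    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        where = "%s connector on port %s" % (proto, conn.get("port", "?"))
        if proto.upper().startswith("AJP"):
            findings.append(("ajp-connector", where))
        # Without `server`, older Tomcat releases advertise Apache-Coyote in the
        # Server header; newer ones send none unless a webapp sets one.
        if "server" not in conn.attrib:
            findings.append(("server-header", where + ": Server header not overridden"))
        # Without `address`, the connector listens on every interface.
        if "address" not in conn.attrib:
            findings.append(("bind-all-interfaces", where + ": no address attribute"))
        # secure="true" only makes request.isSecure() return true; on a connector
        # without SSLEnabled that is a lie unless a TLS proxy sits in front.
        if (conn.get("secure", "false").lower() == "true"
                and conn.get("SSLEnabled", "false").lower() != "true"):
            findings.append(("secure-without-tls", where + ": secure=true but SSLEnabled is not"))

    for host in root.iter("Host"):
        name = host.get("name", "?")
        # Both attributes default to true in Tomcat when omitted.
        if host.get("unpackWARs", "true").lower() == "true":
            findings.append(("unpack-wars", "Host %s unpacks WARs" % name))
        if host.get("autoDeploy", "true").lower() == "true":
            findings.append(("auto-deploy", "Host %s auto-deploys from %s"
                             % (name, host.get("appBase", "webapps"))))
    return findings


def audit_webapps(deployed):
    """Given the directory names under appBase, return the default apps still present."""
    return sorted(DEFAULT_APPS.intersection(deployed))


if __name__ == "__main__":
    for label, doc in (("stock", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        results = audit_server_xml(doc)
        print("%s server.xml: %d finding(s)" % (label, len(results)))
        for check, detail in results:
            print("  [%s] %s" % (check, detail))
    # Constructed listing of webapps/ on a freshly installed host.
    print("default apps present:",
          audit_webapps(["ROOT", "docs", "examples", "host-manager", "manager", "myapp"]))
```

Run it against a real server.xml by reading the file into audit_server_xml and passing os.listdir of the appBase to audit_webapps; an empty findings list means every default the slides call out has been changed, while the stock sample produces nine findings.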
31. Uniface Application Errors
Application errors (the yellow error screens)
You can replace USYSHTTPBODY with the same HTML that is used
in the custom index and error pages referred to in the previous
sections, so that an application failure does not volunteer
internal details to the caller.
35. Summary
Coach, train, mentor team
Continual monitoring and improvement are essential
A few simple steps greatly improve security
Server hardening is just one step along the path to security
Do not assume higher (or lower) layers provide adequate security
A 100% secure system is practically impossible
A 100% secure system would be unusable!